001
014
015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.util.ParamUtil;
018 import com.liferay.portal.kernel.util.PwdGenerator;
019 import com.liferay.portal.kernel.util.Validator;
020 import com.liferay.portal.kernel.util.WebKeys;
021 import com.liferay.portal.service.permission.PortletPermissionUtil;
022 import com.liferay.portal.util.PortalUtil;
023 import com.liferay.portal.util.PropsValues;
024 import com.liferay.portlet.SecurityPortletContainerWrapper;
025
026 import javax.servlet.http.HttpServletRequest;
027 import javax.servlet.http.HttpSession;
028
029
032 public class SessionAuthToken implements AuthToken {
033
034 @Override
035 public void check(HttpServletRequest request) throws PrincipalException {
036 checkCSRFToken(
037 request, SecurityPortletContainerWrapper.class.getName());
038 }
039
040 @Override
041 public void checkCSRFToken(HttpServletRequest request, String origin)
042 throws PrincipalException {
043
044 if (!PropsValues.AUTH_TOKEN_CHECK_ENABLED) {
045 return;
046 }
047
048 String sharedSecret = ParamUtil.getString(request, "p_auth_secret");
049
050 if (AuthTokenWhitelistUtil.isValidSharedSecret(sharedSecret)) {
051 return;
052 }
053
054 long companyId = PortalUtil.getCompanyId(request);
055
056 if (AuthTokenWhitelistUtil.isCSRFOrigintWhitelisted(
057 companyId, origin)) {
058
059 return;
060 }
061
062 if (origin.equals(SecurityPortletContainerWrapper.class.getName())) {
063 String ppid = ParamUtil.getString(request, "p_p_id");
064
065 String portletNamespace = PortalUtil.getPortletNamespace(ppid);
066
067 String strutsAction = ParamUtil.getString(
068 request, portletNamespace + "struts_action");
069
070 if (AuthTokenWhitelistUtil.isPortletCSRFWhitelisted(
071 companyId, ppid, strutsAction)) {
072
073 return;
074 }
075 }
076
077 String csrfToken = ParamUtil.getString(request, "p_auth");
078
079 String sessionToken = getSessionAuthenticationToken(
080 request, _CSRF, false);
081
082 if (!csrfToken.equals(sessionToken)) {
083 throw new PrincipalException("Invalid authentication token");
084 }
085 }
086
087 @Override
088 public String getToken(HttpServletRequest request) {
089 return getSessionAuthenticationToken(request, _CSRF, true);
090 }
091
092 @Override
093 public String getToken(
094 HttpServletRequest request, long plid, String portletId) {
095
096 return getSessionAuthenticationToken(
097 request, PortletPermissionUtil.getPrimaryKey(plid, portletId),
098 true);
099 }
100
101 @Override
102 public boolean isValidPortletInvocationToken(
103 HttpServletRequest request, long plid, String portletId,
104 String strutsAction, String tokenValue) {
105
106 long companyId = PortalUtil.getCompanyId(request);
107
108 if (AuthTokenWhitelistUtil.isPortletInvocationWhitelisted(
109 companyId, portletId, strutsAction)) {
110
111 return true;
112 }
113
114 if (Validator.isNotNull(tokenValue)) {
115 String key = PortletPermissionUtil.getPrimaryKey(plid, portletId);
116
117 String sessionToken = getSessionAuthenticationToken(
118 request, key, false);
119
120 if (Validator.isNotNull(sessionToken) &&
121 sessionToken.equals(tokenValue)) {
122
123 return true;
124 }
125 }
126
127 return false;
128 }
129
130 protected String getSessionAuthenticationToken(
131 HttpServletRequest request, String key, boolean createToken) {
132
133 HttpSession session = request.getSession();
134
135 String tokenKey = WebKeys.AUTHENTICATION_TOKEN.concat(key);
136
137 String sessionAuthenticationToken = (String)session.getAttribute(
138 tokenKey);
139
140 if (createToken && Validator.isNull(sessionAuthenticationToken)) {
141 sessionAuthenticationToken = PwdGenerator.getPassword(
142 PropsValues.AUTH_TOKEN_LENGTH);
143
144 session.setAttribute(tokenKey, sessionAuthenticationToken);
145 }
146
147 return sessionAuthenticationToken;
148 }
149
150 private static final String _CSRF = "#CSRF";
151
152 }