001
014
015 package com.liferay.portal.struts;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.json.JSONFactoryUtil;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.servlet.HttpHeaders;
022 import com.liferay.portal.kernel.servlet.ServletContextPool;
023 import com.liferay.portal.kernel.util.ClassUtil;
024 import com.liferay.portal.kernel.util.ContentTypes;
025 import com.liferay.portal.kernel.util.GetterUtil;
026 import com.liferay.portal.kernel.util.ParamUtil;
027 import com.liferay.portal.kernel.util.SetUtil;
028 import com.liferay.portal.kernel.util.StringPool;
029 import com.liferay.portal.kernel.util.Validator;
030 import com.liferay.portal.security.ac.AccessControlUtil;
031 import com.liferay.portal.security.auth.AuthTokenUtil;
032 import com.liferay.portal.security.auth.PortalSessionAuthVerifier;
033 import com.liferay.portal.security.sso.SSOUtil;
034 import com.liferay.portal.servlet.SharedSessionServletRequest;
035 import com.liferay.portal.util.PortalUtil;
036 import com.liferay.portal.util.PropsValues;
037 import com.liferay.portal.util.WebKeys;
038
039 import java.io.OutputStream;
040
041 import java.util.Set;
042
043 import javax.servlet.RequestDispatcher;
044 import javax.servlet.ServletContext;
045 import javax.servlet.http.HttpServletRequest;
046 import javax.servlet.http.HttpServletResponse;
047
048 import org.apache.struts.action.Action;
049 import org.apache.struts.action.ActionForm;
050 import org.apache.struts.action.ActionForward;
051 import org.apache.struts.action.ActionMapping;
052
053
058 public abstract class JSONAction extends Action {
059
060 @Override
061 public ActionForward execute(
062 ActionMapping actionMapping, ActionForm actionForm,
063 HttpServletRequest request, HttpServletResponse response)
064 throws Exception {
065
066 if (rerouteExecute(request, response)) {
067 return null;
068 }
069
070 String callback = ParamUtil.getString(request, "callback");
071
072 String json = null;
073
074 try {
075 checkAuthToken(request);
076
077 json = getJSON(actionMapping, actionForm, request, response);
078
079 if (Validator.isNotNull(callback)) {
080 json = callback + "(" + json + ");";
081 }
082 }
083 catch (SecurityException se) {
084 if (_log.isWarnEnabled()) {
085 _log.warn(se.getMessage());
086 }
087
088 json = JSONFactoryUtil.serializeThrowable(se);
089 }
090 catch (Exception e) {
091 _log.error(e, e);
092
093 PortalUtil.sendError(
094 HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
095 response);
096
097 return null;
098 }
099
100 boolean refresh = ParamUtil.getBoolean(request, "refresh");
101
102 if (refresh) {
103 return actionMapping.findForward(ActionConstants.COMMON_REFERER);
104 }
105 else if (Validator.isNotNull(json)) {
106 response.setCharacterEncoding(StringPool.UTF8);
107 response.setContentType(ContentTypes.APPLICATION_JSON);
108 response.setHeader(
109 HttpHeaders.CACHE_CONTROL,
110 HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
111
112 try (OutputStream outputStream = response.getOutputStream()) {
113 byte[] bytes = json.getBytes(StringPool.UTF8);
114
115 outputStream.write(bytes);
116 }
117 }
118
119 return null;
120 }
121
122 public abstract String getJSON(
123 ActionMapping actionMapping, ActionForm actionForm,
124 HttpServletRequest request, HttpServletResponse response)
125 throws Exception;
126
127 public void setServletContext(ServletContext servletContext) {
128 _servletContext = servletContext;
129 }
130
131 protected void checkAuthToken(HttpServletRequest request)
132 throws PortalException {
133
134 String authType = GetterUtil.getString(request.getAuthType());
135
136
137
138 if (AccessControlUtil.getAccessControlContext() == null) {
139 if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
140 authType.equals(HttpServletRequest.DIGEST_AUTH)) {
141
142 return;
143 }
144 }
145 else {
146
147
148
149
150 if (!authType.equals(PortalSessionAuthVerifier.AUTH_TYPE)) {
151 return;
152 }
153 }
154
155 if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
156 if (!SSOUtil.isAccessAllowed(request, _hostsAllowed)) {
157 AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
158 }
159 }
160 }
161
162 protected String getCSRFOrigin(HttpServletRequest request) {
163 return ClassUtil.getClassName(this);
164 }
165
166 protected String getReroutePath() {
167 return null;
168 }
169
170 protected boolean rerouteExecute(
171 HttpServletRequest request, HttpServletResponse response)
172 throws Exception {
173
174 String reroutePath = getReroutePath();
175
176 if (Validator.isNull(reroutePath)) {
177 return false;
178 }
179
180 String requestServletContextName = ParamUtil.getString(
181 request, "servletContextName");
182
183 if (Validator.isNull(requestServletContextName)) {
184 return false;
185 }
186
187 ServletContext servletContext = _servletContext;
188
189 if (servletContext == null) {
190 servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
191 }
192
193 String servletContextName = GetterUtil.getString(
194 servletContext.getServletContextName());
195
196 if (servletContextName.equals(requestServletContextName)) {
197 return false;
198 }
199
200 ServletContext requestServletContext = ServletContextPool.get(
201 requestServletContextName);
202
203 if (requestServletContext == null) {
204 return false;
205 }
206
207 RequestDispatcher requestDispatcher =
208 requestServletContext.getRequestDispatcher(reroutePath);
209
210 if (requestDispatcher == null) {
211 return false;
212 }
213
214 requestDispatcher.forward(
215 new SharedSessionServletRequest(request, true), response);
216
217 return true;
218 }
219
220 private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
221
222 private final Set<String> _hostsAllowed = SetUtil.fromArray(
223 PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
224 private ServletContext _servletContext;
225
226 }