015 package com.liferay.portal.security.access.control;
016
017 import com.liferay.portal.kernel.security.access.control.AccessControlled;
018 import com.liferay.portal.kernel.security.access.control.BaseAccessControlPolicy;
019 import com.liferay.portal.kernel.util.MapUtil;
020 import com.liferay.portal.kernel.util.SetUtil;
021 import com.liferay.portal.kernel.util.StringUtil;
022 import com.liferay.portal.security.auth.AccessControlContext;
023 import com.liferay.portal.security.sso.SSOUtil;
024
025 import java.lang.reflect.Method;
026
027 import java.util.Set;
028
029 import javax.servlet.http.HttpServletRequest;
030
031
/**
 * Access control policy that checks the calling host of a remote service
 * invocation against the {@code hosts.allowed} setting of the current
 * {@link AccessControlContext}.
 *
 * <p>
 * The policy only acts when the invoked service opts in through
 * {@link AccessControlled#hostAllowedValidationEnabled()} and when an access
 * control context is available. In every other case the method returns
 * without raising an error, so this policy alone does not block the call.
 * </p>
 */
public class AllowedHostsAccessControlPolicy extends BaseAccessControlPolicy {

	/**
	 * Rejects the invocation when the request's host is not accepted by
	 * {@link SSOUtil#isAccessAllowed}.
	 *
	 * @param  method the service method being invoked (not inspected here)
	 * @param  arguments the invocation arguments (not inspected here)
	 * @param  accessControlled the annotation that says whether host
	 *         validation is enabled for this service
	 * @throws SecurityException if the host check fails; the message carries
	 *         the value of {@code request.getRemoteAddr()}
	 */
	@Override
	public void onServiceRemoteAccess(
			Method method, Object[] arguments,
			AccessControlled accessControlled)
		throws SecurityException {

		// Host validation is opt-in per service. When it is switched off
		// there is nothing for this policy to enforce.
		boolean validationEnabled =
			accessControlled.hostAllowedValidationEnabled();

		if (!validationEnabled) {
			return;
		}

		AccessControlContext context =
			AccessControlUtil.getAccessControlContext();

		// No context means no request and no settings to check against, so
		// the policy returns without a decision (fail-open for this check).
		// NOTE(review): presumably this is the local, non-remote call path;
		// confirm that remote entry points always set a context.
		if (context == null) {
			return;
		}

		HttpServletRequest request = context.getRequest();

		// The allow-list is a delimited string under "hosts.allowed".
		// NOTE(review): the delimiter, trimming rules and the meaning of an
		// empty list are decided by StringUtil.split and
		// SSOUtil.isAccessAllowed, which are not shown here. Verify that an
		// empty or missing setting is not treated as "allow every host"
		// where that is not intended.
		Set<String> allowedHosts = SetUtil.fromArray(
			StringUtil.split(
				MapUtil.getString(context.getSettings(), "hosts.allowed")));

		if (SSOUtil.isAccessAllowed(request, allowedHosts)) {
			return;
		}

		// getRemoteAddr() is the address of the direct peer. Behind a
		// reverse proxy or load balancer that is the proxy, not the client.
		// NOTE(review): request is not null-checked. If getRequest() can
		// return null, this line raises NullPointerException rather than
		// SecurityException. Confirm against AccessControlContext.
		throw new SecurityException(
			"Access denied for " + request.getRemoteAddr());
	}

}