001
014
015 package com.liferay.portal.struts;
016
017 import com.liferay.portal.kernel.exception.PortalException;
018 import com.liferay.portal.kernel.json.JSONFactoryUtil;
019 import com.liferay.portal.kernel.log.Log;
020 import com.liferay.portal.kernel.log.LogFactoryUtil;
021 import com.liferay.portal.kernel.servlet.HttpHeaders;
022 import com.liferay.portal.kernel.servlet.ServletContextPool;
023 import com.liferay.portal.kernel.util.ClassUtil;
024 import com.liferay.portal.kernel.util.ContentTypes;
025 import com.liferay.portal.kernel.util.GetterUtil;
026 import com.liferay.portal.kernel.util.ParamUtil;
027 import com.liferay.portal.kernel.util.SetUtil;
028 import com.liferay.portal.kernel.util.StringBundler;
029 import com.liferay.portal.kernel.util.StringPool;
030 import com.liferay.portal.kernel.util.Validator;
031 import com.liferay.portal.security.access.control.AccessControlUtil;
032 import com.liferay.portal.security.auth.AuthTokenUtil;
033 import com.liferay.portal.security.sso.SSOUtil;
034 import com.liferay.portal.servlet.SharedSessionServletRequest;
035 import com.liferay.portal.util.PortalUtil;
036 import com.liferay.portal.util.PropsValues;
037 import com.liferay.portal.util.WebKeys;
038
039 import java.io.OutputStream;
040
041 import java.util.Set;
042
043 import javax.servlet.RequestDispatcher;
044 import javax.servlet.ServletContext;
045 import javax.servlet.http.HttpServletRequest;
046 import javax.servlet.http.HttpServletResponse;
047
048 import org.apache.struts.action.Action;
049 import org.apache.struts.action.ActionForm;
050 import org.apache.struts.action.ActionForward;
051 import org.apache.struts.action.ActionMapping;
052
053
058 public abstract class JSONAction extends Action {
059
060 @Override
061 public ActionForward execute(
062 ActionMapping actionMapping, ActionForm actionForm,
063 HttpServletRequest request, HttpServletResponse response)
064 throws Exception {
065
066 if (rerouteExecute(request, response)) {
067 return null;
068 }
069
070 String callback = ParamUtil.getString(request, "callback");
071
072 String json = null;
073
074 try {
075 checkAuthToken(request);
076
077 json = getJSON(actionMapping, actionForm, request, response);
078
079 if (Validator.isNotNull(callback)) {
080 StringBundler sb = new StringBundler(5);
081
082 sb.append("");
083 sb.append(callback);
084 sb.append(StringPool.OPEN_PARENTHESIS);
085 sb.append(json);
086 sb.append(StringPool.CLOSE_PARENTHESIS);
087
088 json = sb.toString();
089 }
090 }
091 catch (SecurityException se) {
092 if (_log.isWarnEnabled()) {
093 _log.warn(se.getMessage());
094 }
095
096 json = JSONFactoryUtil.serializeThrowable(se);
097 }
098 catch (Exception e) {
099 _log.error(e, e);
100
101 PortalUtil.sendError(
102 HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
103 response);
104
105 return null;
106 }
107
108 boolean refresh = ParamUtil.getBoolean(request, "refresh");
109
110 if (refresh) {
111 return actionMapping.findForward(ActionConstants.COMMON_REFERER);
112 }
113 else if (Validator.isNotNull(json)) {
114 response.setCharacterEncoding(StringPool.UTF8);
115 response.setContentType(ContentTypes.APPLICATION_JSON);
116 response.setHeader(
117 HttpHeaders.CACHE_CONTROL,
118 HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
119
120 try (OutputStream outputStream = response.getOutputStream()) {
121 byte[] bytes = json.getBytes(StringPool.UTF8);
122
123 outputStream.write(bytes);
124 }
125 }
126
127 return null;
128 }
129
130 public abstract String getJSON(
131 ActionMapping actionMapping, ActionForm actionForm,
132 HttpServletRequest request, HttpServletResponse response)
133 throws Exception;
134
135 public void setServletContext(ServletContext servletContext) {
136 _servletContext = servletContext;
137 }
138
139 protected void checkAuthToken(HttpServletRequest request)
140 throws PortalException {
141
142 String authType = GetterUtil.getString(request.getAuthType());
143
144
145
146 if (AccessControlUtil.getAccessControlContext() == null) {
147 if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
148 authType.equals(HttpServletRequest.DIGEST_AUTH)) {
149
150 return;
151 }
152 }
153 else {
154
155
156
157
158 if (!authType.equals(HttpServletRequest.FORM_AUTH)) {
159 return;
160 }
161 }
162
163 if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
164 if (!SSOUtil.isAccessAllowed(request, _hostsAllowed)) {
165 AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
166 }
167 }
168 }
169
170 protected String getCSRFOrigin(HttpServletRequest request) {
171 return ClassUtil.getClassName(this);
172 }
173
174 protected String getReroutePath() {
175 return null;
176 }
177
178 protected boolean rerouteExecute(
179 HttpServletRequest request, HttpServletResponse response)
180 throws Exception {
181
182 String reroutePath = getReroutePath();
183
184 if (Validator.isNull(reroutePath)) {
185 return false;
186 }
187
188 String requestServletContextName = ParamUtil.getString(
189 request, "servletContextName");
190
191 if (Validator.isNull(requestServletContextName)) {
192 return false;
193 }
194
195 ServletContext servletContext = _servletContext;
196
197 if (servletContext == null) {
198 servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
199 }
200
201 String servletContextName = GetterUtil.getString(
202 servletContext.getServletContextName());
203
204 if (servletContextName.equals(requestServletContextName)) {
205 return false;
206 }
207
208 ServletContext requestServletContext = ServletContextPool.get(
209 requestServletContextName);
210
211 if (requestServletContext == null) {
212 return false;
213 }
214
215 RequestDispatcher requestDispatcher =
216 requestServletContext.getRequestDispatcher(reroutePath);
217
218 if (requestDispatcher == null) {
219 return false;
220 }
221
222 requestDispatcher.forward(
223 new SharedSessionServletRequest(request, true), response);
224
225 return true;
226 }
227
228 private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
229
230 private final Set<String> _hostsAllowed = SetUtil.fromArray(
231 PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
232 private ServletContext _servletContext;
233
234 }