001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.struts;
016    
017    import com.liferay.portal.kernel.exception.PortalException;
018    import com.liferay.portal.kernel.json.JSONFactoryUtil;
019    import com.liferay.portal.kernel.log.Log;
020    import com.liferay.portal.kernel.log.LogFactoryUtil;
021    import com.liferay.portal.kernel.servlet.HttpHeaders;
022    import com.liferay.portal.kernel.servlet.ServletContextPool;
023    import com.liferay.portal.kernel.util.ClassUtil;
024    import com.liferay.portal.kernel.util.ContentTypes;
025    import com.liferay.portal.kernel.util.GetterUtil;
026    import com.liferay.portal.kernel.util.ParamUtil;
027    import com.liferay.portal.kernel.util.SetUtil;
028    import com.liferay.portal.kernel.util.StringBundler;
029    import com.liferay.portal.kernel.util.StringPool;
030    import com.liferay.portal.kernel.util.Validator;
031    import com.liferay.portal.security.access.control.AccessControlUtil;
032    import com.liferay.portal.security.auth.AuthTokenUtil;
033    import com.liferay.portal.security.sso.SSOUtil;
034    import com.liferay.portal.servlet.SharedSessionServletRequest;
035    import com.liferay.portal.util.PortalUtil;
036    import com.liferay.portal.util.PropsValues;
037    import com.liferay.portal.util.WebKeys;
038    
039    import java.io.OutputStream;
040    
041    import java.util.Set;
042    
043    import javax.servlet.RequestDispatcher;
044    import javax.servlet.ServletContext;
045    import javax.servlet.http.HttpServletRequest;
046    import javax.servlet.http.HttpServletResponse;
047    
048    import org.apache.struts.action.Action;
049    import org.apache.struts.action.ActionForm;
050    import org.apache.struts.action.ActionForward;
051    import org.apache.struts.action.ActionMapping;
052    
053    /**
054     * @author Ming-Gih Lam
055     * @author Brian Wing Shun Chan
056     * @author Tomas Polesovsky
057     */
058    public abstract class JSONAction extends Action {
059    
060            @Override
061            public ActionForward execute(
062                            ActionMapping actionMapping, ActionForm actionForm,
063                            HttpServletRequest request, HttpServletResponse response)
064                    throws Exception {
065    
066                    if (rerouteExecute(request, response)) {
067                            return null;
068                    }
069    
070                    String callback = ParamUtil.getString(request, "callback");
071    
072                    String json = null;
073    
074                    try {
075                            checkAuthToken(request);
076    
077                            json = getJSON(actionMapping, actionForm, request, response);
078    
079                            if (Validator.isNotNull(callback)) {
080                                    StringBundler sb = new StringBundler(5);
081    
082                                    sb.append("/**/");
083                                    sb.append(callback);
084                                    sb.append(StringPool.OPEN_PARENTHESIS);
085                                    sb.append(json);
086                                    sb.append(StringPool.CLOSE_PARENTHESIS);
087    
088                                    json = sb.toString();
089                            }
090                    }
091                    catch (SecurityException se) {
092                            if (_log.isWarnEnabled()) {
093                                    _log.warn(se.getMessage());
094                            }
095    
096                            json = JSONFactoryUtil.serializeThrowable(se);
097                    }
098                    catch (Exception e) {
099                            _log.error(e, e);
100    
101                            PortalUtil.sendError(
102                                    HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e, request,
103                                    response);
104    
105                            return null;
106                    }
107    
108                    boolean refresh = ParamUtil.getBoolean(request, "refresh");
109    
110                    if (refresh) {
111                            return actionMapping.findForward(ActionConstants.COMMON_REFERER);
112                    }
113                    else if (Validator.isNotNull(json)) {
114                            response.setCharacterEncoding(StringPool.UTF8);
115                            response.setContentType(ContentTypes.APPLICATION_JSON);
116                            response.setHeader(
117                                    HttpHeaders.CACHE_CONTROL,
118                                    HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
119    
120                            try (OutputStream outputStream = response.getOutputStream()) {
121                                    byte[] bytes = json.getBytes(StringPool.UTF8);
122    
123                                    outputStream.write(bytes);
124                            }
125                    }
126    
127                    return null;
128            }
129    
130            public abstract String getJSON(
131                            ActionMapping actionMapping, ActionForm actionForm,
132                            HttpServletRequest request, HttpServletResponse response)
133                    throws Exception;
134    
135            public void setServletContext(ServletContext servletContext) {
136                    _servletContext = servletContext;
137            }
138    
139            protected void checkAuthToken(HttpServletRequest request)
140                    throws PortalException {
141    
142                    String authType = GetterUtil.getString(request.getAuthType());
143    
144                    // Support for the legacy JSON API at /c/portal/json_service
145    
146                    if (AccessControlUtil.getAccessControlContext() == null) {
147                            if (authType.equals(HttpServletRequest.BASIC_AUTH) ||
148                                    authType.equals(HttpServletRequest.DIGEST_AUTH)) {
149    
150                                    return;
151                            }
152                    }
153                    else {
154    
155                            // The new web service should only check auth tokens when the user
156                            // is authenticated using portal session cookies
157    
158                            if (!authType.equals(HttpServletRequest.FORM_AUTH)) {
159                                    return;
160                            }
161                    }
162    
163                    if (PropsValues.JSON_SERVICE_AUTH_TOKEN_ENABLED) {
164                            if (!SSOUtil.isAccessAllowed(request, _hostsAllowed)) {
165                                    AuthTokenUtil.checkCSRFToken(request, getCSRFOrigin(request));
166                            }
167                    }
168            }
169    
170            protected String getCSRFOrigin(HttpServletRequest request) {
171                    return ClassUtil.getClassName(this);
172            }
173    
174            protected String getReroutePath() {
175                    return null;
176            }
177    
178            protected boolean rerouteExecute(
179                            HttpServletRequest request, HttpServletResponse response)
180                    throws Exception {
181    
182                    String reroutePath = getReroutePath();
183    
184                    if (Validator.isNull(reroutePath)) {
185                            return false;
186                    }
187    
188                    String requestServletContextName = ParamUtil.getString(
189                            request, "servletContextName");
190    
191                    if (Validator.isNull(requestServletContextName)) {
192                            return false;
193                    }
194    
195                    ServletContext servletContext = _servletContext;
196    
197                    if (servletContext == null) {
198                            servletContext = (ServletContext)request.getAttribute(WebKeys.CTX);
199                    }
200    
201                    String servletContextName = GetterUtil.getString(
202                            servletContext.getServletContextName());
203    
204                    if (servletContextName.equals(requestServletContextName)) {
205                            return false;
206                    }
207    
208                    ServletContext requestServletContext = ServletContextPool.get(
209                            requestServletContextName);
210    
211                    if (requestServletContext == null) {
212                            return false;
213                    }
214    
215                    RequestDispatcher requestDispatcher =
216                            requestServletContext.getRequestDispatcher(reroutePath);
217    
218                    if (requestDispatcher == null) {
219                            return false;
220                    }
221    
222                    requestDispatcher.forward(
223                            new SharedSessionServletRequest(request, true), response);
224    
225                    return true;
226            }
227    
228            private static final Log _log = LogFactoryUtil.getLog(JSONAction.class);
229    
230            private final Set<String> _hostsAllowed = SetUtil.fromArray(
231                    PropsValues.JSON_SERVICE_AUTH_TOKEN_HOSTS_ALLOWED);
232            private ServletContext _servletContext;
233    
234    }