1   /**
2    * Copyright (c) 2000-2009 Liferay, Inc. All rights reserved.
3    *
4    * The contents of this file are subject to the terms of the Liferay Enterprise
5    * Subscription License ("License"). You may not use this file except in
6    * compliance with the License. You can obtain a copy of the License by
7    * contacting Liferay, Inc. See the License for the specific language governing
8    * permissions and limitations under the License, including but not limited to
9    * distribution rights of the Software.
10   *
11   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
14   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
15   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
16   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
17   * SOFTWARE.
18   */
19  
20  package com.liferay.portal.servlet.filters.autologin;
21  
22  import com.liferay.portal.NoSuchUserException;
23  import com.liferay.portal.kernel.log.Log;
24  import com.liferay.portal.kernel.log.LogFactoryUtil;
25  import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
26  import com.liferay.portal.kernel.util.GetterUtil;
27  import com.liferay.portal.kernel.util.InstancePool;
28  import com.liferay.portal.kernel.util.ListUtil;
29  import com.liferay.portal.kernel.util.StringPool;
30  import com.liferay.portal.kernel.util.Validator;
31  import com.liferay.portal.model.User;
32  import com.liferay.portal.security.auth.AutoLogin;
33  import com.liferay.portal.security.pwd.PwdEncryptor;
34  import com.liferay.portal.service.UserLocalServiceUtil;
35  import com.liferay.portal.servlet.filters.BasePortalFilter;
36  import com.liferay.portal.util.PortalInstances;
37  import com.liferay.portal.util.PortalUtil;
38  import com.liferay.portal.util.PropsValues;
39  import com.liferay.portal.util.WebKeys;
40  
41  import java.io.IOException;
42  
43  import java.util.ArrayList;
44  import java.util.List;
45  
46  import javax.servlet.FilterChain;
47  import javax.servlet.ServletException;
48  import javax.servlet.http.HttpServletRequest;
49  import javax.servlet.http.HttpServletResponse;
50  import javax.servlet.http.HttpSession;
51  
52  /**
53   * <a href="AutoLoginFilter.java.html"><b><i>View Source</i></b></a>
54   *
55   * @author Brian Wing Shun Chan
56   * @author Raymond Augé
57   *
58   */
59  public class AutoLoginFilter extends BasePortalFilter {
60  
61      public static void registerAutoLogin(AutoLogin autoLogin) {
62          if (_autoLogins == null) {
63              _log.error("AutoLoginFilter is not initialized yet");
64  
65              return;
66          }
67  
68          List<AutoLogin> autoLogins = ListUtil.fromArray(_autoLogins);
69  
70          autoLogins.add(autoLogin);
71  
72          _autoLogins = autoLogins.toArray(new AutoLogin[autoLogins.size()]);
73      }
74  
75      public static void unregisterAutoLogin(AutoLogin autoLogin) {
76          if (_autoLogins == null) {
77              _log.error("AutoLoginFilter is not initialized yet");
78  
79              return;
80          }
81  
82          List<AutoLogin> autoLogins = ListUtil.fromArray(_autoLogins);
83  
84          if (autoLogins.remove(autoLogin)) {
85              _autoLogins = autoLogins.toArray(new AutoLogin[autoLogins.size()]);
86          }
87      }
88  
89      public AutoLoginFilter() {
90          List<AutoLogin> autoLogins = new ArrayList<AutoLogin>();
91  
92          for (String autoLoginHook : PropsValues.AUTO_LOGIN_HOOKS) {
93              AutoLogin autoLogin = (AutoLogin)InstancePool.get(
94                  autoLoginHook);
95  
96              autoLogins.add(autoLogin);
97          }
98  
99          _autoLogins = autoLogins.toArray(new AutoLogin[autoLogins.size()]);
100     }
101 
102     protected String getLoginRemoteUser(
103             HttpServletRequest request, HttpServletResponse response,
104             HttpSession session, String[] credentials)
105         throws Exception {
106 
107         if ((credentials != null) && (credentials.length == 3)) {
108             String jUsername = credentials[0];
109             String jPassword = credentials[1];
110             boolean encPassword = GetterUtil.getBoolean(credentials[2]);
111 
112             if (Validator.isNotNull(jUsername) &&
113                 Validator.isNotNull(jPassword)) {
114 
115                 try {
116                     long userId = GetterUtil.getLong(jUsername);
117 
118                     if (userId > 0) {
119                         User user = UserLocalServiceUtil.getUserById(userId);
120 
121                         if (user.isLockout()) {
122                             return null;
123                         }
124                     }
125                     else {
126                         return null;
127                     }
128                 }
129                 catch (NoSuchUserException nsue) {
130                     return null;
131                 }
132 
133                 session.setAttribute("j_username", jUsername);
134 
135                 // Not having access to the unencrypted password
136                 // will not allow you to connect to external
137                 // resources that require it (mail server)
138 
139                 if (encPassword) {
140                     session.setAttribute("j_password", jPassword);
141                 }
142                 else {
143                     session.setAttribute(
144                         "j_password", PwdEncryptor.encrypt(jPassword));
145 
146                     session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
147                 }
148 
149                 if (PropsValues.PORTAL_JAAS_ENABLE) {
150                     response.sendRedirect(
151                         PortalUtil.getPathMain() + "/portal/touch_protected");
152                 }
153 
154                 return jUsername;
155             }
156         }
157 
158         return null;
159     }
160 
161     protected void processFilter(
162             HttpServletRequest request, HttpServletResponse response,
163             FilterChain filterChain)
164         throws IOException, ServletException {
165 
166         HttpSession session = request.getSession();
167 
168         String host = PortalUtil.getHost(request);
169 
170         if (PortalInstances.isAutoLoginIgnoreHost(host)) {
171             if (_log.isDebugEnabled()) {
172                 _log.debug("Ignore host " + host);
173             }
174 
175             processFilter(
176                 AutoLoginFilter.class, request, response, filterChain);
177 
178             return;
179         }
180 
181         String contextPath = PortalUtil.getPathContext();
182 
183         String path = request.getRequestURI().toLowerCase();
184 
185         if ((!contextPath.equals(StringPool.SLASH)) &&
186             (path.indexOf(contextPath) != -1)) {
187 
188             path = path.substring(contextPath.length(), path.length());
189         }
190 
191         if (PortalInstances.isAutoLoginIgnorePath(path)) {
192             if (_log.isDebugEnabled()) {
193                 _log.debug("Ignore path " + path);
194             }
195 
196             processFilter(
197                 AutoLoginFilter.class, request, response, filterChain);
198 
199             return;
200         }
201 
202         String remoteUser = request.getRemoteUser();
203         String jUserName = (String)session.getAttribute("j_username");
204 
205         if ((remoteUser == null) && (jUserName == null)) {
206             for (AutoLogin autoLogin : _autoLogins) {
207                 try {
208                     String[] credentials = autoLogin.login(request, response);
209 
210                     String redirect = (String)request.getAttribute(
211                         AutoLogin.AUTO_LOGIN_REDIRECT);
212 
213                     if (redirect != null) {
214                         response.sendRedirect(redirect);
215 
216                         return;
217                     }
218 
219                     String loginRemoteUser = getLoginRemoteUser(
220                         request, response, session, credentials);
221 
222                     if (loginRemoteUser != null) {
223                         request = new ProtectedServletRequest(
224                             request, loginRemoteUser);
225 
226                         if (PropsValues.PORTAL_JAAS_ENABLE) {
227                             return;
228                         }
229                     }
230                 }
231                 catch (Exception e) {
232                     if (_log.isWarnEnabled()) {
233                         _log.warn(e, e);
234                     }
235 
236                     String currentURL = PortalUtil.getCurrentURL(request);
237 
238                     if (currentURL.endsWith(_PATH_CHAT_LATEST)) {
239                         if (_log.isWarnEnabled()) {
240                             _log.warn(
241                                 "Current URL " + currentURL +
242                                     " generates exception: " + e.getMessage());
243                         }
244                     }
245                     else {
246                         _log.error(
247                             "Current URL " + currentURL +
248                                 " generates exception: " + e.getMessage());
249                     }
250                 }
251             }
252         }
253 
254         processFilter(AutoLoginFilter.class, request, response, filterChain);
255     }
256 
257     private static final String _PATH_CHAT_LATEST = "/-/chat/latest";
258 
259     private static Log _log = LogFactoryUtil.getLog(AutoLoginFilter.class);
260 
261     private static AutoLogin[] _autoLogins;
262 
263 }