1   /**
2    * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
3    *
4    * The contents of this file are subject to the terms of the Liferay Enterprise
5    * Subscription License ("License"). You may not use this file except in
6    * compliance with the License. You can obtain a copy of the License by
7    * contacting Liferay, Inc. See the License for the specific language governing
8    * permissions and limitations under the License, including but not limited to
9    * distribution rights of the Software.
10   *
11   *
12   *
13   */
14  
15  package com.liferay.portlet.login.util;
16  
17  import com.liferay.portal.PortalException;
18  import com.liferay.portal.SystemException;
19  import com.liferay.portal.kernel.log.Log;
20  import com.liferay.portal.kernel.log.LogFactoryUtil;
21  import com.liferay.portal.kernel.servlet.HttpHeaders;
22  import com.liferay.portal.kernel.servlet.SessionMessages;
23  import com.liferay.portal.kernel.util.GetterUtil;
24  import com.liferay.portal.kernel.util.ParamUtil;
25  import com.liferay.portal.kernel.util.StringPool;
26  import com.liferay.portal.kernel.util.Validator;
27  import com.liferay.portal.model.Company;
28  import com.liferay.portal.model.CompanyConstants;
29  import com.liferay.portal.model.User;
30  import com.liferay.portal.security.auth.AuthException;
31  import com.liferay.portal.security.auth.Authenticator;
32  import com.liferay.portal.service.UserLocalServiceUtil;
33  import com.liferay.portal.theme.ThemeDisplay;
34  import com.liferay.portal.util.CookieKeys;
35  import com.liferay.portal.util.PortalUtil;
36  import com.liferay.portal.util.PortletKeys;
37  import com.liferay.portal.util.PropsValues;
38  import com.liferay.portal.util.WebKeys;
39  import com.liferay.portlet.PortletURLImpl;
40  import com.liferay.util.Encryptor;
41  
42  import java.util.ArrayList;
43  import java.util.Enumeration;
44  import java.util.HashMap;
45  import java.util.List;
46  import java.util.Map;
47  
48  import javax.portlet.ActionRequest;
49  import javax.portlet.PortletMode;
50  import javax.portlet.PortletModeException;
51  import javax.portlet.PortletRequest;
52  import javax.portlet.PortletURL;
53  import javax.portlet.WindowState;
54  import javax.portlet.WindowStateException;
55  
56  import javax.servlet.http.Cookie;
57  import javax.servlet.http.HttpServletRequest;
58  import javax.servlet.http.HttpServletResponse;
59  import javax.servlet.http.HttpSession;
60  
61  /**
62   * <a href="LoginUtil.java.html"><b><i>View Source</i></b></a>
63   *
64   * @author Brian Wing Shun Chan
65   * @author Scott Lee
66   */
67  public class LoginUtil {
68  
69      public static long getAuthenticatedUserId(
70              HttpServletRequest request, String login, String password,
71              String authType)
72          throws PortalException, SystemException {
73  
74          long userId = GetterUtil.getLong(login);
75  
76          Company company = PortalUtil.getCompany(request);
77  
78          String requestURI = request.getRequestURI();
79  
80          if (requestURI.startsWith("/tunnel-web/liferay") ||
81              requestURI.startsWith("/tunnel-web/secure/liferay")) {
82  
83              // Tunnel requests are serialized objects and cannot manipulate the
84              // request input stream in any way. Do not use the auth pipeline to
85              // authenticate tunnel requests.
86  
87              long companyId = company.getCompanyId();
88  
89              userId = UserLocalServiceUtil.authenticateForBasic(
90                  companyId, CompanyConstants.AUTH_TYPE_EA, login, password);
91  
92              if (userId > 0) {
93                  return userId;
94              }
95  
96              userId = UserLocalServiceUtil.authenticateForBasic(
97                  companyId, CompanyConstants.AUTH_TYPE_SN, login, password);
98  
99              if (userId > 0) {
100                 return userId;
101             }
102 
103             userId = UserLocalServiceUtil.authenticateForBasic(
104                 companyId, CompanyConstants.AUTH_TYPE_ID, login, password);
105 
106             if (userId <= 0) {
107                 throw new AuthException();
108             }
109         }
110         else {
111             Map<String, String[]> headerMap = new HashMap<String, String[]>();
112 
113             Enumeration<String> enu1 = request.getHeaderNames();
114 
115             while (enu1.hasMoreElements()) {
116                 String name = enu1.nextElement();
117 
118                 Enumeration<String> enu2 = request.getHeaders(name);
119 
120                 List<String> headers = new ArrayList<String>();
121 
122                 while (enu2.hasMoreElements()) {
123                     String value = enu2.nextElement();
124 
125                     headers.add(value);
126                 }
127 
128                 headerMap.put(
129                     name, headers.toArray(new String[headers.size()]));
130             }
131 
132             Map<String, String[]> parameterMap = request.getParameterMap();
133 
134             if (Validator.isNull(authType)) {
135                 authType = company.getAuthType();
136             }
137 
138             int authResult = Authenticator.FAILURE;
139 
140             if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
141                 authResult = UserLocalServiceUtil.authenticateByEmailAddress(
142                     company.getCompanyId(), login, password, headerMap,
143                     parameterMap);
144 
145                 userId = UserLocalServiceUtil.getUserIdByEmailAddress(
146                     company.getCompanyId(), login);
147             }
148             else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
149                 authResult = UserLocalServiceUtil.authenticateByScreenName(
150                     company.getCompanyId(), login, password, headerMap,
151                     parameterMap);
152 
153                 userId = UserLocalServiceUtil.getUserIdByScreenName(
154                     company.getCompanyId(), login);
155             }
156             else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
157                 authResult = UserLocalServiceUtil.authenticateByUserId(
158                     company.getCompanyId(), userId, password, headerMap,
159                     parameterMap);
160             }
161 
162             if (authResult != Authenticator.SUCCESS) {
163                 throw new AuthException();
164             }
165         }
166 
167         return userId;
168     }
169 
170     public static String getLogin(
171             HttpServletRequest request, String paramName, Company company)
172         throws SystemException {
173 
174         String login = request.getParameter(paramName);
175 
176         if ((login == null) || (login.equals(StringPool.NULL))) {
177             login = GetterUtil.getString(
178                 CookieKeys.getCookie(request, CookieKeys.LOGIN));
179 
180             if (PropsValues.COMPANY_LOGIN_PREPOPULATE_DOMAIN &&
181                 Validator.isNull(login) &&
182                 company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
183 
184                 login = "@" + company.getMx();
185             }
186         }
187 
188         return login;
189     }
190 
191     public static PortletURL getLoginURL(
192             HttpServletRequest request, long plid)
193         throws PortletModeException, WindowStateException {
194 
195         PortletURL portletURL = new PortletURLImpl(
196             request, PortletKeys.LOGIN, plid, PortletRequest.RENDER_PHASE);
197 
198         portletURL.setWindowState(WindowState.MAXIMIZED);
199         portletURL.setPortletMode(PortletMode.VIEW);
200 
201         portletURL.setParameter("saveLastPath", "0");
202         portletURL.setParameter("struts_action", "/login/login");
203 
204         return portletURL;
205     }
206 
207     public static void login(
208             HttpServletRequest request, HttpServletResponse response,
209             String login, String password, boolean rememberMe, String authType)
210         throws Exception {
211 
212         CookieKeys.validateSupportCookie(request);
213 
214         HttpSession session = request.getSession();
215 
216         Company company = PortalUtil.getCompany(request);
217 
218         long userId = getAuthenticatedUserId(
219             request, login, password, authType);
220 
221         if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
222 
223             // Invalidate the previous session to prevent phishing
224 
225             String[] protectedAttributeNames =
226                 PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
227 
228             Map<String, Object> protectedAttributes =
229                 new HashMap<String, Object>();
230 
231             for (String protectedAttributeName : protectedAttributeNames) {
232                 Object protectedAttributeValue = session.getAttribute(
233                     protectedAttributeName);
234 
235                 if (protectedAttributeValue == null) {
236                     continue;
237                 }
238 
239                 protectedAttributes.put(
240                     protectedAttributeName, protectedAttributeValue);
241             }
242 
243             try {
244                 session.invalidate();
245             }
246             catch (IllegalStateException ise) {
247 
248                 // This only happens in Geronimo
249 
250                 if (_log.isWarnEnabled()) {
251                     _log.warn(ise.getMessage());
252                 }
253             }
254 
255             session = request.getSession(true);
256 
257             for (String protectedAttributeName : protectedAttributeNames) {
258                 Object protectedAttributeValue = protectedAttributes.get(
259                     protectedAttributeName);
260 
261                 if (protectedAttributeValue == null) {
262                     continue;
263                 }
264 
265                 session.setAttribute(
266                     protectedAttributeName, protectedAttributeValue);
267             }
268         }
269 
270         // Set cookies
271 
272         String domain = CookieKeys.getDomain(request);
273 
274         User user = UserLocalServiceUtil.getUserById(userId);
275 
276         String userIdString = String.valueOf(userId);
277 
278         session.setAttribute("j_username", userIdString);
279         session.setAttribute("j_password", user.getPassword());
280         session.setAttribute("j_remoteuser", userIdString);
281 
282         session.setAttribute(WebKeys.USER_PASSWORD, password);
283 
284         Cookie companyIdCookie = new Cookie(
285             CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
286 
287         if (Validator.isNotNull(domain)) {
288             companyIdCookie.setDomain(domain);
289         }
290 
291         companyIdCookie.setPath(StringPool.SLASH);
292 
293         Cookie idCookie = new Cookie(
294             CookieKeys.ID, UserLocalServiceUtil.encryptUserId(userIdString));
295 
296         if (Validator.isNotNull(domain)) {
297             idCookie.setDomain(domain);
298         }
299 
300         idCookie.setPath(StringPool.SLASH);
301 
302         Cookie passwordCookie = new Cookie(
303             CookieKeys.PASSWORD,
304             Encryptor.encrypt(company.getKeyObj(), password));
305 
306         if (Validator.isNotNull(domain)) {
307             passwordCookie.setDomain(domain);
308         }
309 
310         passwordCookie.setPath(StringPool.SLASH);
311 
312         Cookie rememberMeCookie = new Cookie(
313             CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
314 
315         if (Validator.isNotNull(domain)) {
316             rememberMeCookie.setDomain(domain);
317         }
318 
319         rememberMeCookie.setPath(StringPool.SLASH);
320 
321         int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
322 
323         if (PropsValues.SESSION_DISABLED) {
324             rememberMe = true;
325         }
326 
327         if (rememberMe) {
328             companyIdCookie.setMaxAge(loginMaxAge);
329             idCookie.setMaxAge(loginMaxAge);
330             passwordCookie.setMaxAge(loginMaxAge);
331             rememberMeCookie.setMaxAge(loginMaxAge);
332         }
333         else {
334 
335             // This was explicitly changed from 0 to -1 so that the cookie lasts
336             // as long as the browser. This allows an external servlet wrapped
337             // in AutoLoginFilter to work throughout the client connection. The
338             // cookies ARE removed on an actual logout, so there is no security
339             // issue. See LEP-4678 and LEP-5177.
340 
341             companyIdCookie.setMaxAge(-1);
342             idCookie.setMaxAge(-1);
343             passwordCookie.setMaxAge(-1);
344             rememberMeCookie.setMaxAge(0);
345         }
346 
347         Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
348 
349         if (Validator.isNotNull(domain)) {
350             loginCookie.setDomain(domain);
351         }
352 
353         loginCookie.setMaxAge(loginMaxAge);
354         loginCookie.setPath(StringPool.SLASH);
355 
356         Cookie screenNameCookie = new Cookie(
357             CookieKeys.SCREEN_NAME,
358             Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
359 
360         if (Validator.isNotNull(domain)) {
361             screenNameCookie.setDomain(domain);
362         }
363 
364         screenNameCookie.setMaxAge(loginMaxAge);
365         screenNameCookie.setPath(StringPool.SLASH);
366 
367         boolean secure = request.isSecure();
368 
369         if (secure) {
370             Boolean httpsInitial = (Boolean)session.getAttribute(
371                 WebKeys.HTTPS_INITIAL);
372 
373             if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
374                 secure = false;
375             }
376         }
377 
378         CookieKeys.addCookie(request, response, companyIdCookie, secure);
379         CookieKeys.addCookie(request, response, idCookie, secure);
380         CookieKeys.addCookie(request, response, passwordCookie, secure);
381         CookieKeys.addCookie(request, response, rememberMeCookie, secure);
382         CookieKeys.addCookie(request, response, loginCookie, secure);
383         CookieKeys.addCookie(request, response, screenNameCookie, secure);
384     }
385 
386     public static void sendPassword(ActionRequest actionRequest)
387         throws Exception {
388 
389         String toAddress = ParamUtil.getString(actionRequest, "emailAddress");
390 
391         sendPassword(actionRequest, null, null, toAddress, null, null);
392     }
393 
394     public static void sendPassword(
395             ActionRequest actionRequest, String fromName, String fromAddress,
396             String toAddress, String subject, String body)
397         throws Exception {
398 
399         HttpServletRequest request = PortalUtil.getHttpServletRequest(
400             actionRequest);
401 
402         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
403             WebKeys.THEME_DISPLAY);
404 
405         Company company = themeDisplay.getCompany();
406 
407         if (!company.isSendPassword()) {
408             return;
409         }
410 
411         String remoteAddr = request.getRemoteAddr();
412         String remoteHost = request.getRemoteHost();
413         String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
414 
415         UserLocalServiceUtil.sendPassword(
416             company.getCompanyId(), toAddress, remoteAddr, remoteHost,
417             userAgent, fromName, fromAddress, subject, body);
418 
419         SessionMessages.add(actionRequest, "request_processed", toAddress);
420     }
421 
422     private static Log _log = LogFactoryUtil.getLog(LoginUtil.class);
423 
424 }