15 package com.liferay.portal.security.auth;
16
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.SetUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
35
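/**
 * Session-scoped anti-forgery token ("p_auth") implementation of
 * {@link AuthToken}.
 *
 * <p>
 * A random token is minted per session, keyed either by {@link #_PORTAL} for
 * the portal as a whole or by a portlet primary key for a specific portlet
 * instance, and kept in the session under
 * {@link WebKeys#AUTHENTICATION_TOKEN}. {@link #check(HttpServletRequest)}
 * compares the {@code p_auth} request parameter against the portal-wide
 * token. As a fallback the request may carry the digest of the configured
 * shared secret in {@code p_auth_secret}; that path is only honoured when a
 * secret is actually configured. Note that the digest itself is then the
 * credential: anything that captures the parameter (access logs, referrers,
 * proxies) can replay it.
 * </p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Loads the set of struts actions that are exempt from token checking
	 * from the {@code auth.token.ignore.actions} portal property.
	 */
	public SessionAuthToken() {
		_ignoreActions = SetUtil.fromArray(
			PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
	}

	/**
	 * Verifies that the request carries a valid anti-forgery token.
	 *
	 * <p>
	 * The request passes if its struts action is on the ignore list, if
	 * {@code p_auth} equals the session's portal-wide token, or if a shared
	 * secret is configured and {@code p_auth_secret} equals its digest.
	 * </p>
	 *
	 * @param  request the request to validate
	 * @throws PrincipalException if neither token form is valid
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request)) {
			return;
		}

		String requestToken = ParamUtil.getString(request, "p_auth");

		String sessionToken = getSessionAuthenticationToken(request, _PORTAL);

		if (constantTimeEquals(requestToken, sessionToken)) {
			return;
		}

		// Shared-secret fallback. Only honoured when a secret is actually
		// configured: with an empty secret the expected value would be the
		// digest of the empty string, a public constant that any client could
		// supply to bypass the session token entirely.

		String sharedSecret = PropsValues.AUTH_TOKEN_SHARED_SECRET;

		if (!Validator.isNull(sharedSecret)) {
			String expectedSecretDigest = Encryptor.digest(sharedSecret);

			String requestSecretDigest = ParamUtil.getString(
				request, "p_auth_secret");

			if (constantTimeEquals(requestSecretDigest, expectedSecretDigest)) {
				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the session's portal-wide token, creating it on first use.
	 *
	 * @param  request the request whose session holds the token
	 * @return the portal-wide token for this session
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the session's token for one portlet instance, creating it on
	 * first use. The token is keyed by
	 * {@link PortletPermissionUtil#getPrimaryKey(long, String)}.
	 *
	 * @param  request the request whose session holds the token
	 * @param  plid the layout (page) id
	 * @param  portletId the portlet instance id
	 * @return the token for that portlet instance in this session
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Returns the token stored under <code>key</code> for the request's
	 * session, minting and storing a new one if none (or a blank one) exists.
	 *
	 * @param  request the request whose session is consulted
	 * @param  key the token key ({@link #_PORTAL} or a portlet primary key)
	 * @return the non-blank token now associated with <code>key</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		Map<String, String> tokens = getSessionAuthenticationTokensMap(request);

		String token = tokens.get(key);

		if (!Validator.isNull(token)) {
			return token;
		}

		// NOTE(review): PwdGenerator is a project utility; confirm it draws
		// from a cryptographically secure source, since this value is the
		// CSRF token for the whole session.

		String freshToken = PwdGenerator.getPassword();

		if (tokens instanceof ConcurrentMap) {
			ConcurrentMap<String, String> concurrentTokens =
				(ConcurrentMap<String, String>)tokens;

			// Two concurrent requests in the same session can both reach this
			// point. putIfAbsent makes them agree on a single token instead of
			// the loser handing the client a token that was never stored.

			String stored = concurrentTokens.putIfAbsent(key, freshToken);

			if (stored == null) {
				return freshToken;
			}

			if (!Validator.isNull(stored)) {
				return stored;
			}
		}

		// Plain map, or a blank placeholder was stored: overwrite it.

		tokens.put(key, freshToken);

		return freshToken;
	}

	/**
	 * Returns the per-session map of token key to token, creating and
	 * storing an empty one under {@link WebKeys#AUTHENTICATION_TOKEN} if the
	 * session has none yet.
	 *
	 * <p>
	 * There is a small window in which two concurrent first requests each
	 * create a map and the last <code>setAttribute</code> wins; a token put
	 * into the other map is then lost and the client must fetch a new one.
	 * </p>
	 *
	 * @param  request the request whose session is consulted
	 * @return the session's token map, never <code>null</code>
	 */
	protected Map<String, String> getSessionAuthenticationTokensMap(
		HttpServletRequest request) {

		HttpSession session = request.getSession();

		@SuppressWarnings("unchecked")
		Map<String, String> tokens = (Map<String, String>)session.getAttribute(
			WebKeys.AUTHENTICATION_TOKEN);

		if (tokens == null) {
			tokens = new ConcurrentHashMap<String, String>();

			session.setAttribute(WebKeys.AUTHENTICATION_TOKEN, tokens);
		}

		return tokens;
	}

	/**
	 * Returns whether the request's target struts action is exempt from token
	 * checking. The action is read from the
	 * <code>&lt;namespace&gt;struts_action</code> parameter of the portlet
	 * named by <code>p_p_id</code>.
	 *
	 * @param  request the request to inspect
	 * @return <code>true</code> if the action is on the ignore list
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Returns whether <code>strutsAction</code> is on the configured ignore
	 * list.
	 *
	 * @param  strutsAction the struts action path
	 * @return <code>true</code> if the action is exempt from token checking
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		return _ignoreActions.contains(strutsAction);
	}

	/**
	 * Compares two tokens without short-circuiting on the first mismatching
	 * byte, so response timing does not reveal how many leading characters of
	 * a guess were correct. A <code>null</code> on either side compares
	 * unequal. {@link MessageDigest#isEqual(byte[], byte[])} is time-constant
	 * for equal-length inputs on current JDKs; differing lengths return early.
	 */
	private static boolean constantTimeEquals(String actual, String expected) {
		if ((actual == null) || (expected == null)) {
			return false;
		}

		byte[] actualBytes = actual.getBytes(_UTF8);
		byte[] expectedBytes = expected.getBytes(_UTF8);

		return MessageDigest.isEqual(actualBytes, expectedBytes);
	}

	private static final String _PORTAL = "PORTAL";

	private static final Charset _UTF8 = Charset.forName("UTF-8");

	private final Set<String> _ignoreActions;

}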