1   /**
2    * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
3    *
4    * The contents of this file are subject to the terms of the Liferay Enterprise
5    * Subscription License ("License"). You may not use this file except in
6    * compliance with the License. You can obtain a copy of the License by
7    * contacting Liferay, Inc. See the License for the specific language governing
8    * permissions and limitations under the License, including but not limited to
9    * distribution rights of the Software.
10   *
11   *
12   *
13   */
14  
15  package com.liferay.portal.security.auth;
16  
17  import com.liferay.portal.kernel.util.ParamUtil;
18  import com.liferay.portal.kernel.util.PropsKeys;
19  import com.liferay.portal.kernel.util.SetUtil;
20  import com.liferay.portal.kernel.util.Validator;
21  import com.liferay.portal.kernel.util.WebKeys;
22  import com.liferay.portal.service.permission.PortletPermissionUtil;
23  import com.liferay.portal.util.PortalUtil;
24  import com.liferay.portal.util.PropsUtil;
25  import com.liferay.portal.util.PropsValues;
26  import com.liferay.util.Encryptor;
27  import com.liferay.util.PwdGenerator;
28  
29  import java.util.Map;
30  import java.util.Set;
31  import java.util.concurrent.ConcurrentHashMap;
32  
33  import javax.servlet.http.HttpServletRequest;
34  import javax.servlet.http.HttpSession;
35  
36  /**
37   * <a href="SessionAuthToken.java.html"><b><i>View Source</i></b></a>
38   *
39   * @author Amos Fong
40   */
41  public class SessionAuthToken implements AuthToken {
42  
43      public SessionAuthToken() {
44          _ignoreActions = SetUtil.fromArray(
45              PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
46      }
47  
48      public void check(HttpServletRequest request) throws PrincipalException {
49          if (isIgnoreAction(request)) {
50              return;
51          }
52  
53          String requestAuthenticationToken = ParamUtil.getString(
54              request, "p_auth");
55  
56          String sessionAuthenticationToken = getSessionAuthenticationToken(
57              request, _PORTAL);
58  
59          String propertiesAuthenticatonTokenSharedSecret = Encryptor.digest(
60              PropsValues.AUTH_TOKEN_SHARED_SECRET);
61  
62          String requestAuthenticatonTokenSharedSecret = ParamUtil.getString(
63              request, "p_auth_secret");
64  
65          if (!requestAuthenticationToken.equals(sessionAuthenticationToken) &&
66              !requestAuthenticatonTokenSharedSecret.equals(
67                  propertiesAuthenticatonTokenSharedSecret)) {
68  
69              throw new PrincipalException("Invalid authentication token");
70          }
71      }
72  
73      public String getToken(HttpServletRequest request) {
74          return getSessionAuthenticationToken(request, _PORTAL);
75      }
76  
77      public String getToken(
78          HttpServletRequest request, long plid, String portletId) {
79  
80          return getSessionAuthenticationToken(
81              request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
82      }
83  
84      protected String getSessionAuthenticationToken(
85          HttpServletRequest request, String key) {
86  
87          Map<String, String> sessionAuthenticationTokensMap =
88              getSessionAuthenticationTokensMap(request);
89  
90          String sessionAuthenticationToken = sessionAuthenticationTokensMap.get(
91              key);
92  
93          if (Validator.isNull(sessionAuthenticationToken)) {
94              sessionAuthenticationToken = PwdGenerator.getPassword();
95  
96              sessionAuthenticationTokensMap.put(key, sessionAuthenticationToken);
97          }
98  
99          return sessionAuthenticationToken;
100     }
101 
102     protected Map<String, String> getSessionAuthenticationTokensMap(
103         HttpServletRequest request) {
104 
105         HttpSession session = request.getSession();
106 
107         Map<String, String> sessionAuthenticationTokensMap =
108             (Map<String, String>)session.getAttribute(
109                 WebKeys.AUTHENTICATION_TOKEN);
110 
111         if (sessionAuthenticationTokensMap == null) {
112             sessionAuthenticationTokensMap =
113                 new ConcurrentHashMap<String, String>();
114 
115             session.setAttribute(
116                 WebKeys.AUTHENTICATION_TOKEN, sessionAuthenticationTokensMap);
117         }
118 
119         return sessionAuthenticationTokensMap;
120     }
121 
122     protected boolean isIgnoreAction(HttpServletRequest request) {
123         String ppid = ParamUtil.getString(request, "p_p_id");
124 
125         String portletNamespace = PortalUtil.getPortletNamespace(ppid);
126 
127         String strutsAction = ParamUtil.getString(
128             request, portletNamespace + "struts_action");
129 
130         return isIgnoreAction(strutsAction);
131     }
132 
133     protected boolean isIgnoreAction(String strutsAction) {
134         return _ignoreActions.contains(strutsAction);
135     }
136 
137     private static final String _PORTAL = "PORTAL";
138 
139     private Set<String> _ignoreActions;
140 
141 }