015 package com.liferay.portal.security.auth;
016
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.SetUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;
import com.liferay.util.PwdGenerator;

import java.nio.charset.Charset;

import java.security.MessageDigest;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
035
036
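/**
 * {@link AuthToken} implementation backed by per-session random tokens (the
 * {@code p_auth} request parameter).
 *
 * <p>
 * Tokens are kept in a map stored on the {@link HttpSession} under
 * {@link WebKeys#AUTHENTICATION_TOKEN}, keyed by {@link #_PORTAL} for the
 * portal-wide token and by the portlet primary key for portlet-scoped tokens.
 * A token is generated lazily the first time it is requested for a key.
 * </p>
 *
 * <p>
 * {@link #check(HttpServletRequest)} accepts a request when either the
 * {@code p_auth} parameter matches the session token, or the
 * {@code p_auth_secret} parameter matches the digest of the configured
 * {@code auth.token.shared.secret}. The shared-secret path is only honored when
 * a secret is actually configured; see the method comment for why.
 * </p>
 *
 * <p>
 * NOTE(review): the session map is a plain {@link HashMap} and is not
 * synchronized; concurrent first requests for the same key in one session can
 * each generate a token and one of them will later be rejected. Confirm whether
 * the container serializes requests per session before relying on this.
 * </p>
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Loads the set of struts actions that are exempt from the token check from
	 * {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS}.
	 */
	public SessionAuthToken() {
		_ignoreActions = SetUtil.fromArray(
			PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
	}

	/**
	 * Validates the authentication token carried by the request.
	 *
	 * <p>
	 * The request passes if its struts action is on the ignore list, if
	 * {@code p_auth} equals the portal-wide session token, or if
	 * {@code p_auth_secret} equals the digest of the configured shared secret.
	 * Both comparisons are done in constant time so that a byte-by-byte timing
	 * difference cannot be used to recover either value.
	 * </p>
	 *
	 * @param  request the request to validate
	 * @throws PrincipalException if neither the session token nor the shared
	 *         secret matches
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request)) {
			return;
		}

		// Presumably "" when the parameter is absent (ParamUtil default); an
		// empty value can never equal a generated token, so absence is rejected.

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		// This lazily creates the token (and the session) if none exists yet;
		// a freshly generated token cannot match anything the client sent.

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (_tokensMatch(
				requestAuthenticationToken, sessionAuthenticationToken)) {

			return;
		}

		// Shared-secret fallback. It is only honored when a secret is actually
		// configured: with an empty property the comparand would be the digest
		// of the empty string, a constant anyone can compute (assuming
		// Encryptor.digest is an unsalted hash), which would turn the fallback
		// into an unauthenticated bypass of the CSRF check.

		if (!Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			String propertiesAuthenticationTokenSharedSecret =
				Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET);

			String requestAuthenticationTokenSharedSecret = ParamUtil.getString(
				request, "p_auth_secret");

			if (_tokensMatch(
					requestAuthenticationTokenSharedSecret,
					propertiesAuthenticationTokenSharedSecret)) {

				return;
			}
		}

		throw new PrincipalException("Invalid authentication token");
	}

	/**
	 * Returns the portal-wide token for the request's session, generating it on
	 * first use.
	 *
	 * @param  request the current request
	 * @return the portal-wide session token
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token scoped to a portlet instance on a layout, generating it
	 * on first use.
	 *
	 * @param  request the current request
	 * @param  plid the layout ID
	 * @param  portletId the portlet ID
	 * @return the token for the portlet primary key derived from {@code plid}
	 *         and {@code portletId}
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under {@code key} in the session map, creating
	 * and storing a new one if the key is absent or its value is null/empty.
	 *
	 * <p>
	 * NOTE(review): token strength depends entirely on
	 * {@link PwdGenerator#getPassword()}; confirm it draws from a
	 * cryptographically secure source and has enough entropy for use as a CSRF
	 * token.
	 * </p>
	 *
	 * @param  request the current request
	 * @param  key the map key ({@link #_PORTAL} or a portlet primary key)
	 * @return the existing or newly generated token for the key
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		Map<String, String> sessionAuthenticationTokensMap =
			getSessionAuthenticationTokensMap(request);

		String sessionAuthenticationToken = sessionAuthenticationTokensMap.get(
			key);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			sessionAuthenticationTokensMap.put(key, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns the token map stored on the session, creating both the session
	 * (via {@link HttpServletRequest#getSession()}) and the map if needed.
	 *
	 * @param  request the current request
	 * @return the mutable map of tokens attached to the session
	 */
	protected Map<String, String> getSessionAuthenticationTokensMap(
		HttpServletRequest request) {

		HttpSession session = request.getSession();

		// The attribute is only ever written by this class as a
		// Map<String, String>, so the unchecked cast is safe.

		@SuppressWarnings("unchecked")
		Map<String, String> sessionAuthenticationTokensMap =
			(Map<String, String>)session.getAttribute(
				WebKeys.AUTHENTICATION_TOKEN);

		if (sessionAuthenticationTokensMap == null) {
			sessionAuthenticationTokensMap = new HashMap<String, String>();

			session.setAttribute(
				WebKeys.AUTHENTICATION_TOKEN, sessionAuthenticationTokensMap);
		}

		return sessionAuthenticationTokensMap;
	}

	/**
	 * Returns whether the request's struts action is exempt from the token
	 * check. The action is read from the {@code struts_action} parameter in the
	 * namespace of the portlet named by {@code p_p_id}.
	 *
	 * <p>
	 * NOTE(review): both {@code p_p_id} and the namespaced action are client
	 * controlled. The exemption is only safe if the dispatcher routes on the
	 * same parameter, so an attacker cannot name an ignored action here while
	 * executing a different one; confirm against the request dispatcher.
	 * </p>
	 *
	 * @param  request the current request
	 * @return <code>true</code> if the action is on the ignore list
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Returns whether the given struts action is on the configured ignore list.
	 *
	 * @param  strutsAction the struts action path
	 * @return <code>true</code> if the action is exempt from the token check
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		return _ignoreActions.contains(strutsAction);
	}

	/**
	 * Compares two token strings without short-circuiting on the first
	 * differing byte, so the comparison time does not reveal how much of the
	 * expected value the caller has guessed. Only the length may be observable,
	 * which is acceptable since tokens have a fixed format.
	 *
	 * @param  expected the value the request must present
	 * @param  actual the value taken from the request
	 * @return <code>true</code> if both are non-null and byte-for-byte equal
	 */
	private static boolean _tokensMatch(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		return MessageDigest.isEqual(
			expected.getBytes(_UTF8), actual.getBytes(_UTF8));
	}

	private static final String _PORTAL = "PORTAL";

	// Explicit charset so the byte comparison does not depend on the platform
	// default encoding.

	private static final Charset _UTF8 = Charset.forName("UTF-8");

	private final Set<String> _ignoreActions;

}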