001    /**
002     * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
003     *
004     * The contents of this file are subject to the terms of the Liferay Enterprise
005     * Subscription License ("License"). You may not use this file except in
006     * compliance with the License. You can obtain a copy of the License by
007     * contacting Liferay, Inc. See the License for the specific language governing
008     * permissions and limitations under the License, including but not limited to
009     * distribution rights of the Software.
010     *
011     *
012     *
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.util.ParamUtil;
018    import com.liferay.portal.kernel.util.PropsKeys;
019    import com.liferay.portal.kernel.util.SetUtil;
020    import com.liferay.portal.kernel.util.Validator;
021    import com.liferay.portal.kernel.util.WebKeys;
022    import com.liferay.portal.service.permission.PortletPermissionUtil;
023    import com.liferay.portal.util.PortalUtil;
024    import com.liferay.portal.util.PropsUtil;
025    import com.liferay.portal.util.PropsValues;
026    import com.liferay.util.Encryptor;
027    import com.liferay.util.PwdGenerator;
028    
029    import java.util.HashMap;
030    import java.util.Map;
031    import java.util.Set;
032    
033    import javax.servlet.http.HttpServletRequest;
034    import javax.servlet.http.HttpSession;
035    
036    /**
037     * @author Amos Fong
038     */
039    public class SessionAuthToken implements AuthToken {
040    
041            public SessionAuthToken() {
042                    _ignoreActions = SetUtil.fromArray(
043                            PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
044            }
045    
046            public void check(HttpServletRequest request) throws PrincipalException {
047                    if (isIgnoreAction(request)) {
048                            return;
049                    }
050    
051                    String requestAuthenticationToken = ParamUtil.getString(
052                            request, "p_auth");
053    
054                    String sessionAuthenticationToken = getSessionAuthenticationToken(
055                            request, _PORTAL);
056    
057                    String propertiesAuthenticatonTokenSharedSecret = Encryptor.digest(
058                            PropsValues.AUTH_TOKEN_SHARED_SECRET);
059    
060                    String requestAuthenticatonTokenSharedSecret = ParamUtil.getString(
061                            request, "p_auth_secret");
062    
063                    if (!requestAuthenticationToken.equals(sessionAuthenticationToken) &&
064                            !requestAuthenticatonTokenSharedSecret.equals(
065                                    propertiesAuthenticatonTokenSharedSecret)) {
066    
067                            throw new PrincipalException("Invalid authentication token");
068                    }
069            }
070    
071            public String getToken(HttpServletRequest request) {
072                    return getSessionAuthenticationToken(request, _PORTAL);
073            }
074    
075            public String getToken(
076                    HttpServletRequest request, long plid, String portletId) {
077    
078                    return getSessionAuthenticationToken(
079                            request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
080            }
081    
082            protected String getSessionAuthenticationToken(
083                    HttpServletRequest request, String key) {
084    
085                    Map<String, String> sessionAuthenticationTokensMap =
086                            getSessionAuthenticationTokensMap(request);
087    
088                    String sessionAuthenticationToken = sessionAuthenticationTokensMap.get(
089                            key);
090    
091                    if (Validator.isNull(sessionAuthenticationToken)) {
092                            sessionAuthenticationToken = PwdGenerator.getPassword();
093    
094                            sessionAuthenticationTokensMap.put(key, sessionAuthenticationToken);
095                    }
096    
097                    return sessionAuthenticationToken;
098            }
099    
100            protected Map<String, String> getSessionAuthenticationTokensMap(
101                    HttpServletRequest request) {
102    
103                    HttpSession session = request.getSession();
104    
105                    Map<String, String> sessionAuthenticationTokensMap =
106                            (Map<String, String>)session.getAttribute(
107                                    WebKeys.AUTHENTICATION_TOKEN);
108    
109                    if (sessionAuthenticationTokensMap == null) {
110                            sessionAuthenticationTokensMap = new HashMap<String, String>();
111    
112                            session.setAttribute(
113                                    WebKeys.AUTHENTICATION_TOKEN, sessionAuthenticationTokensMap);
114                    }
115    
116                    return sessionAuthenticationTokensMap;
117            }
118    
119            protected boolean isIgnoreAction(HttpServletRequest request) {
120                    String ppid = ParamUtil.getString(request, "p_p_id");
121    
122                    String portletNamespace = PortalUtil.getPortletNamespace(ppid);
123    
124                    String strutsAction = ParamUtil.getString(
125                            request, portletNamespace + "struts_action");
126    
127                    return isIgnoreAction(strutsAction);
128            }
129    
130            protected boolean isIgnoreAction(String strutsAction) {
131                    return _ignoreActions.contains(strutsAction);
132            }
133    
134            private static final String _PORTAL = "PORTAL";
135    
136            private Set<String> _ignoreActions;
137    
138    }