1   /**
2    * Copyright (c) 2000-2007 Liferay, Inc. All rights reserved.
3    *
4    * Permission is hereby granted, free of charge, to any person obtaining a copy
5    * of this software and associated documentation files (the "Software"), to deal
6    * in the Software without restriction, including without limitation the rights
7    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8    * copies of the Software, and to permit persons to whom the Software is
9    * furnished to do so, subject to the following conditions:
10   *
11   * The above copyright notice and this permission notice shall be included in
12   * all copies or substantial portions of the Software.
13   *
14   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
20   * SOFTWARE.
21   */
22  
23  package com.liferay.portal.servlet.filters.autologin;
24  
25  import com.liferay.portal.NoSuchUserException;
26  import com.liferay.portal.kernel.util.GetterUtil;
27  import com.liferay.portal.kernel.util.InstancePool;
28  import com.liferay.portal.kernel.util.Validator;
29  import com.liferay.portal.model.User;
30  import com.liferay.portal.security.auth.AutoLogin;
31  import com.liferay.portal.security.pwd.PwdEncryptor;
32  import com.liferay.portal.service.UserLocalServiceUtil;
33  import com.liferay.portal.util.PortalUtil;
34  import com.liferay.portal.util.PropsUtil;
35  import com.liferay.portal.util.WebKeys;
36  import com.liferay.util.servlet.ProtectedServletRequest;
37  
38  import java.io.IOException;
39  
40  import javax.servlet.Filter;
41  import javax.servlet.FilterChain;
42  import javax.servlet.FilterConfig;
43  import javax.servlet.ServletException;
44  import javax.servlet.ServletRequest;
45  import javax.servlet.ServletResponse;
46  import javax.servlet.http.HttpServletRequest;
47  import javax.servlet.http.HttpServletResponse;
48  import javax.servlet.http.HttpSession;
49  
50  import org.apache.commons.logging.Log;
51  import org.apache.commons.logging.LogFactory;
52  
53  /**
54   * <a href="AutoLoginFilter.java.html"><b><i>View Source</i></b></a>
55   *
56   * @author Brian Wing Shun Chan
57   *
58   */
public class AutoLoginFilter implements Filter {

    /**
     * Does nothing. The list of auto login hooks is read from
     * <code>PropsUtil</code> inside {@link #doFilter} rather than cached here.
     */
    public void init(FilterConfig config) throws ServletException {
    }

    /**
     * Runs the configured auto login hooks for a request that is not yet
     * associated with a user, then passes the request down the chain.
     *
     * <p>
     * The request counts as already signed in when either
     * <code>getRemoteUser()</code> or the <code>j_username</code> session
     * attribute is non-null; no hook is consulted in that case. Otherwise
     * each class name listed under <code>PropsUtil.AUTO_LOGIN_HOOKS</code> is
     * resolved through <code>InstancePool</code> and asked for credentials.
     * </p>
     *
     * <p>
     * Security notes for maintainers:
     * </p>
     *
     * <ul>
     * <li>
     * Credentials returned by a hook are never compared with the stored
     * password, neither here nor in {@link #getLoginRemoteUser}. Each hook is
     * therefore fully trusted to have authenticated the request, and the
     * <code>AUTO_LOGIN_HOOKS</code> property is security-relevant
     * configuration.
     * </li>
     * <li>
     * The value of the <code>AutoLogin.AUTO_LOGIN_REDIRECT</code> request
     * attribute is handed to <code>sendRedirect</code> unchanged. A hook that
     * derives it from request data has to validate the target itself.
     * </li>
     * <li>
     * The loop does not stop at the first hook that yields a user. Unless
     * JAAS is enabled, later hooks still run against the unwrapped request
     * and the last successful one decides both the wrapped request and the
     * session attributes.
     * </li>
     * <li>
     * <code>getSession()</code> creates a session when none exists, and the
     * same session object is kept after a successful login. NOTE(review): the
     * session id is not renewed in this class; confirm that session fixation
     * is handled elsewhere.
     * </li>
     * <li>
     * An exception thrown while processing one hook is logged and the
     * remaining hooks are still tried.
     * </li>
     * </ul>
     *
     * @param  req the incoming request, cast to
     *         <code>HttpServletRequest</code> without a type check
     * @param  res the outgoing response, cast to
     *         <code>HttpServletResponse</code> without a type check
     * @param  chain the remaining filter chain
     * @throws IOException if the chain fails with an I/O error
     * @throws ServletException if the chain fails
     */
    public void doFilter(
            ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest)req;
        HttpServletResponse httpResponse = (HttpServletResponse)res;

        HttpSession session = httpRequest.getSession();

        String containerUser = httpRequest.getRemoteUser();
        String sessionUser = (String)session.getAttribute("j_username");

        // Already signed in through the container or an earlier auto login

        if ((containerUser != null) || (sessionUser != null)) {
            chain.doFilter(req, res);

            return;
        }

        String[] hookClassNames = PropsUtil.getArray(
            PropsUtil.AUTO_LOGIN_HOOKS);

        for (int i = 0; i < hookClassNames.length; i++) {
            AutoLogin hook = (AutoLogin)InstancePool.get(hookClassNames[i]);

            try {
                String[] credentials = hook.login(httpRequest, httpResponse);

                // A hook may request a redirect instead of returning
                // credentials; the target is used exactly as provided

                String redirect = (String)req.getAttribute(
                    AutoLogin.AUTO_LOGIN_REDIRECT);

                if (redirect != null) {
                    httpResponse.sendRedirect(redirect);

                    return;
                }

                String loginRemoteUser = getLoginRemoteUser(
                    httpRequest, httpResponse, session, credentials);

                if (loginRemoteUser == null) {
                    continue;
                }

                req = new ProtectedServletRequest(
                    httpRequest, loginRemoteUser);

                // With JAAS enabled getLoginRemoteUser has already sent a
                // redirect, so the chain must not be invoked for this request

                boolean jaasEnabled = GetterUtil.getBoolean(
                    PropsUtil.get(PropsUtil.PORTAL_JAAS_ENABLE));

                if (jaasEnabled) {
                    return;
                }
            }
            catch (Exception e) {
                _log.warn(e, e);
                _log.error(e.getMessage());
            }
        }

        chain.doFilter(req, res);
    }

    /**
     * Does nothing; the filter holds no resources.
     */
    public void destroy() {
    }

    /**
     * Turns the credentials returned by an auto login hook into a signed in
     * session and returns the user name to expose as the remote user.
     *
     * <p>
     * The array must hold exactly three elements: the user id as a decimal
     * string, the password, and a boolean flag telling whether the password
     * is already encrypted. The login is refused (<code>null</code> is
     * returned and the session is left untouched) when the array has another
     * shape, when user id or password is empty, when the id does not parse to
     * a positive number, when no such user exists, or when the user is locked
     * out.
     * </p>
     *
     * <p>
     * Security notes for maintainers:
     * </p>
     *
     * <ul>
     * <li>
     * The password is not verified against the stored one. Only existence and
     * lockout state of the user are checked, so the caller must pass
     * credentials from a source that has already authenticated them.
     * NOTE(review): whether other account states need to be rejected as well
     * cannot be told from this class.
     * </li>
     * <li>
     * When the hook supplies an unencrypted password, that clear text value
     * is kept in the session under <code>WebKeys.USER_PASSWORD</code>.
     * Anything able to read or serialize the session can recover it.
     * </li>
     * </ul>
     *
     * @param  req the current request (not read by this method)
     * @param  res the current response, used for the JAAS redirect
     * @param  ses the session that receives <code>j_username</code>,
     *         <code>j_password</code> and possibly
     *         <code>WebKeys.USER_PASSWORD</code>
     * @param  credentials the hook result, may be <code>null</code>
     * @return the user id string on success, otherwise <code>null</code>
     * @throws Exception if the user lookup, the password encryption or the
     *         redirect fails
     */
    protected String getLoginRemoteUser(
            HttpServletRequest req, HttpServletResponse res, HttpSession ses,
            String[] credentials)
        throws Exception {

        if ((credentials == null) || (credentials.length != 3)) {
            return null;
        }

        String jUsername = credentials[0];
        String jPassword = credentials[1];
        boolean passwordEncrypted = GetterUtil.getBoolean(credentials[2]);

        boolean complete =
            Validator.isNotNull(jUsername) && Validator.isNotNull(jPassword);

        if (!complete) {
            return null;
        }

        long userId = GetterUtil.getLong(jUsername);

        if (userId <= 0) {
            return null;
        }

        try {
            User user = UserLocalServiceUtil.getUserById(userId);

            if (user.isLockout()) {
                return null;
            }
        }
        catch (NoSuchUserException nsue) {
            return null;
        }

        ses.setAttribute("j_username", jUsername);

        if (passwordEncrypted) {
            ses.setAttribute("j_password", jPassword);
        }
        else {
            ses.setAttribute("j_password", PwdEncryptor.encrypt(jPassword));

            // The clear text password is kept as well because external
            // resources such as a mail server cannot be reached with the
            // encrypted form only

            ses.setAttribute(WebKeys.USER_PASSWORD, jPassword);
        }

        boolean jaasEnabled = GetterUtil.getBoolean(
            PropsUtil.get(PropsUtil.PORTAL_JAAS_ENABLE));

        if (jaasEnabled) {
            res.sendRedirect(
                PortalUtil.getPathMain() + "/portal/touch_protected");
        }

        return jUsername;
    }

    private static Log _log = LogFactory.getLog(AutoLoginFilter.class);

}