23 package com.liferay.filters.secure;
24
25 import com.liferay.portal.kernel.util.GetterUtil;
26 import com.liferay.portal.kernel.util.StringMaker;
27 import com.liferay.portal.kernel.util.StringPool;
28 import com.liferay.portal.kernel.util.StringUtil;
29 import com.liferay.portal.kernel.util.Validator;
30 import com.liferay.portal.util.PropsUtil;
31 import com.liferay.util.CollectionFactory;
32 import com.liferay.util.Http;
33
34 import java.io.IOException;
35
36 import java.util.Set;
37
38 import javax.servlet.Filter;
39 import javax.servlet.FilterChain;
40 import javax.servlet.FilterConfig;
41 import javax.servlet.ServletException;
42 import javax.servlet.ServletRequest;
43 import javax.servlet.ServletResponse;
44 import javax.servlet.http.HttpServletRequest;
45 import javax.servlet.http.HttpServletResponse;
46
47 import org.apache.commons.logging.Log;
48 import org.apache.commons.logging.LogFactory;
49
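/**
 * Servlet filter that restricts access to a configured set of remote
 * addresses and, optionally, forces the request onto HTTPS.
 *
 * <p>Configuration is read in {@link #init(FilterConfig)} either from the
 * filter's own init parameters ({@code hosts.allowed},
 * {@code https.required}) or, when the {@code portal_property_prefix} init
 * parameter is set, from the portal properties carrying that prefix.</p>
 */
public class SecureFilter implements Filter {

	/**
	 * Reads the allow list and the HTTPS requirement.
	 *
	 * <p>Without {@code portal_property_prefix} the values come from the
	 * filter's init parameters; with it they come from
	 * {@code <prefix>hosts.allowed} and {@code <prefix>https.required} in the
	 * portal properties.</p>
	 *
	 * @param config the filter configuration supplied by the container
	 */
	public void init(FilterConfig config) {
		String propertyPrefix =
			config.getInitParameter("portal_property_prefix");

		String[] hostsAllowedArray = null;

		if (Validator.isNull(propertyPrefix)) {
			hostsAllowedArray = StringUtil.split(
				config.getInitParameter("hosts.allowed"));
			_httpsRequired = GetterUtil.getBoolean(
				config.getInitParameter("https.required"));
		}
		else {
			hostsAllowedArray = PropsUtil.getArray(
				propertyPrefix + "hosts.allowed");
			_httpsRequired = GetterUtil.getBoolean(
				PropsUtil.get(propertyPrefix + "https.required"));
		}

		// A missing property may be reported as null by either helper; an
		// empty allow list means every remote address is accepted.
		if (hostsAllowedArray != null) {
			for (int i = 0; i < hostsAllowedArray.length; i++) {
				_hostsAllowed.add(hostsAllowedArray[i]);
			}
		}
	}

	/**
	 * Rejects requests from addresses outside the allow list with
	 * {@code 403 Forbidden}, redirects plain-HTTP requests to HTTPS when that
	 * is required, and otherwise passes the request down the chain.
	 *
	 * @param req the request, which must be an {@link HttpServletRequest}
	 * @param res the response, which must be an {@link HttpServletResponse}
	 * @param chain the remaining filter chain
	 * @throws IOException if writing the error or redirect fails
	 * @throws ServletException if the rest of the chain fails
	 */
	public void doFilter(
			ServletRequest req, ServletResponse res, FilterChain chain)
		throws IOException, ServletException {

		HttpServletRequest httpReq = (HttpServletRequest)req;
		HttpServletResponse httpRes = (HttpServletResponse)res;

		String remoteAddr = httpReq.getRemoteAddr();

		if (!isAccessAllowed(httpReq)) {
			if (_log.isErrorEnabled()) {
				_log.error("Access denied for " + remoteAddr);
			}

			// remoteAddr is the socket peer address, not client-supplied text
			httpRes.sendError(
				HttpServletResponse.SC_FORBIDDEN,
				"Access denied for " + remoteAddr);

			return;
		}

		if (_log.isDebugEnabled()) {
			_log.debug("Access allowed for " + remoteAddr);

			if (_httpsRequired) {
				_log.debug("https is required");
			}
			else {
				_log.debug("https is not required");
			}
		}

		String completeURL = Http.getCompleteURL(httpReq);

		if (_httpsRequired && !httpReq.isSecure()) {
			if (_log.isDebugEnabled()) {
				_log.debug("Securing " + completeURL);
			}

			String redirectURL = getSecureRedirectURL(httpReq);

			if (_log.isDebugEnabled()) {
				_log.debug("Redirect to " + redirectURL);
			}

			httpRes.sendRedirect(redirectURL);
		}
		else {
			if (_log.isDebugEnabled()) {
				_log.debug("Not securing " + completeURL);
			}

			chain.doFilter(req, res);
		}
	}

	/**
	 * Nothing to release: the configuration lives in plain fields.
	 */
	public void destroy() {
	}

	/**
	 * Decides whether the request's remote address may pass this filter.
	 *
	 * <p>An empty allow list permits everyone. Otherwise the remote address
	 * must be listed, or the list must contain the {@code SERVER_IP} token
	 * and the request must be one the server made to itself, i.e. the remote
	 * address equals the local address the connection arrived on.</p>
	 *
	 * <p>The self-request check uses {@code getLocalAddr()} on purpose.
	 * {@code getServerName()} is derived from the client-supplied
	 * {@code Host} header and therefore cannot be the basis of an access
	 * decision.</p>
	 *
	 * @param req the current request
	 * @return {@code true} if the request may proceed
	 */
	protected boolean isAccessAllowed(HttpServletRequest req) {
		if (_hostsAllowed.isEmpty()) {
			return true;
		}

		String remoteAddr = req.getRemoteAddr();

		if (_hostsAllowed.contains(remoteAddr)) {
			return true;
		}

		if (_hostsAllowed.contains(_SERVER_IP)) {
			String localAddr = req.getLocalAddr();

			return (localAddr != null) && localAddr.equals(remoteAddr);
		}

		return false;
	}

	/**
	 * Builds the HTTPS URL a plain-HTTP request is redirected to.
	 *
	 * <p>The path comes from {@code getRequestURI()} so that the context
	 * path and any path info survive the redirect; {@code getServletPath()}
	 * alone drops both. The query string is appended as received, since the
	 * container hands it over still encoded.</p>
	 *
	 * <p>NOTE(review): the host part is the request's own server name, which
	 * the container derives from the {@code Host} header; this filter has no
	 * configured canonical host to check it against, so the container's
	 * virtual-host setup is what bounds it.</p>
	 *
	 * @param req the request being redirected
	 * @return the absolute {@code https://} URL for the same resource
	 */
	protected String getSecureRedirectURL(HttpServletRequest req) {
		StringMaker redirectURL = new StringMaker();

		redirectURL.append(Http.HTTPS_WITH_SLASH);
		redirectURL.append(req.getServerName());
		redirectURL.append(req.getRequestURI());

		String queryString = req.getQueryString();

		if (Validator.isNotNull(queryString)) {
			redirectURL.append(StringPool.QUESTION);
			redirectURL.append(queryString);
		}

		return redirectURL.toString();
	}

	// Allow-list token meaning "requests the server makes to itself".
	private static final String _SERVER_IP = "SERVER_IP";

	private static final Log _log = LogFactory.getLog(SecureFilter.class);

	// Remote addresses (plus, optionally, the SERVER_IP token) permitted
	// through this filter; empty means unrestricted.
	private Set _hostsAllowed = CollectionFactory.getHashSet();
	private boolean _httpsRequired;

}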