1   /**
2    * Copyright (c) 2000-2008 Liferay, Inc. All rights reserved.
3    *
4    * Permission is hereby granted, free of charge, to any person obtaining a copy
5    * of this software and associated documentation files (the "Software"), to deal
6    * in the Software without restriction, including without limitation the rights
7    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8    * copies of the Software, and to permit persons to whom the Software is
9    * furnished to do so, subject to the following conditions:
10   *
11   * The above copyright notice and this permission notice shall be included in
12   * all copies or substantial portions of the Software.
13   *
14   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
20   * SOFTWARE.
21   */
22  
23  package com.liferay.portal.action;
24  
25  import com.liferay.portal.CookieNotSupportedException;
26  import com.liferay.portal.NoSuchUserException;
27  import com.liferay.portal.PasswordExpiredException;
28  import com.liferay.portal.PortalException;
29  import com.liferay.portal.SendPasswordException;
30  import com.liferay.portal.SystemException;
31  import com.liferay.portal.UserEmailAddressException;
32  import com.liferay.portal.UserIdException;
33  import com.liferay.portal.UserLockoutException;
34  import com.liferay.portal.UserPasswordException;
35  import com.liferay.portal.UserScreenNameException;
36  import com.liferay.portal.captcha.CaptchaTextException;
37  import com.liferay.portal.captcha.CaptchaUtil;
38  import com.liferay.portal.kernel.servlet.HttpHeaders;
39  import com.liferay.portal.kernel.servlet.SessionErrors;
40  import com.liferay.portal.kernel.servlet.SessionMessages;
41  import com.liferay.portal.kernel.util.Constants;
42  import com.liferay.portal.kernel.util.GetterUtil;
43  import com.liferay.portal.kernel.util.ParamUtil;
44  import com.liferay.portal.kernel.util.StringPool;
45  import com.liferay.portal.kernel.util.Validator;
46  import com.liferay.portal.model.Company;
47  import com.liferay.portal.model.CompanyConstants;
48  import com.liferay.portal.model.User;
49  import com.liferay.portal.security.auth.AuthException;
50  import com.liferay.portal.security.auth.Authenticator;
51  import com.liferay.portal.service.UserLocalServiceUtil;
52  import com.liferay.portal.struts.LastPath;
53  import com.liferay.portal.theme.ThemeDisplay;
54  import com.liferay.portal.util.CookieKeys;
55  import com.liferay.portal.util.PortalUtil;
56  import com.liferay.portal.util.PropsValues;
57  import com.liferay.portal.util.WebKeys;
58  import com.liferay.util.Encryptor;
59  import com.liferay.util.servlet.SessionParameters;
60  
61  import java.util.ArrayList;
62  import java.util.Enumeration;
63  import java.util.HashMap;
64  import java.util.List;
65  import java.util.Map;
66  
67  import javax.servlet.http.Cookie;
68  import javax.servlet.http.HttpServletRequest;
69  import javax.servlet.http.HttpServletResponse;
70  import javax.servlet.http.HttpSession;
71  
72  import org.apache.commons.logging.Log;
73  import org.apache.commons.logging.LogFactory;
74  import org.apache.struts.action.Action;
75  import org.apache.struts.action.ActionForm;
76  import org.apache.struts.action.ActionForward;
77  import org.apache.struts.action.ActionMapping;
78  
79  /**
80   * <a href="LoginAction.java.html"><b><i>View Source</i></b></a>
81   *
82   * @author Brian Wing Shun Chan
83   * @author Scott Lee
84   *
85   */
86  public class LoginAction extends Action {
87  
88      public static String getLogin(
89              HttpServletRequest request, String paramName, Company company)
90          throws PortalException, SystemException {
91  
92          String login = request.getParameter(paramName);
93  
94          if ((login == null) || (login.equals(StringPool.NULL))) {
95              login = GetterUtil.getString(
96                  CookieKeys.getCookie(request, CookieKeys.LOGIN));
97  
98              if (PropsValues.COMPANY_LOGIN_PREPOPULATE_DOMAIN &&
99                  Validator.isNull(login) &&
100                 company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
101 
102                 login = "@" + company.getMx();
103             }
104         }
105 
106         return login;
107     }
108 
109     public static void login(
110             HttpServletRequest request, HttpServletResponse response,
111             String login, String password, boolean rememberMe)
112         throws Exception {
113 
114         CookieKeys.validateSupportCookie(request);
115 
116         HttpSession session = request.getSession();
117 
118         long userId = GetterUtil.getLong(login);
119 
120         int authResult = Authenticator.FAILURE;
121 
122         Company company = PortalUtil.getCompany(request);
123 
124         Map<String, String[]> headerMap = new HashMap<String, String[]>();
125 
126         Enumeration<String> enu1 = request.getHeaderNames();
127 
128         while (enu1.hasMoreElements()) {
129             String name = enu1.nextElement();
130 
131             Enumeration<String> enu2 = request.getHeaders(name);
132 
133             List<String> headers = new ArrayList<String>();
134 
135             while (enu2.hasMoreElements()) {
136                 String value = enu2.nextElement();
137 
138                 headers.add(value);
139             }
140 
141             headerMap.put(name, headers.toArray(new String[headers.size()]));
142         }
143 
144         Map<String, String[]> parameterMap = request.getParameterMap();
145 
146         if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
147             authResult = UserLocalServiceUtil.authenticateByEmailAddress(
148                 company.getCompanyId(), login, password, headerMap,
149                 parameterMap);
150 
151             userId = UserLocalServiceUtil.getUserIdByEmailAddress(
152                 company.getCompanyId(), login);
153         }
154         else if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_SN)) {
155             authResult = UserLocalServiceUtil.authenticateByScreenName(
156                 company.getCompanyId(), login, password, headerMap,
157                 parameterMap);
158 
159             userId = UserLocalServiceUtil.getUserIdByScreenName(
160                 company.getCompanyId(), login);
161         }
162         else if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_ID)) {
163             authResult = UserLocalServiceUtil.authenticateByUserId(
164                 company.getCompanyId(), userId, password, headerMap,
165                 parameterMap);
166         }
167 
168         if (authResult == Authenticator.SUCCESS) {
169             if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
170 
171                 // Invalidate the previous session to prevent phishing
172 
173                 Boolean httpsInitial = (Boolean)session.getAttribute(
174                     WebKeys.HTTPS_INITIAL);
175 
176                 LastPath lastPath = (LastPath)session.getAttribute(
177                     WebKeys.LAST_PATH);
178 
179                 try {
180                     session.invalidate();
181                 }
182                 catch (IllegalStateException ise) {
183 
184                     // This only happens in Geronimo
185 
186                     if (_log.isWarnEnabled()) {
187                         _log.warn(ise.getMessage());
188                     }
189                 }
190 
191                 session = request.getSession(true);
192 
193                 if (httpsInitial != null) {
194                     session.setAttribute(WebKeys.HTTPS_INITIAL, httpsInitial);
195                 }
196 
197                 if (lastPath != null) {
198                     session.setAttribute(WebKeys.LAST_PATH, lastPath);
199                 }
200             }
201 
202             // Set cookies
203 
204             String domain = CookieKeys.getDomain(request);
205 
206             User user = UserLocalServiceUtil.getUserById(userId);
207 
208             String userIdString = String.valueOf(userId);
209 
210             session.setAttribute("j_username", userIdString);
211             session.setAttribute("j_password", user.getPassword());
212             session.setAttribute("j_remoteuser", userIdString);
213 
214             session.setAttribute(WebKeys.USER_PASSWORD, password);
215 
216             Cookie companyIdCookie = new Cookie(
217                 CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
218 
219             if (Validator.isNotNull(domain)) {
220                 companyIdCookie.setDomain(domain);
221             }
222 
223             companyIdCookie.setPath(StringPool.SLASH);
224 
225             Cookie idCookie = new Cookie(
226                 CookieKeys.ID,
227                 UserLocalServiceUtil.encryptUserId(userIdString));
228 
229             if (Validator.isNotNull(domain)) {
230                 idCookie.setDomain(domain);
231             }
232 
233             idCookie.setPath(StringPool.SLASH);
234 
235             Cookie passwordCookie = new Cookie(
236                 CookieKeys.PASSWORD,
237                 Encryptor.encrypt(company.getKeyObj(), password));
238 
239             if (Validator.isNotNull(domain)) {
240                 passwordCookie.setDomain(domain);
241             }
242 
243             passwordCookie.setPath(StringPool.SLASH);
244 
245             Cookie rememberMeCookie = new Cookie(
246                 CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
247 
248             if (Validator.isNotNull(domain)) {
249                 rememberMeCookie.setDomain(domain);
250             }
251 
252             rememberMeCookie.setPath(StringPool.SLASH);
253 
254             int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
255 
256             if (PropsValues.SESSION_DISABLED) {
257                 rememberMe = true;
258             }
259 
260             if (rememberMe) {
261                 companyIdCookie.setMaxAge(loginMaxAge);
262                 idCookie.setMaxAge(loginMaxAge);
263                 passwordCookie.setMaxAge(loginMaxAge);
264                 rememberMeCookie.setMaxAge(loginMaxAge);
265             }
266             else {
267 
268                 // This was explicitly changed from 0 to -1 so that the cookie
269                 // lasts as long as the browser. This allows an external servlet
270                 // wrapped in AutoLoginFilter to work throughout the client
271                 // connection. The cookies ARE removed on an actual logout, so
272                 // there is no security issue. See LEP-4678 and LEP-5177.
273 
274                 companyIdCookie.setMaxAge(-1);
275                 idCookie.setMaxAge(-1);
276                 passwordCookie.setMaxAge(-1);
277                 rememberMeCookie.setMaxAge(0);
278             }
279 
280             Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
281 
282             if (Validator.isNotNull(domain)) {
283                 loginCookie.setDomain(domain);
284             }
285 
286             loginCookie.setMaxAge(loginMaxAge);
287             loginCookie.setPath(StringPool.SLASH);
288 
289             Cookie screenNameCookie = new Cookie(
290                 CookieKeys.SCREEN_NAME,
291                 Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
292 
293             if (Validator.isNotNull(domain)) {
294                 screenNameCookie.setDomain(domain);
295             }
296 
297             screenNameCookie.setMaxAge(loginMaxAge);
298             screenNameCookie.setPath(StringPool.SLASH);
299 
300             CookieKeys.addCookie(response, companyIdCookie);
301             CookieKeys.addCookie(response, idCookie);
302             CookieKeys.addCookie(response, passwordCookie);
303             CookieKeys.addCookie(response, rememberMeCookie);
304             CookieKeys.addCookie(response, loginCookie);
305             CookieKeys.addCookie(response, screenNameCookie);
306         }
307         else {
308             throw new AuthException();
309         }
310     }
311 
312     public ActionForward execute(
313             ActionMapping mapping, ActionForm form, HttpServletRequest request,
314             HttpServletResponse response)
315         throws Exception {
316 
317         if (PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS &&
318             !request.isSecure()) {
319 
320             ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
321                 WebKeys.THEME_DISPLAY);
322 
323             StringBuilder sb = new StringBuilder();
324 
325             sb.append(PortalUtil.getPortalURL(request, true));
326             sb.append(themeDisplay.getURLSignIn());
327 
328             response.sendRedirect(sb.toString());
329 
330             return null;
331         }
332 
333         HttpSession session = request.getSession();
334 
335         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
336             WebKeys.THEME_DISPLAY);
337 
338         if (session.getAttribute("j_username") != null &&
339             session.getAttribute("j_password") != null) {
340 
341             if (PropsValues.PORTAL_JAAS_ENABLE) {
342                 return mapping.findForward("/portal/touch_protected.jsp");
343             }
344             else {
345                 response.sendRedirect(themeDisplay.getPathMain());
346 
347                 return null;
348             }
349         }
350 
351         String cmd = ParamUtil.getString(request, Constants.CMD);
352 
353         if (cmd.equals("already-registered")) {
354             try {
355                 login(request, response);
356 
357                 if (PropsValues.PORTAL_JAAS_ENABLE) {
358                     return mapping.findForward("/portal/touch_protected.jsp");
359                 }
360                 else {
361                     String redirect = ParamUtil.getString(request, "redirect");
362 
363                     if (Validator.isNotNull(redirect)) {
364                         response.sendRedirect(redirect);
365                     }
366                     else {
367                         response.sendRedirect(themeDisplay.getPathMain());
368                     }
369 
370                     return null;
371                 }
372             }
373             catch (Exception e) {
374                 if (e instanceof AuthException) {
375                     Throwable cause = e.getCause();
376 
377                     if (cause instanceof PasswordExpiredException ||
378                         cause instanceof UserLockoutException) {
379 
380                         SessionErrors.add(request, cause.getClass().getName());
381                     }
382                     else {
383                         SessionErrors.add(request, e.getClass().getName());
384                     }
385 
386                     return mapping.findForward("portal.login");
387                 }
388                 else if (e instanceof CookieNotSupportedException ||
389                          e instanceof NoSuchUserException ||
390                          e instanceof PasswordExpiredException ||
391                          e instanceof UserEmailAddressException ||
392                          e instanceof UserIdException ||
393                          e instanceof UserLockoutException ||
394                          e instanceof UserPasswordException ||
395                          e instanceof UserScreenNameException) {
396 
397                     SessionErrors.add(request, e.getClass().getName());
398 
399                     return mapping.findForward("portal.login");
400                 }
401                 else {
402                     PortalUtil.sendError(e, request, response);
403 
404                     return null;
405                 }
406             }
407         }
408         else if (cmd.equals("forgot-password")) {
409             try {
410                 sendPassword(request);
411 
412                 return mapping.findForward("portal.login");
413             }
414             catch (Exception e) {
415                 if (e instanceof CaptchaTextException ||
416                     e instanceof NoSuchUserException ||
417                     e instanceof SendPasswordException ||
418                     e instanceof UserEmailAddressException) {
419 
420                     SessionErrors.add(request, e.getClass().getName());
421 
422                     return mapping.findForward("portal.login");
423                 }
424                 else {
425                     PortalUtil.sendError(e, request, response);
426 
427                     return null;
428                 }
429             }
430         }
431         else {
432             String authLoginURL = PortalUtil.getCommunityLoginURL(themeDisplay);
433 
434             if (Validator.isNull(authLoginURL)) {
435                 authLoginURL = PropsValues.AUTH_LOGIN_URL;
436             }
437 
438             if (Validator.isNotNull(authLoginURL)) {
439                 response.sendRedirect(authLoginURL);
440 
441                 return null;
442             }
443             else {
444                 return mapping.findForward("portal.login");
445             }
446         }
447     }
448 
449     protected void login(
450             HttpServletRequest request, HttpServletResponse response)
451         throws Exception {
452 
453         String login = ParamUtil.getString(request, "login").toLowerCase();
454         String password = ParamUtil.getString(
455             request, SessionParameters.get(request, "password"));
456         boolean rememberMe = ParamUtil.getBoolean(request, "rememberMe");
457 
458         login(request, response, login, password, rememberMe);
459     }
460 
461     protected void sendPassword(HttpServletRequest request) throws Exception {
462         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
463             WebKeys.THEME_DISPLAY);
464 
465         Company company = themeDisplay.getCompany();
466 
467         if (!company.isSendPassword()) {
468             return;
469         }
470 
471         if (PropsValues.CAPTCHA_CHECK_PORTAL_SEND_PASSWORD) {
472             CaptchaUtil.check(request);
473         }
474 
475         String emailAddress = ParamUtil.getString(request, "emailAddress");
476 
477         String remoteAddr = request.getRemoteAddr();
478         String remoteHost = request.getRemoteHost();
479         String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
480 
481         UserLocalServiceUtil.sendPassword(
482             PortalUtil.getCompanyId(request), emailAddress, remoteAddr,
483             remoteHost, userAgent);
484 
485         SessionMessages.add(request, "request_processed", emailAddress);
486     }
487 
488     private static Log _log = LogFactory.getLog(LoginAction.class);
489 
490 }