1   /**
2    * Copyright (c) 2000-2008 Liferay, Inc. All rights reserved.
3    *
4    * Permission is hereby granted, free of charge, to any person obtaining a copy
5    * of this software and associated documentation files (the "Software"), to deal
6    * in the Software without restriction, including without limitation the rights
7    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8    * copies of the Software, and to permit persons to whom the Software is
9    * furnished to do so, subject to the following conditions:
10   *
11   * The above copyright notice and this permission notice shall be included in
12   * all copies or substantial portions of the Software.
13   *
14   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
20   * SOFTWARE.
21   */
22  
23  package com.liferay.portal.servlet.filters.autologin;
24  
25  import com.liferay.portal.NoSuchUserException;
26  import com.liferay.portal.kernel.log.Log;
27  import com.liferay.portal.kernel.log.LogFactoryUtil;
28  import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
29  import com.liferay.portal.kernel.util.GetterUtil;
30  import com.liferay.portal.kernel.util.InstancePool;
31  import com.liferay.portal.kernel.util.StringPool;
32  import com.liferay.portal.kernel.util.Validator;
33  import com.liferay.portal.model.User;
34  import com.liferay.portal.security.auth.AutoLogin;
35  import com.liferay.portal.security.pwd.PwdEncryptor;
36  import com.liferay.portal.service.UserLocalServiceUtil;
37  import com.liferay.portal.servlet.filters.BasePortalFilter;
38  import com.liferay.portal.util.PortalInstances;
39  import com.liferay.portal.util.PortalUtil;
40  import com.liferay.portal.util.PropsValues;
41  import com.liferay.portal.util.WebKeys;
42  
43  import java.io.IOException;
44  
45  import javax.servlet.FilterChain;
46  import javax.servlet.ServletException;
47  import javax.servlet.http.HttpServletRequest;
48  import javax.servlet.http.HttpServletResponse;
49  import javax.servlet.http.HttpSession;
50  
51  /**
52   * <a href="AutoLoginFilter.java.html"><b><i>View Source</i></b></a>
53   *
54   * @author Brian Wing Shun Chan
55   * @author Raymond Augé
56   *
57   */
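public class AutoLoginFilter extends BasePortalFilter {

    /*
     * Servlet filter that runs the configured auto-login hooks
     * (PropsValues.AUTO_LOGIN_HOOKS) for requests that have neither a
     * container remote user nor a "j_username" session attribute. Requests
     * whose host or path is on the auto-login ignore lists skip the hooks.
     *
     * Security notes for maintainers:
     * - This filter turns whatever a hook returns into an authenticated
     *   identity, so each hook is part of the authentication boundary.
     * - NOTE(review): the session obtained before login is reused afterwards;
     *   nothing in this class rotates the session id. Confirm that
     *   session-fixation protection is applied elsewhere.
     */

    /**
     * Checks the credentials returned by an auto-login hook and, when they
     * are accepted, records them in the session.
     *
     * @param request the current request (not read by this method)
     * @param response the current response; used to redirect to
     *        <code>/portal/touch_protected</code> when JAAS is enabled
     * @param session the session that receives the login attributes
     * @param credentials hook result, expected as
     *        <code>{userId, password, passwordAlreadyEncrypted}</code>
     * @return the user id string to use as remote user, or <code>null</code>
     *         when the credentials are missing, malformed, refer to an
     *         unknown user or refer to a locked-out user
     * @throws Exception if the user lookup, the password encryption or the
     *         redirect fails
     */
    protected String getLoginRemoteUser(
            HttpServletRequest request, HttpServletResponse response,
            HttpSession session, String[] credentials)
        throws Exception {

        // A hook signals "no login" with null; any other shape is rejected.

        if ((credentials == null) || (credentials.length != 3)) {
            return null;
        }

        String jUsername = credentials[0];
        String jPassword = credentials[1];
        boolean encPassword = GetterUtil.getBoolean(credentials[2]);

        if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
            return null;
        }

        // The user name must be a positive numeric id of an existing user.
        // NOTE(review): only the lockout state is checked here; whether
        // deactivated accounts are rejected elsewhere is not visible from
        // this class -- confirm.

        try {
            long userId = GetterUtil.getLong(jUsername);

            if (userId <= 0) {
                return null;
            }

            User user = UserLocalServiceUtil.getUserById(userId);

            if (user.isLockout()) {
                return null;
            }
        }
        catch (NoSuchUserException nsue) {
            return null;
        }

        session.setAttribute("j_username", jUsername);

        if (encPassword) {

            // The hook supplied an already encrypted password. Without the
            // unencrypted password the portal cannot connect to external
            // resources that require it (mail server).

            session.setAttribute("j_password", jPassword);
        }
        else {
            session.setAttribute(
                "j_password", PwdEncryptor.encrypt(jPassword));

            // The clear-text password is kept in the session under
            // WebKeys.USER_PASSWORD. Anything that can read, replicate or
            // persist the session therefore sees it; treat session storage
            // as sensitive.

            session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
        }

        if (PropsValues.PORTAL_JAAS_ENABLE) {
            response.sendRedirect(
                PortalUtil.getPathMain() + "/portal/touch_protected");
        }

        return jUsername;
    }

    /**
     * Applies auto-login to the request and then continues the filter chain.
     *
     * <p>
     * The chain is not continued when a hook requested a redirect, or when a
     * login succeeded with JAAS enabled (the response has then already been
     * redirected by {@link #getLoginRemoteUser}).
     * </p>
     *
     * @param request the incoming request; replaced by a
     *        <code>ProtectedServletRequest</code> after a successful login
     * @param response the response, possibly used for a redirect
     * @param filterChain the remaining filter chain
     * @throws IOException if a redirect or the chain fails with an I/O error
     * @throws ServletException if the chain fails
     */
    protected void processFilter(
            HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain)
        throws IOException, ServletException {

        HttpSession session = request.getSession();

        String host = PortalUtil.getHost(request);

        if (PortalInstances.isAutoLoginIgnoreHost(host)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Ignore host " + host);
            }

            processFilter(
                AutoLoginFilter.class, request, response, filterChain);

            return;
        }

        String contextPath = PortalUtil.getPathContext();

        // Fold case with a fixed locale: the default-locale variant gives
        // different results under e.g. a Turkish default locale, which would
        // make the ignore-path comparison depend on server settings.

        String path = request.getRequestURI().toLowerCase(
            java.util.Locale.ENGLISH);

        // The context path is only meaningful as a prefix. Stripping on a
        // match anywhere in the URI would cut the wrong characters and hand
        // a mangled path to the ignore-path check.
        // NOTE(review): a context path containing upper-case characters
        // never matches the lower-cased URI -- confirm whether that is
        // intended.

        if (!contextPath.equals(StringPool.SLASH) &&
            path.startsWith(contextPath)) {

            path = path.substring(contextPath.length());
        }

        if (PortalInstances.isAutoLoginIgnorePath(path)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Ignore path " + path);
            }

            processFilter(
                AutoLoginFilter.class, request, response, filterChain);

            return;
        }

        String remoteUser = request.getRemoteUser();
        String jUserName = (String)session.getAttribute("j_username");

        // Hooks run only for requests that are not yet authenticated.

        if ((remoteUser == null) && (jUserName == null)) {
            for (String autoLoginHook : PropsValues.AUTO_LOGIN_HOOKS) {
                AutoLogin autoLogin = (AutoLogin)InstancePool.get(
                    autoLoginHook);

                try {
                    String[] credentials = autoLogin.login(request, response);

                    // The redirect target is whatever the hook stored in the
                    // request attribute; it is sent without further checks
                    // here, so a hook that derives it from request input has
                    // to validate it itself.

                    String redirect = (String)request.getAttribute(
                        AutoLogin.AUTO_LOGIN_REDIRECT);

                    if (redirect != null) {
                        response.sendRedirect(redirect);

                        return;
                    }

                    String loginRemoteUser = getLoginRemoteUser(
                        request, response, session, credentials);

                    if (loginRemoteUser != null) {
                        request = new ProtectedServletRequest(
                            request, loginRemoteUser);

                        // With JAAS enabled the response has already been
                        // redirected, so the chain must not continue.

                        if (PropsValues.PORTAL_JAAS_ENABLE) {
                            return;
                        }

                        // NOTE(review): the loop keeps going after a
                        // successful login, so a later hook that also
                        // returns credentials replaces the identity set
                        // here -- confirm that this ordering is intended.
                    }
                }
                catch (Exception e) {

                    // A failing hook grants no login; the remaining hooks
                    // are still tried.

                    _log.warn(e, e);
                    _log.error(e.getMessage());
                }
            }
        }

        processFilter(AutoLoginFilter.class, request, response, filterChain);
    }

    private static final Log _log = LogFactoryUtil.getLog(
        AutoLoginFilter.class);

}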