1   /**
2    * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
3    *
4    * This library is free software; you can redistribute it and/or modify it under
5    * the terms of the GNU Lesser General Public License as published by the Free
6    * Software Foundation; either version 2.1 of the License, or (at your option)
7    * any later version.
8    *
9    * This library is distributed in the hope that it will be useful, but WITHOUT
10   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
11   * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
12   * details.
13   */
14  
15  package com.liferay.portal.servlet.filters.servletauthorizing;
16  
17  import com.liferay.portal.kernel.log.Log;
18  import com.liferay.portal.kernel.log.LogFactoryUtil;
19  import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
20  import com.liferay.portal.kernel.util.GetterUtil;
21  import com.liferay.portal.model.User;
22  import com.liferay.portal.security.auth.PrincipalThreadLocal;
23  import com.liferay.portal.security.permission.PermissionChecker;
24  import com.liferay.portal.security.permission.PermissionCheckerFactoryUtil;
25  import com.liferay.portal.security.permission.PermissionThreadLocal;
26  import com.liferay.portal.service.UserLocalServiceUtil;
27  import com.liferay.portal.servlet.filters.BasePortalFilter;
28  import com.liferay.portal.util.PortalInstances;
29  import com.liferay.portal.util.PortalUtil;
30  import com.liferay.portal.util.PropsValues;
31  import com.liferay.portal.util.WebKeys;
32  
33  import javax.servlet.FilterChain;
34  import javax.servlet.http.HttpServletRequest;
35  import javax.servlet.http.HttpServletResponse;
36  import javax.servlet.http.HttpSession;
37  
38  import org.apache.struts.Globals;
39  
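/**
 * <a href="ServletAuthorizingFilter.java.html"><b><i>View Source</i></b></a>
 *
 * <p>
 * Servlet filter that works out which user a request belongs to and publishes
 * that identity for the rest of the request: it wraps the request in a
 * {@link ProtectedServletRequest}, sets the name in
 * {@link PrincipalThreadLocal}, installs a {@link PermissionChecker} in
 * {@link PermissionThreadLocal} and stores the user id and locale in the HTTP
 * session.
 * </p>
 *
 * <p>
 * NOTE(review): this class only ever sets the two thread locals; it never
 * clears them. Confirm that another component resets them at the end of every
 * request, otherwise a pooled worker thread could carry one caller's principal
 * or permission checker into the next request it serves.
 * </p>
 *
 * @author Raymond Augé
 */
public class ServletAuthorizingFilter extends BasePortalFilter {

    /**
     * Resolves the remote user for the request, publishes the resulting
     * identity and then hands the (wrapped) request on to the rest of the
     * filter chain.
     *
     * <p>
     * A failure while loading the user or building the permission checker is
     * logged and the request still proceeds; see the review note on the catch
     * block.
     * </p>
     *
     * @param  request the incoming request; it is replaced by a
     *         {@link ProtectedServletRequest} before being passed on
     * @param  response the response passed on unchanged
     * @param  filterChain the chain passed on unchanged
     * @throws Exception if any call outside the inner try block fails
     */
    protected void processFilter(
            HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain)
        throws Exception {

        // getSession() creates a session when the request has none, so every
        // request passing through this filter ends up with a session.

        HttpSession session = request.getSession();

        // Company id

        // The return value is discarded; the call is made for whatever side
        // effect it has on the request (not visible from this file).

        PortalInstances.getCompanyId(request);

        // Authorize

        long userId = PortalUtil.getUserId(request);
        String remoteUser = request.getRemoteUser();

        if (!PropsValues.PORTAL_JAAS_ENABLE) {

            // With JAAS disabled, a "j_remoteuser" session attribute takes
            // precedence over the container's remote user. It is consumed on
            // first use (removed right after it is read).
            //
            // NOTE(review): whatever code is able to write this attribute
            // decides the identity adopted below. Confirm that only the
            // portal's own login path sets it.

            String jRemoteUser = (String)session.getAttribute("j_remoteuser");

            if (jRemoteUser != null) {
                remoteUser = jRemoteUser;

                session.removeAttribute("j_remoteuser");
            }
        }

        if ((userId > 0) && (remoteUser == null)) {
            remoteUser = String.valueOf(userId);
        }

        // WebSphere will not return the remote user unless you are
        // authenticated AND accessing a protected path. Other servers will
        // return the remote user for all threads associated with an
        // authenticated user. We use ProtectedServletRequest to ensure we get
        // similar behavior across all servers.

        request = new ProtectedServletRequest(request, remoteUser);

        if ((userId > 0) || (remoteUser != null)) {

            // Set the principal associated with this thread

            String name = String.valueOf(userId);

            if (remoteUser != null) {
                name = remoteUser;
            }

            // The principal name is published before the user lookup below
            // has confirmed that it refers to an existing user.

            PrincipalThreadLocal.setName(name);

            // User id

            // The remote user wins over the id derived from the request, so
            // the id is re-derived from the chosen name.
            //
            // NOTE(review): presumably GetterUtil.getLong falls back to a
            // default for a non-numeric name, in which case the lookup below
            // fails and is only logged. Confirm.

            userId = GetterUtil.getLong(name);

            try {

                // User

                User user = UserLocalServiceUtil.getUserById(userId);

                // Permission checker

                PermissionChecker permissionChecker =
                    PermissionCheckerFactoryUtil.create(user, true);

                PermissionThreadLocal.setPermissionChecker(permissionChecker);

                // User id

                // Long.valueOf replaces the boxing constructor; the stored
                // value is equal.

                session.setAttribute(WebKeys.USER_ID, Long.valueOf(userId));

                // User locale

                session.setAttribute(Globals.LOCALE_KEY, user.getLocale());
            }
            catch (Exception e) {

                // NOTE(review): this fails open. The request continues with
                // the principal name and wrapped remote user already set, but
                // without a permission checker installed by this filter, and
                // any checker already present on the thread is left in place.
                // Confirm that downstream code denies access in this state,
                // or reject the request here.

                _log.error(e, e);
            }
        }

        // Hand the wrapped request on; this overload is not defined in this
        // class (presumably inherited from BasePortalFilter).

        processFilter(
            ServletAuthorizingFilter.class, request, response, filterChain);
    }

    private static final Log _log = LogFactoryUtil.getLog(
        ServletAuthorizingFilter.class);

}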