1   /**
2    * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
3    *
4    * This library is free software; you can redistribute it and/or modify it under
5    * the terms of the GNU Lesser General Public License as published by the Free
6    * Software Foundation; either version 2.1 of the License, or (at your option)
7    * any later version.
8    *
9    * This library is distributed in the hope that it will be useful, but WITHOUT
10   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
11   * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
12   * details.
13   */
14  
15  package com.liferay.portlet.login.util;
16  
17  import com.liferay.portal.kernel.exception.SystemException;
18  import com.liferay.portal.kernel.log.Log;
19  import com.liferay.portal.kernel.log.LogFactoryUtil;
20  import com.liferay.portal.kernel.servlet.HttpHeaders;
21  import com.liferay.portal.kernel.servlet.SessionMessages;
22  import com.liferay.portal.kernel.util.GetterUtil;
23  import com.liferay.portal.kernel.util.ParamUtil;
24  import com.liferay.portal.kernel.util.StringPool;
25  import com.liferay.portal.kernel.util.Validator;
26  import com.liferay.portal.model.Company;
27  import com.liferay.portal.model.CompanyConstants;
28  import com.liferay.portal.model.User;
29  import com.liferay.portal.security.auth.AuthException;
30  import com.liferay.portal.security.auth.Authenticator;
31  import com.liferay.portal.service.UserLocalServiceUtil;
32  import com.liferay.portal.theme.ThemeDisplay;
33  import com.liferay.portal.util.CookieKeys;
34  import com.liferay.portal.util.PortalUtil;
35  import com.liferay.portal.util.PortletKeys;
36  import com.liferay.portal.util.PropsValues;
37  import com.liferay.portal.util.WebKeys;
38  import com.liferay.portlet.PortletURLImpl;
39  import com.liferay.util.Encryptor;
40  
41  import java.util.ArrayList;
42  import java.util.Enumeration;
43  import java.util.HashMap;
44  import java.util.List;
45  import java.util.Map;
46  
47  import javax.portlet.ActionRequest;
48  import javax.portlet.PortletMode;
49  import javax.portlet.PortletModeException;
50  import javax.portlet.PortletRequest;
51  import javax.portlet.PortletURL;
52  import javax.portlet.WindowState;
53  import javax.portlet.WindowStateException;
54  
55  import javax.servlet.http.Cookie;
56  import javax.servlet.http.HttpServletRequest;
57  import javax.servlet.http.HttpServletResponse;
58  import javax.servlet.http.HttpSession;
59  
60  /**
61   * <a href="LoginUtil.java.html"><b><i>View Source</i></b></a>
62   *
63   * @author Brian Wing Shun Chan
64   * @author Scott Lee
65   */
66  public class LoginUtil {
67  
68      public static String getLogin(
69              HttpServletRequest request, String paramName, Company company)
70          throws SystemException {
71  
72          String login = request.getParameter(paramName);
73  
74          if ((login == null) || (login.equals(StringPool.NULL))) {
75              login = GetterUtil.getString(
76                  CookieKeys.getCookie(request, CookieKeys.LOGIN));
77  
78              if (PropsValues.COMPANY_LOGIN_PREPOPULATE_DOMAIN &&
79                  Validator.isNull(login) &&
80                  company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
81  
82                  login = "@" + company.getMx();
83              }
84          }
85  
86          return login;
87      }
88  
89      public static PortletURL getLoginURL(
90              HttpServletRequest request, long plid)
91          throws PortletModeException, WindowStateException {
92  
93          PortletURL portletURL = new PortletURLImpl(
94              request, PortletKeys.LOGIN, plid, PortletRequest.RENDER_PHASE);
95  
96          portletURL.setWindowState(WindowState.MAXIMIZED);
97          portletURL.setPortletMode(PortletMode.VIEW);
98  
99          portletURL.setParameter("saveLastPath", "0");
100         portletURL.setParameter("struts_action", "/login/login");
101 
102         return portletURL;
103     }
104 
105     public static void login(
106             HttpServletRequest request, HttpServletResponse response,
107             String login, String password, boolean rememberMe, String authType)
108         throws Exception {
109 
110         CookieKeys.validateSupportCookie(request);
111 
112         HttpSession session = request.getSession();
113 
114         long userId = GetterUtil.getLong(login);
115 
116         int authResult = Authenticator.FAILURE;
117 
118         Company company = PortalUtil.getCompany(request);
119 
120         Map<String, String[]> headerMap = new HashMap<String, String[]>();
121 
122         Enumeration<String> enu1 = request.getHeaderNames();
123 
124         while (enu1.hasMoreElements()) {
125             String name = enu1.nextElement();
126 
127             Enumeration<String> enu2 = request.getHeaders(name);
128 
129             List<String> headers = new ArrayList<String>();
130 
131             while (enu2.hasMoreElements()) {
132                 String value = enu2.nextElement();
133 
134                 headers.add(value);
135             }
136 
137             headerMap.put(name, headers.toArray(new String[headers.size()]));
138         }
139 
140         Map<String, String[]> parameterMap = request.getParameterMap();
141 
142         if (Validator.isNull(authType)) {
143             authType = company.getAuthType();
144         }
145 
146         if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
147             authResult = UserLocalServiceUtil.authenticateByEmailAddress(
148                 company.getCompanyId(), login, password, headerMap,
149                 parameterMap);
150 
151             userId = UserLocalServiceUtil.getUserIdByEmailAddress(
152                 company.getCompanyId(), login);
153         }
154         else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
155             authResult = UserLocalServiceUtil.authenticateByScreenName(
156                 company.getCompanyId(), login, password, headerMap,
157                 parameterMap);
158 
159             userId = UserLocalServiceUtil.getUserIdByScreenName(
160                 company.getCompanyId(), login);
161         }
162         else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
163             authResult = UserLocalServiceUtil.authenticateByUserId(
164                 company.getCompanyId(), userId, password, headerMap,
165                 parameterMap);
166         }
167 
168         if (authResult == Authenticator.SUCCESS) {
169             if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
170 
171                 // Invalidate the previous session to prevent phishing
172 
173                 String[] protectedAttributeNames =
174                     PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
175 
176                 Map<String, Object> protectedAttributes =
177                     new HashMap<String, Object>();
178 
179                 for (String protectedAttributeName : protectedAttributeNames) {
180                     Object protectedAttributeValue = session.getAttribute(
181                         protectedAttributeName);
182 
183                     if (protectedAttributeValue == null) {
184                         continue;
185                     }
186 
187                     protectedAttributes.put(
188                         protectedAttributeName, protectedAttributeValue);
189                 }
190 
191                 try {
192                     session.invalidate();
193                 }
194                 catch (IllegalStateException ise) {
195 
196                     // This only happens in Geronimo
197 
198                     if (_log.isWarnEnabled()) {
199                         _log.warn(ise.getMessage());
200                     }
201                 }
202 
203                 session = request.getSession(true);
204 
205                 for (String protectedAttributeName : protectedAttributeNames) {
206                     Object protectedAttributeValue = protectedAttributes.get(
207                         protectedAttributeName);
208 
209                     if (protectedAttributeValue == null) {
210                         continue;
211                     }
212 
213                     session.setAttribute(
214                         protectedAttributeName, protectedAttributeValue);
215                 }
216             }
217 
218             // Set cookies
219 
220             String domain = CookieKeys.getDomain(request);
221 
222             User user = UserLocalServiceUtil.getUserById(userId);
223 
224             String userIdString = String.valueOf(userId);
225 
226             session.setAttribute("j_username", userIdString);
227             session.setAttribute("j_password", user.getPassword());
228             session.setAttribute("j_remoteuser", userIdString);
229 
230             session.setAttribute(WebKeys.USER_PASSWORD, password);
231 
232             Cookie companyIdCookie = new Cookie(
233                 CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
234 
235             if (Validator.isNotNull(domain)) {
236                 companyIdCookie.setDomain(domain);
237             }
238 
239             companyIdCookie.setPath(StringPool.SLASH);
240 
241             Cookie idCookie = new Cookie(
242                 CookieKeys.ID,
243                 UserLocalServiceUtil.encryptUserId(userIdString));
244 
245             if (Validator.isNotNull(domain)) {
246                 idCookie.setDomain(domain);
247             }
248 
249             idCookie.setPath(StringPool.SLASH);
250 
251             Cookie passwordCookie = new Cookie(
252                 CookieKeys.PASSWORD,
253                 Encryptor.encrypt(company.getKeyObj(), password));
254 
255             if (Validator.isNotNull(domain)) {
256                 passwordCookie.setDomain(domain);
257             }
258 
259             passwordCookie.setPath(StringPool.SLASH);
260 
261             Cookie rememberMeCookie = new Cookie(
262                 CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
263 
264             if (Validator.isNotNull(domain)) {
265                 rememberMeCookie.setDomain(domain);
266             }
267 
268             rememberMeCookie.setPath(StringPool.SLASH);
269 
270             int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
271 
272             if (PropsValues.SESSION_DISABLED) {
273                 rememberMe = true;
274             }
275 
276             if (rememberMe) {
277                 companyIdCookie.setMaxAge(loginMaxAge);
278                 idCookie.setMaxAge(loginMaxAge);
279                 passwordCookie.setMaxAge(loginMaxAge);
280                 rememberMeCookie.setMaxAge(loginMaxAge);
281             }
282             else {
283 
284                 // This was explicitly changed from 0 to -1 so that the cookie
285                 // lasts as long as the browser. This allows an external servlet
286                 // wrapped in AutoLoginFilter to work throughout the client
287                 // connection. The cookies ARE removed on an actual logout, so
288                 // there is no security issue. See LEP-4678 and LEP-5177.
289 
290                 companyIdCookie.setMaxAge(-1);
291                 idCookie.setMaxAge(-1);
292                 passwordCookie.setMaxAge(-1);
293                 rememberMeCookie.setMaxAge(0);
294             }
295 
296             Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
297 
298             if (Validator.isNotNull(domain)) {
299                 loginCookie.setDomain(domain);
300             }
301 
302             loginCookie.setMaxAge(loginMaxAge);
303             loginCookie.setPath(StringPool.SLASH);
304 
305             Cookie screenNameCookie = new Cookie(
306                 CookieKeys.SCREEN_NAME,
307                 Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
308 
309             if (Validator.isNotNull(domain)) {
310                 screenNameCookie.setDomain(domain);
311             }
312 
313             screenNameCookie.setMaxAge(loginMaxAge);
314             screenNameCookie.setPath(StringPool.SLASH);
315 
316             boolean secure = request.isSecure();
317 
318             if (secure) {
319                 Boolean httpsInitial = (Boolean)session.getAttribute(
320                     WebKeys.HTTPS_INITIAL);
321 
322                 if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
323                     secure = false;
324                 }
325             }
326 
327             CookieKeys.addCookie(request, response, companyIdCookie, secure);
328             CookieKeys.addCookie(request, response, idCookie, secure);
329             CookieKeys.addCookie(request, response, passwordCookie, secure);
330             CookieKeys.addCookie(request, response, rememberMeCookie, secure);
331             CookieKeys.addCookie(request, response, loginCookie, secure);
332             CookieKeys.addCookie(request, response, screenNameCookie, secure);
333         }
334         else {
335             throw new AuthException();
336         }
337     }
338 
339     public static void sendPassword(ActionRequest actionRequest)
340         throws Exception {
341 
342         String toAddress = ParamUtil.getString(actionRequest, "emailAddress");
343 
344         sendPassword(actionRequest, null, null, toAddress, null, null);
345     }
346 
347     public static void sendPassword(
348             ActionRequest actionRequest, String fromName, String fromAddress,
349             String toAddress, String subject, String body)
350         throws Exception {
351 
352         HttpServletRequest request = PortalUtil.getHttpServletRequest(
353             actionRequest);
354 
355         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
356             WebKeys.THEME_DISPLAY);
357 
358         Company company = themeDisplay.getCompany();
359 
360         if (!company.isSendPassword()) {
361             return;
362         }
363 
364         String remoteAddr = request.getRemoteAddr();
365         String remoteHost = request.getRemoteHost();
366         String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
367 
368         UserLocalServiceUtil.sendPassword(
369             company.getCompanyId(), toAddress, remoteAddr, remoteHost,
370             userAgent, fromName, fromAddress, subject, body);
371 
372         SessionMessages.add(actionRequest, "request_processed", toAddress);
373     }
374 
375     private static Log _log = LogFactoryUtil.getLog(LoginUtil.class);
376 
377 }