1   /**
2    * Copyright (c) 2000-2009 Liferay, Inc. All rights reserved.
3    *
4    * The contents of this file are subject to the terms of the Liferay Enterprise
5    * Subscription License ("License"). You may not use this file except in
6    * compliance with the License. You can obtain a copy of the License by
7    * contacting Liferay, Inc. See the License for the specific language governing
8    * permissions and limitations under the License, including but not limited to
9    * distribution rights of the Software.
10   *
11   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
14   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
15   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
16   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
17   * SOFTWARE.
18   */
19  
20  package com.liferay.portal.servlet.filters.autologin;
21  
import com.liferay.portal.NoSuchUserException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.InstancePool;
import com.liferay.portal.kernel.util.StringPool;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.User;
import com.liferay.portal.security.auth.AutoLogin;
import com.liferay.portal.security.pwd.PwdEncryptor;
import com.liferay.portal.service.UserLocalServiceUtil;
import com.liferay.portal.servlet.filters.BasePortalFilter;
import com.liferay.portal.util.PortalInstances;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsValues;
import com.liferay.portal.util.WebKeys;

import java.io.IOException;

import java.util.Locale;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
47  
48  /**
49   * <a href="AutoLoginFilter.java.html"><b><i>View Source</i></b></a>
50   *
51   * @author Brian Wing Shun Chan
52   * @author Raymond Augé
53   *
54   */
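public class AutoLoginFilter extends BasePortalFilter {

    /**
     * Turns the credentials returned by an {@link AutoLogin} hook into a
     * logged-in session.
     *
     * <p>The password is NOT verified here: the filter trusts whatever the
     * configured hook returned, so the hooks listed in
     * <code>auto.login.hooks</code> are part of the authentication trust
     * boundary. The only checks made are that the user ID exists and that the
     * account is not locked out.</p>
     *
     * @param request the current request
     * @param response the current response; receives a redirect to
     *        <code>/portal/touch_protected</code> when JAAS is enabled
     * @param session the session that receives <code>j_username</code> and
     *        <code>j_password</code>
     * @param credentials <code>{userId, password, passwordIsEncrypted}</code>
     *        as returned by {@link AutoLogin#login}; any other shape is
     *        ignored
     * @return the user ID (as a string) to expose as the remote user, or
     *         <code>null</code> when no login must happen
     * @throws Exception if the user lookup or the password encryption fails
     */
    protected String getLoginRemoteUser(
            HttpServletRequest request, HttpServletResponse response,
            HttpSession session, String[] credentials)
        throws Exception {

        if ((credentials == null) || (credentials.length != 3)) {
            return null;
        }

        String jUsername = credentials[0];
        String jPassword = credentials[1];
        boolean encPassword = GetterUtil.getBoolean(credentials[2]);

        if (Validator.isNull(jUsername) || Validator.isNull(jPassword)) {
            return null;
        }

        // The "username" must be a numeric user ID; anything that does not
        // parse to a positive long is rejected rather than looked up by name

        long userId = GetterUtil.getLong(jUsername);

        if (userId <= 0) {
            return null;
        }

        try {
            User user = UserLocalServiceUtil.getUserById(userId);

            // A locked-out account must not be logged in silently, even when
            // the hook vouches for it

            if (user.isLockout()) {
                return null;
            }
        }
        catch (NoSuchUserException nsue) {
            return null;
        }

        // NOTE(review): the pre-authentication session is reused as the
        // authenticated one (no session ID renewal happens here), so any
        // session fixation protection has to come from elsewhere -- confirm

        session.setAttribute("j_username", jUsername);

        // Not having access to the unencrypted password
        // will not allow you to connect to external
        // resources that require it (mail server)

        if (encPassword) {
            session.setAttribute("j_password", jPassword);
        }
        else {
            session.setAttribute(
                "j_password", PwdEncryptor.encrypt(jPassword));

            // The clear-text password is kept in the session; anything that
            // persists, replicates or dumps sessions will see it

            session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
        }

        if (PropsValues.PORTAL_JAAS_ENABLE) {
            response.sendRedirect(
                PortalUtil.getPathMain() + "/portal/touch_protected");
        }

        return jUsername;
    }

    /**
     * Runs the configured {@link AutoLogin} hooks for requests that carry no
     * authenticated identity yet, then continues the filter chain.
     *
     * <p>Hosts and paths listed in the auto-login ignore configuration are
     * passed straight through. For everything else, when neither the
     * container (<code>getRemoteUser()</code>) nor the session
     * (<code>j_username</code>) identifies a user, every hook in
     * <code>auto.login.hooks</code> is asked in order; a hook may either
     * request a redirect or return credentials that
     * {@link #getLoginRemoteUser} turns into a session login. A failing hook
     * is logged and the remaining hooks still run.</p>
     *
     * @param request the current request
     * @param response the current response
     * @param filterChain the rest of the chain
     * @throws IOException if the chain or a redirect fails
     * @throws ServletException if the chain fails
     */
    protected void processFilter(
            HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain)
        throws IOException, ServletException {

        HttpSession session = request.getSession();

        String host = PortalUtil.getHost(request);

        if (PortalInstances.isAutoLoginIgnoreHost(host)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Ignore host " + host);
            }

            processFilter(
                AutoLoginFilter.class, request, response, filterChain);

            return;
        }

        String path = _getPortalPath(request);

        if (PortalInstances.isAutoLoginIgnorePath(path)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Ignore path " + path);
            }

            processFilter(
                AutoLoginFilter.class, request, response, filterChain);

            return;
        }

        String remoteUser = request.getRemoteUser();
        String jUserName = (String)session.getAttribute("j_username");

        if ((remoteUser == null) && (jUserName == null)) {
            for (String autoLoginHook : PropsValues.AUTO_LOGIN_HOOKS) {
                AutoLogin autoLogin = (AutoLogin)InstancePool.get(
                    autoLoginHook);

                try {
                    String[] credentials = autoLogin.login(request, response);

                    // A hook may ask for a redirect instead of a login. The
                    // target is a request attribute set server-side by the
                    // hook, not a client parameter; the hook is responsible
                    // for not copying untrusted input into it

                    String redirect = (String)request.getAttribute(
                        AutoLogin.AUTO_LOGIN_REDIRECT);

                    if (redirect != null) {
                        response.sendRedirect(redirect);

                        return;
                    }

                    String loginRemoteUser = getLoginRemoteUser(
                        request, response, session, credentials);

                    if (loginRemoteUser != null) {

                        // Expose the user to downstream code through
                        // getRemoteUser()

                        request = new ProtectedServletRequest(
                            request, loginRemoteUser);

                        // With JAAS a redirect to touch_protected has already
                        // been sent, so the chain must not run on this request

                        if (PropsValues.PORTAL_JAAS_ENABLE) {
                            return;
                        }

                        // NOTE(review): the loop keeps going, so a later hook
                        // can still run and replace this login -- confirm this
                        // is intended for multi-hook setups
                    }
                }
                catch (Exception e) {

                    // One broken hook must not block the others; log and
                    // move on to the next one

                    if (_log.isWarnEnabled()) {
                        _log.warn(e, e);
                    }

                    _log.error(e.getMessage());
                }
            }
        }

        processFilter(AutoLoginFilter.class, request, response, filterChain);
    }

    /**
     * Returns the request URI, lower-cased and with the portal context path
     * removed, for matching against the auto-login ignore paths.
     *
     * <p>The context path is only stripped when the URI actually starts with
     * it; previously any occurrence of it anywhere in the URI caused the
     * leading characters to be cut off. Lower-casing uses
     * {@link Locale#ROOT} so the comparison does not depend on the JVM's
     * default locale (e.g. the Turkish dotless i).</p>
     *
     * <p>NOTE(review): <code>getRequestURI()</code> is neither URL-decoded
     * nor path-normalized, so percent-encoded or <code>..</code> variants of
     * an ignored path will not match it -- confirm the ignore list is not
     * relied on as a security control.</p>
     *
     * @param request the current request
     * @return the portal-relative, lower-cased path
     */
    private String _getPortalPath(HttpServletRequest request) {
        String contextPath = PortalUtil.getPathContext().toLowerCase(
            Locale.ROOT);

        String path = request.getRequestURI().toLowerCase(Locale.ROOT);

        if (!contextPath.equals(StringPool.SLASH) &&
            path.startsWith(contextPath)) {

            path = path.substring(contextPath.length());
        }

        return path;
    }

    private static Log _log = LogFactoryUtil.getLog(AutoLoginFilter.class);

}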