23 package com.liferay.filters.secure;
24
25 import com.liferay.portal.kernel.util.GetterUtil;
26 import com.liferay.portal.kernel.util.StringMaker;
27 import com.liferay.portal.kernel.util.StringPool;
28 import com.liferay.portal.kernel.util.StringUtil;
29 import com.liferay.portal.kernel.util.Validator;
30 import com.liferay.portal.util.PropsUtil;
31 import com.liferay.util.CollectionFactory;
32 import com.liferay.util.Http;
33
34 import java.io.IOException;
35
36 import java.util.Set;
37
38 import javax.servlet.Filter;
39 import javax.servlet.FilterChain;
40 import javax.servlet.FilterConfig;
41 import javax.servlet.ServletException;
42 import javax.servlet.ServletRequest;
43 import javax.servlet.ServletResponse;
44 import javax.servlet.http.HttpServletRequest;
45 import javax.servlet.http.HttpServletResponse;
46
47 import org.apache.commons.logging.Log;
48 import org.apache.commons.logging.LogFactory;
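/**
 * Servlet filter that restricts access to an allow list of remote addresses
 * and, optionally, forces requests onto HTTPS.
 *
 * <p>Configuration is read in {@link #init(FilterConfig)} either from the
 * filter's own init parameters (<code>hosts.allowed</code>,
 * <code>https.required</code>) or, when the
 * <code>portal_property_prefix</code> init parameter is set, from portal
 * properties carrying that prefix.</p>
 */
public class SecureFilter implements Filter {

	/**
	 * Reads the allowed-host list and the HTTPS requirement from the filter
	 * configuration or from portal properties.
	 *
	 * @param config the filter configuration supplied by the container
	 */
	public void init(FilterConfig config) {
		String propertyPrefix =
			config.getInitParameter("portal_property_prefix");

		String[] hostsAllowedArray = null;

		if (Validator.isNull(propertyPrefix)) {
			hostsAllowedArray = StringUtil.split(
				config.getInitParameter("hosts.allowed"));
			_httpsRequired = GetterUtil.getBoolean(
				config.getInitParameter("https.required"));
		}
		else {
			hostsAllowedArray = PropsUtil.getArray(
				propertyPrefix + "hosts.allowed");
			_httpsRequired = GetterUtil.getBoolean(
				PropsUtil.get(propertyPrefix + "https.required"));
		}

		// Tolerate a null array from the property lookup; an empty allow list
		// means "no address restriction" (see isAccessAllowed).
		if (hostsAllowedArray != null) {
			for (int i = 0; i < hostsAllowedArray.length; i++) {
				_hostsAllowed.add(hostsAllowedArray[i]);
			}
		}
	}

	/**
	 * Rejects requests from addresses outside the allow list with
	 * <code>403 Forbidden</code>, redirects plain HTTP requests to HTTPS when
	 * required, and otherwise passes the request down the chain.
	 *
	 * @param req the incoming request (must be an HTTP request)
	 * @param res the outgoing response (must be an HTTP response)
	 * @param chain the remaining filter chain
	 * @throws IOException if writing the redirect or error response fails
	 * @throws ServletException if a downstream filter or servlet fails
	 */
	public void doFilter(
			ServletRequest req, ServletResponse res, FilterChain chain)
		throws IOException, ServletException {

		String remoteAddr = req.getRemoteAddr();

		HttpServletRequest httpReq = (HttpServletRequest)req;
		HttpServletResponse httpRes = (HttpServletResponse)res;

		if (!isAccessAllowed(req)) {
			if (_log.isErrorEnabled()) {
				_log.error("Access denied for " + remoteAddr);
			}

			// Fail closed with an explicit status rather than returning
			// without having set one on the response.
			httpRes.sendError(HttpServletResponse.SC_FORBIDDEN);

			return;
		}

		if (_log.isDebugEnabled()) {
			_log.debug("Access allowed for " + remoteAddr);

			if (_httpsRequired) {
				_log.debug("https is required");
			}
			else {
				_log.debug("https is not required");
			}
		}

		String completeURL = Http.getCompleteURL(httpReq);

		if (_httpsRequired && !httpReq.isSecure()) {
			if (_log.isDebugEnabled()) {
				_log.debug("Securing " + completeURL);
			}

			StringMaker redirectURL = new StringMaker();

			// NOTE(review): getServerName() is derived from the client-supplied
			// Host header, so the redirect host is client-influenced; a fixed,
			// configured host name would be stricter. Only the servlet path is
			// preserved here (no context path or path info) -- confirm that is
			// intended for this deployment.
			redirectURL.append(Http.HTTPS_WITH_SLASH);
			redirectURL.append(httpReq.getServerName());
			redirectURL.append(httpReq.getServletPath());

			String queryString = httpReq.getQueryString();

			if (Validator.isNotNull(queryString)) {
				redirectURL.append(StringPool.QUESTION);
				redirectURL.append(queryString);
			}

			if (_log.isDebugEnabled()) {
				_log.debug("Redirect to " + redirectURL);
			}

			httpRes.sendRedirect(redirectURL.toString());
		}
		else {
			if (_log.isDebugEnabled()) {
				_log.debug("Not securing " + completeURL);
			}

			chain.doFilter(req, res);
		}
	}

	/**
	 * Nothing to release; the allow list lives for the filter's lifetime.
	 */
	public void destroy() {
	}

	/**
	 * Decides whether the remote address of the request is permitted.
	 *
	 * <p>An empty allow list permits every address. Otherwise the remote
	 * address must appear in the list, or the list must contain the
	 * <code>SERVER_IP</code> token and the request must originate from the
	 * address the server itself received it on.</p>
	 *
	 * @param req the incoming request
	 * @return <code>true</code> if the request may proceed
	 */
	protected boolean isAccessAllowed(ServletRequest req) {
		if (_hostsAllowed.isEmpty()) {
			return true;
		}

		String remoteAddr = req.getRemoteAddr();

		if (_hostsAllowed.contains(remoteAddr)) {
			return true;
		}

		// The SERVER_IP token means "allow the server itself". Compare against
		// the local interface address instead of getServerName(): the latter
		// is taken from the client-supplied Host header and so cannot be
		// trusted to identify the server. getLocalAddr() requires Servlet 2.4+.
		if (_hostsAllowed.contains(_SERVER_IP)) {
			String localAddr = req.getLocalAddr();

			return (localAddr != null) && localAddr.equals(remoteAddr);
		}

		return false;
	}

	// Marker value in hosts.allowed standing for the server's own address.
	private static final String _SERVER_IP = "SERVER_IP";

	private static final Log _log = LogFactory.getLog(SecureFilter.class);

	// Raw Set kept deliberately; the surrounding code base does not use
	// generics.
	private final Set _hostsAllowed = CollectionFactory.getHashSet();
	private boolean _httpsRequired;

}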