1   /**
2    * Copyright (c) 2000-2008 Liferay, Inc. All rights reserved.
3    *
4    * Permission is hereby granted, free of charge, to any person obtaining a copy
5    * of this software and associated documentation files (the "Software"), to deal
6    * in the Software without restriction, including without limitation the rights
7    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8    * copies of the Software, and to permit persons to whom the Software is
9    * furnished to do so, subject to the following conditions:
10   *
11   * The above copyright notice and this permission notice shall be included in
12   * all copies or substantial portions of the Software.
13   *
14   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
20   * SOFTWARE.
21   */
22  
23  package com.liferay.portal.action;
24  
25  import com.liferay.portal.CookieNotSupportedException;
26  import com.liferay.portal.NoSuchUserException;
27  import com.liferay.portal.PasswordExpiredException;
28  import com.liferay.portal.PortalException;
29  import com.liferay.portal.SendPasswordException;
30  import com.liferay.portal.SystemException;
31  import com.liferay.portal.UserEmailAddressException;
32  import com.liferay.portal.UserIdException;
33  import com.liferay.portal.UserLockoutException;
34  import com.liferay.portal.UserPasswordException;
35  import com.liferay.portal.UserScreenNameException;
36  import com.liferay.portal.captcha.CaptchaTextException;
37  import com.liferay.portal.captcha.CaptchaUtil;
38  import com.liferay.portal.kernel.servlet.HttpHeaders;
39  import com.liferay.portal.kernel.servlet.SessionErrors;
40  import com.liferay.portal.kernel.servlet.SessionMessages;
41  import com.liferay.portal.kernel.util.Constants;
42  import com.liferay.portal.kernel.util.GetterUtil;
43  import com.liferay.portal.kernel.util.ParamUtil;
44  import com.liferay.portal.kernel.util.StringPool;
45  import com.liferay.portal.kernel.util.Validator;
46  import com.liferay.portal.model.Company;
47  import com.liferay.portal.model.CompanyConstants;
48  import com.liferay.portal.model.User;
49  import com.liferay.portal.security.auth.AuthException;
50  import com.liferay.portal.security.auth.Authenticator;
51  import com.liferay.portal.service.UserLocalServiceUtil;
52  import com.liferay.portal.struts.LastPath;
53  import com.liferay.portal.theme.ThemeDisplay;
54  import com.liferay.portal.util.CookieKeys;
55  import com.liferay.portal.util.PortalUtil;
56  import com.liferay.portal.util.PropsValues;
57  import com.liferay.portal.util.WebKeys;
58  import com.liferay.util.Encryptor;
59  import com.liferay.util.servlet.SessionParameters;
60  
61  import java.util.ArrayList;
62  import java.util.Enumeration;
63  import java.util.HashMap;
64  import java.util.List;
65  import java.util.Map;
66  
67  import javax.servlet.http.Cookie;
68  import javax.servlet.http.HttpServletRequest;
69  import javax.servlet.http.HttpServletResponse;
70  import javax.servlet.http.HttpSession;
71  
72  import org.apache.commons.logging.Log;
73  import org.apache.commons.logging.LogFactory;
74  import org.apache.struts.action.Action;
75  import org.apache.struts.action.ActionForm;
76  import org.apache.struts.action.ActionForward;
77  import org.apache.struts.action.ActionMapping;
78  
79  /**
80   * <a href="LoginAction.java.html"><b><i>View Source</i></b></a>
81   *
82   * @author Brian Wing Shun Chan
83   * @author Scott Lee
84   *
85   */
86  public class LoginAction extends Action {
87  
88      public static String getLogin(
89              HttpServletRequest request, String paramName, Company company)
90          throws PortalException, SystemException {
91  
92          String login = request.getParameter(paramName);
93  
94          if ((login == null) || (login.equals(StringPool.NULL))) {
95              login = GetterUtil.getString(
96                  CookieKeys.getCookie(request, CookieKeys.LOGIN));
97  
98              if (PropsValues.COMPANY_LOGIN_PREPOPULATE_DOMAIN &&
99                  Validator.isNull(login) &&
100                 company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
101 
102                 login = "@" + company.getMx();
103             }
104         }
105 
106         return login;
107     }
108 
109     public static void login(
110             HttpServletRequest request, HttpServletResponse response,
111             String login, String password, boolean rememberMe)
112         throws Exception {
113 
114         CookieKeys.validateSupportCookie(request);
115 
116         HttpSession session = request.getSession();
117 
118         long userId = GetterUtil.getLong(login);
119 
120         int authResult = Authenticator.FAILURE;
121 
122         Company company = PortalUtil.getCompany(request);
123 
124         Map<String, String[]> headerMap = new HashMap<String, String[]>();
125 
126         Enumeration<String> enu1 = request.getHeaderNames();
127 
128         while (enu1.hasMoreElements()) {
129             String name = enu1.nextElement();
130 
131             Enumeration<String> enu2 = request.getHeaders(name);
132 
133             List<String> headers = new ArrayList<String>();
134 
135             while (enu2.hasMoreElements()) {
136                 String value = enu2.nextElement();
137 
138                 headers.add(value);
139             }
140 
141             headerMap.put(name, headers.toArray(new String[headers.size()]));
142         }
143 
144         Map<String, String[]> parameterMap = request.getParameterMap();
145 
146         if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_EA)) {
147             authResult = UserLocalServiceUtil.authenticateByEmailAddress(
148                 company.getCompanyId(), login, password, headerMap,
149                 parameterMap);
150 
151             userId = UserLocalServiceUtil.getUserIdByEmailAddress(
152                 company.getCompanyId(), login);
153         }
154         else if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_SN)) {
155             authResult = UserLocalServiceUtil.authenticateByScreenName(
156                 company.getCompanyId(), login, password, headerMap,
157                 parameterMap);
158 
159             userId = UserLocalServiceUtil.getUserIdByScreenName(
160                 company.getCompanyId(), login);
161         }
162         else if (company.getAuthType().equals(CompanyConstants.AUTH_TYPE_ID)) {
163             authResult = UserLocalServiceUtil.authenticateByUserId(
164                 company.getCompanyId(), userId, password, headerMap,
165                 parameterMap);
166         }
167 
168         if (authResult == Authenticator.SUCCESS) {
169             if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
170 
171                 // Invalidate the previous session to prevent phishing
172 
173                 Boolean httpsInitial = (Boolean)session.getAttribute(
174                     WebKeys.HTTPS_INITIAL);
175 
176                 LastPath lastPath = (LastPath)session.getAttribute(
177                     WebKeys.LAST_PATH);
178 
179                 try {
180                     session.invalidate();
181                 }
182                 catch (IllegalStateException ise) {
183 
184                     // This only happens in Geronimo
185 
186                     if (_log.isWarnEnabled()) {
187                         _log.warn(ise.getMessage());
188                     }
189                 }
190 
191                 session = request.getSession(true);
192 
193                 if (httpsInitial != null) {
194                     session.setAttribute(WebKeys.HTTPS_INITIAL, httpsInitial);
195                 }
196 
197                 if (lastPath != null) {
198                     session.setAttribute(WebKeys.LAST_PATH, lastPath);
199                 }
200             }
201 
202             // Set cookies
203 
204             String domain = CookieKeys.getDomain(request);
205 
206             User user = UserLocalServiceUtil.getUserById(userId);
207 
208             String userIdString = String.valueOf(userId);
209 
210             session.setAttribute("j_username", userIdString);
211             session.setAttribute("j_password", user.getPassword());
212             session.setAttribute("j_remoteuser", userIdString);
213 
214             session.setAttribute(WebKeys.USER_PASSWORD, password);
215 
216             Cookie companyIdCookie = new Cookie(
217                 CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
218 
219             if (Validator.isNotNull(domain)) {
220                 companyIdCookie.setDomain(domain);
221             }
222 
223             companyIdCookie.setPath(StringPool.SLASH);
224 
225             Cookie idCookie = new Cookie(
226                 CookieKeys.ID,
227                 UserLocalServiceUtil.encryptUserId(userIdString));
228 
229             if (Validator.isNotNull(domain)) {
230                 idCookie.setDomain(domain);
231             }
232 
233             idCookie.setPath(StringPool.SLASH);
234 
235             Cookie passwordCookie = new Cookie(
236                 CookieKeys.PASSWORD,
237                 Encryptor.encrypt(company.getKeyObj(), password));
238 
239             if (Validator.isNotNull(domain)) {
240                 passwordCookie.setDomain(domain);
241             }
242 
243             passwordCookie.setPath(StringPool.SLASH);
244 
245             Cookie rememberMeCookie = new Cookie(
246                 CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
247 
248             if (Validator.isNotNull(domain)) {
249                 rememberMeCookie.setDomain(domain);
250             }
251 
252             rememberMeCookie.setPath(StringPool.SLASH);
253 
254             int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
255 
256             if (PropsValues.SESSION_DISABLED) {
257                 rememberMe = true;
258             }
259 
260             if (rememberMe) {
261                 companyIdCookie.setMaxAge(loginMaxAge);
262                 idCookie.setMaxAge(loginMaxAge);
263                 passwordCookie.setMaxAge(loginMaxAge);
264                 rememberMeCookie.setMaxAge(loginMaxAge);
265             }
266             else {
267 
268                 // This was explicitly changed from 0 to -1 so that the cookie
269                 // lasts as long as the browser. This allows an external servlet
270                 // wrapped in AutoLoginFilter to work throughout the client
271                 // connection. The cookies ARE removed on an actual logout, so
272                 // there is no security issue. See LEP-4678 and LEP-5177.
273 
274                 companyIdCookie.setMaxAge(-1);
275                 idCookie.setMaxAge(-1);
276                 passwordCookie.setMaxAge(-1);
277                 rememberMeCookie.setMaxAge(0);
278             }
279 
280             Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
281 
282             if (Validator.isNotNull(domain)) {
283                 loginCookie.setDomain(domain);
284             }
285 
286             loginCookie.setMaxAge(loginMaxAge);
287             loginCookie.setPath(StringPool.SLASH);
288 
289             Cookie screenNameCookie = new Cookie(
290                 CookieKeys.SCREEN_NAME,
291                 Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
292 
293             if (Validator.isNotNull(domain)) {
294                 screenNameCookie.setDomain(domain);
295             }
296 
297             screenNameCookie.setMaxAge(loginMaxAge);
298             screenNameCookie.setPath(StringPool.SLASH);
299 
300             CookieKeys.addCookie(response, companyIdCookie);
301             CookieKeys.addCookie(response, idCookie);
302             CookieKeys.addCookie(response, passwordCookie);
303             CookieKeys.addCookie(response, rememberMeCookie);
304             CookieKeys.addCookie(response, loginCookie);
305             CookieKeys.addCookie(response, screenNameCookie);
306         }
307         else {
308             throw new AuthException();
309         }
310     }
311 
312     public static void sendPassword(HttpServletRequest request)
313         throws Exception {
314 
315         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
316             WebKeys.THEME_DISPLAY);
317 
318         Company company = themeDisplay.getCompany();
319 
320         if (!company.isSendPassword()) {
321             return;
322         }
323 
324         if (PropsValues.CAPTCHA_CHECK_PORTAL_SEND_PASSWORD) {
325             CaptchaUtil.check(request);
326         }
327 
328         String emailAddress = ParamUtil.getString(request, "emailAddress");
329 
330         String remoteAddr = request.getRemoteAddr();
331         String remoteHost = request.getRemoteHost();
332         String userAgent = request.getHeader(HttpHeaders.USER_AGENT);
333 
334         UserLocalServiceUtil.sendPassword(
335             PortalUtil.getCompanyId(request), emailAddress, remoteAddr,
336             remoteHost, userAgent);
337 
338         SessionMessages.add(request, "request_processed", emailAddress);
339     }
340 
341     public ActionForward execute(
342             ActionMapping mapping, ActionForm form, HttpServletRequest request,
343             HttpServletResponse response)
344         throws Exception {
345 
346         if (PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS &&
347             !request.isSecure()) {
348 
349             ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
350                 WebKeys.THEME_DISPLAY);
351 
352             StringBuilder sb = new StringBuilder();
353 
354             sb.append(PortalUtil.getPortalURL(request, true));
355             sb.append(themeDisplay.getURLSignIn());
356 
357             response.sendRedirect(sb.toString());
358 
359             return null;
360         }
361 
362         HttpSession session = request.getSession();
363 
364         ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(
365             WebKeys.THEME_DISPLAY);
366 
367         if (session.getAttribute("j_username") != null &&
368             session.getAttribute("j_password") != null) {
369 
370             if (PropsValues.PORTAL_JAAS_ENABLE) {
371                 return mapping.findForward("/portal/touch_protected.jsp");
372             }
373             else {
374                 response.sendRedirect(themeDisplay.getPathMain());
375 
376                 return null;
377             }
378         }
379 
380         String cmd = ParamUtil.getString(request, Constants.CMD);
381 
382         if (cmd.equals("already-registered")) {
383             try {
384                 login(request, response);
385 
386                 if (PropsValues.PORTAL_JAAS_ENABLE) {
387                     return mapping.findForward("/portal/touch_protected.jsp");
388                 }
389                 else {
390                     String redirect = ParamUtil.getString(request, "redirect");
391 
392                     if (Validator.isNotNull(redirect)) {
393                         response.sendRedirect(redirect);
394                     }
395                     else {
396                         response.sendRedirect(themeDisplay.getPathMain());
397                     }
398 
399                     return null;
400                 }
401             }
402             catch (Exception e) {
403                 if (e instanceof AuthException) {
404                     Throwable cause = e.getCause();
405 
406                     if (cause instanceof PasswordExpiredException ||
407                         cause instanceof UserLockoutException) {
408 
409                         SessionErrors.add(request, cause.getClass().getName());
410                     }
411                     else {
412                         SessionErrors.add(request, e.getClass().getName());
413                     }
414 
415                     return mapping.findForward("portal.login");
416                 }
417                 else if (e instanceof CookieNotSupportedException ||
418                          e instanceof NoSuchUserException ||
419                          e instanceof PasswordExpiredException ||
420                          e instanceof UserEmailAddressException ||
421                          e instanceof UserIdException ||
422                          e instanceof UserLockoutException ||
423                          e instanceof UserPasswordException ||
424                          e instanceof UserScreenNameException) {
425 
426                     SessionErrors.add(request, e.getClass().getName());
427 
428                     return mapping.findForward("portal.login");
429                 }
430                 else {
431                     PortalUtil.sendError(e, request, response);
432 
433                     return null;
434                 }
435             }
436         }
437         else if (cmd.equals("forgot-password")) {
438             try {
439                 sendPassword(request);
440 
441                 return mapping.findForward("portal.login");
442             }
443             catch (Exception e) {
444                 if (e instanceof CaptchaTextException ||
445                     e instanceof NoSuchUserException ||
446                     e instanceof SendPasswordException ||
447                     e instanceof UserEmailAddressException) {
448 
449                     SessionErrors.add(request, e.getClass().getName());
450 
451                     return mapping.findForward("portal.login");
452                 }
453                 else {
454                     PortalUtil.sendError(e, request, response);
455 
456                     return null;
457                 }
458             }
459         }
460         else {
461             String authLoginURL = PortalUtil.getCommunityLoginURL(themeDisplay);
462 
463             if (Validator.isNull(authLoginURL)) {
464                 authLoginURL = PropsValues.AUTH_LOGIN_URL;
465             }
466 
467             if (Validator.isNotNull(authLoginURL)) {
468                 response.sendRedirect(authLoginURL);
469 
470                 return null;
471             }
472             else {
473                 return mapping.findForward("portal.login");
474             }
475         }
476     }
477 
478     protected void login(
479             HttpServletRequest request, HttpServletResponse response)
480         throws Exception {
481 
482         String login = ParamUtil.getString(request, "login").toLowerCase();
483         String password = ParamUtil.getString(
484             request, SessionParameters.get(request, "password"));
485         boolean rememberMe = ParamUtil.getBoolean(request, "rememberMe");
486 
487         login(request, response, login, password, rememberMe);
488     }
489 
490     private static Log _log = LogFactory.getLog(LoginAction.class);
491 
492 }