1   /**
2    * Copyright (c) 2000-2010 Liferay, Inc. All rights reserved.
3    *
4    * This library is free software; you can redistribute it and/or modify it under
5    * the terms of the GNU Lesser General Public License as published by the Free
6    * Software Foundation; either version 2.1 of the License, or (at your option)
7    * any later version.
8    *
9    * This library is distributed in the hope that it will be useful, but WITHOUT
10   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
11   * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
12   * details.
13   */
14  
15  package com.liferay.portal.security.auth;
16  
17  import com.liferay.portal.kernel.util.ParamUtil;
18  import com.liferay.portal.kernel.util.PropsKeys;
19  import com.liferay.portal.kernel.util.SetUtil;
20  import com.liferay.portal.kernel.util.Validator;
21  import com.liferay.portal.kernel.util.WebKeys;
22  import com.liferay.portal.service.permission.PortletPermissionUtil;
23  import com.liferay.portal.util.PortalUtil;
24  import com.liferay.portal.util.PropsUtil;
25  import com.liferay.util.PwdGenerator;
26  
27  import java.util.HashMap;
28  import java.util.Map;
29  import java.util.Set;
30  
31  import javax.servlet.http.HttpServletRequest;
32  import javax.servlet.http.HttpSession;
33  
34  /**
35   * <a href="SessionAuthToken.java.html"><b><i>View Source</i></b></a>
36   *
37   * @author Amos Fong
38   */
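public class SessionAuthToken implements AuthToken {

	/**
	 * Loads the set of struts actions that are exempt from token checking
	 * from the {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS} portal property.
	 */
	public SessionAuthToken() {
		_ignoreActions = SetUtil.fromArray(
			PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
	}

	/**
	 * Verifies that the <code>p_auth</code> request parameter matches the
	 * portal-wide token stored in the caller's session.
	 *
	 * <p>Requests whose struts action is in the ignore set pass without a
	 * token. For every other request the supplied value is compared with the
	 * session token in constant time, so the outcome does not leak how many
	 * leading characters the two values share. If the session holds no token
	 * yet, one is generated before comparing, which means a request that
	 * carries no token never matches.</p>
	 *
	 * @param  request the request to check
	 * @throws PrincipalException if the request token does not match the
	 *         session token
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		if (!_tokensMatch(
				requestAuthenticationToken, sessionAuthenticationToken)) {

			throw new PrincipalException("Invalid authentication token");
		}
	}

	/**
	 * Returns the portal-wide token for the caller's session, generating and
	 * storing one if the session does not have it yet.
	 *
	 * @param  request the current request
	 * @return the session token stored under the portal key
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token for a specific portlet instance in the caller's
	 * session, generating and storing one if it does not exist yet.
	 *
	 * @param  request the current request
	 * @param  plid the layout (page) ID the portlet is placed on
	 * @param  portletId the portlet ID
	 * @return the session token stored under the key built by
	 *         {@link PortletPermissionUtil#getPrimaryKey(long, String)}
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under <code>key</code> in the session token
	 * map, creating it with {@link PwdGenerator#getPassword()} when it is
	 * missing or blank.
	 *
	 * <p>NOTE(review): the entropy of the token is whatever
	 * <code>PwdGenerator.getPassword()</code> provides; confirm it is backed
	 * by a cryptographically secure random source.</p>
	 *
	 * @param  request the current request
	 * @param  key the map key to look up
	 * @return the existing or newly generated token, never <code>null</code>
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		Map<String, String> sessionAuthenticationTokensMap =
			getSessionAuthenticationTokensMap(request);

		String sessionAuthenticationToken = sessionAuthenticationTokensMap.get(
			key);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			sessionAuthenticationTokensMap.put(key, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns the per-session map of tokens, stored as the session attribute
	 * {@link WebKeys#AUTHENTICATION_TOKEN}, creating an empty map on first
	 * access.
	 *
	 * <p>NOTE(review): the map is a plain <code>HashMap</code> shared by all
	 * requests of one session; two concurrent requests that both miss a key
	 * may each generate a token. Confirm this is acceptable for the
	 * container in use.</p>
	 *
	 * @param  request the current request
	 * @return the session's token map, never <code>null</code>
	 */
	protected Map<String, String> getSessionAuthenticationTokensMap(
		HttpServletRequest request) {

		HttpSession session = request.getSession();

		// The attribute is only ever written by this class with a
		// Map<String, String>, so the unchecked cast is safe here.
		@SuppressWarnings("unchecked")
		Map<String, String> sessionAuthenticationTokensMap =
			(Map<String, String>)session.getAttribute(
				WebKeys.AUTHENTICATION_TOKEN);

		if (sessionAuthenticationTokensMap == null) {
			sessionAuthenticationTokensMap = new HashMap<String, String>();

			session.setAttribute(
				WebKeys.AUTHENTICATION_TOKEN, sessionAuthenticationTokensMap);
		}

		return sessionAuthenticationTokensMap;
	}

	/**
	 * Determines whether the request targets an ignored struts action. The
	 * action name is read from the <code>struts_action</code> parameter
	 * namespaced by the <code>p_p_id</code> portlet ID.
	 *
	 * @param  request the current request
	 * @return <code>true</code> if the request's struts action is ignored
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Determines whether a struts action is listed in the configured ignore
	 * set.
	 *
	 * @param  strutsAction the struts action name
	 * @return <code>true</code> if the action is exempt from token checking
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		return _ignoreActions.contains(strutsAction);
	}

	/**
	 * Compares two tokens without stopping at the first differing character,
	 * so that the time taken does not depend on where the supplied value
	 * diverges from the stored one. A length difference is folded into the
	 * result the same way; only the token length itself is observable.
	 *
	 * @param  requestToken the value supplied by the caller, may be
	 *         <code>null</code>
	 * @param  sessionToken the value stored in the session, may be
	 *         <code>null</code>
	 * @return <code>true</code> if both are non-<code>null</code> and equal
	 */
	private static boolean _tokensMatch(
		String requestToken, String sessionToken) {

		if ((requestToken == null) || (sessionToken == null)) {
			return false;
		}

		int requestLength = requestToken.length();
		int sessionLength = sessionToken.length();
		int commonLength = Math.min(requestLength, sessionLength);

		// Accumulate every difference into one value instead of returning
		// early, so the loop always runs over the shared prefix length.
		int difference = requestLength ^ sessionLength;

		for (int i = 0; i < commonLength; i++) {
			difference |= requestToken.charAt(i) ^ sessionToken.charAt(i);
		}

		return difference == 0;
	}

	private static final String _PORTAL = "PORTAL";

	private final Set<String> _ignoreActions;

}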