15 package com.liferay.portal.security.auth;
16
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.SetUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.service.permission.PortletPermissionUtil;
import com.liferay.portal.util.PortalUtil;
import com.liferay.portal.util.PropsUtil;
import com.liferay.util.PwdGenerator;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
33
34
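/**
 * {@link AuthToken} implementation backed by the HTTP session.
 *
 * <p>Tokens are kept in a {@code Map<String, String>} stored in the session
 * under {@link WebKeys#AUTHENTICATION_TOKEN}, one token per key: the fixed
 * {@code "PORTAL"} key for portal-level requests and a portlet primary key for
 * per-portlet tokens. A token is generated lazily the first time its key is
 * requested and then reused for the lifetime of the session.
 *
 * <p>Requests whose struts action is listed in
 * {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS} bypass the check entirely, so
 * that property is effectively an allow-list of unprotected actions.
 */
public class SessionAuthToken implements AuthToken {

	/**
	 * Loads the set of struts actions that are exempt from token checking.
	 */
	public SessionAuthToken() {
		_ignoreActions = SetUtil.fromArray(
			PropsUtil.getArray(PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS));
	}

	/**
	 * Verifies that the {@code p_auth} request parameter matches the
	 * portal-level token held in the session.
	 *
	 * <p>Ignored actions (see {@link #isIgnoreAction(HttpServletRequest)})
	 * return without any comparison. Note that reading the session token
	 * generates one if none exists yet, so a first request without
	 * {@code p_auth} always fails rather than matching an empty value.
	 *
	 * @param  request the current request
	 * @throws PrincipalException if the request token does not match the
	 *         session token
	 */
	public void check(HttpServletRequest request) throws PrincipalException {
		if (isIgnoreAction(request)) {
			return;
		}

		String requestAuthenticationToken = ParamUtil.getString(
			request, "p_auth");

		String sessionAuthenticationToken = getSessionAuthenticationToken(
			request, _PORTAL);

		// Constant-time comparison: String.equals short-circuits on the first
		// differing byte, which leaks how much of the token was guessed.
		if (!_isEqual(requestAuthenticationToken, sessionAuthenticationToken)) {
			throw new PrincipalException("Invalid authentication token");
		}
	}

	/**
	 * Returns the portal-level token for this session, creating it if needed.
	 *
	 * @param  request the current request
	 * @return the token stored under the {@code "PORTAL"} key
	 */
	public String getToken(HttpServletRequest request) {
		return getSessionAuthenticationToken(request, _PORTAL);
	}

	/**
	 * Returns the token for a specific portlet instance, creating it if needed.
	 *
	 * @param  request the current request
	 * @param  plid the layout (page) ID
	 * @param  portletId the portlet ID
	 * @return the token stored under the portlet's primary key
	 */
	public String getToken(
		HttpServletRequest request, long plid, String portletId) {

		return getSessionAuthenticationToken(
			request, PortletPermissionUtil.getPrimaryKey(plid, portletId));
	}

	/**
	 * Looks up the token stored under {@code key}, generating and storing a
	 * new one when the entry is missing or empty.
	 *
	 * <p>NOTE(review): token strength is whatever
	 * {@link PwdGenerator#getPassword()} provides; confirm it draws from
	 * {@code SecureRandom} since this value is the CSRF secret.
	 *
	 * @param  request the current request
	 * @param  key the map key ({@code "PORTAL"} or a portlet primary key)
	 * @return the existing or newly generated token
	 */
	protected String getSessionAuthenticationToken(
		HttpServletRequest request, String key) {

		Map<String, String> sessionAuthenticationTokensMap =
			getSessionAuthenticationTokensMap(request);

		String sessionAuthenticationToken = sessionAuthenticationTokensMap.get(
			key);

		if (Validator.isNull(sessionAuthenticationToken)) {
			sessionAuthenticationToken = PwdGenerator.getPassword();

			sessionAuthenticationTokensMap.put(key, sessionAuthenticationToken);
		}

		return sessionAuthenticationToken;
	}

	/**
	 * Returns the per-session token map, creating and storing an empty one on
	 * first use.
	 *
	 * <p>{@code request.getSession()} creates a session if none exists, so
	 * calling this always results in a session being associated with the
	 * client.
	 *
	 * @param  request the current request
	 * @return the mutable map of key to token held in the session
	 */
	protected Map<String, String> getSessionAuthenticationTokensMap(
		HttpServletRequest request) {

		HttpSession session = request.getSession();

		// The attribute is only ever written by this class with a
		// Map<String, String>, so the erased cast is safe.
		@SuppressWarnings("unchecked")
		Map<String, String> sessionAuthenticationTokensMap =
			(Map<String, String>)session.getAttribute(
				WebKeys.AUTHENTICATION_TOKEN);

		if (sessionAuthenticationTokensMap == null) {
			sessionAuthenticationTokensMap = new HashMap<String, String>();

			session.setAttribute(
				WebKeys.AUTHENTICATION_TOKEN, sessionAuthenticationTokensMap);
		}

		return sessionAuthenticationTokensMap;
	}

	/**
	 * Determines whether the request targets an exempt struts action.
	 *
	 * <p>The action name is read from the {@code struts_action} parameter in
	 * the namespace of the portlet identified by {@code p_p_id}.
	 *
	 * @param  request the current request
	 * @return {@code true} if the request's struts action is exempt
	 */
	protected boolean isIgnoreAction(HttpServletRequest request) {
		String ppid = ParamUtil.getString(request, "p_p_id");

		String portletNamespace = PortalUtil.getPortletNamespace(ppid);

		String strutsAction = ParamUtil.getString(
			request, portletNamespace + "struts_action");

		return isIgnoreAction(strutsAction);
	}

	/**
	 * Determines whether a struts action is listed in
	 * {@link PropsKeys#AUTH_TOKEN_IGNORE_ACTIONS}.
	 *
	 * @param  strutsAction the struts action name
	 * @return {@code true} if the action is exempt from token checking
	 */
	protected boolean isIgnoreAction(String strutsAction) {
		return _ignoreActions.contains(strutsAction);
	}

	/**
	 * Compares two tokens without short-circuiting on the first mismatch.
	 *
	 * <p>Null-safe: a {@code null} on either side never matches, which keeps
	 * the outcome identical to {@code String.equals} for the non-null case
	 * and avoids an NPE when the request value is absent.
	 *
	 * @param  expected the token held in the session
	 * @param  actual the token supplied by the request
	 * @return {@code true} only if both are non-null and byte-for-byte equal
	 */
	private static boolean _isEqual(String expected, String actual) {
		if ((expected == null) || (actual == null)) {
			return false;
		}

		// MessageDigest.isEqual is the JDK's constant-time array comparison;
		// the UTF-8 encoding is fixed so the result is platform-independent.
		return MessageDigest.isEqual(
			expected.getBytes(StandardCharsets.UTF_8),
			actual.getBytes(StandardCharsets.UTF_8));
	}

	private static final String _PORTAL = "PORTAL";

	private final Set<String> _ignoreActions;

}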