Beispiel #1
0
  public static long getAuthenticatedUserId(
      HttpServletRequest request, String login, String password, String authType)
      throws PortalException, SystemException {

    long userId = GetterUtil.getLong(login);

    Company company = PortalUtil.getCompany(request);

    String requestURI = request.getRequestURI();

    if (requestURI.startsWith("/tunnel-web/liferay")
        || requestURI.startsWith("/tunnel-web/secure/liferay")) {

      // Tunnel requests are serialized objects and cannot manipulate the
      // request input stream in any way. Do not use the auth pipeline to
      // authenticate tunnel requests.

      long companyId = company.getCompanyId();

      userId =
          UserLocalServiceUtil.authenticateForBasic(
              companyId, CompanyConstants.AUTH_TYPE_EA, login, password);

      if (userId > 0) {
        return userId;
      }

      userId =
          UserLocalServiceUtil.authenticateForBasic(
              companyId, CompanyConstants.AUTH_TYPE_SN, login, password);

      if (userId > 0) {
        return userId;
      }

      userId =
          UserLocalServiceUtil.authenticateForBasic(
              companyId, CompanyConstants.AUTH_TYPE_ID, login, password);

      if (userId <= 0) {
        throw new AuthException();
      }
    } else {
      Map<String, String[]> headerMap = new HashMap<String, String[]>();

      Enumeration<String> enu1 = request.getHeaderNames();

      while (enu1.hasMoreElements()) {
        String name = enu1.nextElement();

        Enumeration<String> enu2 = request.getHeaders(name);

        List<String> headers = new ArrayList<String>();

        while (enu2.hasMoreElements()) {
          String value = enu2.nextElement();

          headers.add(value);
        }

        headerMap.put(name, headers.toArray(new String[headers.size()]));
      }

      Map<String, String[]> parameterMap = request.getParameterMap();
      Map<String, Object> resultsMap = new HashMap<String, Object>();

      if (Validator.isNull(authType)) {
        authType = company.getAuthType();
      }

      int authResult = Authenticator.FAILURE;

      if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
        authResult =
            UserLocalServiceUtil.authenticateByEmailAddress(
                company.getCompanyId(), login, password, headerMap, parameterMap, resultsMap);

        userId = MapUtil.getLong(resultsMap, "userId", userId);
      } else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
        authResult =
            UserLocalServiceUtil.authenticateByScreenName(
                company.getCompanyId(), login, password, headerMap, parameterMap, resultsMap);

        userId = MapUtil.getLong(resultsMap, "userId", userId);
      } else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
        authResult =
            UserLocalServiceUtil.authenticateByUserId(
                company.getCompanyId(), userId, password, headerMap, parameterMap, resultsMap);
      }

      if (authResult != Authenticator.SUCCESS) {
        throw new AuthException();
      }
    }

    return userId;
  }
Beispiel #2
0
  public static void login(
      HttpServletRequest request,
      HttpServletResponse response,
      String login,
      String password,
      boolean rememberMe,
      String authType)
      throws Exception {

    CookieKeys.validateSupportCookie(request);

    HttpSession session = request.getSession();

    Company company = PortalUtil.getCompany(request);

    long userId = getAuthenticatedUserId(request, login, password, authType);

    if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
      Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());

      List<UserTracker> userTrackers = new ArrayList<UserTracker>(sessionUsers.values());

      for (UserTracker userTracker : userTrackers) {
        if (userId == userTracker.getUserId()) {
          HttpSession userTrackerSession = PortalSessionContext.get(userTracker.getSessionId());

          if (userTrackerSession != null) {
            userTrackerSession.invalidate();
          }
        }
      }
    }

    if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {

      // Invalidate the previous session to prevent phishing

      String[] protectedAttributeNames = PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;

      Map<String, Object> protectedAttributes = new HashMap<String, Object>();

      for (String protectedAttributeName : protectedAttributeNames) {
        Object protectedAttributeValue = session.getAttribute(protectedAttributeName);

        if (protectedAttributeValue == null) {
          continue;
        }

        protectedAttributes.put(protectedAttributeName, protectedAttributeValue);
      }

      try {
        session.invalidate();
      } catch (IllegalStateException ise) {

        // This only happens in Geronimo

        if (_log.isWarnEnabled()) {
          _log.warn(ise.getMessage());
        }
      }

      session = request.getSession(true);

      for (String protectedAttributeName : protectedAttributeNames) {
        Object protectedAttributeValue = protectedAttributes.get(protectedAttributeName);

        if (protectedAttributeValue == null) {
          continue;
        }

        session.setAttribute(protectedAttributeName, protectedAttributeValue);
      }
    }

    // Set cookies

    String domain = CookieKeys.getDomain(request);

    User user = UserLocalServiceUtil.getUserById(userId);

    String userIdString = String.valueOf(userId);

    session.setAttribute("j_username", userIdString);
    session.setAttribute("j_password", user.getPassword());
    session.setAttribute("j_remoteuser", userIdString);

    if (PropsValues.SESSION_STORE_PASSWORD) {
      session.setAttribute(WebKeys.USER_PASSWORD, password);
    }

    Cookie companyIdCookie =
        new Cookie(CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));

    if (Validator.isNotNull(domain)) {
      companyIdCookie.setDomain(domain);
    }

    companyIdCookie.setPath(StringPool.SLASH);

    Cookie idCookie =
        new Cookie(CookieKeys.ID, Encryptor.encrypt(company.getKeyObj(), userIdString));

    if (Validator.isNotNull(domain)) {
      idCookie.setDomain(domain);
    }

    idCookie.setPath(StringPool.SLASH);

    Cookie passwordCookie =
        new Cookie(CookieKeys.PASSWORD, Encryptor.encrypt(company.getKeyObj(), password));

    if (Validator.isNotNull(domain)) {
      passwordCookie.setDomain(domain);
    }

    passwordCookie.setPath(StringPool.SLASH);

    Cookie rememberMeCookie = new Cookie(CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());

    if (Validator.isNotNull(domain)) {
      rememberMeCookie.setDomain(domain);
    }

    rememberMeCookie.setPath(StringPool.SLASH);

    int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;

    if (PropsValues.SESSION_DISABLED) {
      rememberMe = true;
    }

    if (rememberMe) {
      companyIdCookie.setMaxAge(loginMaxAge);
      idCookie.setMaxAge(loginMaxAge);
      passwordCookie.setMaxAge(loginMaxAge);
      rememberMeCookie.setMaxAge(loginMaxAge);
    } else {

      // This was explicitly changed from 0 to -1 so that the cookie lasts
      // as long as the browser. This allows an external servlet wrapped
      // in AutoLoginFilter to work throughout the client connection. The
      // cookies ARE removed on an actual logout, so there is no security
      // issue. See LEP-4678 and LEP-5177.

      companyIdCookie.setMaxAge(-1);
      idCookie.setMaxAge(-1);
      passwordCookie.setMaxAge(-1);
      rememberMeCookie.setMaxAge(0);
    }

    Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);

    if (Validator.isNotNull(domain)) {
      loginCookie.setDomain(domain);
    }

    loginCookie.setMaxAge(loginMaxAge);
    loginCookie.setPath(StringPool.SLASH);

    Cookie screenNameCookie =
        new Cookie(
            CookieKeys.SCREEN_NAME, Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));

    if (Validator.isNotNull(domain)) {
      screenNameCookie.setDomain(domain);
    }

    screenNameCookie.setMaxAge(loginMaxAge);
    screenNameCookie.setPath(StringPool.SLASH);

    boolean secure = request.isSecure();

    if (secure) {
      Boolean httpsInitial = (Boolean) session.getAttribute(WebKeys.HTTPS_INITIAL);

      if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
        secure = false;
      }
    }

    CookieKeys.addCookie(request, response, companyIdCookie, secure);
    CookieKeys.addCookie(request, response, idCookie, secure);

    if (rememberMe) {
      CookieKeys.addCookie(request, response, passwordCookie, secure);
      CookieKeys.addCookie(request, response, rememberMeCookie, secure);
      CookieKeys.addCookie(request, response, loginCookie, secure);
      CookieKeys.addCookie(request, response, screenNameCookie, secure);
    }
  }