protected void invalidateSession(ActionRequest actionRequest) throws Exception {
String sessionId = ParamUtil.getString(actionRequest, "sessionId");
HttpSession userSession = PortalSessionContext.get(sessionId);
if (userSession != null) {
try {
if (!actionRequest.getPortletSession().getId().equals(sessionId)) {
userSession.invalidate();
}
} catch (Exception e) {
_log.error(e);
}
}
}
public static void login(
HttpServletRequest request,
HttpServletResponse response,
String login,
String password,
boolean rememberMe,
String authType)
throws Exception {
CookieKeys.validateSupportCookie(request);
HttpSession session = request.getSession();
Company company = PortalUtil.getCompany(request);
long userId = getAuthenticatedUserId(request, login, password, authType);
if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());
List<UserTracker> userTrackers = new ArrayList<UserTracker>(sessionUsers.values());
for (UserTracker userTracker : userTrackers) {
if (userId == userTracker.getUserId()) {
HttpSession userTrackerSession = PortalSessionContext.get(userTracker.getSessionId());
if (userTrackerSession != null) {
userTrackerSession.invalidate();
}
}
}
}
if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
// Invalidate the previous session to prevent phishing
String[] protectedAttributeNames = PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
Map<String, Object> protectedAttributes = new HashMap<String, Object>();
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = session.getAttribute(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
protectedAttributes.put(protectedAttributeName, protectedAttributeValue);
}
try {
session.invalidate();
} catch (IllegalStateException ise) {
// This only happens in Geronimo
if (_log.isWarnEnabled()) {
_log.warn(ise.getMessage());
}
}
session = request.getSession(true);
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = protectedAttributes.get(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
session.setAttribute(protectedAttributeName, protectedAttributeValue);
}
}
// Set cookies
String domain = CookieKeys.getDomain(request);
User user = UserLocalServiceUtil.getUserById(userId);
String userIdString = String.valueOf(userId);
session.setAttribute("j_username", userIdString);
session.setAttribute("j_password", user.getPassword());
session.setAttribute("j_remoteuser", userIdString);
if (PropsValues.SESSION_STORE_PASSWORD) {
session.setAttribute(WebKeys.USER_PASSWORD, password);
}
Cookie companyIdCookie =
new Cookie(CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
if (Validator.isNotNull(domain)) {
companyIdCookie.setDomain(domain);
}
companyIdCookie.setPath(StringPool.SLASH);
Cookie idCookie =
new Cookie(CookieKeys.ID, Encryptor.encrypt(company.getKeyObj(), userIdString));
if (Validator.isNotNull(domain)) {
idCookie.setDomain(domain);
}
idCookie.setPath(StringPool.SLASH);
Cookie passwordCookie =
new Cookie(CookieKeys.PASSWORD, Encryptor.encrypt(company.getKeyObj(), password));
if (Validator.isNotNull(domain)) {
passwordCookie.setDomain(domain);
}
passwordCookie.setPath(StringPool.SLASH);
Cookie rememberMeCookie = new Cookie(CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
if (Validator.isNotNull(domain)) {
rememberMeCookie.setDomain(domain);
}
rememberMeCookie.setPath(StringPool.SLASH);
int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
if (PropsValues.SESSION_DISABLED) {
rememberMe = true;
}
if (rememberMe) {
companyIdCookie.setMaxAge(loginMaxAge);
idCookie.setMaxAge(loginMaxAge);
passwordCookie.setMaxAge(loginMaxAge);
rememberMeCookie.setMaxAge(loginMaxAge);
} else {
// This was explicitly changed from 0 to -1 so that the cookie lasts
// as long as the browser. This allows an external servlet wrapped
// in AutoLoginFilter to work throughout the client connection. The
// cookies ARE removed on an actual logout, so there is no security
// issue. See LEP-4678 and LEP-5177.
companyIdCookie.setMaxAge(-1);
idCookie.setMaxAge(-1);
passwordCookie.setMaxAge(-1);
rememberMeCookie.setMaxAge(0);
}
Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
if (Validator.isNotNull(domain)) {
loginCookie.setDomain(domain);
}
loginCookie.setMaxAge(loginMaxAge);
loginCookie.setPath(StringPool.SLASH);
Cookie screenNameCookie =
new Cookie(
CookieKeys.SCREEN_NAME, Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
if (Validator.isNotNull(domain)) {
screenNameCookie.setDomain(domain);
}
screenNameCookie.setMaxAge(loginMaxAge);
screenNameCookie.setPath(StringPool.SLASH);
boolean secure = request.isSecure();
if (secure) {
Boolean httpsInitial = (Boolean) session.getAttribute(WebKeys.HTTPS_INITIAL);
if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
secure = false;
}
}
CookieKeys.addCookie(request, response, companyIdCookie, secure);
CookieKeys.addCookie(request, response, idCookie, secure);
if (rememberMe) {
CookieKeys.addCookie(request, response, passwordCookie, secure);
CookieKeys.addCookie(request, response, rememberMeCookie, secure);
CookieKeys.addCookie(request, response, loginCookie, secure);
CookieKeys.addCookie(request, response, screenNameCookie, secure);
}
}