public static long getAuthenticatedUserId(
HttpServletRequest request, String login, String password, String authType)
throws PortalException, SystemException {
long userId = GetterUtil.getLong(login);
Company company = PortalUtil.getCompany(request);
String requestURI = request.getRequestURI();
if (requestURI.startsWith("/tunnel-web/liferay")
|| requestURI.startsWith("/tunnel-web/secure/liferay")) {
// Tunnel requests are serialized objects and cannot manipulate the
// request input stream in any way. Do not use the auth pipeline to
// authenticate tunnel requests.
long companyId = company.getCompanyId();
userId =
UserLocalServiceUtil.authenticateForBasic(
companyId, CompanyConstants.AUTH_TYPE_EA, login, password);
if (userId > 0) {
return userId;
}
userId =
UserLocalServiceUtil.authenticateForBasic(
companyId, CompanyConstants.AUTH_TYPE_SN, login, password);
if (userId > 0) {
return userId;
}
userId =
UserLocalServiceUtil.authenticateForBasic(
companyId, CompanyConstants.AUTH_TYPE_ID, login, password);
if (userId <= 0) {
throw new AuthException();
}
} else {
Map<String, String[]> headerMap = new HashMap<String, String[]>();
Enumeration<String> enu1 = request.getHeaderNames();
while (enu1.hasMoreElements()) {
String name = enu1.nextElement();
Enumeration<String> enu2 = request.getHeaders(name);
List<String> headers = new ArrayList<String>();
while (enu2.hasMoreElements()) {
String value = enu2.nextElement();
headers.add(value);
}
headerMap.put(name, headers.toArray(new String[headers.size()]));
}
Map<String, String[]> parameterMap = request.getParameterMap();
Map<String, Object> resultsMap = new HashMap<String, Object>();
if (Validator.isNull(authType)) {
authType = company.getAuthType();
}
int authResult = Authenticator.FAILURE;
if (authType.equals(CompanyConstants.AUTH_TYPE_EA)) {
authResult =
UserLocalServiceUtil.authenticateByEmailAddress(
company.getCompanyId(), login, password, headerMap, parameterMap, resultsMap);
userId = MapUtil.getLong(resultsMap, "userId", userId);
} else if (authType.equals(CompanyConstants.AUTH_TYPE_SN)) {
authResult =
UserLocalServiceUtil.authenticateByScreenName(
company.getCompanyId(), login, password, headerMap, parameterMap, resultsMap);
userId = MapUtil.getLong(resultsMap, "userId", userId);
} else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) {
authResult =
UserLocalServiceUtil.authenticateByUserId(
company.getCompanyId(), userId, password, headerMap, parameterMap, resultsMap);
}
if (authResult != Authenticator.SUCCESS) {
throw new AuthException();
}
}
return userId;
}
public static void login(
HttpServletRequest request,
HttpServletResponse response,
String login,
String password,
boolean rememberMe,
String authType)
throws Exception {
CookieKeys.validateSupportCookie(request);
HttpSession session = request.getSession();
Company company = PortalUtil.getCompany(request);
long userId = getAuthenticatedUserId(request, login, password, authType);
if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());
List<UserTracker> userTrackers = new ArrayList<UserTracker>(sessionUsers.values());
for (UserTracker userTracker : userTrackers) {
if (userId == userTracker.getUserId()) {
HttpSession userTrackerSession = PortalSessionContext.get(userTracker.getSessionId());
if (userTrackerSession != null) {
userTrackerSession.invalidate();
}
}
}
}
if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
// Invalidate the previous session to prevent phishing
String[] protectedAttributeNames = PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
Map<String, Object> protectedAttributes = new HashMap<String, Object>();
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = session.getAttribute(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
protectedAttributes.put(protectedAttributeName, protectedAttributeValue);
}
try {
session.invalidate();
} catch (IllegalStateException ise) {
// This only happens in Geronimo
if (_log.isWarnEnabled()) {
_log.warn(ise.getMessage());
}
}
session = request.getSession(true);
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = protectedAttributes.get(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
session.setAttribute(protectedAttributeName, protectedAttributeValue);
}
}
// Set cookies
String domain = CookieKeys.getDomain(request);
User user = UserLocalServiceUtil.getUserById(userId);
String userIdString = String.valueOf(userId);
session.setAttribute("j_username", userIdString);
session.setAttribute("j_password", user.getPassword());
session.setAttribute("j_remoteuser", userIdString);
if (PropsValues.SESSION_STORE_PASSWORD) {
session.setAttribute(WebKeys.USER_PASSWORD, password);
}
Cookie companyIdCookie =
new Cookie(CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
if (Validator.isNotNull(domain)) {
companyIdCookie.setDomain(domain);
}
companyIdCookie.setPath(StringPool.SLASH);
Cookie idCookie =
new Cookie(CookieKeys.ID, Encryptor.encrypt(company.getKeyObj(), userIdString));
if (Validator.isNotNull(domain)) {
idCookie.setDomain(domain);
}
idCookie.setPath(StringPool.SLASH);
Cookie passwordCookie =
new Cookie(CookieKeys.PASSWORD, Encryptor.encrypt(company.getKeyObj(), password));
if (Validator.isNotNull(domain)) {
passwordCookie.setDomain(domain);
}
passwordCookie.setPath(StringPool.SLASH);
Cookie rememberMeCookie = new Cookie(CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
if (Validator.isNotNull(domain)) {
rememberMeCookie.setDomain(domain);
}
rememberMeCookie.setPath(StringPool.SLASH);
int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
if (PropsValues.SESSION_DISABLED) {
rememberMe = true;
}
if (rememberMe) {
companyIdCookie.setMaxAge(loginMaxAge);
idCookie.setMaxAge(loginMaxAge);
passwordCookie.setMaxAge(loginMaxAge);
rememberMeCookie.setMaxAge(loginMaxAge);
} else {
// This was explicitly changed from 0 to -1 so that the cookie lasts
// as long as the browser. This allows an external servlet wrapped
// in AutoLoginFilter to work throughout the client connection. The
// cookies ARE removed on an actual logout, so there is no security
// issue. See LEP-4678 and LEP-5177.
companyIdCookie.setMaxAge(-1);
idCookie.setMaxAge(-1);
passwordCookie.setMaxAge(-1);
rememberMeCookie.setMaxAge(0);
}
Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
if (Validator.isNotNull(domain)) {
loginCookie.setDomain(domain);
}
loginCookie.setMaxAge(loginMaxAge);
loginCookie.setPath(StringPool.SLASH);
Cookie screenNameCookie =
new Cookie(
CookieKeys.SCREEN_NAME, Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
if (Validator.isNotNull(domain)) {
screenNameCookie.setDomain(domain);
}
screenNameCookie.setMaxAge(loginMaxAge);
screenNameCookie.setPath(StringPool.SLASH);
boolean secure = request.isSecure();
if (secure) {
Boolean httpsInitial = (Boolean) session.getAttribute(WebKeys.HTTPS_INITIAL);
if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
secure = false;
}
}
CookieKeys.addCookie(request, response, companyIdCookie, secure);
CookieKeys.addCookie(request, response, idCookie, secure);
if (rememberMe) {
CookieKeys.addCookie(request, response, passwordCookie, secure);
CookieKeys.addCookie(request, response, rememberMeCookie, secure);
CookieKeys.addCookie(request, response, loginCookie, secure);
CookieKeys.addCookie(request, response, screenNameCookie, secure);
}
}
