Example #1
0
  @Override
  public String[] login(HttpServletRequest request, HttpServletResponse response)
      throws AutoLoginException {
    String emailId = request.getHeader(AUTH_EMAIL_VALUE);
    String extid = request.getHeader(AUTH_EXTID_VALUE);

    log.info("Attempting auto login for email: '" + emailId + "' and external id: '" + extid + "'");

    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
      String key = (String) headerNames.nextElement();
      String value = request.getHeader(key);
      log.debug(key + ":" + value);
    }

    if (emailId == null || emailId.isEmpty() || extid == null || extid.isEmpty()) {
      log.error("Empty credentials, auto login impossible.");
      return new String[] {};
    }
    long companyId = PortalUtil.getCompanyId(request);

    User user = null;
    try {
      user = UserLocalServiceUtil.getUserByEmailAddress(companyId, emailId);
    } catch (SystemException | PortalException e) {
      log.error(
          "Exception during get user by email: '"
              + emailId
              + "' and company id: '"
              + companyId
              + "'",
          e);
    }

    // If user was found by liferay
    if (user != null) {
      // Create a return credentials object
      return new String[] {
        String.valueOf(user.getUserId()),
        user.getPassword(), // Encrypted Liferay password
        Boolean.TRUE.toString() // True: password is encrypted
      };
    } else {
      log.error("Could not get user with email: '" + emailId + "'.");
      return new String[] {};
    }
  }
  public void testUpdateExisting() throws Exception {
    long pk = nextLong();

    User newUser = _persistence.create(pk);

    newUser.setUuid(randomString());
    newUser.setCompanyId(nextLong());
    newUser.setCreateDate(nextDate());
    newUser.setModifiedDate(nextDate());
    newUser.setDefaultUser(randomBoolean());
    newUser.setContactId(nextLong());
    newUser.setPassword(randomString());
    newUser.setPasswordEncrypted(randomBoolean());
    newUser.setPasswordReset(randomBoolean());
    newUser.setPasswordModifiedDate(nextDate());
    newUser.setDigest(randomString());
    newUser.setReminderQueryQuestion(randomString());
    newUser.setReminderQueryAnswer(randomString());
    newUser.setGraceLoginCount(nextInt());
    newUser.setScreenName(randomString());
    newUser.setEmailAddress(randomString());
    newUser.setFacebookId(nextLong());
    newUser.setOpenId(randomString());
    newUser.setPortraitId(nextLong());
    newUser.setLanguageId(randomString());
    newUser.setTimeZoneId(randomString());
    newUser.setGreeting(randomString());
    newUser.setComments(randomString());
    newUser.setFirstName(randomString());
    newUser.setMiddleName(randomString());
    newUser.setLastName(randomString());
    newUser.setJobTitle(randomString());
    newUser.setLoginDate(nextDate());
    newUser.setLoginIP(randomString());
    newUser.setLastLoginDate(nextDate());
    newUser.setLastLoginIP(randomString());
    newUser.setLastFailedLoginDate(nextDate());
    newUser.setFailedLoginAttempts(nextInt());
    newUser.setLockout(randomBoolean());
    newUser.setLockoutDate(nextDate());
    newUser.setAgreedToTermsOfUse(randomBoolean());
    newUser.setStatus(nextInt());

    _persistence.update(newUser, false);

    User existingUser = _persistence.findByPrimaryKey(newUser.getPrimaryKey());

    assertEquals(existingUser.getUuid(), newUser.getUuid());
    assertEquals(existingUser.getUserId(), newUser.getUserId());
    assertEquals(existingUser.getCompanyId(), newUser.getCompanyId());
    assertEquals(
        Time.getShortTimestamp(existingUser.getCreateDate()),
        Time.getShortTimestamp(newUser.getCreateDate()));
    assertEquals(
        Time.getShortTimestamp(existingUser.getModifiedDate()),
        Time.getShortTimestamp(newUser.getModifiedDate()));
    assertEquals(existingUser.getDefaultUser(), newUser.getDefaultUser());
    assertEquals(existingUser.getContactId(), newUser.getContactId());
    assertEquals(existingUser.getPassword(), newUser.getPassword());
    assertEquals(existingUser.getPasswordEncrypted(), newUser.getPasswordEncrypted());
    assertEquals(existingUser.getPasswordReset(), newUser.getPasswordReset());
    assertEquals(
        Time.getShortTimestamp(existingUser.getPasswordModifiedDate()),
        Time.getShortTimestamp(newUser.getPasswordModifiedDate()));
    assertEquals(existingUser.getDigest(), newUser.getDigest());
    assertEquals(existingUser.getReminderQueryQuestion(), newUser.getReminderQueryQuestion());
    assertEquals(existingUser.getReminderQueryAnswer(), newUser.getReminderQueryAnswer());
    assertEquals(existingUser.getGraceLoginCount(), newUser.getGraceLoginCount());
    assertEquals(existingUser.getScreenName(), newUser.getScreenName());
    assertEquals(existingUser.getEmailAddress(), newUser.getEmailAddress());
    assertEquals(existingUser.getFacebookId(), newUser.getFacebookId());
    assertEquals(existingUser.getOpenId(), newUser.getOpenId());
    assertEquals(existingUser.getPortraitId(), newUser.getPortraitId());
    assertEquals(existingUser.getLanguageId(), newUser.getLanguageId());
    assertEquals(existingUser.getTimeZoneId(), newUser.getTimeZoneId());
    assertEquals(existingUser.getGreeting(), newUser.getGreeting());
    assertEquals(existingUser.getComments(), newUser.getComments());
    assertEquals(existingUser.getFirstName(), newUser.getFirstName());
    assertEquals(existingUser.getMiddleName(), newUser.getMiddleName());
    assertEquals(existingUser.getLastName(), newUser.getLastName());
    assertEquals(existingUser.getJobTitle(), newUser.getJobTitle());
    assertEquals(
        Time.getShortTimestamp(existingUser.getLoginDate()),
        Time.getShortTimestamp(newUser.getLoginDate()));
    assertEquals(existingUser.getLoginIP(), newUser.getLoginIP());
    assertEquals(
        Time.getShortTimestamp(existingUser.getLastLoginDate()),
        Time.getShortTimestamp(newUser.getLastLoginDate()));
    assertEquals(existingUser.getLastLoginIP(), newUser.getLastLoginIP());
    assertEquals(
        Time.getShortTimestamp(existingUser.getLastFailedLoginDate()),
        Time.getShortTimestamp(newUser.getLastFailedLoginDate()));
    assertEquals(existingUser.getFailedLoginAttempts(), newUser.getFailedLoginAttempts());
    assertEquals(existingUser.getLockout(), newUser.getLockout());
    assertEquals(
        Time.getShortTimestamp(existingUser.getLockoutDate()),
        Time.getShortTimestamp(newUser.getLockoutDate()));
    assertEquals(existingUser.getAgreedToTermsOfUse(), newUser.getAgreedToTermsOfUse());
    assertEquals(existingUser.getStatus(), newUser.getStatus());
  }
Example #3
0
  public static void login(
      HttpServletRequest request,
      HttpServletResponse response,
      String login,
      String password,
      boolean rememberMe,
      String authType)
      throws Exception {

    CookieKeys.validateSupportCookie(request);

    HttpSession session = request.getSession();

    Company company = PortalUtil.getCompany(request);

    long userId = getAuthenticatedUserId(request, login, password, authType);

    if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
      Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());

      List<UserTracker> userTrackers = new ArrayList<UserTracker>(sessionUsers.values());

      for (UserTracker userTracker : userTrackers) {
        if (userId == userTracker.getUserId()) {
          HttpSession userTrackerSession = PortalSessionContext.get(userTracker.getSessionId());

          if (userTrackerSession != null) {
            userTrackerSession.invalidate();
          }
        }
      }
    }

    if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {

      // Invalidate the previous session to prevent phishing

      String[] protectedAttributeNames = PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;

      Map<String, Object> protectedAttributes = new HashMap<String, Object>();

      for (String protectedAttributeName : protectedAttributeNames) {
        Object protectedAttributeValue = session.getAttribute(protectedAttributeName);

        if (protectedAttributeValue == null) {
          continue;
        }

        protectedAttributes.put(protectedAttributeName, protectedAttributeValue);
      }

      try {
        session.invalidate();
      } catch (IllegalStateException ise) {

        // This only happens in Geronimo

        if (_log.isWarnEnabled()) {
          _log.warn(ise.getMessage());
        }
      }

      session = request.getSession(true);

      for (String protectedAttributeName : protectedAttributeNames) {
        Object protectedAttributeValue = protectedAttributes.get(protectedAttributeName);

        if (protectedAttributeValue == null) {
          continue;
        }

        session.setAttribute(protectedAttributeName, protectedAttributeValue);
      }
    }

    // Set cookies

    String domain = CookieKeys.getDomain(request);

    User user = UserLocalServiceUtil.getUserById(userId);

    String userIdString = String.valueOf(userId);

    session.setAttribute("j_username", userIdString);
    session.setAttribute("j_password", user.getPassword());
    session.setAttribute("j_remoteuser", userIdString);

    if (PropsValues.SESSION_STORE_PASSWORD) {
      session.setAttribute(WebKeys.USER_PASSWORD, password);
    }

    Cookie companyIdCookie =
        new Cookie(CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));

    if (Validator.isNotNull(domain)) {
      companyIdCookie.setDomain(domain);
    }

    companyIdCookie.setPath(StringPool.SLASH);

    Cookie idCookie =
        new Cookie(CookieKeys.ID, Encryptor.encrypt(company.getKeyObj(), userIdString));

    if (Validator.isNotNull(domain)) {
      idCookie.setDomain(domain);
    }

    idCookie.setPath(StringPool.SLASH);

    Cookie passwordCookie =
        new Cookie(CookieKeys.PASSWORD, Encryptor.encrypt(company.getKeyObj(), password));

    if (Validator.isNotNull(domain)) {
      passwordCookie.setDomain(domain);
    }

    passwordCookie.setPath(StringPool.SLASH);

    Cookie rememberMeCookie = new Cookie(CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());

    if (Validator.isNotNull(domain)) {
      rememberMeCookie.setDomain(domain);
    }

    rememberMeCookie.setPath(StringPool.SLASH);

    int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;

    if (PropsValues.SESSION_DISABLED) {
      rememberMe = true;
    }

    if (rememberMe) {
      companyIdCookie.setMaxAge(loginMaxAge);
      idCookie.setMaxAge(loginMaxAge);
      passwordCookie.setMaxAge(loginMaxAge);
      rememberMeCookie.setMaxAge(loginMaxAge);
    } else {

      // This was explicitly changed from 0 to -1 so that the cookie lasts
      // as long as the browser. This allows an external servlet wrapped
      // in AutoLoginFilter to work throughout the client connection. The
      // cookies ARE removed on an actual logout, so there is no security
      // issue. See LEP-4678 and LEP-5177.

      companyIdCookie.setMaxAge(-1);
      idCookie.setMaxAge(-1);
      passwordCookie.setMaxAge(-1);
      rememberMeCookie.setMaxAge(0);
    }

    Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);

    if (Validator.isNotNull(domain)) {
      loginCookie.setDomain(domain);
    }

    loginCookie.setMaxAge(loginMaxAge);
    loginCookie.setPath(StringPool.SLASH);

    Cookie screenNameCookie =
        new Cookie(
            CookieKeys.SCREEN_NAME, Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));

    if (Validator.isNotNull(domain)) {
      screenNameCookie.setDomain(domain);
    }

    screenNameCookie.setMaxAge(loginMaxAge);
    screenNameCookie.setPath(StringPool.SLASH);

    boolean secure = request.isSecure();

    if (secure) {
      Boolean httpsInitial = (Boolean) session.getAttribute(WebKeys.HTTPS_INITIAL);

      if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
        secure = false;
      }
    }

    CookieKeys.addCookie(request, response, companyIdCookie, secure);
    CookieKeys.addCookie(request, response, idCookie, secure);

    if (rememberMe) {
      CookieKeys.addCookie(request, response, passwordCookie, secure);
      CookieKeys.addCookie(request, response, rememberMeCookie, secure);
      CookieKeys.addCookie(request, response, loginCookie, secure);
      CookieKeys.addCookie(request, response, screenNameCookie, secure);
    }
  }