@Override
public String[] login(HttpServletRequest request, HttpServletResponse response)
throws AutoLoginException {
String emailId = request.getHeader(AUTH_EMAIL_VALUE);
String extid = request.getHeader(AUTH_EXTID_VALUE);
log.info("Attempting auto login for email: '" + emailId + "' and external id: '" + extid + "'");
Enumeration headerNames = request.getHeaderNames();
while (headerNames.hasMoreElements()) {
String key = (String) headerNames.nextElement();
String value = request.getHeader(key);
log.debug(key + ":" + value);
}
if (emailId == null || emailId.isEmpty() || extid == null || extid.isEmpty()) {
log.error("Empty credentials, auto login impossible.");
return new String[] {};
}
long companyId = PortalUtil.getCompanyId(request);
User user = null;
try {
user = UserLocalServiceUtil.getUserByEmailAddress(companyId, emailId);
} catch (SystemException | PortalException e) {
log.error(
"Exception during get user by email: '"
+ emailId
+ "' and company id: '"
+ companyId
+ "'",
e);
}
// If user was found by liferay
if (user != null) {
// Create a return credentials object
return new String[] {
String.valueOf(user.getUserId()),
user.getPassword(), // Encrypted Liferay password
Boolean.TRUE.toString() // True: password is encrypted
};
} else {
log.error("Could not get user with email: '" + emailId + "'.");
return new String[] {};
}
}
public void testUpdateExisting() throws Exception {
long pk = nextLong();
User newUser = _persistence.create(pk);
newUser.setUuid(randomString());
newUser.setCompanyId(nextLong());
newUser.setCreateDate(nextDate());
newUser.setModifiedDate(nextDate());
newUser.setDefaultUser(randomBoolean());
newUser.setContactId(nextLong());
newUser.setPassword(randomString());
newUser.setPasswordEncrypted(randomBoolean());
newUser.setPasswordReset(randomBoolean());
newUser.setPasswordModifiedDate(nextDate());
newUser.setDigest(randomString());
newUser.setReminderQueryQuestion(randomString());
newUser.setReminderQueryAnswer(randomString());
newUser.setGraceLoginCount(nextInt());
newUser.setScreenName(randomString());
newUser.setEmailAddress(randomString());
newUser.setFacebookId(nextLong());
newUser.setOpenId(randomString());
newUser.setPortraitId(nextLong());
newUser.setLanguageId(randomString());
newUser.setTimeZoneId(randomString());
newUser.setGreeting(randomString());
newUser.setComments(randomString());
newUser.setFirstName(randomString());
newUser.setMiddleName(randomString());
newUser.setLastName(randomString());
newUser.setJobTitle(randomString());
newUser.setLoginDate(nextDate());
newUser.setLoginIP(randomString());
newUser.setLastLoginDate(nextDate());
newUser.setLastLoginIP(randomString());
newUser.setLastFailedLoginDate(nextDate());
newUser.setFailedLoginAttempts(nextInt());
newUser.setLockout(randomBoolean());
newUser.setLockoutDate(nextDate());
newUser.setAgreedToTermsOfUse(randomBoolean());
newUser.setStatus(nextInt());
_persistence.update(newUser, false);
User existingUser = _persistence.findByPrimaryKey(newUser.getPrimaryKey());
assertEquals(existingUser.getUuid(), newUser.getUuid());
assertEquals(existingUser.getUserId(), newUser.getUserId());
assertEquals(existingUser.getCompanyId(), newUser.getCompanyId());
assertEquals(
Time.getShortTimestamp(existingUser.getCreateDate()),
Time.getShortTimestamp(newUser.getCreateDate()));
assertEquals(
Time.getShortTimestamp(existingUser.getModifiedDate()),
Time.getShortTimestamp(newUser.getModifiedDate()));
assertEquals(existingUser.getDefaultUser(), newUser.getDefaultUser());
assertEquals(existingUser.getContactId(), newUser.getContactId());
assertEquals(existingUser.getPassword(), newUser.getPassword());
assertEquals(existingUser.getPasswordEncrypted(), newUser.getPasswordEncrypted());
assertEquals(existingUser.getPasswordReset(), newUser.getPasswordReset());
assertEquals(
Time.getShortTimestamp(existingUser.getPasswordModifiedDate()),
Time.getShortTimestamp(newUser.getPasswordModifiedDate()));
assertEquals(existingUser.getDigest(), newUser.getDigest());
assertEquals(existingUser.getReminderQueryQuestion(), newUser.getReminderQueryQuestion());
assertEquals(existingUser.getReminderQueryAnswer(), newUser.getReminderQueryAnswer());
assertEquals(existingUser.getGraceLoginCount(), newUser.getGraceLoginCount());
assertEquals(existingUser.getScreenName(), newUser.getScreenName());
assertEquals(existingUser.getEmailAddress(), newUser.getEmailAddress());
assertEquals(existingUser.getFacebookId(), newUser.getFacebookId());
assertEquals(existingUser.getOpenId(), newUser.getOpenId());
assertEquals(existingUser.getPortraitId(), newUser.getPortraitId());
assertEquals(existingUser.getLanguageId(), newUser.getLanguageId());
assertEquals(existingUser.getTimeZoneId(), newUser.getTimeZoneId());
assertEquals(existingUser.getGreeting(), newUser.getGreeting());
assertEquals(existingUser.getComments(), newUser.getComments());
assertEquals(existingUser.getFirstName(), newUser.getFirstName());
assertEquals(existingUser.getMiddleName(), newUser.getMiddleName());
assertEquals(existingUser.getLastName(), newUser.getLastName());
assertEquals(existingUser.getJobTitle(), newUser.getJobTitle());
assertEquals(
Time.getShortTimestamp(existingUser.getLoginDate()),
Time.getShortTimestamp(newUser.getLoginDate()));
assertEquals(existingUser.getLoginIP(), newUser.getLoginIP());
assertEquals(
Time.getShortTimestamp(existingUser.getLastLoginDate()),
Time.getShortTimestamp(newUser.getLastLoginDate()));
assertEquals(existingUser.getLastLoginIP(), newUser.getLastLoginIP());
assertEquals(
Time.getShortTimestamp(existingUser.getLastFailedLoginDate()),
Time.getShortTimestamp(newUser.getLastFailedLoginDate()));
assertEquals(existingUser.getFailedLoginAttempts(), newUser.getFailedLoginAttempts());
assertEquals(existingUser.getLockout(), newUser.getLockout());
assertEquals(
Time.getShortTimestamp(existingUser.getLockoutDate()),
Time.getShortTimestamp(newUser.getLockoutDate()));
assertEquals(existingUser.getAgreedToTermsOfUse(), newUser.getAgreedToTermsOfUse());
assertEquals(existingUser.getStatus(), newUser.getStatus());
}
public static void login(
HttpServletRequest request,
HttpServletResponse response,
String login,
String password,
boolean rememberMe,
String authType)
throws Exception {
CookieKeys.validateSupportCookie(request);
HttpSession session = request.getSession();
Company company = PortalUtil.getCompany(request);
long userId = getAuthenticatedUserId(request, login, password, authType);
if (!PropsValues.AUTH_SIMULTANEOUS_LOGINS) {
Map<String, UserTracker> sessionUsers = LiveUsers.getSessionUsers(company.getCompanyId());
List<UserTracker> userTrackers = new ArrayList<UserTracker>(sessionUsers.values());
for (UserTracker userTracker : userTrackers) {
if (userId == userTracker.getUserId()) {
HttpSession userTrackerSession = PortalSessionContext.get(userTracker.getSessionId());
if (userTrackerSession != null) {
userTrackerSession.invalidate();
}
}
}
}
if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
// Invalidate the previous session to prevent phishing
String[] protectedAttributeNames = PropsValues.SESSION_PHISHING_PROTECTED_ATTRIBUTES;
Map<String, Object> protectedAttributes = new HashMap<String, Object>();
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = session.getAttribute(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
protectedAttributes.put(protectedAttributeName, protectedAttributeValue);
}
try {
session.invalidate();
} catch (IllegalStateException ise) {
// This only happens in Geronimo
if (_log.isWarnEnabled()) {
_log.warn(ise.getMessage());
}
}
session = request.getSession(true);
for (String protectedAttributeName : protectedAttributeNames) {
Object protectedAttributeValue = protectedAttributes.get(protectedAttributeName);
if (protectedAttributeValue == null) {
continue;
}
session.setAttribute(protectedAttributeName, protectedAttributeValue);
}
}
// Set cookies
String domain = CookieKeys.getDomain(request);
User user = UserLocalServiceUtil.getUserById(userId);
String userIdString = String.valueOf(userId);
session.setAttribute("j_username", userIdString);
session.setAttribute("j_password", user.getPassword());
session.setAttribute("j_remoteuser", userIdString);
if (PropsValues.SESSION_STORE_PASSWORD) {
session.setAttribute(WebKeys.USER_PASSWORD, password);
}
Cookie companyIdCookie =
new Cookie(CookieKeys.COMPANY_ID, String.valueOf(company.getCompanyId()));
if (Validator.isNotNull(domain)) {
companyIdCookie.setDomain(domain);
}
companyIdCookie.setPath(StringPool.SLASH);
Cookie idCookie =
new Cookie(CookieKeys.ID, Encryptor.encrypt(company.getKeyObj(), userIdString));
if (Validator.isNotNull(domain)) {
idCookie.setDomain(domain);
}
idCookie.setPath(StringPool.SLASH);
Cookie passwordCookie =
new Cookie(CookieKeys.PASSWORD, Encryptor.encrypt(company.getKeyObj(), password));
if (Validator.isNotNull(domain)) {
passwordCookie.setDomain(domain);
}
passwordCookie.setPath(StringPool.SLASH);
Cookie rememberMeCookie = new Cookie(CookieKeys.REMEMBER_ME, Boolean.TRUE.toString());
if (Validator.isNotNull(domain)) {
rememberMeCookie.setDomain(domain);
}
rememberMeCookie.setPath(StringPool.SLASH);
int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;
if (PropsValues.SESSION_DISABLED) {
rememberMe = true;
}
if (rememberMe) {
companyIdCookie.setMaxAge(loginMaxAge);
idCookie.setMaxAge(loginMaxAge);
passwordCookie.setMaxAge(loginMaxAge);
rememberMeCookie.setMaxAge(loginMaxAge);
} else {
// This was explicitly changed from 0 to -1 so that the cookie lasts
// as long as the browser. This allows an external servlet wrapped
// in AutoLoginFilter to work throughout the client connection. The
// cookies ARE removed on an actual logout, so there is no security
// issue. See LEP-4678 and LEP-5177.
companyIdCookie.setMaxAge(-1);
idCookie.setMaxAge(-1);
passwordCookie.setMaxAge(-1);
rememberMeCookie.setMaxAge(0);
}
Cookie loginCookie = new Cookie(CookieKeys.LOGIN, login);
if (Validator.isNotNull(domain)) {
loginCookie.setDomain(domain);
}
loginCookie.setMaxAge(loginMaxAge);
loginCookie.setPath(StringPool.SLASH);
Cookie screenNameCookie =
new Cookie(
CookieKeys.SCREEN_NAME, Encryptor.encrypt(company.getKeyObj(), user.getScreenName()));
if (Validator.isNotNull(domain)) {
screenNameCookie.setDomain(domain);
}
screenNameCookie.setMaxAge(loginMaxAge);
screenNameCookie.setPath(StringPool.SLASH);
boolean secure = request.isSecure();
if (secure) {
Boolean httpsInitial = (Boolean) session.getAttribute(WebKeys.HTTPS_INITIAL);
if ((httpsInitial == null) || !httpsInitial.booleanValue()) {
secure = false;
}
}
CookieKeys.addCookie(request, response, companyIdCookie, secure);
CookieKeys.addCookie(request, response, idCookie, secure);
if (rememberMe) {
CookieKeys.addCookie(request, response, passwordCookie, secure);
CookieKeys.addCookie(request, response, rememberMeCookie, secure);
CookieKeys.addCookie(request, response, loginCookie, secure);
CookieKeys.addCookie(request, response, screenNameCookie, secure);
}
}
