PageRenderTime 60ms CodeModel.GetById 36ms RepoModel.GetById 0ms app.codeStats 1ms

/modules/apps/archived/portal-security-sso-cas-impl/src/main/java/com/liferay/portal/security/sso/cas/internal/servlet/filter/CASFilter.java

https://github.com/danielreuther/liferay-portal
Java | 296 lines | 186 code | 64 blank | 46 comment | 14 complexity | 57444e129188913aa7824a38f3983e1f MD5 | raw file
    

  1. /**
    2. 

  2.  * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
    3. 

  3.  *
    4. 

  4.  * This library is free software; you can redistribute it and/or modify it under
    5. 

  5.  * the terms of the GNU Lesser General Public License as published by the Free
    6. 

  6.  * Software Foundation; either version 2.1 of the License, or (at your option)
    7. 

  7.  * any later version.
    8. 

  8.  *
    9. 

  9.  * This library is distributed in the hope that it will be useful, but WITHOUT
    10. 

  10.  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
    11. 

  11.  * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
    12. 

  12.  * details.
    13. 

  13.  */
    14. 

  14. 

  15. package com.liferay.portal.security.sso.cas.internal.servlet.filter;
    16. 

  16. 

  17. import com.liferay.portal.kernel.exception.PortalException;
    18. 

  18. import com.liferay.portal.kernel.log.Log;
    19. 

  19. import com.liferay.portal.kernel.log.LogFactoryUtil;
    20. 

  20. import com.liferay.portal.kernel.module.configuration.ConfigurationProvider;
    21. 

  21. import com.liferay.portal.kernel.servlet.BaseFilter;
    22. 

  22. import com.liferay.portal.kernel.settings.CompanyServiceSettingsLocator;
    23. 

  23. import com.liferay.portal.kernel.util.HashMapBuilder;
    24. 

  24. import com.liferay.portal.kernel.util.HttpComponentsUtil;
    25. 

  25. import com.liferay.portal.kernel.util.ParamUtil;
    26. 

  26. import com.liferay.portal.kernel.util.Portal;
    27. 

  27. import com.liferay.portal.kernel.util.Validator;
    28. 

  28. import com.liferay.portal.security.sso.cas.configuration.CASConfiguration;
    29. 

  29. import com.liferay.portal.security.sso.cas.constants.CASConstants;
    30. 

  30. import com.liferay.portal.security.sso.cas.internal.constants.CASWebKeys;
    31. 

  31. 

  32. import java.util.Map;
    33. 

  33. import java.util.concurrent.ConcurrentHashMap;
    34. 

  34. 

  35. import javax.servlet.Filter;
    36. 

  36. import javax.servlet.FilterChain;
    37. 

  37. import javax.servlet.http.HttpServletRequest;
    38. 

  38. import javax.servlet.http.HttpServletResponse;
    39. 

  39. import javax.servlet.http.HttpSession;
    40. 

  40. 

  41. import org.jasig.cas.client.authentication.AttributePrincipal;
    42. 

  42. import org.jasig.cas.client.util.CommonUtils;
    43. 

  43. import org.jasig.cas.client.validation.Assertion;
    44. 

  44. import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
    45. 

  45. import org.jasig.cas.client.validation.TicketValidationException;
    46. 

  46. import org.jasig.cas.client.validation.TicketValidator;
    47. 

  47. 

  48. import org.osgi.service.component.annotations.Component;
    49. 

  49. import org.osgi.service.component.annotations.Reference;
    50. 

  50. 

  51. /**
    52. 

  52.  * Participates in every login and logout that triggers an HTTP request to
    53. 

  53.  * Liferay Portal.
    54. 

  54.  *
    55. 

  55.  * <p>
    56. 

  56.  * This class checks if the HTTP session attribute <code>CAS_FORCE_LOGOUT</code>
    57. 

  57.  * is set by CASAutoLogin and, if so, redirects the browser to the configured
    58. 

  58.  * CAS Logout URL.
    59. 

  59.  * </p>
    60. 

  60.  *
    61. 

  61.  * <p>
    62. 

  62.  * Next, if the session attribute <code>CAS_LOGIN</code> has not already been
    63. 

  63.  * set and no ticket parameter is received via the HTTP servlet request, the CAS
    64. 

  64.  * server login URL is constructed based on the configuration of the Login URL,
    65. 

  65.  * the Server name, and the Service URL and the browser is redirected to this
    66. 

  66.  * URL. If a ticket parameter was received, it will be validated.
    67. 

  67.  * </p>
    68. 

  68.  *
    69. 

  69.  * <p>
    70. 

  70.  * Validation includes sending a SAML request containing the ticket to the CAS
    71. 

  71.  * server, and in return receiving an assertion of user attributes. However,
    72. 

  72.  * only the principal attribute is used and it is set as the session attribute
    73. 

  73.  * <code>CAS_LOGIN</code> as mentioned earlier. It is important that the CAS
    74. 

  74.  * server issues a principal of the same type that the portal instance is
    75. 

  75.  * configured to use (e.g., screen name versus email address).
    76. 

  76.  * </p>
    77. 

  77.  *
    78. 

  78.  * @author Michael Young
    79. 

  79.  * @author Brian Wing Shun Chan
    80. 

  80.  * @author Raymond Augé
    81. 

  81.  * @author Tina Tian
    82. 

  82.  * @author Zsolt Balogh
    83. 

  83.  */
    84. 

  84. @Component(
    85. 

  85. 	configurationPid = "com.liferay.portal.security.sso.cas.configuration.CASConfiguration",
    86. 

  86. 	immediate = true,
    87. 

  87. 	property = {
    88. 

  88. 		"before-filter=Auto Login Filter", "dispatcher=FORWARD",
    89. 

  89. 		"dispatcher=REQUEST", "servlet-context-name=",
    90. 

  90. 		"servlet-filter-name=SSO CAS Filter", "url-pattern=/c/portal/login",
    91. 

  91. 		"url-pattern=/c/portal/logout"
    92. 

  92. 	},
    93. 

  93. 	service = Filter.class
    94. 

  94. )
    95. 

  95. public class CASFilter extends BaseFilter {
    96. 

  96. 

  97. 	public static void reload(long companyId) {
    98. 

  98. 		_ticketValidators.remove(companyId);
    99. 

  99. 	}
    100. 

  100. 

  101. 	@Override
    102. 

  102. 	public boolean isFilterEnabled(
    103. 

  103. 		HttpServletRequest httpServletRequest,
    104. 

  104. 		HttpServletResponse httpServletResponse) {
    105. 

  105. 

  106. 		try {
    107. 

  107. 			CASConfiguration casConfiguration =
    108. 

  108. 				_configurationProvider.getConfiguration(
    109. 

  109. 					CASConfiguration.class,
    110. 

  110. 					new CompanyServiceSettingsLocator(
    111. 

  111. 						_portal.getCompanyId(httpServletRequest),
    112. 

  112. 						CASConstants.SERVICE_NAME));
    113. 

  113. 

  114. 			if (casConfiguration.enabled()) {
    115. 

  115. 				return true;
    116. 

  116. 			}
    117. 

  117. 		}
    118. 

  118. 		catch (Exception exception) {
    119. 

  119. 			_log.error(exception);
    120. 

  120. 		}
    121. 

  121. 

  122. 		return false;
    123. 

  123. 	}
    124. 

  124. 

  125. 	@Override
    126. 

  126. 	protected Log getLog() {
    127. 

  127. 		return _log;
    128. 

  128. 	}
    129. 

  129. 

  130. 	@Override
    131. 

  131. 	protected void processFilter(
    132. 

  132. 			HttpServletRequest httpServletRequest,
    133. 

  133. 			HttpServletResponse httpServletResponse, FilterChain filterChain)
    134. 

  134. 		throws Exception {
    135. 

  135. 

  136. 		HttpSession httpSession = httpServletRequest.getSession();
    137. 

  137. 

  138. 		long companyId = _portal.getCompanyId(httpServletRequest);
    139. 

  139. 

  140. 		CASConfiguration casConfiguration =
    141. 

  141. 			_configurationProvider.getConfiguration(
    142. 

  142. 				CASConfiguration.class,
    143. 

  143. 				new CompanyServiceSettingsLocator(
    144. 

  144. 					companyId, CASConstants.SERVICE_NAME));
    145. 

  145. 

  146. 		Object forceLogout = httpSession.getAttribute(
    147. 

  147. 			CASWebKeys.CAS_FORCE_LOGOUT);
    148. 

  148. 

  149. 		if (forceLogout != null) {
    150. 

  150. 			httpSession.removeAttribute(CASWebKeys.CAS_FORCE_LOGOUT);
    151. 

  151. 

  152. 			String logoutUrl = casConfiguration.logoutURL();
    153. 

  153. 

  154. 			httpServletResponse.sendRedirect(logoutUrl);
    155. 

  155. 

  156. 			return;
    157. 

  157. 		}
    158. 

  158. 

  159. 		String pathInfo = httpServletRequest.getPathInfo();
    160. 

  160. 

  161. 		if (Validator.isNotNull(pathInfo) &&
    162. 

  162. 			pathInfo.contains("/portal/logout")) {
    163. 

  163. 

  164. 			httpSession.invalidate();
    165. 

  165. 

  166. 			String logoutUrl = casConfiguration.logoutURL();
    167. 

  167. 

  168. 			httpServletResponse.sendRedirect(logoutUrl);
    169. 

  169. 

  170. 			return;
    171. 

  171. 		}
    172. 

  172. 

  173. 		String login = (String)httpSession.getAttribute(CASWebKeys.CAS_LOGIN);
    174. 

  174. 

  175. 		if (Validator.isNotNull(login)) {
    176. 

  176. 			processFilter(
    177. 

  177. 				CASFilter.class.getName(), httpServletRequest,
    178. 

  178. 				httpServletResponse, filterChain);
    179. 

  179. 

  180. 			return;
    181. 

  181. 		}
    182. 

  182. 

  183. 		String serverName = casConfiguration.serverName();
    184. 

  184. 

  185. 		String serviceURL = casConfiguration.serviceURL();
    186. 

  186. 

  187. 		if (Validator.isNull(serviceURL)) {
    188. 

  188. 			serviceURL = CommonUtils.constructServiceUrl(
    189. 

  189. 				httpServletRequest, httpServletResponse, serviceURL, serverName,
    190. 

  190. 				"service", "ticket", true);
    191. 

  191. 		}
    192. 

  192. 

  193. 		String ticket = ParamUtil.getString(httpServletRequest, "ticket");
    194. 

  194. 

  195. 		if (Validator.isNull(ticket)) {
    196. 

  196. 			String loginUrl = casConfiguration.loginURL();
    197. 

  197. 

  198. 			loginUrl = HttpComponentsUtil.addParameter(
    199. 

  199. 				loginUrl, "service", serviceURL);
    200. 

  200. 

  201. 			httpServletResponse.sendRedirect(loginUrl);
    202. 

  202. 

  203. 			return;
    204. 

  204. 		}
    205. 

  205. 

  206. 		TicketValidator ticketValidator = _getTicketValidator(companyId);
    207. 

  207. 

  208. 		Assertion assertion = null;
    209. 

  209. 

  210. 		try {
    211. 

  211. 			assertion = ticketValidator.validate(ticket, serviceURL);
    212. 

  212. 		}
    213. 

  213. 		catch (TicketValidationException ticketValidationException) {
    214. 

  214. 			if (_log.isDebugEnabled()) {
    215. 

  215. 				_log.debug(ticketValidationException);
    216. 

  216. 			}
    217. 

  217. 			else if (_log.isInfoEnabled()) {
    218. 

  218. 				_log.info(ticketValidationException);
    219. 

  219. 			}
    220. 

  220. 

  221. 			_portal.sendError(
    222. 

  222. 				new PortalException(
    223. 

  223. 					"Unable to validate CAS ticket: " + ticket,
    224. 

  224. 					ticketValidationException),
    225. 

  225. 				httpServletRequest, httpServletResponse);
    226. 

  226. 

  227. 			return;
    228. 

  228. 		}
    229. 

  229. 

  230. 		if (assertion != null) {
    231. 

  231. 			AttributePrincipal attributePrincipal = assertion.getPrincipal();
    232. 

  232. 

  233. 			login = attributePrincipal.getName();
    234. 

  234. 

  235. 			httpSession.setAttribute(CASWebKeys.CAS_LOGIN, login);
    236. 

  236. 		}
    237. 

  237. 

  238. 		processFilter(
    239. 

  239. 			CASFilter.class.getName(), httpServletRequest, httpServletResponse,
    240. 

  240. 			filterChain);
    241. 

  241. 	}
    242. 

  242. 

  243. 	@Reference(unbind = "-")
    244. 

  244. 	protected void setConfigurationProvider(
    245. 

  245. 		ConfigurationProvider configurationProvider) {
    246. 

  246. 

  247. 		_configurationProvider = configurationProvider;
    248. 

  248. 	}
    249. 

  249. 

  250. 	private TicketValidator _getTicketValidator(long companyId)
    251. 

  251. 		throws Exception {
    252. 

  252. 

  253. 		TicketValidator ticketValidator = _ticketValidators.get(companyId);
    254. 

  254. 

  255. 		if (ticketValidator != null) {
    256. 

  256. 			return ticketValidator;
    257. 

  257. 		}
    258. 

  258. 

  259. 		CASConfiguration casConfiguration =
    260. 

  260. 			_configurationProvider.getConfiguration(
    261. 

  261. 				CASConfiguration.class,
    262. 

  262. 				new CompanyServiceSettingsLocator(
    263. 

  263. 					companyId, CASConstants.SERVICE_NAME));
    264. 

  264. 

  265. 		String serverUrl = casConfiguration.serverURL();
    266. 

  266. 

  267. 		Cas20ProxyTicketValidator cas20ProxyTicketValidator =
    268. 

  268. 			new Cas20ProxyTicketValidator(serverUrl);
    269. 

  269. 

  270. 		cas20ProxyTicketValidator.setCustomParameters(
    271. 

  271. 			HashMapBuilder.put(
    272. 

  272. 				"casServerLoginUrl", casConfiguration.loginURL()
    273. 

  273. 			).put(
    274. 

  274. 				"casServerUrlPrefix", serverUrl
    275. 

  275. 			).put(
    276. 

  276. 				"redirectAfterValidation", "false"
    277. 

  277. 			).put(
    278. 

  278. 				"serverName", casConfiguration.serverName()
    279. 

  279. 			).build());
    280. 

  280. 

  281. 		_ticketValidators.put(companyId, cas20ProxyTicketValidator);
    282. 

  282. 

  283. 		return cas20ProxyTicketValidator;
    284. 

  284. 	}
    285. 

  285. 

  286. 	private static final Log _log = LogFactoryUtil.getLog(CASFilter.class);
    287. 

  287. 

  288. 	private static final Map<Long, TicketValidator> _ticketValidators =
    289. 

  289. 		new ConcurrentHashMap<>();
    290. 

  290. 

  291. 	private ConfigurationProvider _configurationProvider;
    292. 

  292. 

  293. 	@Reference
    294. 

  294. 	private Portal _portal;
    295. 

  295. 

  296. }
    297.