/**
* Copyright (c) 2000-present Liferay, Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This library is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*/
package com.liferay.portal.servlet.filters.servletauthorizing;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.PrincipalThreadLocal;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.service.UserLocalServiceUtil;
import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import com.liferay.portal.kernel.util.WebKeys;
import com.liferay.portal.servlet.filters.BasePortalFilter;
import com.liferay.portal.util.PortalInstances;
import com.liferay.portal.util.PropsValues;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.Globals;
/**
* @author Raymond Augé
*/
public class ServletAuthorizingFilter extends BasePortalFilter {
@Override
protected void processFilter(
HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain)
throws Exception {
HttpSession session = request.getSession();
// Company id
PortalInstances.getCompanyId(request);
// Authorize
long userId = PortalUtil.getUserId(request);
String remoteUser = request.getRemoteUser();
if (!PropsValues.PORTAL_JAAS_ENABLE) {
String jRemoteUser = (String)session.getAttribute("j_remoteuser");
if (jRemoteUser != null) {
remoteUser = jRemoteUser;
session.removeAttribute("j_remoteuser");
}
}
if ((userId > 0) && (remoteUser == null)) {
remoteUser = String.valueOf(userId);
}
// WebSphere will not return the remote user unless you are
// authenticated AND accessing a protected path. Other servers will
// return the remote user for all threads associated with an
// authenticated user. We use ProtectedServletRequest to ensure we get
// similar behavior across all servers.
if (remoteUser != null) {
request = new ProtectedServletRequest(request, remoteUser);
}
if ((userId > 0) || (remoteUser != null)) {
// Set the principal associated with this thread
String name = String.valueOf(userId);
if (remoteUser != null) {
name = remoteUser;
}
PrincipalThreadLocal.setName(name);
// User id
userId = GetterUtil.getLong(name);
try {
// User
User user = UserLocalServiceUtil.getUserById(userId);
// Permission checker
PermissionChecker permissionChecker =
PermissionCheckerFactoryUtil.create(user);
PermissionThreadLocal.setPermissionChecker(permissionChecker);
// User id
session.setAttribute(WebKeys.USER_ID, Long.valueOf(userId));
// User locale
session.setAttribute(Globals.LOCALE_KEY, user.getLocale());
}
catch (Exception e) {
_log.error(e, e);
}
}
processFilter(
ServletAuthorizingFilter.class.getName(), request, response,
filterChain);
}
private static final Log _log = LogFactoryUtil.getLog(
ServletAuthorizingFilter.class);
}