-
Type:
Bug
-
Status: Closed
-
Resolution: Won't Fix
-
Affects Version/s: 6.0.6 GA
-
Fix Version/s: 6.0.6 GA
-
Component/s: Application Security
-
Labels:
Overview
Inconsistent use of user authentication "do as user" impersonation for requests and struts actions.
Method "getUserId(HttpServletRequest)" in class "com.liferay.portal.util.PortalImpl" contains hard-coded request and struts action paths that are used to test for user impersonation with request parameter "doAsUser".
public long getUserId(HttpServletRequest request) { ... String path = GetterUtil.getString(request.getPathInfo()); String strutsAction = getStrutsAction(request); String actionName = _getPortletParam(request, "actionName"); boolean alwaysAllowDoAsUser = false; if (path.equals("/portal/session_click") || strutsAction.equals("/document_library/edit_file_entry") || strutsAction.equals("/image_gallery/edit_image") || strutsAction.equals("/wiki/edit_page_attachment") || strutsAction.equals("/wiki_admin/edit_page_attachment") || actionName.equals("addFile")) { alwaysAllowDoAsUser = true; } ... }
The only way to update these paths is by over-riding the PortalImpl class in the EXT plugin.
This is inconsistent with other paths, such as those defined by property
PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS (auth.token.ignore.actions)
and made available to PortalImpl via
PropsValues#AUTH_TOKEN_IGNORE_ACTIONS
and exposed to the Portal runtime via
Portal#getAuthTokenIgnoreActions.
The inconsistency issue can arise where new paths are added to property
"auth.token.ignore.actions"
in the "portal-ext.properties" file, but the same paths
cannot be over-ridden in class
"PortalImpl#getUser(HttpServletRequest)"
unless the class is over-ridden in the EXT plugin.
The user authentication "do as user" paths should be refactored as properties to enable consistent usage and configuration.
Suggested Changes
Suggested changes are below.
Portal Properties Changes
Suggested property names and values which represent the values in "PortalImpl" are as follows:
# Struts action paths that enable impersonation of a user. # See related class "com.liferay.portal.util.PortalImpl". # See related property "auth.token.ignore.actions". auth.do-as-user.action.paths=\ /document_library/edit_file_entry,\ \ /resource_library/add_file_entry,\ /resource_library/edit_file_entry,\ \ /image_gallery/edit_image,\ \ /wiki/edit_page_attachment,\ /wiki_admin/edit_page_attachment # Struts action names that enable impersonation of a user. # See related class "com.liferay.portal.util.PortalImpl". auth.do-as-user.action.names=\ addFile # Request paths names that enable impersonation of a user. # See related class "com.liferay.portal.util.PortalImpl". auth.do-as-user.paths=\ /portal/session_click
Props Keys and Props Values Changes
Suggested properties (see above) can be exposed to the Portal via classes "PropsKeys" and "PropsValues" as follows:
public interface ExtPropsKeys { public static final String AUTH_DO_AS_USER_ACTION_PATHS = "auth.do-as-user.action.paths"; public static final String AUTH_DO_AS_USER_ACTION_NAMES = "auth.do-as-user.action.names"; public static final String AUTH_DO_AS_USER_PATHS = "auth.do-as-user.paths"; }
public class ExtPropsValues { public static final String[] AUTH_DO_AS_USER_ACTION_NAMES = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_ACTION_NAMES); public static final String[] AUTH_DO_AS_USER_ACTION_PATHS = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_ACTION_PATHS); public static final String[] AUTH_DO_AS_USER_PATHS = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_PATHS); }
Portal Impl Changes
Suggested Portal Impl changes which use the new properties (see above) are as follows:
public class PortalImpl implements Portal { private Set<String> _authDoAsUserActionNamesSet; private Set<String> _authDoAsUserActionPathsSet; private Set<String> _authDoAsUserPathsSet; public PortalImpl() { ... initAuthDoAsUserSets(); ... } protected void initAuthDoAsUserSets() { _authDoAsUserActionNamesSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_ACTION_NAMES); _authDoAsUserActionPathsSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_ACTION_PATHS); _authDoAsUserPathsSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_PATHS); } public long getUserId(HttpServletRequest request) { ... String path = GetterUtil.getString(request.getPathInfo()); String strutsAction = getStrutsAction(request); String actionName = _getPortletParam(request, "actionName"); boolean alwaysAllowDoAsUser = false; // REMOVE THIS HARD-CODED PATH TEST /* if (path.equals("/portal/session_click") || strutsAction.equals("/document_library/edit_file_entry") || strutsAction.equals("/resource_library/add_file_entry") || strutsAction.equals("/resource_library/edit_file_entry") || strutsAction.equals("/image_gallery/edit_image") || strutsAction.equals("/wiki/edit_page_attachment") || strutsAction.equals("/wiki_admin/edit_page_attachment") || actionName.equals("addFile")) { alwaysAllowDoAsUser = true; } */ // ADD THIS CONFIGURABLE PATH TEST if (_authDoAsUserPathsSet.contains(path) || _authDoAsUserActionPathsSet.contains(strutsAction) || _authDoAsUserActionNamesSet.contains(actionName)) { alwaysAllowDoAsUser = true; } ... } public Set<String> getAuthDoAsUserPathsSet() { return _authDoAsUserPathsSet; } public Set<String> getAuthDoAsUserActionPathsSet() { return _authDoAsUserActionPathsSet; } public Set<String> getAuthDoAsUserActionNamesSet() { return _authDoAsUserActionNamesSet; } }
These revisions make the declaration and usage of user authentication "do as user" impersonation consistent with other configurable aspects of the Portal.