Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-18857

Inconsistent configuration for user authentication "do as user" impersonation for requests and struts actions.

    Details

      Description

      Overview

      Inconsistent use of user authentication "do as user" impersonation for requests and struts actions.

      Method "getUserId(HttpServletRequest)" in class "com.liferay.portal.util.PortalImpl" contains hard-coded request and struts action paths that are used to test for user impersonation with request parameter "doAsUser".

      com.liferay.portal.util.PortalImpl.java
      public long getUserId(HttpServletRequest request) {
      ...
         String path = GetterUtil.getString(request.getPathInfo());
         String strutsAction = getStrutsAction(request);
         String actionName = _getPortletParam(request, "actionName");
      
         boolean alwaysAllowDoAsUser = false;
      
         if (path.equals("/portal/session_click") ||
            strutsAction.equals("/document_library/edit_file_entry") ||
            strutsAction.equals("/image_gallery/edit_image") ||
            strutsAction.equals("/wiki/edit_page_attachment") ||
            strutsAction.equals("/wiki_admin/edit_page_attachment") ||
            actionName.equals("addFile")) {
      
            alwaysAllowDoAsUser = true;
         }
      ...
      }
      

      The only way to update these paths is by over-riding the PortalImpl class in the EXT plugin.

      This is inconsistent with other paths, such as those defined by property

      PropsKeys.AUTH_TOKEN_IGNORE_ACTIONS (auth.token.ignore.actions)

      and made available to PortalImpl via

      PropsValues#AUTH_TOKEN_IGNORE_ACTIONS

      and exposed to the Portal runtime via

      Portal#getAuthTokenIgnoreActions.

      The inconsistency issue can arise where new paths are added to property

      "auth.token.ignore.actions"

      in the "portal-ext.properties" file, but the same paths

      cannot be over-ridden in class

      "PortalImpl#getUser(HttpServletRequest)"

      unless the class is over-ridden in the EXT plugin.

      The user authentication "do as user" paths should be refactored as properties to enable consistent usage and configuration.

      Suggested Changes

      Suggested changes are below.

      Portal Properties Changes

      Suggested property names and values which represent the values in "PortalImpl" are as follows:

      portal(-ext).properties
      # Struts action paths that enable impersonation of a user.
      # See related class "com.liferay.portal.util.PortalImpl".
      # See related property "auth.token.ignore.actions".
      auth.do-as-user.action.paths=\
      		/document_library/edit_file_entry,\
      		\
      		/resource_library/add_file_entry,\
      		/resource_library/edit_file_entry,\
      		\
      		/image_gallery/edit_image,\
      		\
      		/wiki/edit_page_attachment,\
      		/wiki_admin/edit_page_attachment
      
      # Struts action names that enable impersonation of a user.
      # See related class "com.liferay.portal.util.PortalImpl".
      auth.do-as-user.action.names=\
      		addFile
      
      # Request paths names that enable impersonation of a user.
      # See related class "com.liferay.portal.util.PortalImpl".
      auth.do-as-user.paths=\
      		/portal/session_click
      

      Props Keys and Props Values Changes

      Suggested properties (see above) can be exposed to the Portal via classes "PropsKeys" and "PropsValues" as follows:

      com.liferay.portal.kernel.util.PropsKeys.java
      public interface ExtPropsKeys {
      	
      	public static final String AUTH_DO_AS_USER_ACTION_PATHS = "auth.do-as-user.action.paths";
      	
      	public static final String AUTH_DO_AS_USER_ACTION_NAMES = "auth.do-as-user.action.names";
      	
      	public static final String AUTH_DO_AS_USER_PATHS = "auth.do-as-user.paths";	
      }
      
      com.liferay.portal.util.PropsValues.java
      public class ExtPropsValues {
      
      	public static final String[] AUTH_DO_AS_USER_ACTION_NAMES = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_ACTION_NAMES);
      	
      	public static final String[] AUTH_DO_AS_USER_ACTION_PATHS = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_ACTION_PATHS);
      	
      	public static final String[] AUTH_DO_AS_USER_PATHS = PropsUtil.getArray(ExtPropsKeys.AUTH_DO_AS_USER_PATHS);
      }
      

      Portal Impl Changes

      Suggested Portal Impl changes which use the new properties (see above) are as follows:

      com.liferay.portal.util.PortalImpl.java
      public class PortalImpl implements Portal {
      
              private Set<String> _authDoAsUserActionNamesSet;
              private Set<String> _authDoAsUserActionPathsSet;
              private Set<String> _authDoAsUserPathsSet;
      
      	public PortalImpl() {
                 ...
                 initAuthDoAsUserSets();
                 ...
              }
      
      	protected void initAuthDoAsUserSets() {
                 _authDoAsUserActionNamesSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_ACTION_NAMES);
                 _authDoAsUserActionPathsSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_ACTION_PATHS);
                 _authDoAsUserPathsSet = SetUtil.fromArray(PropsValues.AUTH_DO_AS_USER_PATHS);
      	}
      
              public long getUserId(HttpServletRequest request) {
                 ...
                 String path = GetterUtil.getString(request.getPathInfo());
                 String strutsAction = getStrutsAction(request);
                 String actionName = _getPortletParam(request, "actionName");
      
                 boolean alwaysAllowDoAsUser = false;
      
                 // REMOVE THIS HARD-CODED PATH TEST
                 /*
                 if (path.equals("/portal/session_click") ||
      			strutsAction.equals("/document_library/edit_file_entry") ||
      			strutsAction.equals("/resource_library/add_file_entry") ||
      			strutsAction.equals("/resource_library/edit_file_entry") ||
      			strutsAction.equals("/image_gallery/edit_image") ||
      			strutsAction.equals("/wiki/edit_page_attachment") ||
      			strutsAction.equals("/wiki_admin/edit_page_attachment") ||
      			actionName.equals("addFile")) {
      
      			alwaysAllowDoAsUser = true;
                 }
                 */
      
                 // ADD THIS CONFIGURABLE PATH TEST
                 if (_authDoAsUserPathsSet.contains(path)
                     || _authDoAsUserActionPathsSet.contains(strutsAction)
                      || _authDoAsUserActionNamesSet.contains(actionName)) 
                 {
                    alwaysAllowDoAsUser = true;
                 }
                 ...
              }
      
              public Set<String> getAuthDoAsUserPathsSet() {
                 return _authDoAsUserPathsSet;
              }
      	
              public Set<String> getAuthDoAsUserActionPathsSet() {
                 return _authDoAsUserActionPathsSet;
              }	
      	
               public Set<String> getAuthDoAsUserActionNamesSet() {
                 return _authDoAsUserActionNamesSet;
              }	
      
      }
      

      These revisions make the declaration and usage of user authentication "do as user" impersonation consistent with other configurable aspects of the Portal.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                6 years, 34 weeks, 4 days ago

                Packages

                Version Package
                6.0.6 GA