Module: Caterpillar::Security::InstanceMethods

Defined in:
lib/caterpillar/security.rb


Instance Method Details

#authorize_agent ⇒ Object

Rudimentary protection against simple spoofing in the production environment: a request is accepted only if its User-Agent header is exactly the one sent by the Java HttpClient the portlet uses ("Jakarta Commons-HttpClient/3.1"). Any other agent gets an empty 404 response and a warning is logged. The User-Agent header is chosen by the client, so this stops only clients that do not bother to imitate it.

XHR is a different issue: it is not (yet) supported by the portlet, so an XHR request always passes this check. Rails recognises XHR by the X-Requested-With header, which is also client-supplied, so the check does not protect anything reachable that way.

Exceptions (for resources such as images, which the browser fetches directly rather than through the portlet) should be added in the respective controllers.

This filter always passes in RAILS_ENV development and test, because you will most likely want to develop portlets sometimes without the Liferay environment. If you want this to change, send a feature request to the developers or the bugs mailing list.

# File 'lib/caterpillar/security.rb', line 64

def authorize_agent
  # make development and test ENV pass
  return true if ( RAILS_ENV == 'development' || RAILS_ENV == 'test' )

  # XHR always passes. Rails decides this from the X-Requested-With
  # header, which any client can send.
  return true if request.xhr?

  # check the user agent; the header is client-supplied, so this only
  # catches clients that do not imitate the portlet's HttpClient
  agent = request.env['HTTP_USER_AGENT']
  unless agent == 'Jakarta Commons-HttpClient/3.1'
    addr = request.env['REMOTE_ADDR']
    if addr[/^127/] and request.env['HTTP_X_FORWARDED_FOR']
      # serving through virtualhost. obtain true IP addr.
      # X-Forwarded-For is also client-supplied; a proxy normally appends
      # its own entry after whatever the client sent, so the value logged
      # here may begin with text the client chose.
      addr = request.env['HTTP_X_FORWARDED_FOR']
    end
    logger.warn 'Someone from IP %s may be spoofing using agent %s' % [addr, agent]
    # rendering an empty 404 halts the filter chain
    render :nothing => true, :status => 404
  end
end

#authorize_request ⇒ Object

Authorize the request.

The request must carry a "session_secret" cookie whose value equals the session secret from the Caterpillar configuration (config.session_secret[:secret], read through Util.eval_configuration). A request without that cookie, or with a different value, gets an empty 403 response, and a warning naming its REMOTE_ADDR is logged.

# File 'lib/caterpillar/security.rb', line 89

def authorize_request
  if !cookies.nil? and !cookies[:session_secret].nil?
    config = Util.eval_configuration
    # plain String#==, which returns at the first differing byte
    if cookies[:session_secret] == config.session_secret[:secret]
      logger.debug "Passes security check"
      return true
    end
  end
  # note: this writes every cookie of the request into the debug log
  logger.debug("Session secret is not present in %s" % cookies.inspect)
  logger.warn 'Someone from IP %s may be spoofing' % request.env['REMOTE_ADDR']
  # rendering an empty 403 halts the filter chain
  render :nothing => true, :status => 403
end
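The following is an added example, not Caterpillar's own code: a Rack-style stand-in for both filters above (authorize_agent and authorize_request) so their decisions can be exercised without Rails or Liferay. It shows the two points the documentation makes, that a request becomes "XHR" by sending one header and that a forged X-Forwarded-For value is what ends up in the warning, and it replaces the plain == on the session secret with a constant-time comparison. FakeRequest, agent_decision, secure_compare and secret_decision are hypothetical names, and every sample request is constructed here.

```ruby
# Added example, not Caterpillar's own code. Stand-in for the parts of
# ActionController::Request that authorize_agent and authorize_request use.
EXPECTED_AGENT = 'Jakarta Commons-HttpClient/3.1'.freeze

class FakeRequest
  attr_reader :env, :cookies

  def initialize(env, cookies = {})
    @env = env
    @cookies = cookies
  end

  # Rails decides xhr? from a request header, so any client can claim it.
  def xhr?
    !!(env['HTTP_X_REQUESTED_WITH'].to_s =~ /XMLHttpRequest/i)
  end
end

# authorize_agent's production decision (the RAILS_ENV short-cut left out).
# Returns [:pass] or [:reject, address_that_would_be_logged, agent].
def agent_decision(request)
  return [:pass] if request.xhr?
  agent = request.env['HTTP_USER_AGENT']
  return [:pass] if agent == EXPECTED_AGENT

  addr = request.env['REMOTE_ADDR'].to_s
  forwarded = request.env['HTTP_X_FORWARDED_FOR']
  # Same rule as the filter: behind a local virtual host, use the header.
  # The header is client-supplied; a proxy normally appends its own entry
  # after whatever the client sent, so the logged text starts with the
  # client's choice.
  addr = forwarded if addr.start_with?('127') && forwarded
  [:reject, addr, agent]
end

# Constant-time equality. String#== stops at the first differing byte, which
# leaks how much of the configured secret a guess matched; this loop touches
# every byte whenever the lengths agree.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |x, i| diff |= x ^ b.getbyte(i) }
  diff.zero?
end

# authorize_request's decision with the comparison hardened.
# Returns :pass or :forbidden.
def secret_decision(request, configured_secret)
  presented = request.cookies[:session_secret]
  return :forbidden if presented.nil?
  secure_compare(presented.to_s, configured_secret.to_s) ? :pass : :forbidden
end

if __FILE__ == $0
  secret = 'c0nf1gur3d-s3cr3t' # constructed sample, not a real secret
  portlet = FakeRequest.new({ 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_USER_AGENT' => EXPECTED_AGENT },
                            { :session_secret => secret })
  browser = FakeRequest.new('REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => 'Mozilla/5.0')
  # The same browser request with one extra header: the filter lets it through.
  claimed_xhr = FakeRequest.new(browser.env.merge('HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'))
  # Arrives through the local virtual host with a client-chosen X-Forwarded-For prefix.
  forged_xff = FakeRequest.new('REMOTE_ADDR' => '127.0.0.1', 'HTTP_USER_AGENT' => 'curl/7.19',
                               'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.5')
  p agent_decision(portlet)      # [:pass]
  p agent_decision(browser)      # [:reject, "203.0.113.5", "Mozilla/5.0"]
  p agent_decision(claimed_xhr)  # [:pass]
  p agent_decision(forged_xff)   # [:reject, "10.0.0.1, 203.0.113.5", "curl/7.19"]
  p secret_decision(portlet, secret) # :pass
  p secret_decision(browser, secret) # :forbidden
end
```

Run it with plain ruby; no Rails is needed. The two decision functions return values rather than rendering, so the same logic can be dropped into a controller test. secure_compare is a pure-Ruby stand-in for the helper that later Rails versions ship; in the Rails 2 era of this plugin none is available.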

#get_liferay_uid ⇒ Object

MOVED to Caterpillar::Helpers::Liferay. This method only logs a deprecation warning and delegates to the new location.

# File 'lib/caterpillar/security.rb', line 104

def get_liferay_uid
  logger.warn 'DEPRECATION WARNING: get_liferay_uid has been moved to Caterpillar::Helpers::Liferay'
  Caterpillar::Helpers::Liferay.get_liferay_uid
end