Issue 15274 login required in html (#15278)

* #15274

* #15274

* #15274

* #15274 Codacy feedback

* #15274

(cherry picked from commit 6c4c451)

dotCMS/src/main/java/com/dotcms/filters/interceptor/dotcms/DefaultBackEndLoginRequiredWebInterceptor.java

@@ -0,0 +1,104 @@
+package com.dotcms.filters.interceptor.dotcms;
+
+import com.dotcms.filters.interceptor.Result;
+import com.dotcms.filters.interceptor.WebInterceptor;
+import com.dotcms.util.SecurityUtils;
+import com.dotmarketing.business.web.WebAPILocator;
+import com.dotmarketing.util.Config;
+import com.dotmarketing.util.Logger;
+import com.dotmarketing.util.PortletURLUtil;
+import com.dotmarketing.util.SecurityLogger;
+import com.dotmarketing.util.WebKeys;
+import java.io.IOException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+/**
+ * Interceptor created mainly to intercept requests to the internal <i>/html</i> folder but can be use
+ * to verify if any internal folder requires authentication just changing the <i>getFilters()</i> method.
+ *
+ * <p>Open access to internal web folders opens the door for XSS attacks.</p>
+ * @author Jonathan Gamba 9/12/18
+ */
+public class DefaultBackEndLoginRequiredWebInterceptor implements WebInterceptor {
+
+    public static final String ALLOWED_HTML_PATHS_WITHOUT_AUTHENTICATION = "ALLOWED_HTML_PATHS_WITHOUT_AUTHENTICATION";
+
+    private static final String LOGIN_URL = String
+            .format("/%s/#/public/login", PortletURLUtil.URL_ADMIN_PREFIX);
+
+    private static final String DEFAULT_ALLOWED_URLS = "/html/js/dojo,"
+            + "/html/images/backgrounds,/html/images/persona";
+    private static String[] ALLOWED_URLS;
+
+    @Override
+    public String[] getFilters() {
+        return new String[]{"/html"};
+    }
+
+    @Override
+    public void init() {
+
+        //Set the list of allowed paths without authentication
+        final String allowedPaths = Config
+                .getStringProperty(ALLOWED_HTML_PATHS_WITHOUT_AUTHENTICATION, DEFAULT_ALLOWED_URLS);
+        ALLOWED_URLS = allowedPaths.split(",");
+    }
+
+    @Override
+    public Result intercept(final HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+
+        Result result = Result.NEXT;
+
+        boolean requiresAuthentication = true;
+
+        //Verify if the requested url requires authentication
+        final String requestedURI = request.getRequestURI();
+        if (null != requestedURI) {
+            for (final String allowedURL : ALLOWED_URLS) {
+
+                if (requestedURI.startsWith(allowedURL)) {
+                    requiresAuthentication = false;
+                    break;
+                }
+            }
+        }
+
+        if (requiresAuthentication) {
+
+            boolean isLoggedToBackend = false;
+            try {
+                isLoggedToBackend = WebAPILocator.getUserWebAPI().isLoggedToBackend(request);
+            } catch (Exception e) {
+                //Do nothing...
+                Logger.warn(this.getClass(), e.getMessage(), e);
+            }
+
+            // if we are not logged in...
+            if (!isLoggedToBackend) {
+
+                final String queryStringToAppend =
+                        null != request.getQueryString() ? "?" + request.getQueryString() : "";
+                final String completeRequestedURL = requestedURI + queryStringToAppend;
+
+                SecurityLogger.logInfo(this.getClass(),
+                        "LoginRequiredFilter for requested url: " + completeRequestedURL);
+
+                final HttpSession session = request.getSession(false);
+                if (null != session) {
+                    session.setAttribute(WebKeys.REDIRECT_AFTER_LOGIN, SecurityUtils
+                            .stripReferer(request, completeRequestedURL));
+                }
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                response.sendRedirect(LOGIN_URL);
+
+                result = Result.SKIP_NO_CHAIN; // needs to stop the filter chain.
+            }
+        }
+
+        return result; // if it is log in, continue!
+    }
+
+}

dotCMS/src/main/java/com/dotmarketing/filters/LoginRequiredFilter.java

@@ -9,15 +9,15 @@
 package com.dotmarketing.filters;
 
 import com.dotcms.filters.interceptor.AbstractWebInterceptorSupportFilter;
+import com.dotcms.filters.interceptor.WebInterceptorDelegate;
+import com.dotcms.filters.interceptor.dotcms.DefaultBackEndLoginRequiredWebInterceptor;
 import com.dotcms.filters.interceptor.dotcms.DefaultFrontEndLoginRequiredWebInterceptor;
-
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 
 /**
  * This Filter is in charge if checking if the user is logged in or not.
  * By default will use an interceptor that check if the user is logged in, if it is not, will returns a 401 and set a REDIRECT_AFTER_LOGIN
- * it does not apply if ADMIN_MODE is on.
  *
  * In addition you can extends the intercept functionality by implementing your on filter.
  * @author jsanca
@@ -34,8 +34,12 @@ public void init(final FilterConfig config) throws ServletException {
     // add the previous legacy code to be align with the interceptor approach.
     private void addDefaultInterceptors(final FilterConfig config) {
 
-        this.getDelegate(config.getServletContext()).add(
-                new DefaultFrontEndLoginRequiredWebInterceptor());
+        final WebInterceptorDelegate delegate =
+                this.getDelegate(config.getServletContext());
+
+        delegate.add(new DefaultFrontEndLoginRequiredWebInterceptor());
+        delegate.add(new DefaultBackEndLoginRequiredWebInterceptor());
+
     } // addDefaultInterceptors.
 
 } // LoginRequiredFilter.