Monday, August 5, 2013

Filters in Liferay

For security reasons, we may need to provide our own "Secured URL Filter", written to our requirements, rather than rely on the default filters in Liferay.

To do that, we need to use a Hook.

Step 1 : Create the filter class that will hold your logic, extending "BaseFilter".

             ex : public class SecureURLFilter extends BaseFilter

Step 2 : In liferay-hook.xml, give the details of the filter. (In Liferay, a hook can be created in two ways: as a separate hook plugin, or inside the portlet itself by creating "WEB-INF/liferay-hook.xml".)

         <!-- Registers the filter class under a name that the rest of liferay-hook.xml can refer to. -->
         <!-- NOTE(review): no <servlet-filter-mapping> is shown here; confirm the filter is mapped to every URL pattern it is meant to protect. -->
         <servlet-filter>
<servlet-filter-name>Secure URL Filter</servlet-filter-name>
<servlet-filter-impl>com.portal.filter.SecureURLFilter</servlet-filter-impl>
</servlet-filter>

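Step 3 : Write the logic inside SecureURLFilter.java based on your requirements. The example below rejects any request whose URL contains one of a small set of disallowed substrings; treat it as an extra layer, not as a replacement for output encoding, parameterized queries and path validation in the application itself.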

/**
 *
 */
package com.portal.filter;

import java.io.IOException;
import java.util.Locale;

import javax.portlet.PortletException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.servlet.BaseFilter;
import com.liferay.portal.kernel.util.HttpUtil;
import com.liferay.portal.util.PortalUtil;

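/**
 * Servlet filter, registered through a Liferay hook, that rejects requests
 * whose complete URL contains one of a fixed set of disallowed substrings.
 *
 * <p>Only the string returned by {@code PortalUtil.getCurrentCompleteURL} is
 * inspected; nothing else in the request is examined by this class. Matching
 * is done on the URL as received, without decoding or canonicalization, so
 * this check is an additional layer only: output encoding, parameterized
 * queries and canonical path checks in the application remain the primary
 * controls.
 */
public class SecureURLFilter extends BaseFilter {

    private static final Log _log = LogFactoryUtil.getLog(SecureURLFilter.class);

    private static final boolean _FILTER_ENABLED = true;

    /**
     * Entry point called by the servlet container for every mapped request.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain the remaining filters and the target resource
     * @throws IOException if the URL check or a downstream component fails on I/O
     * @throws ServletException if a downstream component reports a servlet error
     */
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        try {
            processFilter(request, response, filterChain);
        } catch (IOException e) {
            // Declared by the servlet contract; let the container handle it.
            throw e;
        } catch (ServletException e) {
            throw e;
        } catch (Exception e) {
            // Any other failure is recorded in the portal log instead of on
            // stderr, and the request is answered with an explicit error so a
            // broken check never ends in a silent, empty response.
            _log.error("Secure URL filter failed; request was not processed", e);

            if (!response.isCommitted()) {
                response.sendError(
                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    /**
     * Checks the complete request URL and either answers 403 or hands the
     * request to the rest of the filter chain.
     *
     * @param request the current HTTP request
     * @param response the current HTTP response
     * @param filterChain the remaining filters and the target resource
     * @throws Exception if sending the error or running the chain fails
     */
    protected void processFilter(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
            throws Exception {

        String currentCompleteURL = PortalUtil.getCurrentCompleteURL(request);

        if (!isSecureURL(currentCompleteURL)) {
            // Leave a trace for monitoring. The URL itself is not written to
            // the log because it is attacker-controlled text.
            if (_log.isWarnEnabled()) {
                _log.warn(
                        "Rejected request with a disallowed URL pattern from "
                                + request.getRemoteAddr());
            }

            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        processFilter(SecureURLFilter.class, request, response, filterChain);
    }

    /**
     * Tells whether a URL is free of every disallowed substring.
     *
     * <p>Comparison is case-insensitive, so mixed-case markup or SQL keywords
     * and lower-case percent-escapes match the same entries as their
     * canonical spelling.
     *
     * @param currentURL the complete request URL; {@code null} is rejected
     * @return {@code true} if no disallowed substring occurs in the URL,
     *         {@code false} otherwise
     */
    private static boolean isSecureURL(String currentURL) {

        if (currentURL == null) {
            // Nothing to inspect: fail closed rather than let it through.
            return false;
        }

        String quotedSelect = "\"(\" \"Select\" \")\"";

        // Same patterns as before, each in raw and URL-encoded form where the
        // original listed both; the duplicated "(select 1,2)" entry is
        // collapsed into one.
        String[] disallowed = {
            HttpUtil.encodeURL("<script>"),
            HttpUtil.encodeURL("<script"),
            "<script>",
            "<script",
            HttpUtil.encodeURL("<!"),
            HttpUtil.encodeURL("<") + "!",
            HttpUtil.encodeURL("../"),
            "../",
            HttpUtil.encodeURL(quotedSelect),
            quotedSelect,
            HttpUtil.encodeURL("(select 1)"),
            HttpUtil.encodeURL("(select 1,2)"),
            "(select 1,2)",
            "(select",
            HttpUtil.encodeURL("(select")
        };

        String normalizedURL = currentURL.toLowerCase(Locale.ROOT);

        for (String pattern : disallowed) {
            if (normalizedURL.contains(pattern.toLowerCase(Locale.ROOT))) {
                return false;
            }
        }

        return true;
    }

    /**
     * Reports whether this filter is active.
     *
     * @return always {@code true}
     */
    public boolean isFilterEnabled() {
        return _FILTER_ENABLED;
    }

    /**
     * Returns the logger of this filter.
     *
     * @return the class logger
     */
    protected Log getLog() {
        return _log;
    }
}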




            
