Java > Open Source Codes > org > ejbca > core > ejb > authorization > LocalAuthorizationSessionBean


1 /*************************************************************************
2  * *
3  * EJBCA: The OpenSource Certificate Authority *
4  * *
5  * This software is free software; you can redistribute it and/or *
6  * modify it under the terms of the GNU Lesser General Public *
7  * License as published by the Free Software Foundation; either *
8  * version 2.1 of the License, or any later version. *
9  * *
10  * See terms of license at gnu.org. *
11  * *
12  *************************************************************************/
13
14 package org.ejbca.core.ejb.authorization;
15
16 import java.security.cert.X509Certificate ;
17 import java.sql.Connection ;
18 import java.sql.PreparedStatement ;
19 import java.sql.ResultSet ;
20 import java.util.ArrayList ;
21 import java.util.Collection ;
22 import java.util.HashSet ;
23 import java.util.Iterator ;
24 import java.util.Random ;
25
26 import javax.ejb.CreateException ;
27 import javax.ejb.EJBException ;
28 import javax.ejb.FinderException ;
29
30 import org.apache.commons.lang.StringUtils;
31 import org.ejbca.core.ejb.BaseSessionBean;
32 import org.ejbca.core.ejb.JNDINames;
33 import org.ejbca.core.ejb.ServiceLocator;
34 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;
35 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocalHome;
36 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;
37 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocalHome;
38 import org.ejbca.core.ejb.log.ILogSessionLocal;
39 import org.ejbca.core.ejb.log.ILogSessionLocalHome;
40 import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
41 import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocalHome;
42 import org.ejbca.core.model.InternalResources;
43 import org.ejbca.core.model.authorization.AccessRule;
44 import org.ejbca.core.model.authorization.AdminEntity;
45 import org.ejbca.core.model.authorization.AdminGroup;
46 import org.ejbca.core.model.authorization.AdminGroupExistsException;
47 import org.ejbca.core.model.authorization.AuthenticationFailedException;
48 import org.ejbca.core.model.authorization.AuthorizationDeniedException;
49 import org.ejbca.core.model.authorization.Authorizer;
50 import org.ejbca.core.model.authorization.AvailableAccessRules;
51 import org.ejbca.core.model.log.Admin;
52 import org.ejbca.core.model.log.LogConstants;
53 import org.ejbca.core.model.log.LogEntry;
54 import org.ejbca.util.JDBCUtil;
55
56
57 /**
58  * Stores data used by web server clients.
59  * Uses JNDI name for datasource as defined in env 'Datasource' in ejb-jar.xml.
60  *
61  * @version $Id: LocalAuthorizationSessionBean.java,v 1.10.2.1 2007/05/09 08:11:03 anatom Exp $
62  *
63  * @ejb.bean
64  * description="Session bean handling interface with ra authorization"
65  * display-name="AuthorizationSessionSB"
66  * name="AuthorizationSession"
67  * jndi-name="AuthorizationSession"
68  * local-jndi-name="AuthorizationSessionLocal"
69  * view-type="both"
70  * type="Stateless"
71  * transaction-type="Container"
72  *
73  * @ejb.transaction type="Required"
74  *
75  * @weblogic.enable-call-by-reference True
76  *
77  * @ejb.env-entry
78  * name="DataSource"
79  * type="java.lang.String"
80  * value="${datasource.jndi-name-prefix}${datasource.jndi-name}"
81  *
82  * @ejb.env-entry
83  * description="Custom Available Access Rules, use ';' to separate multiple accessrules"
84  * name="CustomAvailableAccessRules"
85  * type="java.lang.String"
86  * value=""
87  *
88  * @ejb.ejb-external-ref
89  * description="The log session bean"
90  * view-type="local"
91  * ref-name="ejb/LogSessionLocal"
92  * type="Session"
93  * home="org.ejbca.core.ejb.log.ILogSessionLocalHome"
94  * business="org.ejbca.core.ejb.log.ILogSessionLocal"
95  * link="LogSession"
96  *
97  * @ejb.ejb-external-ref
98  * description="The RA Session Bean"
99  * view-type="local"
100  * ref-name="ejb/RaAdminSessionLocal"
101  * type="Session"
102  * home="org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocalHome"
103  * business="org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal"
104  * link="RaAdminSession"
105  *
106  * @ejb.ejb-external-ref
107  * description="The CAAdmin Session Bean"
108  * view-type="local"
109  * ref-name="ejb/CAAdminSessionLocal"
110  * type="Session"
111  * home="org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocalHome"
112  * business="org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal"
113  * link="CAAdminSession"
114  *
115  * @ejb.ejb-external-ref
116  * description="The Certificate Store Session bean"
117  * view-type="local"
118  * ref-name="ejb/CertificateStoreSessionLocal"
119  * type="Session"
120  * home="org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocalHome"
121  * business="org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal"
122  * link="CertificateStoreSession"
123  *
124  * @ejb.ejb-external-ref
125  * description="Authorization Tree Update Bean"
126  * view-type="local"
127  * ref-name="ejb/AuthorizationTreeUpdateDataLocal"
128  * type="Entity"
129  * home="org.ejbca.core.ejb.authorization.AuthorizationTreeUpdateDataLocalHome"
130  * business="org.ejbca.core.ejb.authorization.AuthorizationTreeUpdateDataLocal"
131  * link="AuthorizationTreeUpdateData"
132  *
133  * @ejb.ejb-external-ref
134  * description="Admin Groups"
135  * view-type="local"
136  * ref-name="ejb/AdminGroupDataLocal"
137  * type="Entity"
138  * home="org.ejbca.core.ejb.authorization.AdminGroupDataLocalHome"
139  * business="org.ejbca.core.ejb.authorization.AdminGroupDataLocal"
140  * link="AdminGroupData"
141  *
142  * @ejb.home
143  * extends="javax.ejb.EJBHome"
144  * local-extends="javax.ejb.EJBLocalHome"
145  * local-class="org.ejbca.core.ejb.authorization.IAuthorizationSessionLocalHome"
146  * remote-class="org.ejbca.core.ejb.authorization.IAuthorizationSessionHome"
147  *
148  * @ejb.interface
149  * extends="javax.ejb.EJBObject"
150  * local-extends="javax.ejb.EJBLocalObject"
151  * local-class="org.ejbca.core.ejb.authorization.IAuthorizationSessionLocal"
152  * remote-class="org.ejbca.core.ejb.authorization.IAuthorizationSessionRemote"
153  *
154  * @jonas.bean
155  * ejb-name="AuthorizationSession"
156  */
157 public class LocalAuthorizationSessionBean extends BaseSessionBean {
158
159     /**
160      * Constant indicating minimum time between updates. In milliseconds
161      */
162     public static final long MIN_TIME_BETWEEN_UPDATES = 60000 * 1;
163     
164     /** Internal localization of logs and errors */
165     private static final InternalResources intres = InternalResources.getInstance();
166
167     /**
168      * The home interface of AdminGroupData entity bean
169      */
170     private AdminGroupDataLocalHome admingrouphome = null;
171
172     /**
173      * The home interface of AuthorizationTreeUpdateData entity bean
174      */
175     private AuthorizationTreeUpdateDataLocalHome authorizationtreeupdatehome = null;
176
177     /**
178      * help variable used to check that authorization trees is updated.
179      */
180     private int authorizationtreeupdate = -1;
181
182     /**
183      * help variable used to control that update isn't performed to often.
184      */
185     private long lastupdatetime = -1;
186
187     /**
188      * The local interface of log session bean
189      */
190     private ILogSessionLocal logsession = null;
191
192     /**
193      * The local interface of raadmin session bean
194      */
195     private IRaAdminSessionLocal raadminsession = null;
196
197     /**
198      * The local interface of ca admim session bean
199      */
200     private ICAAdminSessionLocal caadminsession = null;
201
202     /**
203      * The local interface of certificate store session bean
204      */
205     private ICertificateStoreSessionLocal certificatestoresession = null;
206
207     private Authorizer authorizer = null;
208
209     private String [] customaccessrules = null;
210
211     private static final String DEFAULTGROUPNAME = "DEFAULT";
212     protected static final String PUBLICWEBGROUPNAME = "Public Web Users"; // protected so it's available for unit tests
213
214     /**
215      * Default create for SessionBean without any creation Arguments.
216      *
217      * @throws CreateException if bean instance can't be created
218      */
219     public void ejbCreate() throws CreateException {
220         debug(">ejbCreate()");
221         ServiceLocator locator = ServiceLocator.getInstance();
222         admingrouphome = (AdminGroupDataLocalHome) locator.getLocalHome(AdminGroupDataLocalHome.COMP_NAME);
223         authorizationtreeupdatehome = (AuthorizationTreeUpdateDataLocalHome) locator.getLocalHome(AuthorizationTreeUpdateDataLocalHome.COMP_NAME);
224         String customrules = locator.getString("java:comp/env/CustomAvailableAccessRules");
225         if (customrules == null) {
226             customrules = "";
227         }
228         customaccessrules = StringUtils.split(customrules, ';');
229
230         try {
231             authorizer = new Authorizer(getAdminGroups(), admingrouphome,
232                     getLogSession(), getCertificateStoreSession(), getRaAdminSession(), getCAAdminSession(), new Admin(Admin.TYPE_INTERNALUSER), LogEntry.MODULE_AUTHORIZATION);
233         } catch (Exception e) {
234             throw new EJBException (e);
235         }
236
237         debug("<ejbCreate()");
238     }
239
240
241     /**
242      * Gets connection to log session bean
243      *
244      * @return Connection
245      */
246     private ILogSessionLocal getLogSession() {
247         if (logsession == null) {
248             try {
249                 ILogSessionLocalHome logsessionhome = (ILogSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ILogSessionLocalHome.COMP_NAME);
250                 logsession = logsessionhome.create();
251             } catch (Exception e) {
252                 throw new EJBException (e);
253             }
254         }
255         return logsession;
256     } //getLogSession
257
258
259     /**
260      * Gets connection to ra admin session bean
261      *
262      * @return Connection
263      */
264     private IRaAdminSessionLocal getRaAdminSession() {
265         if (raadminsession == null) {
266             try {
267                 IRaAdminSessionLocalHome home = (IRaAdminSessionLocalHome) ServiceLocator.getInstance()
268                         .getLocalHome(IRaAdminSessionLocalHome.COMP_NAME);
269                 raadminsession = home.create();
270             } catch (Exception e) {
271                 throw new EJBException (e);
272             }
273         }
274         return raadminsession;
275     } //getRaAdminSession
276
277     /**
278      * Gets connection to certificate store session bean
279      *
280      * @return ICertificateStoreSessionLocal
281      */
282     private ICertificateStoreSessionLocal getCertificateStoreSession() {
283         if (certificatestoresession == null) {
284             try {
285                 ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) ServiceLocator.getInstance()
286                         .getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME);
287                 certificatestoresession = home.create();
288             } catch (Exception e) {
289                 throw new EJBException (e);
290             }
291         }
292         return certificatestoresession;
293     } //getCertificateStoreSession
294
295
296     /**
297      * Gets connection to ca admin session bean
298      *
299      * @return ICAAdminSessionLocal
300      */
301     private ICAAdminSessionLocal getCAAdminSession() {
302         if (caadminsession == null) {
303             try {
304                 ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) ServiceLocator.getInstance()
305                         .getLocalHome(ICAAdminSessionLocalHome.COMP_NAME);
306                 caadminsession = home.create();
307             } catch (Exception e) {
308                 throw new EJBException (e);
309             }
310         }
311         return caadminsession;
312     }
313
314     // Methods used with AdminGroupData Entity Beans
315
316     /**
317      * Method to initialize authorization bean, must be called directly after creation of bean. Should only be called once.
318      *
319      * @ejb.interface-method view-type="both"
320      */
321     public void initialize(Admin admin, int caid) throws AdminGroupExistsException {
322         if (log.isDebugEnabled()) {
323             log.debug(">initialize, caid: "+caid);
324         }
325         // Check if admingroup table is empty, if so insert default superuser
326 // and create "special edit accessrules count group"
327 try {
328             Collection result = admingrouphome.findAll();
329             if (result.size() == 0) {
330                 // Authorization table is empty, fill with default and special admingroups.
331 String admingroupname = "Temporary Super Administrator Group";
332                 addAdminGroup(admin, admingroupname, caid);
333                 ArrayList adminentities = new ArrayList ();
334                 adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS, "SuperAdmin", caid));
335                 addAdminEntities(admin, admingroupname, caid, adminentities);
336                 ArrayList accessrules = new ArrayList ();
337                 accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
338                 addAccessRules(admin, admingroupname, caid, accessrules);
339             }
340         } catch (FinderException e) {
341             debug("initialize: FinderEx, findAll failed.");
342         }
343         // Add Special Admin Group
344 // Special admin group is a group that is not authenticated with client certificate, such as batch tool etc
345 try {
346             admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, LogConstants.INTERNALCAID);
347         } catch (FinderException e) {
348             debug("initialize: FinderEx, add default group.");
349             // Add Default Special Admin Group
350 try {
351                 AdminGroupDataLocal agdl = admingrouphome.create(new Integer (findFreeAdminGroupId()), DEFAULTGROUPNAME, LogConstants.INTERNALCAID);
352
353                 ArrayList adminentities = new ArrayList ();
354                 adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN));
355                 adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN));
356                 adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RAADMIN));
357                 adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER));
358                 agdl.addAdminEntities(adminentities);
359
360                 ArrayList accessrules = new ArrayList ();
361                 accessrules.add(new AccessRule("/administrator", AccessRule.RULE_ACCEPT, true));
362                 accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
363
364                 accessrules.add(new AccessRule("/ca_functionality", AccessRule.RULE_ACCEPT, true));
365                 accessrules.add(new AccessRule("/ra_functionality", AccessRule.RULE_ACCEPT, true));
366                 accessrules.add(new AccessRule("/log_functionality", AccessRule.RULE_ACCEPT, true));
367                 accessrules.add(new AccessRule("/system_functionality", AccessRule.RULE_ACCEPT, true));
368                 accessrules.add(new AccessRule("/hardtoken_functionality", AccessRule.RULE_ACCEPT, true));
369                 accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
370                 accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
371
372                 agdl.addAccessRules(accessrules);
373
374                 signalForAuthorizationTreeUpdate();
375             } catch (CreateException ce) {
376                 error("initialize continues after Exception: ", ce);
377             }
378         }
379         // Add Public Web Group
380 try {
381             AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
382             removeAndAddDefaultPublicWebGroupRules(agl);
383         } catch (FinderException e) {
384             debug("initialize: FinderEx, can't find public web group for caid "+caid);
385             debug("initialize: FinderEx, create public web group for caid "+caid);
386             try {
387                 AdminGroupDataLocal agdl = admingrouphome.create(new Integer (findFreeAdminGroupId()), PUBLICWEBGROUPNAME, caid);
388                 addDefaultPublicWebGroupRules(agdl);
389                 signalForAuthorizationTreeUpdate();
390             } catch (CreateException ce) {
391                 error("initialize continues after Exception: ", ce);
392             }
393         }
394
395         if (log.isDebugEnabled()) {
396             log.debug("<initialize, caid: "+caid);
397         }
398     }
399
400
401     private void addDefaultPublicWebGroupRules(AdminGroupDataLocal agdl) {
402         debug("create public web group for caid "+agdl.getCaId());
403         ArrayList adminentities = new ArrayList ();
404         adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER));
405         agdl.addAdminEntities(adminentities);
406
407         ArrayList accessrules = new ArrayList ();
408         accessrules.add(new AccessRule("/public_web_user", AccessRule.RULE_ACCEPT, false));
409
410         accessrules.add(new AccessRule("/ca_functionality/basic_functions", AccessRule.RULE_ACCEPT, false));
411         accessrules.add(new AccessRule("/ca_functionality/view_certificate", AccessRule.RULE_ACCEPT, false));
412         accessrules.add(new AccessRule("/ca_functionality/create_certificate", AccessRule.RULE_ACCEPT, false));
413         accessrules.add(new AccessRule("/ca_functionality/store_certificate", AccessRule.RULE_ACCEPT, false));
414         accessrules.add(new AccessRule("/ra_functionality/view_end_entity", AccessRule.RULE_ACCEPT, false));
415         accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
416         accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
417
418         agdl.addAccessRules(accessrules);
419     }
420
421
422     /**
423      */
424     private void removeAndAddDefaultPublicWebGroupRules(AdminGroupDataLocal agl) {
425         if (log.isDebugEnabled()) {
426             debug("Removing old and adding new accessrules and admin entitites to admin group "+agl.getAdminGroupName()+" for caid "+agl.getCaId());
427         }
428         removeEntitiesAndRulesFromGroup(agl);
429         addDefaultPublicWebGroupRules(agl);
430         signalForAuthorizationTreeUpdate();
431     }
432
433     /**
434      * Method to check if a user is authorized to a certain resource.
435      *
436      * @param admin the administrator about to be authorized, see org.ejbca.core.model.log.Admin class.
437      * @param resource the resource to check authorization for.
438      * @ejb.interface-method view-type="both"
439      * @ejb.transaction type="Supports"
440      */
441     public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
442         if (updateNeccessary())
443             updateAuthorizationTree();
444         
445         return authorizer.isAuthorized(admin, resource);
446     }
447
448     /**
449      * Method to check if a user is authorized to a certain resource without performing any logging.
450      *
451      * @param admin the administrator about to be authorized, see org.ejbca.core.model.log.Admin class.
452      * @param resource the resource to check authorization for.
453      * @ejb.interface-method view-type="both"
454      * @ejb.transaction type="Supports"
455      */
456     public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
457         if (updateNeccessary())
458             updateAuthorizationTree();
459         return authorizer.isAuthorizedNoLog(admin, resource);
460     }
461
462     /**
463      * Method to check if a group is authorized to a resource.
464      *
465      * @ejb.interface-method view-type="both"
466      * @ejb.transaction type="Supports"
467      */
468     public boolean isGroupAuthorized(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
469         if (updateNeccessary())
470             updateAuthorizationTree();
471         return authorizer.isGroupAuthorized(admin, admingrouppk, resource);
472     }
473
474     /**
475      * Method to check if a group is authorized to a resource without any logging.
476      *
477      * @ejb.interface-method view-type="both"
478      * @ejb.transaction type="Supports"
479      */
480     public boolean isGroupAuthorizedNoLog(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
481         if (updateNeccessary())
482             updateAuthorizationTree();
483         return authorizer.isGroupAuthorizedNoLog(admin, admingrouppk, resource);
484     }
485
486     /**
487      * Method to check if an administrator exists in the specified admingroup.
488      *
489      * @ejb.interface-method view-type="both"
490      * @ejb.transaction type="Supports"
491      */
492     public boolean existsAdministratorInGroup(Admin admin, int admingrouppk) {
493         boolean returnval = false;
494         if (updateNeccessary())
495             updateAuthorizationTree();
496
497         try {
498             AdminGroupDataLocal agdl = admingrouphome.findByPrimaryKey(new Integer (admingrouppk));
499             Iterator adminentitites = agdl.getAdminGroup().getAdminEntities().iterator();
500             while (adminentitites.hasNext()) {
501                 AdminEntity ae = (AdminEntity) adminentitites.next();
502                 returnval = returnval || ae.match(admin.getAdminInformation());
503             }
504         } catch (FinderException fe) {
505         }
506
507         return returnval;
508     }
509
510
511     /**
512      * Method to validate and check revokation status of a users certificate.
513      *
514      * @param certificate the users X509Certificate.
515      * @ejb.interface-method view-type="both"
516      * @ejb.transaction type="Supports"
517      */
518
519     public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
520         authorizer.authenticate(certificate);
521     }
522
523     /**
524      * Method to add an admingroup.
525      *
526      * @param admingroupname name of new admingroup, have to be unique.
527      * @throws AdminGroupExistsException if admingroup already exists.
528      * @ejb.interface-method view-type="both"
529      */
530     public void addAdminGroup(Admin admin, String admingroupname, int caid) throws AdminGroupExistsException {
531         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
532
533             boolean success = true;
534             try {
535                 admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
536                 success = false;
537             } catch (FinderException e) {
538             }
539             if (success) {
540                 try {
541                     admingrouphome.create(new Integer (findFreeAdminGroupId()), admingroupname, caid);
542                     success = true;
543                 } catch (CreateException e) {
544                     String msg = intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname);
545                     error(msg, e);
546                     success = false;
547                 }
548             }
549
550
551             if (success) {
552                 String msg = intres.getLocalizedMessage("authorization.admingroupadded", admingroupname);
553                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
554             } else {
555                 String msg = intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname);
556                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
557                 throw new AdminGroupExistsException();
558             }
559         }
560     } // addAdminGroup
561
562     /**
563      * Method to remove a admingroup.
564      *
565      * @ejb.interface-method view-type="both"
566      */
567     public void removeAdminGroup(Admin admin, String admingroupname, int caid) {
568         if (log.isDebugEnabled()) {
569             debug("Removing admin group "+admingroupname+" for caid "+caid);
570         }
571         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
572             try {
573                 AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
574                 removeEntitiesAndRulesFromGroup(agl);
575
576                 agl.remove();
577                 signalForAuthorizationTreeUpdate();
578
579                 String msg = intres.getLocalizedMessage("authorization.admingroupremoved", admingroupname);
580                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
581             } catch (Exception e) {
582                 String msg = intres.getLocalizedMessage("authorization.errorremoveadmingroup", admingroupname);
583                 error(msg, e);
584                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
585             }
586         }
587     } // removeAdminGroup
588
589
590     private void removeEntitiesAndRulesFromGroup(AdminGroupDataLocal agl) {
591         debug("removing entities and rules for caid "+agl.getCaId());
592         // Remove groups user entities.
593 agl.removeAdminEntities(agl.getAdminEntityObjects());
594
595         // Remove groups accessrules.
596 Iterator iter = agl.getAccessRuleObjects().iterator();
597         ArrayList remove = new ArrayList ();
598         while (iter.hasNext()) {
599             remove.add(((AccessRule) iter.next()).getAccessRule());
600         }
601         agl.removeAccessRules(remove);
602     }
603
604     /**
605      * Metod to rename a admingroup
606      *
607      * @throws AdminGroupExistsException if admingroup already exists.
608      * @ejb.interface-method view-type="both"
609      */
610     public void renameAdminGroup(Admin admin, String oldname, int caid, String newname) throws AdminGroupExistsException {
611         if (!(oldname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
612             boolean success = false;
613             AdminGroupDataLocal agl = null;
614             try {
615                 agl = admingrouphome.findByGroupNameAndCAId(newname, caid);
616                 throw new AdminGroupExistsException();
617             } catch (FinderException e) {
618                 success = true;
619             }
620             if (success) {
621                 try {
622                     agl = admingrouphome.findByGroupNameAndCAId(oldname, caid);
623                     agl.setAdminGroupName(newname);
624                     agl.setCaId(caid);
625                     signalForAuthorizationTreeUpdate();
626                 } catch (Exception e) {
627                     error("Can't rename admingroup: ", e);
628                     success = false;
629                 }
630             }
631
632             if (success) {
633                 String msg = intres.getLocalizedMessage("authorization.admingrouprenamed", oldname, newname);
634                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
635             } else {
636                 String msg = intres.getLocalizedMessage("authorization.errorrenameadmingroup", oldname, newname);
637                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
638             }
639         }
640     } // renameAdminGroup
641
642
643     /**
644      * Method to get a reference to a admingroup.
645      *
646      * @ejb.interface-method view-type="both"
647      * @ejb.transaction type="Supports"
648      */
649
650     public AdminGroup getAdminGroup(Admin admin, String admingroupname, int caid) {
651         AdminGroup returnval = null;
652         try {
653             returnval = (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).getAdminGroup();
654         } catch (Exception e) {
655             error("Can't get admingroup: ", e);
656         }
657         return returnval;
658     } // getAdminGroup
659
660
661     /**
662      * Returns the total number of admingroups
663      */
664     private Collection getAdminGroups() {
665         ArrayList returnval = new ArrayList ();
666         try {
667             Iterator iter = admingrouphome.findAll().iterator();
668             while (iter.hasNext())
669                 returnval.add(((AdminGroupDataLocal) iter.next()).getAdminGroup());
670         } catch (FinderException e) {
671         }
672
673         return returnval;
674     } // getAdminGroups
675
676
677     /**
678      * Returns a Collection of AdminGroup the administrator is authorized to.
679      * <p/>
680      * SuperAdmin is autorized to all groups
681      * Other admins are only authorized to the groups cointaining a subset of authorized CA that the admin
682      * himself is authorized to.
683      * <p/>
684      * The AdminGroup objects only contains only name and caid and no accessdata
685      *
686      * @ejb.interface-method view-type="both"
687      * @ejb.transaction type="Supports"
688      */
689
690     public Collection getAuthorizedAdminGroupNames(Admin admin) {
691         ArrayList returnval = new ArrayList ();
692
693
694         boolean issuperadmin = false;
695         try {
696             issuperadmin = this.isAuthorizedNoLog(admin, AvailableAccessRules.ROLE_SUPERADMINISTRATOR);
697         } catch (AuthorizationDeniedException e1) {
698         }
699         HashSet authorizedcaids = new HashSet ();
700         HashSet allcaids = new HashSet ();
701         if (!issuperadmin) {
702             authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin));
703             allcaids.addAll(getCAAdminSession().getAvailableCAs(admin));
704         }
705
706         try {
707             Collection result = admingrouphome.findAll();
708             Iterator i = result.iterator();
709
710             while (i.hasNext()) {
711                 AdminGroupDataLocal agdl = (AdminGroupDataLocal) i.next();
712
713                 boolean allauthorized = false;
714                 boolean carecursive = false;
715                 boolean superadmingroup = false;
716                 boolean authtogroup = false;
717
718                 ArrayList groupcaids = new ArrayList ();
719                 if (!issuperadmin) {
720                     // Is admin authorized to group caid.
721 if (authorizedcaids.contains(new Integer (agdl.getCaId()))) {
722                         authtogroup = true;
723                         // check access rules
724 Iterator iter = agdl.getAccessRuleObjects().iterator();
725                         while (iter.hasNext()) {
726                             AccessRule accessrule = ((AccessRule) iter.next());
727                             String rule = accessrule.getAccessRule();
728                             if (rule.equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR) && accessrule.getRule() == AccessRule.RULE_ACCEPT) {
729                                 superadmingroup = true;
730                                 break;
731                             }
732                             if (rule.equals(AvailableAccessRules.CABASE)) {
733                                 if (accessrule.getRule() == AccessRule.RULE_ACCEPT && accessrule.isRecursive()) {
734                                     if (authorizedcaids.containsAll(allcaids)) {
735                                         carecursive = true;
736                                     }
737                                 }
738                             } else {
739                                 if (rule.startsWith(AvailableAccessRules.CAPREFIX) && accessrule.getRule() == AccessRule.RULE_ACCEPT) {
740                                     groupcaids.add(new Integer (rule.substring(AvailableAccessRules.CAPREFIX.length())));
741                                 }
742                             }
743                         }
744                     }
745                 }
746
747                 allauthorized = authorizedcaids.containsAll(groupcaids);
748
749                 if (issuperadmin || ((allauthorized || carecursive) && authtogroup && !superadmingroup)) {
750                     if (!agdl.getAdminGroupName().equals(PUBLICWEBGROUPNAME) && !(agdl.getAdminGroupName().equals(DEFAULTGROUPNAME) && agdl.getCaId() == LogConstants.INTERNALCAID))
751                         returnval.add(agdl.getAdminGroupNames());
752                 }
753             }
754         } catch (FinderException e) {
755         }
756         return returnval;
757     } // getAuthorizedAdminGroupNames
758
759     /**
760      * Adds a Collection of AccessRule to an an admin group.
761      *
762      * @ejb.interface-method view-type="both"
763      */
764     public void addAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
765         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
766             try {
767                 (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).addAccessRules(accessrules);
768                 signalForAuthorizationTreeUpdate();
769                 String msg = intres.getLocalizedMessage("authorization.accessrulesadded", admingroupname);
770                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
771             } catch (Exception e) {
772                 String msg = intres.getLocalizedMessage("authorization.erroraddaccessrules", admingroupname);
773                 error(msg, e);
774                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
775             }
776         }
777     } // addAccessRules
778
779
780     /**
781      * Removes a Collection of (String) containing accessrules to remove from admin group.
782      *
783      * @ejb.interface-method view-type="both"
784      */
785     public void removeAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
786         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
787             try {
788                 (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).removeAccessRules(accessrules);
789                 signalForAuthorizationTreeUpdate();
790                 String msg = intres.getLocalizedMessage("authorization.accessrulesremoved", admingroupname);
791                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
792             } catch (Exception e) {
793                 String msg = intres.getLocalizedMessage("authorization.errorremoveaccessrules", admingroupname);
794                 error(msg, e);
795                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
796             }
797         }
798     } // removeAccessRules
799
800     /**
801      * Replaces a groups accessrules with a new set of rules
802      *
803      * @ejb.interface-method view-type="both"
804      */
805     public void replaceAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
806         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
807             try {
808                 AdminGroupDataLocal agdl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
809                 Collection currentrules = agdl.getAdminGroup().getAccessRules();
810                 ArrayList removerules = new ArrayList ();
811                 Iterator iter = currentrules.iterator();
812                 while (iter.hasNext()) {
813                     removerules.add(((AccessRule) iter.next()).getAccessRule());
814                 }
815                 agdl.removeAccessRules(removerules);
816                 agdl.addAccessRules(accessrules);
817                 signalForAuthorizationTreeUpdate();
818                 String msg = intres.getLocalizedMessage("authorization.accessrulesreplaced", admingroupname);
819                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
820             } catch (Exception e) {
821                 String msg = intres.getLocalizedMessage("authorization.errorreplaceaccessrules", admingroupname);
822                 error(msg, e);
823                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
824             }
825         }
826     } // replaceAccessRules
827
828     /**
829      * Adds a Collection of AdminEnity to the admingroup. Changes their values if they already exists.
830      *
831      * @ejb.interface-method view-type="both"
832      */
833
834     public void addAdminEntities(Admin admin, String admingroupname, int caid, Collection adminentities) {
835         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
836             try {
837                 (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).addAdminEntities(adminentities);
838                 signalForAuthorizationTreeUpdate();
839                 String msg = intres.getLocalizedMessage("authorization.adminadded", admingroupname);
840                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
841             } catch (Exception e) {
842                 String msg = intres.getLocalizedMessage("authorization.erroraddadmin", admingroupname);
843                 error(msg, e);
844                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
845             }
846         }
847     } // addAdminEntity
848
849
850     /**
851      * Removes a Collection of AdminEntity from the administrator group.
852      *
853      * @ejb.interface-method view-type="both"
854      */
855     public void removeAdminEntities(Admin admin, String admingroupname, int caid, Collection adminentities) {
856         if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) {
857             try {
858                 (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).removeAdminEntities(adminentities);
859                 signalForAuthorizationTreeUpdate();
860                 String msg = intres.getLocalizedMessage("authorization.adminremoved", admingroupname);
861                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
862             } catch (Exception e) {
863                 String msg = intres.getLocalizedMessage("authorization.errorremoveadmin", admingroupname);
864                 error(msg, e);
865                 logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date (), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
866             }
867         }
868     } // removeAdminEntity
869
870
871     /**
872      * Method used to collect an administrators available access rules based on which rule
873      * he himself is authorized to.
874      *
875      * @param admin is the administrator calling the method.
876      * @return a Collection of String containing available accessrules.
877      * @ejb.interface-method view-type="both"
878      * @ejb.transaction type="Supports"
879      */
880
881     public Collection getAuthorizedAvailableAccessRules(Admin admin) {
882         AvailableAccessRules aar = null;
883         try {
884             aar = new AvailableAccessRules(admin, authorizer, getRaAdminSession(), customaccessrules);
885         } catch (Exception e) {
886             throw new EJBException (e);
887         }
888
889         return aar.getAvailableAccessRules(admin);
890     }
891
892     /**
893      * Method used to return an Collection of Integers indicating which CAids a administrator
894      * is authorized to access.
895      *
896      * @ejb.interface-method view-type="both"
897      * @ejb.transaction type="Supports"
898      */
899     public Collection getAuthorizedCAIds(Admin admin) {
900         return authorizer.getAuthorizedCAIds(admin);
901     }
902
903
904     /**
905      * Method used to return an Collection of Integers indicating which end entity profiles
906      * the administrator is authorized to view.
907      *
908      * @param admin the administrator
909      * @param rapriviledge should be one of the end entity profile authorization constans defined in AvailableAccessRules.
910      * @ejb.interface-method view-type="both"
911      * @ejb.transaction type="Supports"
912      */
913     public Collection getAuthorizedEndEntityProfileIds(Admin admin, String rapriviledge) {
914         return authorizer.getAuthorizedEndEntityProfileIds(admin, rapriviledge);
915     }
916
917     /**
918      * Method to check if an end entity profile exists in any end entity profile rules. Used to avoid desyncronization of profilerules.
919      *
920      * @param profileid the profile id to search for.
921      * @return true if profile exists in any of the accessrules.
922      * @ejb.interface-method view-type="both"
923      * @ejb.transaction type="Supports"
924      */
925     public boolean existsEndEntityProfileInRules(Admin admin, int profileid) {
926         debug(">existsEndEntityProfileInRules()");
927         Connection con = null;
928         PreparedStatement ps = null;
929         ResultSet rs = null;
930         int count = 1; // return true as default.
931
932         String whereclause = "accessRule LIKE '" + AvailableAccessRules.ENDENTITYPROFILEPREFIX + profileid + "%'";
933
934         try {
935             // Construct SQL query.
936 con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);
937             ps = con.prepareStatement("select COUNT(*) from AccessRulesData where " + whereclause);
938             // Execute query.
939 rs = ps.executeQuery();
940             // Assemble result.
941 if (rs.next()) {
942                 count = rs.getInt(1);
943             }
944             debug("<existsEndEntityProfileInRules()");
945             return count > 0;
946
947         } catch (Exception e) {
948             throw new EJBException (e);
949         } finally {
950             JDBCUtil.close(con, ps, rs);
951         }
952     } // existsEndEntityProfileInRules
953
954     /**
955      * Method to check if a ca exists in any ca specific rules. Used to avoid desyncronization of CA rules when ca is removed
956      *
957      * @param caid the ca id to search for.
958      * @return true if ca exists in any of the accessrules.
959      * @ejb.interface-method view-type="both"
960      * @ejb.transaction type="Supports"
961      */
962
963     public boolean existsCAInRules(Admin admin, int caid) {
964         return existsCAInAdminGroups(caid) && existsCAInAccessRules(caid);
965     } // existsCAInRules
966
967     /**
968      * Method to force an update of the autorization rules without any wait.
969      *
970      * @ejb.interface-method view-type="both"
971      * @ejb.transaction type="Supports"
972      */
973
974     public void forceRuleUpdate(Admin admin) {
975         signalForAuthorizationTreeUpdate();
976         updateAuthorizationTree();
977     } // existsCAInRules
978
979
980     /**
981      * Help function to existsCAInRules, checks if caid axists among admingroups.
982      */
983     private boolean existsCAInAdminGroups(int caid) {
984         debug(">existsCAInAdminGroups()");
985         Connection con = null;
986         PreparedStatement ps = null;
987         ResultSet rs = null;
988         int count = 1; // return true as default.
989
990         String whereclause = "cAId = '" + caid + "'";
991
992         try {
993             // Construct SQL query.
994 con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);
995             ps = con.prepareStatement("select COUNT(*) from AdminGroupData where " + whereclause);
996             // Execute query.
997 rs = ps.executeQuery();
998             // Assemble result.
999 if (rs.next()) {
1000                count = rs.getInt(1);
1001            }
1002            debug("<existsCAInAdminGroupss()");
1003            return count > 0;
1004
1005        } catch (Exception e) {
1006            throw new EJBException (e);
1007        } finally {
1008            JDBCUtil.close(con, ps, rs);
1009        }
1010    }
1011
1012    /**
1013     * Help function to existsCAInRules, checks if caid axists among accessrules.
1014     */
1015    private boolean existsCAInAccessRules(int caid) {
1016        debug(">existsCAInAccessRules()");
1017        Connection con = null;
1018        PreparedStatement ps = null;
1019        ResultSet rs = null;
1020        int count = 1; // return true as default.
1021
1022        String whereclause = "accessRule LIKE '" + AvailableAccessRules.CABASE + "/" + caid + "%'";
1023
1024        try {
1025            // Construct SQL query.
1026 con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);
1027            ps = con.prepareStatement("select COUNT(*) from AccessRulesData where " + whereclause);
1028            // Execute query.
1029 rs = ps.executeQuery();
1030            // Assemble result.
1031 if (rs.next()) {
1032                count = rs.getInt(1);
1033            }
1034            debug("<existsCAInAccessRules()");
1035            return count > 0;
1036
1037        } catch (Exception e) {
1038            throw new EJBException (e);
1039        } finally {
1040            JDBCUtil.close(con, ps, rs);
1041        }
1042    } // existsCAInAccessRules
1043
1044    /**
1045     * Returns a reference to the AuthorizationTreeUpdateDataBean
1046     */
1047    private AuthorizationTreeUpdateDataLocal getAuthorizationTreeUpdateData() {
1048        AuthorizationTreeUpdateDataLocal atu = null;
1049        try {
1050            atu = authorizationtreeupdatehome.findByPrimaryKey(AuthorizationTreeUpdateDataBean.AUTHORIZATIONTREEUPDATEDATA);
1051        } catch (FinderException e) {
1052            try {
1053                atu = authorizationtreeupdatehome.create();
1054            } catch (CreateException ce) {
1055                String msg = intres.getLocalizedMessage("authorization.errorcreateauthtree");
1056                error(msg, ce);
1057                throw new EJBException (ce);
1058            }
1059        }
1060        return atu;
1061    }
1062
1063
1064    /**
1065     * Method used check if a reconstruction of authorization tree is needed in the
1066     * authorization beans.
1067     *
1068     * @return true if update is needed.
1069     */
1070
1071    private boolean updateNeccessary() {
1072        return getAuthorizationTreeUpdateData().updateNeccessary(this.authorizationtreeupdate) && lastupdatetime < ((new java.util.Date ()).getTime() - MIN_TIME_BETWEEN_UPDATES);
1073    } // updateNeccessary
1074
1075    /**
1076     * method updating authorization tree.
1077     */
1078    private void updateAuthorizationTree() {
1079        authorizer.buildAccessTree(getAdminGroups());
1080        this.authorizationtreeupdate = getAuthorizationTreeUpdateData().getAuthorizationTreeUpdateNumber();
1081        this.lastupdatetime = (new java.util.Date ()).getTime();
1082    }
1083
1084    /**
1085     * Method incrementing the authorizationtreeupdatenumber and thereby signaling
1086     * to other beans that they should reconstruct their accesstrees.
1087     */
1088    private void signalForAuthorizationTreeUpdate() {
1089        if (log.isDebugEnabled()) {
1090            log.debug(">signalForAuthorizationTreeUpdate");
1091        }
1092        getAuthorizationTreeUpdateData().incrementAuthorizationTreeUpdateNumber();
1093        if (log.isDebugEnabled()) {
1094            log.debug("<signalForAuthorizationTreeUpdate");
1095        }
1096    }
1097
1098    private int findFreeAdminGroupId() {
1099        Random random = new Random ();
1100        int id = random.nextInt();
1101        boolean foundfree = false;
1102
1103        while (!foundfree) {
1104            try {
1105                this.admingrouphome.findByPrimaryKey(new Integer (id));
1106                id = random.nextInt();
1107            } catch (FinderException e) {
1108                foundfree = true;
1109            }
1110        }
1111        return id;
1112    } // findFreeCertificateProfileId
1113
1114} // LocalAuthorizationSessionBean
1115
1116

A to Z: JavaDoc & Examples

---

Daily Java News & Articles

---

Open Source Projects

---

Open Source Codes

---

Free Computer Books

---

Remove Frame

---

Popular Tags