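package org.ejbca.core.ejb.authorization;

import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Random;

import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.FinderException;

import org.apache.commons.lang.StringUtils;
import org.ejbca.core.ejb.BaseSessionBean;
import org.ejbca.core.ejb.JNDINames;
import org.ejbca.core.ejb.ServiceLocator;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocalHome;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocalHome;
import org.ejbca.core.ejb.log.ILogSessionLocal;
import org.ejbca.core.ejb.log.ILogSessionLocalHome;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocalHome;
import org.ejbca.core.model.InternalResources;
import org.ejbca.core.model.authorization.AccessRule;
import org.ejbca.core.model.authorization.AdminEntity;
import org.ejbca.core.model.authorization.AdminGroup;
import org.ejbca.core.model.authorization.AdminGroupExistsException;
import org.ejbca.core.model.authorization.AuthenticationFailedException;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.authorization.Authorizer;
import org.ejbca.core.model.authorization.AvailableAccessRules;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.log.LogConstants;
import org.ejbca.core.model.log.LogEntry;
import org.ejbca.util.JDBCUtil;

/**
 * Session bean that owns the administrator authorization data: admin groups,
 * the admin entities (certificate matching rules) that place an administrator
 * in a group, and the access rules a group grants.
 *
 * Security notes for maintainers:
 * <ul>
 * <li>Authorization decisions are answered from an in-memory access tree held
 *     by {@link Authorizer}. The tree is rebuilt lazily: only when another
 *     caller has signalled a change AND at least {@link #MIN_TIME_BETWEEN_UPDATES}
 *     has passed since this bean instance last rebuilt it. A privilege that is
 *     revoked can therefore still be honoured by this instance for up to that
 *     window; {@link #forceRuleUpdate(Admin)} bypasses the throttle.</li>
 * <li>The internal "DEFAULT" group (bound to {@link LogConstants#INTERNALCAID})
 *     carries the privileges of the built-in command-line / internal admins and
 *     is refused by every mutating method here.</li>
 * <li>{@link #initialize(Admin, int)} bootstraps an otherwise empty installation
 *     with a temporary super administrator group whose membership is decided
 *     purely by a case-insensitive CN match ("SuperAdmin") on certificates
 *     issued by the given CA. That group must be replaced once real admin
 *     groups exist.</li>
 * <li>Every mutation is written to the audit log with an
 *     EDITEDADMINISTRATORPRIVILEGES event; failures use the ERROR variant.</li>
 * </ul>
 */
public class LocalAuthorizationSessionBean extends BaseSessionBean {

    /**
     * Minimum interval, in milliseconds, between two rebuilds of the cached
     * access tree on this bean instance. Trades authorization freshness
     * against the cost of reloading all admin groups from the database.
     */
    public static final long MIN_TIME_BETWEEN_UPDATES = 60000 * 1;

    /** Localized messages used in audit log entries. */
    private static final InternalResources intres = InternalResources.getInstance();

    /** Entity home for admin groups. */
    private AdminGroupDataLocalHome admingrouphome = null;

    /** Entity home for the single row that versions the access tree. */
    private AuthorizationTreeUpdateDataLocalHome authorizationtreeupdatehome = null;

    /** Access tree version this instance's cached tree was built from; -1 = never. */
    private int authorizationtreeupdate = -1;

    /** Wall-clock time (ms) of this instance's last tree rebuild; -1 = never. */
    private long lastupdatetime = -1;

    /** Lazily resolved collaborating session beans. */
    private ILogSessionLocal logsession = null;
    private IRaAdminSessionLocal raadminsession = null;
    private ICAAdminSessionLocal caadminsession = null;
    private ICertificateStoreSessionLocal certificatestoresession = null;

    /** Holds the in-memory access tree and answers all authorization queries. */
    private Authorizer authorizer = null;

    /** Deployment-configured extra access rules ('; '-separated in the env entry). */
    private String[] customaccessrules = null;

    /** Name of the internal group that must never be edited or removed through this bean. */
    private static final String DEFAULTGROUPNAME = "DEFAULT";

    /** Name of the per-CA group that grants the public web its (non-admin) access. */
    protected static final String PUBLICWEBGROUPNAME = "Public Web Users";

    /**
     * EJB lifecycle callback: resolves entity homes, reads the custom access
     * rules from the deployment environment and builds the initial access tree.
     *
     * @throws CreateException never thrown directly; failures surface as EJBException
     */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");
        ServiceLocator locator = ServiceLocator.getInstance();
        admingrouphome = (AdminGroupDataLocalHome) locator.getLocalHome(AdminGroupDataLocalHome.COMP_NAME);
        authorizationtreeupdatehome = (AuthorizationTreeUpdateDataLocalHome) locator.getLocalHome(AuthorizationTreeUpdateDataLocalHome.COMP_NAME);

        String customrules = locator.getString("java:comp/env/CustomAvailableAccessRules");
        if (customrules == null) {
            customrules = "";
        }
        customaccessrules = StringUtils.split(customrules, ';');

        try {
            authorizer = new Authorizer(getAdminGroups(), admingrouphome,
                    getLogSession(), getCertificateStoreSession(), getRaAdminSession(), getCAAdminSession(),
                    new Admin(Admin.TYPE_INTERNALUSER), LogEntry.MODULE_AUTHORIZATION);
        } catch (Exception e) {
            throw new EJBException(e);
        }
        debug("<ejbCreate()");
    }

    /** @return the log session, created on first use */
    private ILogSessionLocal getLogSession() {
        if (logsession == null) {
            try {
                ILogSessionLocalHome home = (ILogSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ILogSessionLocalHome.COMP_NAME);
                logsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return logsession;
    }

    /** @return the RA admin session, created on first use */
    private IRaAdminSessionLocal getRaAdminSession() {
        if (raadminsession == null) {
            try {
                IRaAdminSessionLocalHome home = (IRaAdminSessionLocalHome) ServiceLocator.getInstance().getLocalHome(IRaAdminSessionLocalHome.COMP_NAME);
                raadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return raadminsession;
    }

    /** @return the certificate store session, created on first use */
    private ICertificateStoreSessionLocal getCertificateStoreSession() {
        if (certificatestoresession == null) {
            try {
                ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME);
                certificatestoresession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return certificatestoresession;
    }

    /** @return the CA admin session, created on first use */
    private ICAAdminSessionLocal getCAAdminSession() {
        if (caadminsession == null) {
            try {
                ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ICAAdminSessionLocalHome.COMP_NAME);
                caadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return caadminsession;
    }

    /**
     * Makes sure the authorization data needed for a CA exists, creating it if not.
     *
     * Three things are ensured, in order:
     * <ol>
     * <li>If the installation has no admin groups at all, a temporary super
     *     administrator group is created whose only member rule is "CN equals
     *     SuperAdmin (case-insensitive), issued by {@code caid}". Any such
     *     certificate from that CA is a super administrator until this group is
     *     replaced.</li>
     * <li>The internal DEFAULT group for the built-in special admins exists.</li>
     * <li>The public web users group for {@code caid} exists and carries exactly
     *     the default public-web rules (an existing group is reset to them).</li>
     * </ol>
     *
     * @param admin administrator performing the initialization (used for audit logging)
     * @param caid  id of the CA the groups are created for
     * @throws AdminGroupExistsException if the temporary super administrator group could not be added
     */
    public void initialize(Admin admin, int caid) throws AdminGroupExistsException {
        if (log.isDebugEnabled()) {
            log.debug(">initialize, caid: " + caid);
        }

        // 1. Bootstrap an empty installation with a temporary super administrator group.
        try {
            Collection existing = admingrouphome.findAll();
            if (existing.size() == 0) {
                String admingroupname = "Temporary Super Administrator Group";
                addAdminGroup(admin, admingroupname, caid);

                ArrayList adminentities = new ArrayList();
                adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS, "SuperAdmin", caid));
                addAdminEntities(admin, admingroupname, caid, adminentities);

                ArrayList accessrules = new ArrayList();
                accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
                addAccessRules(admin, admingroupname, caid, accessrules);
            }
        } catch (FinderException e) {
            debug("initialize: FinderEx, findAll failed.");
        }

        // 2. The internal DEFAULT group for the built-in special admins.
        try {
            admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, LogConstants.INTERNALCAID);
        } catch (FinderException e) {
            debug("initialize: FinderEx, add default group.");
            try {
                AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), DEFAULTGROUPNAME, LogConstants.INTERNALCAID);

                ArrayList adminentities = new ArrayList();
                adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN));
                adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN));
                adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RAADMIN));
                adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER));
                agdl.addAdminEntities(adminentities);

                ArrayList accessrules = new ArrayList();
                accessrules.add(new AccessRule("/administrator", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
                accessrules.add(new AccessRule("/ca_functionality", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/ra_functionality", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/log_functionality", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/system_functionality", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/hardtoken_functionality", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
                accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
                agdl.addAccessRules(accessrules);

                signalForAuthorizationTreeUpdate();
            } catch (CreateException ce) {
                error("initialize continues after Exception: ", ce);
            }
        }

        // 3. The public web users group for this CA, always reset to the defaults.
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
            removeAndAddDefaultPublicWebGroupRules(agl);
        } catch (FinderException e) {
            debug("initialize: FinderEx, can't find public web group for caid " + caid);
            debug("initialize: FinderEx, create public web group for caid " + caid);
            try {
                AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), PUBLICWEBGROUPNAME, caid);
                addDefaultPublicWebGroupRules(agdl);
                signalForAuthorizationTreeUpdate();
            } catch (CreateException ce) {
                error("initialize continues after Exception: ", ce);
            }
        }

        if (log.isDebugEnabled()) {
            log.debug("<initialize, caid: " + caid);
        }
    }

    /**
     * Adds the public web user entity and the default public-web access rules
     * to {@code agdl}. Does not signal a tree update; callers do.
     */
    private void addDefaultPublicWebGroupRules(AdminGroupDataLocal agdl) {
        debug("create public web group for caid " + agdl.getCaId());

        ArrayList adminentities = new ArrayList();
        adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER));
        agdl.addAdminEntities(adminentities);

        ArrayList accessrules = new ArrayList();
        accessrules.add(new AccessRule("/public_web_user", AccessRule.RULE_ACCEPT, false));
        accessrules.add(new AccessRule("/ca_functionality/basic_functions", AccessRule.RULE_ACCEPT, false));
        accessrules.add(new AccessRule("/ca_functionality/view_certificate", AccessRule.RULE_ACCEPT, false));
        accessrules.add(new AccessRule("/ca_functionality/create_certificate", AccessRule.RULE_ACCEPT, false));
        accessrules.add(new AccessRule("/ca_functionality/store_certificate", AccessRule.RULE_ACCEPT, false));
        accessrules.add(new AccessRule("/ra_functionality/view_end_entity", AccessRule.RULE_ACCEPT, false));
        // Recursive accept on all CAs and all end entity profiles.
        accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
        accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
        agdl.addAccessRules(accessrules);
    }

    /** Strips an existing public web group and re-applies the defaults, then signals a tree update. */
    private void removeAndAddDefaultPublicWebGroupRules(AdminGroupDataLocal agl) {
        if (log.isDebugEnabled()) {
            debug("Removing old and adding new accessrules and admin entitites to admin group " + agl.getAdminGroupName() + " for caid " + agl.getCaId());
        }
        removeEntitiesAndRulesFromGroup(agl);
        addDefaultPublicWebGroupRules(agl);
        signalForAuthorizationTreeUpdate();
    }

    /** Rebuilds the cached access tree if a change was signalled and the throttle allows it. */
    private void refreshTreeIfStale() {
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
    }

    /**
     * Checks whether {@code admin} may access {@code resource}, logging the decision.
     *
     * @return true if authorized
     * @throws AuthorizationDeniedException if not authorized
     */
    public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
        refreshTreeIfStale();
        return authorizer.isAuthorized(admin, resource);
    }

    /**
     * Same as {@link #isAuthorized(Admin, String)} but without writing an audit log entry.
     *
     * @throws AuthorizationDeniedException if not authorized
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
        refreshTreeIfStale();
        return authorizer.isAuthorizedNoLog(admin, resource);
    }

    /**
     * Checks whether the admin group with primary key {@code admingrouppk} grants {@code resource}.
     *
     * @throws AuthorizationDeniedException if not authorized
     */
    public boolean isGroupAuthorized(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
        refreshTreeIfStale();
        return authorizer.isGroupAuthorized(admin, admingrouppk, resource);
    }

    /**
     * Same as {@link #isGroupAuthorized(Admin, int, String)} but without an audit log entry.
     *
     * @throws AuthorizationDeniedException if not authorized
     */
    public boolean isGroupAuthorizedNoLog(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
        refreshTreeIfStale();
        return authorizer.isGroupAuthorizedNoLog(admin, admingrouppk, resource);
    }

    /**
     * Tells whether {@code admin} matches at least one admin entity of the group
     * with primary key {@code admingrouppk}.
     *
     * @return true on a match; false if no entity matches or the group does not exist
     */
    public boolean existsAdministratorInGroup(Admin admin, int admingrouppk) {
        refreshTreeIfStale();
        try {
            AdminGroupDataLocal agdl = admingrouphome.findByPrimaryKey(new Integer(admingrouppk));
            Iterator entities = agdl.getAdminGroup().getAdminEntities().iterator();
            while (entities.hasNext()) {
                AdminEntity ae = (AdminEntity) entities.next();
                if (ae.match(admin.getAdminInformation())) {
                    return true;
                }
            }
        } catch (FinderException fe) {
            // An unknown group simply has no administrators; not an error for callers.
            debug("existsAdministratorInGroup: no admin group with pk " + admingrouppk);
        }
        return false;
    }

    /**
     * Authenticates an administrator certificate (delegated to {@link Authorizer}).
     *
     * @throws AuthenticationFailedException if the certificate is not acceptable
     */
    public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
        authorizer.authenticate(certificate);
    }

    /**
     * Creates an empty admin group. Silently ignored for the internal DEFAULT group.
     *
     * No tree update is signalled: an empty group grants nothing.
     *
     * @throws AdminGroupExistsException if a group with that name already exists for the CA,
     *         or (kept for backward compatibility) if the entity could not be created
     */
    public void addAdminGroup(Admin admin, String admingroupname, int caid) throws AdminGroupExistsException {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        boolean exists = true;
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
        } catch (FinderException e) {
            exists = false;
        }
        boolean success = false;
        if (!exists) {
            try {
                admingrouphome.create(new Integer(findFreeAdminGroupId()), admingroupname, caid);
                success = true;
            } catch (CreateException e) {
                error(intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname), e);
            }
        }
        if (success) {
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.admingroupadded", admingroupname));
        } else {
            logPrivilegeError(admin, caid, intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname));
            throw new AdminGroupExistsException();
        }
    }

    /**
     * Removes an admin group with all its entities and rules and signals a tree
     * update. Silently ignored for the internal DEFAULT group; any failure is
     * logged as an error event rather than thrown.
     */
    public void removeAdminGroup(Admin admin, String admingroupname, int caid) {
        if (log.isDebugEnabled()) {
            debug("Removing admin group " + admingroupname + " for caid " + caid);
        }
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
            removeEntitiesAndRulesFromGroup(agl);
            agl.remove();
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.admingroupremoved", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.errorremoveadmingroup", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /** Removes every admin entity and every access rule from {@code agl}. */
    private void removeEntitiesAndRulesFromGroup(AdminGroupDataLocal agl) {
        debug("removing entities and rules for caid " + agl.getCaId());
        agl.removeAdminEntities(agl.getAdminEntityObjects());
        agl.removeAccessRules(accessRuleNames(agl.getAccessRuleObjects()));
    }

    /** @return the rule strings of a collection of {@link AccessRule} objects */
    private static ArrayList accessRuleNames(Collection rules) {
        ArrayList names = new ArrayList();
        Iterator iter = rules.iterator();
        while (iter.hasNext()) {
            names.add(((AccessRule) iter.next()).getAccessRule());
        }
        return names;
    }

    /**
     * Renames an admin group. Silently ignored for the internal DEFAULT group.
     *
     * @throws AdminGroupExistsException if {@code newname} is already taken for the CA
     */
    public void renameAdminGroup(Admin admin, String oldname, int caid, String newname) throws AdminGroupExistsException {
        if (isProtectedDefaultGroup(oldname, caid)) {
            return;
        }
        boolean targetexists = true;
        try {
            admingrouphome.findByGroupNameAndCAId(newname, caid);
        } catch (FinderException e) {
            targetexists = false;
        }
        if (targetexists) {
            throw new AdminGroupExistsException();
        }
        boolean success = true;
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(oldname, caid);
            agl.setAdminGroupName(newname);
            agl.setCaId(caid);
            signalForAuthorizationTreeUpdate();
        } catch (Exception e) {
            error("Can't rename admingroup: ", e);
            success = false;
        }
        if (success) {
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.admingrouprenamed", oldname, newname));
        } else {
            logPrivilegeError(admin, caid, intres.getLocalizedMessage("authorization.errorrenameadmingroup", oldname, newname));
        }
    }

    /**
     * @return the admin group value object, or null if it does not exist or cannot be read
     */
    public AdminGroup getAdminGroup(Admin admin, String admingroupname, int caid) {
        try {
            return admingrouphome.findByGroupNameAndCAId(admingroupname, caid).getAdminGroup();
        } catch (Exception e) {
            error("Can't get admingroup: ", e);
            return null;
        }
    }

    /** @return value objects of all admin groups; empty if the lookup fails */
    private Collection getAdminGroups() {
        ArrayList groups = new ArrayList();
        try {
            Iterator iter = admingrouphome.findAll().iterator();
            while (iter.hasNext()) {
                groups.add(((AdminGroupDataLocal) iter.next()).getAdminGroup());
            }
        } catch (FinderException e) {
            debug("getAdminGroups: FinderEx, findAll failed.");
        }
        return groups;
    }

    /**
     * Lists the admin groups {@code admin} is allowed to see and edit.
     *
     * A super administrator gets every group. Any other administrator gets a
     * group only if all of the following hold (this stops an administrator
     * from editing a group that reaches further than his own CA rights):
     * <ul>
     * <li>the admin is authorized to the group's CA;</li>
     * <li>the group does not carry an accepting super administrator rule;</li>
     * <li>every individual CA the group accepts is one the admin is authorized to,
     *     or the group has a recursive accept on all CAs and the admin is
     *     authorized to every available CA.</li>
     * </ul>
     * The public web group and the internal DEFAULT group are never listed.
     */
    public Collection getAuthorizedAdminGroupNames(Admin admin) {
        ArrayList result = new ArrayList();

        boolean issuperadmin = false;
        try {
            issuperadmin = this.isAuthorizedNoLog(admin, AvailableAccessRules.ROLE_SUPERADMINISTRATOR);
        } catch (AuthorizationDeniedException e1) {
            // Not a super administrator; fall through to the per-CA checks.
        }

        HashSet authorizedcaids = new HashSet();
        HashSet allcaids = new HashSet();
        if (!issuperadmin) {
            authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin));
            allcaids.addAll(getCAAdminSession().getAvailableCAs(admin));
        }

        try {
            Iterator groups = admingrouphome.findAll().iterator();
            while (groups.hasNext()) {
                AdminGroupDataLocal agdl = (AdminGroupDataLocal) groups.next();

                boolean carecursive = false;
                boolean superadmingroup = false;
                boolean authtogroup = false;
                ArrayList groupcaids = new ArrayList();

                if (!issuperadmin && authorizedcaids.contains(new Integer(agdl.getCaId()))) {
                    authtogroup = true;
                    Iterator rules = agdl.getAccessRuleObjects().iterator();
                    while (rules.hasNext()) {
                        AccessRule accessrule = (AccessRule) rules.next();
                        String rule = accessrule.getAccessRule();
                        boolean accepts = accessrule.getRule() == AccessRule.RULE_ACCEPT;
                        if (rule.equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR) && accepts) {
                            superadmingroup = true;
                            break;
                        }
                        if (rule.equals(AvailableAccessRules.CABASE)) {
                            if (accepts && accessrule.isRecursive() && authorizedcaids.containsAll(allcaids)) {
                                carecursive = true;
                            }
                        } else if (rule.startsWith(AvailableAccessRules.CAPREFIX) && accepts) {
                            // Throws NumberFormatException for a malformed CA rule; such a rule is a data error.
                            groupcaids.add(new Integer(rule.substring(AvailableAccessRules.CAPREFIX.length())));
                        }
                    }
                }

                boolean allauthorized = authorizedcaids.containsAll(groupcaids);
                if (issuperadmin || ((allauthorized || carecursive) && authtogroup && !superadmingroup)) {
                    String name = agdl.getAdminGroupName();
                    boolean hidden = name.equals(PUBLICWEBGROUPNAME)
                            || (name.equals(DEFAULTGROUPNAME) && agdl.getCaId() == LogConstants.INTERNALCAID);
                    if (!hidden) {
                        result.add(agdl.getAdminGroupNames());
                    }
                }
            }
        } catch (FinderException e) {
            debug("getAuthorizedAdminGroupNames: FinderEx, findAll failed.");
        }
        return result;
    }

    /**
     * Adds access rules to a group and signals a tree update. Ignored for the
     * internal DEFAULT group; failures are logged as error events, not thrown.
     */
    public void addAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid).addAccessRules(accessrules);
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.accessrulesadded", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.erroraddaccessrules", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /**
     * Removes access rules from a group and signals a tree update. Ignored for
     * the internal DEFAULT group. A failure is recorded as an ERROR event so the
     * audit trail shows the rules were NOT removed.
     */
    public void removeAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid).removeAccessRules(accessrules);
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.accessrulesremoved", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.errorremoveaccessrules", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /**
     * Replaces all access rules of a group with {@code accessrules} and signals
     * a tree update. Ignored for the internal DEFAULT group. Removal and
     * re-add are two entity calls; a failure between them is recorded as an
     * ERROR event and leaves the group in whatever state the container's
     * transaction semantics give it.
     */
    public void replaceAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules) {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            AdminGroupDataLocal agdl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
            agdl.removeAccessRules(accessRuleNames(agdl.getAdminGroup().getAccessRules()));
            agdl.addAccessRules(accessrules);
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.accessrulesreplaced", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.errorreplaceaccessrules", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /**
     * Adds admin entities (membership rules) to a group and signals a tree
     * update. Ignored for the internal DEFAULT group; failures are logged.
     */
    public void addAdminEntities(Admin admin, String admingroupname, int caid, Collection adminentities) {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid).addAdminEntities(adminentities);
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.adminadded", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.erroraddadmin", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /**
     * Removes admin entities from a group and signals a tree update. Ignored
     * for the internal DEFAULT group; failures are logged.
     */
    public void removeAdminEntities(Admin admin, String admingroupname, int caid, Collection adminentities) {
        if (isProtectedDefaultGroup(admingroupname, caid)) {
            return;
        }
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid).removeAdminEntities(adminentities);
            signalForAuthorizationTreeUpdate();
            logPrivilegeInfo(admin, caid, intres.getLocalizedMessage("authorization.adminremoved", admingroupname));
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("authorization.errorremoveadmin", admingroupname);
            error(msg, e);
            logPrivilegeError(admin, caid, msg);
        }
    }

    /**
     * @return the access rules {@code admin} is allowed to grant to others
     *         (built-in rules plus the deployment's custom rules)
     */
    public Collection getAuthorizedAvailableAccessRules(Admin admin) {
        AvailableAccessRules aar = null;
        try {
            aar = new AvailableAccessRules(admin, authorizer, getRaAdminSession(), customaccessrules);
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return aar.getAvailableAccessRules(admin);
    }

    /** @return ids of the CAs {@code admin} is authorized to */
    public Collection getAuthorizedCAIds(Admin admin) {
        return authorizer.getAuthorizedCAIds(admin);
    }

    /** @return ids of the end entity profiles {@code admin} holds {@code rapriviledge} on */
    public Collection getAuthorizedEndEntityProfileIds(Admin admin, String rapriviledge) {
        return authorizer.getAuthorizedEndEntityProfileIds(admin, rapriviledge);
    }

    /**
     * Tells whether any access rule refers to end entity profile {@code profileid}
     * (used to refuse deleting a profile that is still in use).
     *
     * Matches the rule for the profile itself and any sub-rule under it. A plain
     * prefix match would also hit profiles 10, 11, ... when asked about 1.
     */
    public boolean existsEndEntityProfileInRules(Admin admin, int profileid) {
        debug(">existsEndEntityProfileInRules()");
        boolean exists = existsAccessRuleForId(AvailableAccessRules.ENDENTITYPROFILEPREFIX, profileid);
        debug("<existsEndEntityProfileInRules()");
        return exists;
    }

    /**
     * Tells whether CA {@code caid} is referenced by the authorization data.
     *
     * NOTE(review): both conditions must hold, so a CA that is referenced only
     * by access rules (no admin group bound to it) reports false here. Confirm
     * that this is what the callers deleting CAs expect.
     */
    public boolean existsCAInRules(Admin admin, int caid) {
        return existsCAInAdminGroups(caid) && existsCAInAccessRules(caid);
    }

    /**
     * Signals a change and rebuilds this instance's access tree immediately,
     * ignoring {@link #MIN_TIME_BETWEEN_UPDATES}.
     */
    public void forceRuleUpdate(Admin admin) {
        signalForAuthorizationTreeUpdate();
        updateAuthorizationTree();
    }

    /** @return true if at least one admin group is bound to {@code caid} */
    private boolean existsCAInAdminGroups(int caid) {
        debug(">existsCAInAdminGroups()");
        Connection con = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        // Fail closed: if the query returns no row at all, report the CA as in use.
        int count = 1;
        try {
            con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);
            ps = con.prepareStatement("select COUNT(*) from AdminGroupData where cAId = ?");
            ps.setInt(1, caid);
            rs = ps.executeQuery();
            if (rs.next()) {
                count = rs.getInt(1);
            }
            debug("<existsCAInAdminGroups()");
            return count > 0;
        } catch (Exception e) {
            throw new EJBException(e);
        } finally {
            JDBCUtil.close(con, ps, rs);
        }
    }

    /** @return true if any access rule refers to CA {@code caid} (exact rule or a sub-rule of it) */
    private boolean existsCAInAccessRules(int caid) {
        debug(">existsCAInAccessRules()");
        boolean exists = existsAccessRuleForId(AvailableAccessRules.CABASE + "/", caid);
        debug("<existsCAInAccessRules()");
        return exists;
    }

    /**
     * Counts access rules whose name is exactly {@code ruleprefix + id} or a
     * sub-rule below it ({@code ruleprefix + id + "/..."}). Sub-rules are
     * '/'-delimited everywhere in this file, so the LIKE pattern anchors on
     * that separator instead of letting id 1 match 10, 11, ...
     *
     * Values are bound as statement parameters. The previous concatenation
     * only ever embedded an int and a constant, so it was not injectable, but
     * binding keeps that property if a String id is ever passed here.
     *
     * @return true if at least one such rule exists (or if the count could not be read)
     * @throws EJBException wrapping any JDBC failure
     */
    private boolean existsAccessRuleForId(String ruleprefix, int id) {
        String exactrule = ruleprefix + id;
        Connection con = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        // Fail closed: if the query returns no row at all, report the id as in use.
        int count = 1;
        try {
            con = JDBCUtil.getDBConnection(JNDINames.DATASOURCE);
            ps = con.prepareStatement("select COUNT(*) from AccessRulesData where accessRule = ? or accessRule LIKE ?");
            ps.setString(1, exactrule);
            ps.setString(2, exactrule + "/%");
            rs = ps.executeQuery();
            if (rs.next()) {
                count = rs.getInt(1);
            }
            return count > 0;
        } catch (Exception e) {
            throw new EJBException(e);
        } finally {
            JDBCUtil.close(con, ps, rs);
        }
    }

    /** @return the single access tree version row, creating it on first use */
    private AuthorizationTreeUpdateDataLocal getAuthorizationTreeUpdateData() {
        try {
            return authorizationtreeupdatehome.findByPrimaryKey(AuthorizationTreeUpdateDataBean.AUTHORIZATIONTREEUPDATEDATA);
        } catch (FinderException e) {
            try {
                return authorizationtreeupdatehome.create();
            } catch (CreateException ce) {
                String msg = intres.getLocalizedMessage("authorization.errorcreateauthtree");
                error(msg, ce);
                throw new EJBException(ce);
            }
        }
    }

    /**
     * @return true if the shared tree version has moved past the version this
     *         instance built from AND the throttle interval has elapsed. Until
     *         both hold, authorization is answered from the possibly stale tree.
     */
    private boolean updateNeccessary() {
        boolean changed = getAuthorizationTreeUpdateData().updateNeccessary(this.authorizationtreeupdate);
        return changed && lastupdatetime < (System.currentTimeMillis() - MIN_TIME_BETWEEN_UPDATES);
    }

    /** Rebuilds the cached access tree from the database and records version and time. */
    private void updateAuthorizationTree() {
        authorizer.buildAccessTree(getAdminGroups());
        this.authorizationtreeupdate = getAuthorizationTreeUpdateData().getAuthorizationTreeUpdateNumber();
        this.lastupdatetime = System.currentTimeMillis();
    }

    /** Bumps the shared tree version so every bean instance rebuilds on its next check. */
    private void signalForAuthorizationTreeUpdate() {
        if (log.isDebugEnabled()) {
            log.debug(">signalForAuthorizationTreeUpdate");
        }
        getAuthorizationTreeUpdateData().incrementAuthorizationTreeUpdateNumber();
        if (log.isDebugEnabled()) {
            log.debug("<signalForAuthorizationTreeUpdate");
        }
    }

    /**
     * Picks a random primary key not yet used by any admin group. The key is
     * not a secret, so java.util.Random is adequate here.
     */
    private int findFreeAdminGroupId() {
        Random random = new Random();
        while (true) {
            int id = random.nextInt();
            try {
                this.admingrouphome.findByPrimaryKey(new Integer(id));
            } catch (FinderException e) {
                return id;
            }
        }
    }

    /** @return true for the internal DEFAULT group, which no mutating method may touch */
    private static boolean isProtectedDefaultGroup(String admingroupname, int caid) {
        return DEFAULTGROUPNAME.equals(admingroupname) && caid == LogConstants.INTERNALCAID;
    }

    /** Writes a successful privilege change to the audit log. */
    private void logPrivilegeInfo(Admin admin, int caid, String msg) {
        getLogSession().log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg);
    }

    /** Writes a failed privilege change to the audit log as an ERROR event. */
    private void logPrivilegeError(Admin admin, int caid, String msg) {
        getLogSession().log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg);
    }
}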