KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > ejbca > core > model > authorization > Authorizer


1 /*************************************************************************
2  * *
3  * EJBCA: The OpenSource Certificate Authority *
4  * *
5  * This software is free software; you can redistribute it and/or *
6  * modify it under the terms of the GNU Lesser General Public *
7  * License as published by the Free Software Foundation; either *
8  * version 2.1 of the License, or any later version. *
9  * *
10  * See terms of license at gnu.org. *
11  * *
12  *************************************************************************/

13
14 package org.ejbca.core.model.authorization;
15
16 import java.security.cert.X509Certificate JavaDoc;
17 import java.util.ArrayList JavaDoc;
18 import java.util.Collection JavaDoc;
19 import java.util.Iterator JavaDoc;
20
21 import org.ejbca.core.ejb.authorization.AdminGroupDataLocalHome;
22 import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;
23 import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;
24 import org.ejbca.core.ejb.log.ILogSessionLocal;
25 import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
26 import org.ejbca.core.model.ca.crl.RevokedCertInfo;
27 import org.ejbca.core.model.log.Admin;
28 import org.ejbca.core.model.log.LogConstants;
29 import org.ejbca.core.model.log.LogEntry;
30 import org.ejbca.util.CertTools;
31
32 /**
33  * A java bean handling the athorization to ejbca.
34  *
35  * The main metod are isAthorized and authenticate.
36  *
37  * @version $Id: Authorizer.java,v 1.1 2006/01/17 20:30:56 anatom Exp $
38  */

39 public class Authorizer extends Object JavaDoc implements java.io.Serializable JavaDoc{
40     
41     
42     
43     /** Creates new EjbcaAthorization */
44     public Authorizer(Collection JavaDoc admingroups, AdminGroupDataLocalHome admingrouphome,
45             ILogSessionLocal logsession, ICertificateStoreSessionLocal certificatestoresession,
46             IRaAdminSessionLocal raadminsession, ICAAdminSessionLocal caadminsession, Admin admin, int module) {
47         accesstree = new AccessTree();
48         authorizationproxy = new AuthorizationProxy(admingrouphome, accesstree);
49         buildAccessTree(admingroups);
50         this.logsession = logsession;
51         this.module=module;
52         this.certificatesession = certificatestoresession;
53         this.raadminsession = raadminsession;
54         this.caadminsession = caadminsession;
55     }
56     
57     // Public methods.
58

59     /**
60      * Method to check if a user is authorized to a resource
61      *
62      * @param admininformation information about the user to be authorized.
63      * @param resource the resource to look up.
64      * @return true if authorizes
65      * @throws AuthorizationDeniedException when authorization is denied.
66      */

67     public boolean isAuthorized(Admin admin, String JavaDoc resource) throws AuthorizationDeniedException {
68         
69         if(admin == null)
70             throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
71         
72         AdminInformation admininformation = admin.getAdminInformation();
73         
74         if(!authorizationproxy.isAuthorized(admininformation, resource) && !authorizationproxy.isAuthorized(admininformation, "/super_administrator")){
75             if(!admininformation.isSpecialUser()) {
76                 logsession.log(admin, admininformation.getX509Certificate(), module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Resource : " + resource);
77             } else {
78                 logsession.log(admin, LogConstants.INTERNALCAID, module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Resource : " + resource);
79             }
80             throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
81         }
82         if(!admininformation.isSpecialUser()) {
83             logsession.log(admin,admininformation.getX509Certificate(), module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,"Resource : " + resource);
84         } else {
85             logsession.log(admin, LogConstants.INTERNALCAID, module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,"Resource : " + resource);
86         }
87         
88         return true;
89     }
90     
91     
92     /**
93      * Method to check if a user is authorized to a resource without performing any logging
94      *
95      * @param AdminInformation information about the user to be authorized.
96      * @param resource the resource to look up.
97      * @return true if authorizes
98      * @throws AuthorizationDeniedException when authorization is denied.
99      */

100     public boolean isAuthorizedNoLog(Admin admin, String JavaDoc resource) throws AuthorizationDeniedException {
101         if(admin == null)
102             throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
103         
104         // Check in accesstree.
105
if(!authorizationproxy.isAuthorized(admin.getAdminInformation(), resource) && !authorizationproxy.isAuthorized(admin.getAdminInformation(), "/super_administrator")){
106             throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
107         }
108         return true;
109     }
110     
111     /**
112      * Method to check if a group is authorized to a resource
113      *
114      * @param admininformation information about the user to be authorized.
115      * @param resource the resource to look up.
116      * @return true if authorizes
117      * @throws AuthorizationDeniedException when authorization is denied.
118      */

119     public boolean isGroupAuthorized(Admin admin, int pk, String JavaDoc resource) throws AuthorizationDeniedException {
120         if(admin == null)
121             throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
122         
123         AdminInformation admininformation = admin.getAdminInformation();
124         
125         if(!authorizationproxy.isGroupAuthorized(admininformation, pk, resource)){
126             if(!admininformation.isSpecialUser()) {
127                 logsession.log(admin, admininformation.getX509Certificate(), module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Adminstrator group not authorized to resource : " + resource);
128             } else {
129                 logsession.log(admin, LogConstants.INTERNALCAID, module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,"Adminstrator group not authorized to resource : " + resource);
130             }
131             throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
132         }
133         if(!admininformation.isSpecialUser()) {
134             logsession.log(admin,admininformation.getX509Certificate(), module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,"Adminstrator group not authorized to resource : " + resource);
135         } else {
136             logsession.log(admin, LogConstants.INTERNALCAID, module, new java.util.Date JavaDoc(),null, null, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,"Adminstrator group not authorized to resource : " + resource);
137         }
138         
139         return true;
140     }
141     
142     
143     /**
144      * Method to check if a group is authorized to a resource without performing any logging
145      *
146      * @param AdminInformation information about the user to be authorized.
147      * @param resource the resource to look up.
148      * @return true if authorizes
149      * @throws AuthorizationDeniedException when authorization is denied.
150      */

151     public boolean isGroupAuthorizedNoLog(Admin admin, int pk, String JavaDoc resource) throws AuthorizationDeniedException {
152         if(admin == null)
153             throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
154         
155         // Check in accesstree.
156
if(!authorizationproxy.isGroupAuthorized(admin.getAdminInformation(), pk, resource)) {
157             throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
158         }
159         return true;
160     }
161     
162     
163     
164     /**
165      * Method that authenticates a certificate by verifying signature, checking validity and lookup if certificate is revoked.
166      *
167      * @param certificate the certificate to be authenticated.
168      * @throws AuthenticationFailedException if authentication failed.
169      */

170     public void authenticate(X509Certificate JavaDoc certificate) throws AuthenticationFailedException {
171         
172         // Check Validity
173
try{
174             certificate.checkValidity();
175         }catch(Exception JavaDoc e){
176             throw new AuthenticationFailedException("Your certificates vality has expired.");
177         }
178         
179         // TODO
180
/* // Vertify Signature
181          boolean verified = false;
182          for(int i=0; i < this.cacertificatechain.length; i++){
183          try{
184          // log.debug("Authorizer: authenticate : Comparing : " + CertTools.getIssuerDN(certificate) + " With " + CertTools.getSubjectDN((X509Certificate) cacertificatechain[i]));
185           // if(LDAPDN.equals(CertTools.getIssuerDN(certificate), CertTools.getSubjectDN((X509Certificate) cacertificatechain[i]))){
186            certificate.verify(cacertificatechain[i].getPublicKey());
187            verified = true;
188            // }
189             }catch(Exception e){}
190             }
191             if(!verified)
192             throw new AuthenticationFailedException("Your certificate cannot be verified by CA certificate chain.");
193             */

194         // Check if certificate is revoked.
195
RevokedCertInfo revinfo = certificatesession.isRevoked(new Admin(certificate), CertTools.getIssuerDN(certificate),certificate.getSerialNumber());
196         if (revinfo == null) {
197             // Certificate missing
198
throw new AuthenticationFailedException("Your certificate cannot be found in database.");
199         } else if (revinfo.getReason() != RevokedCertInfo.NOT_REVOKED) {
200             // Certificate revoked
201
throw new AuthenticationFailedException("Your certificate have been revoked.");
202         }
203     }
204     
205     /**
206      * Method used to return an ArrayList of Integers indicating which CAids a administrator
207      * is authorized to access.
208      */

209     
210     public Collection JavaDoc getAuthorizedCAIds(Admin admin){
211         ArrayList JavaDoc returnval = new ArrayList JavaDoc();
212         Iterator JavaDoc iter = caadminsession.getAvailableCAs(admin).iterator();
213         
214         while(iter.hasNext()){
215             Integer JavaDoc caid = (Integer JavaDoc) iter.next();
216             try{
217                 isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX + caid.toString());
218                 returnval.add(caid);
219             }catch(AuthorizationDeniedException e){}
220         }
221         return returnval;
222     }
223     
224     /**
225      * Method used to return an Collection of Integers indicating which end entity profiles
226      * the administrator is authorized to view.
227      *
228      * @param admin, the administrator
229      * @rapriviledge should be one of the end entity profile authorization constans defined in AvailableAccessRules.
230      */

231     
232     public Collection JavaDoc getAuthorizedEndEntityProfileIds(Admin admin, String JavaDoc rapriviledge){
233         ArrayList JavaDoc returnval = new ArrayList JavaDoc();
234         Iterator JavaDoc iter = raadminsession.getEndEntityProfileIdToNameMap(admin).keySet().iterator();
235         
236         while(iter.hasNext()){
237             Integer JavaDoc profileid = (Integer JavaDoc) iter.next();
238             try{
239                 isAuthorizedNoLog(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX + profileid + rapriviledge);
240                 returnval.add(profileid);
241             }catch(AuthorizationDeniedException e){}
242             
243         }
244         
245         return returnval;
246     }
247     
248     /** Metod to load the access data from database. */
249     public void buildAccessTree(Collection JavaDoc admingroups){
250         accesstree.buildTree(admingroups);
251         authorizationproxy.clear();
252     }
253     
254     // Private metods
255

256     
257     // Private fields.
258
private AccessTree accesstree;
259     private int module;
260     
261     private ICertificateStoreSessionLocal certificatesession;
262     private ILogSessionLocal logsession;
263     private IRaAdminSessionLocal raadminsession;
264     private ICAAdminSessionLocal caadminsession;
265     private AuthorizationProxy authorizationproxy;
266 }
267
Popular Tags