
📄 localauthorizationsessionbean.java

📁 一套JAVA的CA证书签发系统.
📖 第 1 页 / 共 3 页
/************************************************************************* *                                                                       * *  EJBCA: The OpenSource Certificate Authority                          * *                                                                       * *  This software is free software; you can redistribute it and/or       * *  modify it under the terms of the GNU Lesser General Public           * *  License as published by the Free Software Foundation; either         * *  version 2.1 of the License, or any later version.                    * *                                                                       * *  See terms of license at gnu.org.                                     * *                                                                       * *************************************************************************/ package se.anatom.ejbca.authorization;import java.security.cert.X509Certificate;import java.sql.Connection;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.SQLException;import java.util.ArrayList;import java.util.Collection;import java.util.Date;import java.util.HashSet;import java.util.Iterator;import java.util.Random;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.ejb.FinderException;import javax.naming.NamingException;import javax.sql.DataSource;import se.anatom.ejbca.BaseSessionBean;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.log.ILogSessionLocal;import se.anatom.ejbca.log.ILogSessionLocalHome;import se.anatom.ejbca.log.LogEntry;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocal;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocalHome;/** * Stores data used by web server clients. 
* Uses JNDI name for datasource as defined in env 'Datasource' in ejb-jar.xml.
 *
 * @version $Id: LocalAuthorizationSessionBean.java,v 1.9 2004/05/10 04:36:32 herrvendil Exp $
 */
public class LocalAuthorizationSessionBean extends BaseSessionBean  {

    /** JNDI name of the datasource; ejbCreate() reads it from "java:comp/env/DataSource". */
    private String dataSource = "";

    /** The home interface of the AdminGroupData entity bean. */
    private AdminGroupDataLocalHome admingrouphome = null;

    /** The home interface of the AuthorizationTreeUpdateData entity bean. */
    private AuthorizationTreeUpdateDataLocalHome authorizationtreeupdatehome = null;

    /** Helper variable used to check that the authorization tree is up to date. */
    private int authorizationtreeupdate = -1;

    /** Helper variable used to ensure that the update isn't performed too often. */
    private long lastupdatetime = -1;

    /** The local interface of the log session bean; filled lazily by getLogSession(). */
    private ILogSessionLocal logsession = null;

    /** The local interface of the raadmin session bean; filled lazily by getRaAdminSession(). */
    private IRaAdminSessionLocal raadminsession = null;

    /** The local interface of the ca admin session bean; filled lazily by getCAAdminSession(). */
    private ICAAdminSessionLocal caadminsession = null;

    /** The local interface of the certificate store session bean; filled lazily by getCertificateStoreSession(). */
    private ICertificateStoreSessionLocal certificatestoresession = null;

    /** Decision engine built in ejbCreate(); isAuthorized() delegates every access check to it. */
    private Authorizer authorizer = null;

    /** Entries of the "java:comp/env/CustomAvailableAccessRules" environment string, split on ';'. */
    private String[] customaccessrules = null;

    /** Name of the built-in group that initialize() creates under ILogSessionLocal.INTERNALCAID. */
    private static final String DEFAULTGROUPNAME   = "DEFAULT";

    /** Name of the group that initialize() removes and re-creates for the public web user entity. */
    private static final String PUBLICWEBGROUPNAME = "Public Web Users";

    /**
     * Default create for SessionBean without any creation Arguments.
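* <p>Reads the datasource name, the entity-bean homes and the custom access rule list from
     * the bean's JNDI environment, then builds the {@code Authorizer} that every later
     * authorization check is delegated to. The authorizer is constructed with an
     * {@code Admin.TYPE_INTERNALUSER} identity.
     *
     * @throws CreateException if bean instance can't be created
     */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");
        try {
            dataSource = (String) lookup("java:comp/env/DataSource", java.lang.String.class);
            debug("DataSource=" + dataSource);
            admingrouphome = (AdminGroupDataLocalHome) lookup("java:comp/env/ejb/AdminGroupDataLocal");
            authorizationtreeupdatehome = (AuthorizationTreeUpdateDataLocalHome) lookup("java:comp/env/ejb/AuthorizationTreeUpdateDataLocal");
            // The environment entry is a single ';'-separated string of rule names.
            customaccessrules = ((String) lookup("java:comp/env/CustomAvailableAccessRules", java.lang.String.class)).split(";");
        } catch (Exception e) {
            // Keep the message callers already see, but chain the cause so that a failed
            // start-up of the authorization bean can be diagnosed from the stack trace.
            CreateException ce = new CreateException(e.getMessage());
            ce.initCause(e);
            throw ce;
        }

        try {
            authorizer = new Authorizer(getAdminGroups(new Admin(Admin.TYPE_INTERNALUSER)), admingrouphome,
                                        getLogSession(), getCertificateStoreSession(), getRaAdminSession(), getCAAdminSession(),
                                        new Admin(Admin.TYPE_INTERNALUSER), LogEntry.MODULE_AUTHORIZATION);
        } catch (Exception e) {
            throw new EJBException(e);
        }

        debug("<ejbCreate()");
    }

    /**
     * Gets a connection to the datasource used for manual SQL searches.
     * The caller owns the returned connection and is responsible for closing it.
     *
     * @return a new Connection obtained from the datasource named by {@code dataSource}
     * @throws SQLException if the datasource cannot hand out a connection
     * @throws NamingException if the datasource name cannot be resolved
     */
    private Connection getConnection() throws SQLException, NamingException {
        DataSource ds = (DataSource) getInitialContext().lookup(dataSource);
        return ds.getConnection();
    } //getConnection

    /**
     * Gets the local interface of the log session bean, creating it on first use
     * and reusing the cached reference afterwards.
     *
     * @return the ILogSessionLocal interface
     * @throws EJBException if the home lookup or the create call fails
     */
    private ILogSessionLocal getLogSession() {
        if (logsession == null) {
            try {
                ILogSessionLocalHome logsessionhome = (ILogSessionLocalHome) lookup("java:comp/env/ejb/LogSessionLocal", ILogSessionLocalHome.class);
                logsession = logsessionhome.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return logsession;
    } //getLogSession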
   /**
     * Returns the local interface of the RA admin session bean. The reference is
     * created on the first call and cached in {@code raadminsession}.
     *
     * @return the IRaAdminSessionLocal interface
     * @throws EJBException if the home lookup or the create call fails
     */
    private IRaAdminSessionLocal getRaAdminSession() {
        if (raadminsession != null) {
            return raadminsession;
        }
        try {
            Object home = lookup("java:comp/env/ejb/RaAdminSessionLocal", IRaAdminSessionLocalHome.class);
            raadminsession = ((IRaAdminSessionLocalHome) home).create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return raadminsession;
    } //getRaAdminSession

    /**
     * Returns the local interface of the certificate store session bean. The reference
     * is created on the first call and cached in {@code certificatestoresession}.
     *
     * @return the ICertificateStoreSessionLocal interface
     * @throws EJBException if the home lookup or the create call fails
     */
    private ICertificateStoreSessionLocal getCertificateStoreSession() {
        if (certificatestoresession != null) {
            return certificatestoresession;
        }
        try {
            Object home = lookup("java:comp/env/ejb/CertificateStoreSessionLocal", ICertificateStoreSessionLocalHome.class);
            certificatestoresession = ((ICertificateStoreSessionLocalHome) home).create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return certificatestoresession;
    } //getCertificateStoreSession

    /**
     * Returns the local interface of the CA admin session bean. The reference is
     * created on the first call and cached in {@code caadminsession}.
     *
     * @return the ICAAdminSessionLocal interface
     * @throws EJBException if the home lookup or the create call fails
     */
    private ICAAdminSessionLocal getCAAdminSession() {
        if (caadminsession != null) {
            return caadminsession;
        }
        try {
            Object home = lookup("java:comp/env/ejb/CAAdminSessionLocal", ICAAdminSessionLocalHome.class);
            caadminsession = ((ICAAdminSessionLocalHome) home).create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
        return caadminsession;
    } //getCAAdminSession

    // Methods used with AdminGroupData Entity Beans

    /**
     * Method to initialize authorization bean, must be called directly after creation of bean. Should only be called once.
 * <p>Performs three bootstrap steps, in this order:
     * <ol>
     *   <li>If no admin group exists at all, creates "Temporary Super Administrator Group" for
     *       {@code caid} with an accept rule on "/super_administrator" and a single admin entity
     *       built from WITH_COMMONNAME / TYPE_EQUALCASEINS / "SuperAdmin".</li>
     *   <li>If the DEFAULT group does not exist under ILogSessionLocal.INTERNALCAID, creates it
     *       for the command-line and internal-user special admins.</li>
     *   <li>Removes any existing "Public Web Users" group for {@code caid} and creates it again
     *       with the default rule set listed below.</li>
     * </ol>
     *
     * @param admin the administrator performing the initialization; passed on to the
     *              add/remove group helpers
     * @param caid  the CA id the temporary super administrator group and the public web
     *              group are created for
     * @throws AdminGroupExistsException declared by this method; presumably raised by
     *         addAdminGroup when the group is already present - confirm against that method
     */
    public void initialize(Admin admin, int caid) throws AdminGroupExistsException{
         // Check if admingroup table is empty, if so insert default superuser
         // and create "special edit accessrules count group"
       try{
         Collection result = admingrouphome.findAll();
         if(result.size()==0){
          // Authorization table is empty, fill with default and special admingroups.
           String admingroupname = "Temporary Super Administrator Group";
           addAdminGroup(admin, admingroupname, caid);
           ArrayList adminentities = new ArrayList();
           // NOTE(review): the only match criterion added here is the value "SuperAdmin" with
           // WITH_COMMONNAME / TYPE_EQUALCASEINS for this caid - presumably a case-insensitive
           // match on the certificate common name; confirm against AdminEntity. Nothing in this
           // method removes the group again, so replacing it after setup is left to the operator.
           adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME,AdminEntity.TYPE_EQUALCASEINS,"SuperAdmin",caid));
           addAdminEntities(admin, admingroupname, caid, adminentities);
           ArrayList accessrules = new ArrayList();
           // NOTE(review): the third AccessRule argument is presumably the "recursive" flag - confirm.
           accessrules.add(new AccessRule("/super_administrator",AccessRule.RULE_ACCEPT,false));
           addAccessRules(admin, admingroupname, caid, accessrules);
         }
       // NOTE(review): a FinderException from findAll() is dropped without a log entry, so a
       // failed lookup silently skips the super administrator bootstrap.
       }catch(FinderException e){}
         // Add Special Admin Group
         try{
            // Lookup used as an existence check; "not found" is the signal to create the group.
            admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, ILogSessionLocal.INTERNALCAID);
         }catch(FinderException e){
           // Add Default Group
           try{
             AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), DEFAULTGROUPNAME,  ILogSessionLocal.INTERNALCAID);

             ArrayList adminentities = new ArrayList();
             adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN));
             adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN));
             adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RACOMMANDLINEADMIN));
             adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER));
             agdl.addAdminEntities(adminentities);

             ArrayList accessrules = new ArrayList();
             accessrules.add(new AccessRule("/administrator",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/super_administrator",AccessRule.RULE_ACCEPT,false));
             accessrules.add(new AccessRule("/ca_functionality",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/ra_functionality",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/log_functionality",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/system_functionality",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/hardtoken_functionality",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/ca",AccessRule.RULE_ACCEPT,true));
             accessrules.add(new AccessRule("/endentityprofilesrules",AccessRule.RULE_ACCEPT,true));
             agdl.addAccessRules(accessrules);

             signalForAuthorizationTreeUpdate();
         // NOTE(review): a CreateException is dropped here, so a DEFAULT group that could not be
         // created (or was created without its rules) goes unreported and no tree update is signalled.
         }catch(CreateException ce){}
       }
       // Add Public Web Group
       try{
          // An existing public web group is removed first, so every call resets this group's
          // rules to the defaults below and discards any later changes made to it.
          admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
          this.removeAdminGroup(admin, PUBLICWEBGROUPNAME,  caid);
       }catch(FinderException e){}

       try{
          // Second existence check: the group is only re-created when this lookup fails.
          admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
       }catch(FinderException e){
         try{
           AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()),PUBLICWEBGROUPNAME,  caid);

           ArrayList adminentities = new ArrayList();
           adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER));
           agdl.addAdminEntities(adminentities);

           ArrayList accessrules = new ArrayList();
           // Default rights of the public web user entity. NOTE(review): these include
           // create_certificate and store_certificate, plus "/ca" and "/endentityprofilesrules"
           // with the third argument set to true - review this list when narrowing what the
           // public web pages may do.
           accessrules.add(new AccessRule("/public_web_user",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ca_functionality/basic_functions",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ca_functionality/view_certificate",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ca_functionality/create_certificate",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ca_functionality/store_certificate",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ra_functionality/view_end_entity",AccessRule.RULE_ACCEPT,false));
           accessrules.add(new AccessRule("/ca",AccessRule.RULE_ACCEPT,true));
           accessrules.add(new AccessRule("/endentityprofilesrules",AccessRule.RULE_ACCEPT,true));

           agdl.addAccessRules(accessrules);

           signalForAuthorizationTreeUpdate();
         // NOTE(review): as above, a failed create is dropped without a log entry.
         }catch(CreateException ce){}
       }
      }

    /**
     * Method to check if a user is authorized to a certain resource.
     * Refreshes the authorization tree first when updateNeccessary() reports that it is
     * stale, then delegates the decision to the Authorizer.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     * @return the result of Authorizer.isAuthorized for this admin and resource
     * @throws AuthorizationDeniedException declared by this method; presumably thrown by the
     *         Authorizer when access is denied - confirm against Authorizer
     */
    public boolean isAuthorized(Admin admin, String resource) throws  AuthorizationDeniedException{
        if(updateNeccessary())
          updateAuthorizationTree(admin);
        return authorizer.isAuthorized(admin, resource);
    }

    /**
     * Method to check if a user is authorized to a certain resource without performing any logging.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException{
