
📄 localauthorizationsessionbean.java

📁 一套JAVA的CA证书签发系统.
💻 JAVA
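       if(updateNeccessary())
         updateAuthorizationTree(admin);
       return authorizer.isAuthorizedNoLog(admin, resource);
    }

    /**
     * Checks whether an admin group is authorized to a resource.
     *
     * The authorization tree is refreshed first when updateNeccessary() reports
     * it is stale; the decision itself is delegated to the authorizer.
     *
     * @param admin the administrator performing the check.
     * @param admingrouppk primary key of the admin group to check.
     * @param resource the resource the group wants access to.
     * @return the result of authorizer.isGroupAuthorized.
     * @throws AuthorizationDeniedException propagated from the authorizer.
     */
    public boolean isGroupAuthorized(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException{
      if(updateNeccessary())
        updateAuthorizationTree(admin);
      return authorizer.isGroupAuthorized(admin, admingrouppk, resource);
    }

    /**
     * Checks whether an admin group is authorized to a resource, using the
     * authorizer's "NoLog" variant of the check.
     *
     * @param admin the administrator performing the check.
     * @param admingrouppk primary key of the admin group to check.
     * @param resource the resource the group wants access to.
     * @return the result of authorizer.isGroupAuthorizedNoLog.
     * @throws AuthorizationDeniedException propagated from the authorizer.
     */
    public boolean isGroupAuthorizedNoLog(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException{
      if(updateNeccessary())
        updateAuthorizationTree(admin);
      return authorizer.isGroupAuthorizedNoLog(admin, admingrouppk, resource);
    }

    /**
     * Checks whether the given administrator matches any admin entity of the
     * specified admin group.
     *
     * @param admin the administrator to look for.
     * @param admingrouppk primary key of the admin group to search.
     * @return true if at least one admin entity of the group matches the
     *         administrator's information; false otherwise, including when the
     *         group cannot be found.
     */
    public boolean existsAdministratorInGroup(Admin admin, int admingrouppk){
      boolean returnval = false;
      if(updateNeccessary())
        updateAuthorizationTree(admin);
      try{
        AdminGroupDataLocal agdl = admingrouphome.findByPrimaryKey(new Integer(admingrouppk));
        Iterator adminentitites = agdl.getAdminGroup().getAdminEntities().iterator();
        while(adminentitites.hasNext()){
          AdminEntity ae = (AdminEntity) adminentitites.next();
          // Short-circuit: once a match is found, match() is not called again.
          returnval = returnval || ae.match(admin.getAdminInformation());
        }
      }catch(FinderException fe){
        // Unknown group: fail closed, the administrator is reported as not a member.
      }
      return returnval;
    }

    /**
     * Authenticates a user's certificate by delegating to the authorizer.
     * According to the original documentation this validates the certificate
     * and checks its revocation status; that logic is not visible here.
     *
     * @param certificate the user's X509Certificate.
     * @throws AuthenticationFailedException propagated from the authorizer.
     */
    public void authenticate(X509Certificate certificate) throws AuthenticationFailedException{
     authorizer.authenticate(certificate);
    }

    /**
     * Adds an admin group and writes the outcome to the audit log.
     *
     * Nothing is done (and nothing is logged) when the request targets the
     * default group on the internal CA id.
     *
     * NOTE(review): this method performs no authorization check on admin; the
     * parameter is only passed to the audit log. Presumably the caller enforces
     * who may edit administrator privileges - confirm.
     * NOTE(review): admingroupname is concatenated into the audit message as-is;
     * confirm the log session neutralises control characters.
     *
     * @param admin the administrator performing the action (used for logging).
     * @param admingroupname name of the new admin group, must be unique per CA.
     * @param caid id of the CA the group belongs to.
     * @throws AdminGroupExistsException if the group already exists, and also
     *         when creation fails with a CreateException.
     */
    public void addAdminGroup(Admin admin, String admingroupname, int caid) throws AdminGroupExistsException {
      if(!(admingroupname.equals(DEFAULTGROUPNAME) && caid == ILogSessionLocal.INTERNALCAID)){
        boolean success=true;
        try{
          admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
          // The lookup succeeded, so the name is already taken.
          success=false;
        }catch(FinderException e){
          // Expected path: no such group yet, creation may proceed.
        }
        if(success){
          try{
            admingrouphome.create(new Integer(findFreeAdminGroupId()), admingroupname, caid);
            success=true;
          }catch(CreateException e){
             error("Can't add admingroup:"+e.getMessage());
             success=false;
          }
        }
        if(success){
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,"Administratorgroup " + admingroupname + " added.");
        }else{
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,"Error adding administratorgroup "  + admingroupname + ".");
          throw new AdminGroupExistsException();
        }
      }
    } // addAdminGroup

    /**
     * Removes an admin group together with its admin entities and access rules,
     * then signals that the authorization tree must be rebuilt.
     *
     * Nothing is done for the default group on the internal CA id. Any failure
     * is logged (application log and audit log) but not reported to the caller.
     *
     * NOTE(review): no authorization check on admin is performed here; it is
     * presumably the caller's responsibility - confirm.
     *
     * @param admin the administrator performing the action (used for logging).
     * @param admingroupname name of the admin group to remove.
     * @param caid id of the CA the group belongs to.
     */
    public void removeAdminGroup(Admin admin, String admingroupname, int caid){
      if(!(admingroupname.equals(DEFAULTGROUPNAME) && caid == ILogSessionLocal.INTERNALCAID)){
        try{
          AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
          // Remove groups user entities.
          agl.removeAdminEntities(agl.getAdminEntityObjects());
          // Remove groups accessrules.
          Iterator iter = agl.getAccessRuleObjects().iterator();
          ArrayList remove = new ArrayList();
          while(iter.hasNext()){
            remove.add(((AccessRule) iter.next()).getAccessRule());
          }
          agl.removeAccessRules(remove);
          agl.remove();
          signalForAuthorizationTreeUpdate();
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,"Administratorgroup " + admingroupname + " removed.");
        }catch(Exception e){
          error("RemoveAdminGroup: "+e);
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,"Error removing administratorgroup " + admingroupname + ".");
        }
      }
    } // removeAdminGroup

    /**
     * Renames an admin group and signals that the authorization tree must be
     * rebuilt.
     *
     * Nothing is done when oldname is the default group on the internal CA id.
     * If the rename itself fails (for example the old group is not found), the
     * failure is logged as an error event but no exception is thrown.
     *
     * NOTE(review): no authorization check on admin is performed here; it is
     * presumably the caller's responsibility - confirm.
     *
     * @param admin the administrator performing the action (used for logging).
     * @param oldname current name of the admin group.
     * @param caid id of the CA the group belongs to.
     * @param newname the new name of the admin group.
     * @throws AdminGroupExistsException if a group named newname already exists
     *         for this CA; in that case nothing is written to the audit log.
     */
    public void renameAdminGroup(Admin admin, String oldname, int caid, String newname) throws AdminGroupExistsException {
      if(!(oldname.equals(DEFAULTGROUPNAME) && caid == ILogSessionLocal.INTERNALCAID)){
        boolean success = false;
        AdminGroupDataLocal agl = null;
        try{
          agl = admingrouphome.findByGroupNameAndCAId(newname, caid);
          // Lookup succeeded: the target name is taken. This exception is not a
          // FinderException, so it propagates out of the method.
          throw new AdminGroupExistsException();
        }catch(FinderException e){
          success = true;
        }
        if(success){
          try{
            agl =  admingrouphome.findByGroupNameAndCAId(oldname, caid);
            agl.setAdminGroupName(newname);
            agl.setCAId(caid);
            signalForAuthorizationTreeUpdate();
          }catch(Exception e){
            error("Can't rename admingroup:"+e.getMessage());
            success = false;
          }
        }
        if(success)
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,"Renamed administratorgroup " + oldname + " to " + newname + ".");
        else
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,"Error renaming administratorgroup " + oldname + " to " + newname + ".");
      }
    } // renameAdminGroup

    /**
     * Looks up an admin group by name and CA id.
     *
     * @param admin the administrator performing the lookup (not used here).
     * @param admingroupname name of the admin group.
     * @param caid id of the CA the group belongs to.
     * @return the AdminGroup, or null when the lookup fails for any reason;
     *         callers must handle the null case.
     */
    public AdminGroup getAdminGroup(Admin admin, String admingroupname, int caid){
      AdminGroup returnval = null;
      try{
        returnval = (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).getAdminGroup();
      }catch(Exception e){
          error("Can't get admingroup:"+e.getMessage());
      }
      return returnval;
    } // getAdminGroup

    /**
     * Returns all admin groups as a Collection of AdminGroup.
     *
     * @param admin the administrator performing the lookup (not used here).
     * @return the groups found; whatever was collected so far (possibly an
     *         empty list) when a FinderException occurs.
     */
    private Collection getAdminGroups(Admin admin){
      ArrayList returnval= new ArrayList();
      try{
        Iterator iter =  admingrouphome.findAll().iterator();
        while(iter.hasNext())
          returnval.add(((AdminGroupDataLocal) iter.next()).getAdminGroup());
      }catch(FinderException e){
        // Swallowed on purpose in the original: the caller gets the partial result.
      }
      return returnval;
    } // getAdminGroups

    /**
     * Returns a Collection of AdminGroup the administrator is authorized to.
     *
     * SuperAdmin is authorized to all groups.
     * Other admins are only authorized to the groups containing a subset of
     * the CAs that the admin himself is authorized to, and never to a group
     * that holds an accepted superadministrator rule.
     *
     * The public web group and the default group on the internal CA id are
     * never returned.
     *
     * The AdminGroup objects contain only name and caid and no access data.
     *
     * @param admin the administrator whose view is computed.
     * @return the authorized groups; possibly partial or empty when a
     *         FinderException occurs.
     */
    public Collection getAuthorizedAdminGroupNames(Admin admin){
      ArrayList returnval = new ArrayList();
      boolean issuperadmin = false;
      try {
        issuperadmin = this.isAuthorizedNoLog(admin, AvailableAccessRules.ROLE_SUPERADMINISTRATOR);
      } catch (AuthorizationDeniedException e1) {
        // Denied: fail closed and treat the caller as a non-superadministrator.
      }
      HashSet authorizedcaids = new HashSet();
      HashSet allcaids = new HashSet();
      if(!issuperadmin){
        authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin));
        allcaids.addAll(getCAAdminSession().getAvailableCAs(admin));
      }

      try{
        Collection result = admingrouphome.findAll();
        Iterator i = result.iterator();
        while(i.hasNext()){
          AdminGroupDataLocal agdl = (AdminGroupDataLocal) i.next();

          boolean allauthorized = false;
          boolean carecursive = false;
          boolean superadmingroup = false;
          boolean authtogroup = false;

          ArrayList groupcaids = new ArrayList();
          if(!issuperadmin){
            // Is admin authorized to group caid.
            if(authorizedcaids.contains(new Integer(agdl.getCAId()))){
              authtogroup = true;
              // check access rules
              Iterator iter = agdl.getAccessRuleObjects().iterator();
              while(iter.hasNext()){
                AccessRule accessrule = ((AccessRule) iter.next());
                String rule = accessrule.getAccessRule();
                if(rule.equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR) && accessrule.getRule() == AccessRule.RULE_ACCEPT){
                  // Superadministrator groups are hidden from non-superadmins;
                  // no need to inspect the remaining rules.
                  superadmingroup = true;
                  break;
                }
                if(rule.equals(AvailableAccessRules.CABASE)){
                  if(accessrule.getRule() == AccessRule.RULE_ACCEPT && accessrule.isRecursive()){
                    // A group with recursive access to all CAs is only covered
                    // when the caller is authorized to every available CA.
                    if(authorizedcaids.containsAll(allcaids)){
                      carecursive = true;
                    }
                  }
                }else{
                  if(rule.startsWith(AvailableAccessRules.CAPREFIX) && accessrule.getRule() == AccessRule.RULE_ACCEPT){
                    // NOTE(review): a rule whose suffix is not a number would
                    // raise NumberFormatException, which is not caught here.
                    groupcaids.add(new Integer(rule.substring(AvailableAccessRules.CAPREFIX.length())));
                  }
                }
              }
            }
          }

          // NOTE(review): containsAll of an empty groupcaids is true. A group whose
          // only CA grant is an accepted recursive CABASE rule therefore yields
          // allauthorized == true even when carecursive stayed false - confirm
          // that such a group is meant to be listed for this caller.
          allauthorized = authorizedcaids.containsAll(groupcaids);

          if(issuperadmin || ((allauthorized || carecursive) && authtogroup && !superadmingroup)){
            if(!agdl.getAdminGroupName().equals(PUBLICWEBGROUPNAME) && !(agdl.getAdminGroupName().equals(DEFAULTGROUPNAME) && agdl.getCAId() == ILogSessionLocal.INTERNALCAID))
              returnval.add(agdl.getAdminGroupNames());
          }
        }
      }catch(FinderException e){
        // Swallowed on purpose in the original: the caller gets the partial result.
      }
      return returnval;
    } // getAuthorizedAdminGroupNames

    /**
     * Adds a Collection of AccessRule to an admin group and signals that the
     * authorization tree must be rebuilt.
     *
     * Nothing is done for the default group on the internal CA id. Failures are
     * logged (application log and audit log) but not reported to the caller.
     *
     * NOTE(review): no authorization check on admin is performed here; it is
     * presumably the caller's responsibility - confirm.
     *
     * @param admin the administrator performing the action (used for logging).
     * @param admingroupname name of the admin group to modify.
     * @param caid id of the CA the group belongs to.
     * @param accessrules Collection of AccessRule to add.
     */
    public void addAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules){
      if(!(admingroupname.equals(DEFAULTGROUPNAME) && caid == ILogSessionLocal.INTERNALCAID)){
        try{
          (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).addAccessRules(accessrules);
          signalForAuthorizationTreeUpdate();
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,"Added accessrules to admingroup : " + admingroupname );
        }catch(Exception e){
           error("Can't add access rule:"+e.getMessage());
           logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,"Error adding accessrules to admingroup : " + admingroupname);
        }
      }
    } // addAccessRules

    /**
     * Removes access rules from an admin group and signals that the
     * authorization tree must be rebuilt.
     *
     * Nothing is done for the default group on the internal CA id. Failures are
     * logged (application log and audit log) but not reported to the caller.
     *
     * NOTE(review): no authorization check on admin is performed here; it is
     * presumably the caller's responsibility - confirm.
     *
     * @param admin the administrator performing the action (used for logging).
     * @param admingroupname name of the admin group to modify.
     * @param caid id of the CA the group belongs to.
     * @param accessrules Collection of (String) access rules to remove.
     */
    public void removeAccessRules(Admin admin, String admingroupname, int caid, Collection accessrules){
      if(!(admingroupname.equals(DEFAULTGROUPNAME) && caid == ILogSessionLocal.INTERNALCAID)){
        try{
          (admingrouphome.findByGroupNameAndCAId(admingroupname, caid)).removeAccessRules(accessrules);
          signalForAuthorizationTreeUpdate();
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,"Removed accessrules from admingroup : " + admingroupname );
        }catch(Exception e){
          // Keep the exception detail in the application log, as the sibling
          // mutators do, and record the failure as an ERROR audit event so that
          // failed privilege edits are not filed among successful ones.
          error("Can't remove access rule:"+e.getMessage());
          logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,"Error removing accessrules from admingroup : " + admingroupname );
        }
      }
    } // removeAccessRules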
