/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/package se.anatom.ejbca.authorization;import java.security.cert.X509Certificate;import java.sql.Connection;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.util.ArrayList;import java.util.Collection;import java.util.HashSet;import java.util.Iterator;import java.util.Random;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.ejb.FinderException;import se.anatom.ejbca.BaseSessionBean;import se.anatom.ejbca.JNDINames;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.log.ILogSessionLocal;import se.anatom.ejbca.log.ILogSessionLocalHome;import se.anatom.ejbca.log.LogConstants;import se.anatom.ejbca.log.LogEntry;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocal;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocalHome;import se.anatom.ejbca.util.JDBCUtil;import se.anatom.ejbca.util.ServiceLocator;/** * Stores data used by web server clients. * Uses JNDI name for datasource as defined in env 'Datasource' in ejb-jar.xml. 
* * @version $Id: LocalAuthorizationSessionBean.java,v 1.23 2005/04/29 08:16:10 anatom Exp $ * * @ejb.bean * description="Session bean handling interface with ra authorization" * display-name="AuthorizationSessionSB" * name="AuthorizationSession" * jndi-name="AuthorizationSession" * local-jndi-name="AuthorizationSessionLocal" * view-type="both" * type="Stateless" * transaction-type="Container" * * @ejb.transaction type="Required" * * @ejb.permission role-name="InternalUser" * * @ejb.env-entry * name="DataSource" * type="java.lang.String" * value="java:/${datasource.jndi-name}" * * @ejb.env-entry * description="Custom Available Access Rules, use ';' to separate multiple accessrules" * name="CustomAvailableAccessRules" * type="java.lang.String" * value="" * * @ejb.ejb-external-ref * description="The log session bean" * view-type="local" * ejb-name="LogSessionLocal" * type="Session" * home="se.anatom.ejbca.log.ILogSessionLocalHome" * business="se.anatom.ejbca.log.ILogSessionLocal" * link="LogSession" * * @ejb.ejb-external-ref * description="The RA Session Bean" * view-type="local" * ejb-name="RaAdminSessionLocal" * type="Session" * home="se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocalHome" * business="se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocal" * link="RaAdminSession" * * @ejb.ejb-external-ref * description="The CAAdmin Session Bean" * view-type="local" * ejb-name="CAAdminSessionLocal" * type="Session" * home="se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome" * business="se.anatom.ejbca.ca.sign.ICAAdminSessionLocal" * link="CAAdminSession" * * @ejb.ejb-external-ref * description="The Certificate Store Session bean" * view-type="local" * ejb-name="CertificateStoreSessionLocal" * type="Session" * home="se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome" * business="se.anatom.ejbca.ca.sore.ICertificateStoreSessionLocal" * link="CertificateStoreSession" * * @ejb.ejb-external-ref * description="Authorization Tree Update Bean" * view-type="local" * 
ejb-name="AuthorizationTreeUpdateDataLocal" * type="Entity" * home="se.anatom.ejbca.authorization.AuthorizationTreeUpdateDataLocalHome" * business="se.anatom.ejbca.authorization.AuthorizationTreeUpdateDataLocal" * link="AuthorizationTreeUpdateData" * * @ejb.ejb-external-ref * description="Admin Groups" * view-type="local" * ejb-name="AdminGroupDataLocal" * type="Entity" * home="se.anatom.ejbca.authorization.AdminGroupDataLocalHome" * business="se.anatom.ejbca.authorization.AdminGroupDataLocal" * link="AdminGroupData" * * @ejb.security-identity * description="" * run-as="InternalUser" * * @ejb.home * extends="javax.ejb.EJBHome" * local-extends="javax.ejb.EJBLocalHome" * local-class="se.anatom.ejbca.authorization.IAuthorizationSessionLocalHome" * remote-class="se.anatom.ejbca.authorization.IAuthorizationSessionHome" * * @ejb.interface * extends="javax.ejb.EJBObject" * local-extends="javax.ejb.EJBLocalObject" * local-class="se.anatom.ejbca.authorization.IAuthorizationSessionLocal" * remote-class="se.anatom.ejbca.authorization.IAuthorizationSessionRemote" * * @jonas.bean * ejb-name="AuthorizationSession" */public class LocalAuthorizationSessionBean extends BaseSessionBean { /** * Constant indicating minimum time between updates. In milliseconds */ public static final long MIN_TIME_BETWEEN_UPDATES = 60000 * 1; /** * The home interface of AdminGroupData entity bean */ private AdminGroupDataLocalHome admingrouphome = null; /** * The home interface of AuthorizationTreeUpdateData entity bean */ private AuthorizationTreeUpdateDataLocalHome authorizationtreeupdatehome = null; /** * help variable used to check that authorization trees is updated. */ private int authorizationtreeupdate = -1; /** * help variable used to control that update isn't performed to often. 
*/
    private long lastupdatetime = -1;

    /**
     * The local interface of the log session bean; created lazily by getLogSession().
     */
    private ILogSessionLocal logsession = null;

    /**
     * The local interface of the RA admin session bean; created lazily by getRaAdminSession().
     */
    private IRaAdminSessionLocal raadminsession = null;

    /**
     * The local interface of the CA admin session bean; created lazily by getCAAdminSession().
     */
    private ICAAdminSessionLocal caadminsession = null;

    /**
     * The local interface of the certificate store session bean; created lazily by
     * getCertificateStoreSession().
     */
    private ICertificateStoreSessionLocal certificatestoresession = null;

    /** Authorization engine built in ejbCreate() from the current admin groups. */
    private Authorizer authorizer = null;

    /**
     * Additional access rules read from the CustomAvailableAccessRules env-entry, split on ';'.
     * Note that an empty env-entry yields a one-element array holding the empty string;
     * presumably the consumers of this array filter that out -- confirm where it is used.
     */
    private String[] customaccessrules = null;

    /**
     * Name of the built-in admin group for administrators that are not authenticated with a
     * client certificate (command line tools, internal user).
     */
    private static final String DEFAULTGROUPNAME = "DEFAULT";

    /** Name of the built-in "Public Web Users" admin group. */
    private static final String PUBLICWEBGROUPNAME = "Public Web Users";

    /**
     * Default create for SessionBean without any creation Arguments.
     *
     * Looks up the entity home interfaces and the CustomAvailableAccessRules env-entry, then
     * builds the Authorizer from the current admin groups. Any failure while building the
     * Authorizer is rethrown as an EJBException.
     *
     * @throws CreateException if bean instance can't be created
     */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");
        ServiceLocator locator = ServiceLocator.getInstance();
        admingrouphome = (AdminGroupDataLocalHome) locator.getLocalHome(AdminGroupDataLocalHome.COMP_NAME);
        authorizationtreeupdatehome = (AuthorizationTreeUpdateDataLocalHome) locator.getLocalHome(AuthorizationTreeUpdateDataLocalHome.COMP_NAME);
        // The env-entry is declared via @ejb.env-entry on the class. getString() is assumed to
        // return a non-null String here (a missing entry would NPE on split) -- confirm against
        // ServiceLocator.
        customaccessrules = locator.getString("java:comp/env/CustomAvailableAccessRules").split(";");
        try {
            // The authorizer acts under the internal-user identity; LogEntry.MODULE_AUTHORIZATION is
            // presumably the log module it tags its entries with -- confirm in Authorizer.
            authorizer = new Authorizer(getAdminGroups(), admingrouphome, getLogSession(), getCertificateStoreSession(), getRaAdminSession(), getCAAdminSession(), new Admin(Admin.TYPE_INTERNALUSER), LogEntry.MODULE_AUTHORIZATION);
        } catch (Exception e) {
            throw new EJBException(e);
        }
        debug("<ejbCreate()");
    }

    /**
     * Gets connection to log session bean, creating it on first use.
     *
     * The unsynchronized lazy initialization relies on the container never letting two threads
     * into the same stateless session bean instance at once.
     *
     * @return ILogSessionLocal
     */
    private ILogSessionLocal getLogSession() {
        if (logsession == null) {
            try {
                ILogSessionLocalHome logsessionhome = (ILogSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ILogSessionLocalHome.COMP_NAME);
                logsession = logsessionhome.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return logsession;
    } // getLogSession

    /**
     * Gets connection to RA admin session bean, creating it on first use.
     *
     * Same lazy-init pattern as getLogSession(); safe only because of the container's
     * single-threaded access to a stateless instance.
     *
     * @return IRaAdminSessionLocal
     */
    private IRaAdminSessionLocal getRaAdminSession() {
        if (raadminsession == null) {
            try {
                IRaAdminSessionLocalHome home = (IRaAdminSessionLocalHome) ServiceLocator.getInstance().getLocalHome(IRaAdminSessionLocalHome.COMP_NAME);
                raadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return raadminsession;
    } // getRaAdminSession

    /**
     * Gets connection to certificate store session bean, creating it on first use.
     *
     * @return ICertificateStoreSessionLocal
     */
    private ICertificateStoreSessionLocal getCertificateStoreSession() {
        if (certificatestoresession == null) {
            try {
                ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME);
                certificatestoresession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return certificatestoresession;
    } // getCertificateStoreSession

    /**
     * Gets connection to CA admin session bean, creating it on first use.
     *
     * @return ICAAdminSessionLocal
     */
    private ICAAdminSessionLocal getCAAdminSession() {
        if (caadminsession == null) {
            try {
                ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) ServiceLocator.getInstance().getLocalHome(ICAAdminSessionLocalHome.COMP_NAME);
                caadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return caadminsession;
    } // getCAAdminSession

    // Methods used with AdminGroupData Entity Beans

    /**
     * Method to initialize authorization bean, must be called directly after creation of bean.
     * Should only be called once.
     *
     * Exposed on both the local and the remote view. The empty-table check at the top of the
     * body is what prevents the bootstrap super administrator group from being created again
     * on an installation that already has admin groups.
     *
     * @param admin the administrator on whose behalf the groups are created (passed through to
     *              the add* calls)
     * @param caid  CA id used for the bootstrap administrator group and its admin entity
     * @throws AdminGroupExistsException presumably thrown by the add* calls when a group to be
     *                                   created already exists -- confirm
     *
     * @ejb.interface-method view-type="both"
     */
    public void initialize(Admin admin, int caid) throws AdminGroupExistsException {
        // Check if admingroup table is empty, if so insert default superuser
        // and create "special edit accessrules count group"
        try {
            Collection result = admingrouphome.findAll();
            if (result.size() == 0) {
                // Authorization table is empty, fill with default and special admingroups.
String admingroupname = "Temporary Super Administrator Group"; addAdminGroup(admin, admingroupname, caid); ArrayList adminentities = new ArrayList(); adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS, "SuperAdmin", caid)); addAdminEntities(admin, admingroupname, caid, adminentities); ArrayList accessrules = new ArrayList(); accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false)); addAccessRules(admin, admingroupname, caid, accessrules); } } catch (FinderException e) { debug("initialize: FinderEx, findAll failed."); } // Add Special Admin Group // Special admin group is a group that is not authenticated with client certificate, such as batch tool etc try { admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, LogConstants.INTERNALCAID); } catch (FinderException e) { debug("initialize: FinderEx, add default group."); // Add Default Special Admin Group try { AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), DEFAULTGROUPNAME, LogConstants.INTERNALCAID); ArrayList adminentities = new ArrayList(); adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN)); adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN)); adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RACOMMANDLINEADMIN)); adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER)); agdl.addAdminEntities(adminentities); ArrayList accessrules = new ArrayList(); accessrules.add(new AccessRule("/administrator", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));