accessrules.add(new AccessRule("/ca_functionality", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/ra_functionality", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/log_functionality", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/system_functionality", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/hardtoken_functionality", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true)); accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true)); agdl.addAccessRules(accessrules); signalForAuthorizationTreeUpdate(); } catch (CreateException ce) { error("initialize continues after Exception: ", ce); } } // Add Public Web Group try { admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid); this.removeAdminGroup(admin, PUBLICWEBGROUPNAME, caid); } catch (FinderException e) { debug("initialize: FinderEx, can't find public web group."); } try { admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid); } catch (FinderException e) { debug("initialize: FinderEx, create public web group."); try { AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), PUBLICWEBGROUPNAME, caid); ArrayList adminentities = new ArrayList(); adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER)); agdl.addAdminEntities(adminentities); ArrayList accessrules = new ArrayList(); accessrules.add(new AccessRule("/public_web_user", AccessRule.RULE_ACCEPT, false)); accessrules.add(new AccessRule("/ca_functionality/basic_functions", AccessRule.RULE_ACCEPT, false)); accessrules.add(new AccessRule("/ca_functionality/view_certificate", AccessRule.RULE_ACCEPT, false)); accessrules.add(new AccessRule("/ca_functionality/create_certificate", AccessRule.RULE_ACCEPT, false)); accessrules.add(new AccessRule("/ca_functionality/store_certificate", AccessRule.RULE_ACCEPT, false)); accessrules.add(new 
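AccessRule("/ra_functionality/view_end_entity", AccessRule.RULE_ACCEPT, false));
                    accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
                    accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
                    agdl.addAccessRules(accessrules);
                    signalForAuthorizationTreeUpdate();
                } catch (CreateException ce) {
                    error("initialize continues after Exception: ", ce);
                }
            }
        }

    /**
     * Method to check if a user is authorized to a certain resource.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     * @return the authorizer's verdict for the administrator and resource.
     * @throws AuthorizationDeniedException propagated from the authorizer when access is denied.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
        // Rebuild the cached authorization tree first, so a stale tree never decides access.
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
        return authorizer.isAuthorized(admin, resource);
    }

    /**
     * Method to check if a user is authorized to a certain resource without performing any logging.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     * @return the authorizer's verdict for the administrator and resource.
     * @throws AuthorizationDeniedException propagated from the authorizer when access is denied.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
        return authorizer.isAuthorizedNoLog(admin, resource);
    }

    /**
     * Method to check if a group is authorized to a resource.
     *
     * @param admin the administrator requesting the check.
     * @param admingrouppk primary key of the admingroup to check.
     * @param resource the resource to check authorization for.
     * @return the authorizer's verdict for the group and resource.
     * @throws AuthorizationDeniedException propagated from the authorizer when access is denied.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public boolean isGroupAuthorized(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
        return authorizer.isGroupAuthorized(admin, admingrouppk, resource);
    }

    /**
     * Method to check if a group is authorized to a resource without any logging.
     *
     * @param admin the administrator requesting the check.
     * @param admingrouppk primary key of the admingroup to check.
     * @param resource the resource to check authorization for.
     * @return the authorizer's verdict for the group and resource.
     * @throws AuthorizationDeniedException propagated from the authorizer when access is denied.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public boolean isGroupAuthorizedNoLog(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
        return authorizer.isGroupAuthorizedNoLog(admin, admingrouppk, resource);
    }

    /**
     * Method to check if an administrator exists in the specified admingroup.
     *
     * @param admin the administrator to look for; its admin information is matched against
     *              every AdminEntity of the group.
     * @param admingrouppk primary key of the admingroup.
     * @return true as soon as one AdminEntity of the group matches the administrator;
     *         false if none matches or the group cannot be found.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public boolean existsAdministratorInGroup(Admin admin, int admingrouppk) {
        if (updateNeccessary()) {
            updateAuthorizationTree();
        }
        try {
            AdminGroupDataLocal agdl = admingrouphome.findByPrimaryKey(new Integer(admingrouppk));
            Iterator adminentities = agdl.getAdminGroup().getAdminEntities().iterator();
            while (adminentities.hasNext()) {
                AdminEntity ae = (AdminEntity) adminentities.next();
                // The first match decides; the remaining entities need not be examined.
                if (ae.match(admin.getAdminInformation())) {
                    return true;
                }
            }
        } catch (FinderException fe) {
            // An unknown group has no members. Leave a trace instead of failing silently.
            debug("existsAdministratorInGroup: FinderEx, can't find admingroup with pk " + admingrouppk + ".");
        }
        return false;
    }

    /**
     * Method to validate and check revocation status of a users certificate.
     *
     * @param certificate the users X509Certificate.
     * @throws AuthenticationFailedException propagated from the authorizer when the certificate
     *         is not accepted.
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
        authorizer.authenticate(certificate);
    }

    /**
     * Method to add an admingroup.
     *
     * @param admingroupname name of new admingroup, have to be unique.
     * @throws AdminGroupExistsException if admingroup already exists.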
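 * @param admin the administrator performing the operation, used for logging.
     * @param caid id of the CA the new admingroup belongs to.
     * @ejb.interface-method view-type="both"
     */
    public void addAdminGroup(Admin admin, String admingroupname, int caid) throws AdminGroupExistsException {
        // The built-in default group of the internal CA is never (re)created through this method.
        if (admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID) {
            return;
        }
        boolean success;
        try {
            admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
            // Found: a group with this name already exists for the CA.
            success = false;
        } catch (FinderException ignored) {
            // Not found is the expected outcome here; the name is free.
            success = true;
        }
        if (success) {
            try {
                admingrouphome.create(new Integer(findFreeAdminGroupId()), admingroupname, caid);
            } catch (CreateException e) {
                error("Can't add admingroup: ", e);
                success = false;
            }
        }
        if (success) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,
                    "Administratorgroup " + admingroupname + " added.");
        } else {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,
                    "Error adding administratorgroup " + admingroupname + ".");
            // NOTE: a failed create() also ends up here and is reported to the caller as
            // AdminGroupExistsException; the real cause is only in the error log above.
            throw new AdminGroupExistsException();
        }
    } // addAdminGroup

    /**
     * Method to remove a admingroup.
     * <p/>
     * The group's admin entities and access rules are removed before the group itself, and an
     * authorization tree update is signalled afterwards. Any failure is written to the error log
     * and recorded as an error event; nothing is propagated to the caller.
     *
     * @param admin the administrator performing the operation, used for logging.
     * @param admingroupname name of the admingroup to remove.
     * @param caid id of the CA the admingroup belongs to.
     * @ejb.interface-method view-type="both"
     */
    public void removeAdminGroup(Admin admin, String admingroupname, int caid) {
        // The built-in default group of the internal CA must never be removed.
        if (admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID) {
            return;
        }
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
            // Remove groups user entities.
            agl.removeAdminEntities(agl.getAdminEntityObjects());
            // Remove groups accessrules.
            Iterator iter = agl.getAccessRuleObjects().iterator();
            ArrayList remove = new ArrayList();
            while (iter.hasNext()) {
                remove.add(((AccessRule) iter.next()).getAccessRule());
            }
            agl.removeAccessRules(remove);
            agl.remove();
            signalForAuthorizationTreeUpdate();
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,
                    "Administratorgroup " + admingroupname + " removed.");
        } catch (Exception e) {
            // Pass the exception itself so the stack trace is kept, not just its toString().
            error("RemoveAdminGroup: ", e);
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,
                    "Error removing administratorgroup " + admingroupname + ".");
        }
    } // removeAdminGroup

    /**
     * Method to rename an admingroup.
     *
     * @param admin the administrator performing the operation, used for logging.
     * @param oldname current name of the admingroup.
     * @param caid id of the CA the admingroup belongs to.
     * @param newname new name of the admingroup, have to be unique within the CA.
     * @throws AdminGroupExistsException if admingroup already exists.
     * @ejb.interface-method view-type="both"
     */
    public void renameAdminGroup(Admin admin, String oldname, int caid, String newname) throws AdminGroupExistsException {
        // The built-in default group of the internal CA must never be renamed.
        if (oldname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID) {
            return;
        }
        boolean newnameexists;
        try {
            admingrouphome.findByGroupNameAndCAId(newname, caid);
            newnameexists = true;
        } catch (FinderException ignored) {
            // Not found is the expected outcome here; the new name is free.
            newnameexists = false;
        }
        if (newnameexists) {
            // Record the refused rename as an error event before reporting it to the caller,
            // so the audit trail also covers attempts that never changed anything.
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,
                    "Error renaming administratorgroup " + oldname + " to " + newname + ".");
            throw new AdminGroupExistsException();
        }
        boolean success = true;
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(oldname, caid);
            agl.setAdminGroupName(newname);
            agl.setCaId(caid);
            signalForAuthorizationTreeUpdate();
        } catch (Exception e) {
            error("Can't rename admingroup: ", e);
            success = false;
        }
        if (success) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES,
                    "Renamed administratorgroup " + oldname + " to " + newname + ".");
        } else {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null,
                    LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES,
                    "Error renaming administratorgroup " + oldname + " to " + newname + ".");
        }
    } // renameAdminGroup

    /**
     * Method to get a reference to a admingroup.
     *
     * @param admin the administrator requesting the group (not used by this method).
     * @param admingroupname name of the admingroup.
     * @param caid id of the CA the admingroup belongs to.
     * @return the AdminGroup, or null if it cannot be found or read (the cause is error-logged).
     * @ejb.interface-method view-type="both"
     * @ejb.transaction type="Supports"
     */
    public AdminGroup getAdminGroup(Admin admin, String admingroupname, int caid) {
        AdminGroup returnval = null;
        try {
            AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(admingroupname, caid);
            returnval = agl.getAdminGroup();
        } catch (Exception e) {
            error("Can't get admingroup: ", e);
        }
        return returnval;
    } // getAdminGroup

    /**
     * Returns all stored admingroups.
     *
     * @return a Collection of AdminGroup, one per stored group; empty if the lookup fails.
     */
    private Collection getAdminGroups() {
        ArrayList returnval = new ArrayList();
        try {
            Iterator iter = admingrouphome.findAll().iterator();
            while (iter.hasNext()) {
                returnval.add(((AdminGroupDataLocal) iter.next()).getAdminGroup());
            }
        } catch (FinderException e) {
            // A failed lookup is treated as "no groups", but should not vanish without a trace.
            debug("getAdminGroups: FinderEx, can't list admingroups.");
        }
        return returnval;
    } // getAdminGroups

    /**
     * Returns a Collection of AdminGroup the administrator is authorized to.
     * <p/>
     * SuperAdmin is authorized to all groups
     * Other admins are only authorized to the groups containing a subset of authorized CA that the admin
     * himself is authorized to.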
* <p/> * The AdminGroup objects only contains only name and caid and no accessdata * * @ejb.interface-method view-type="both" * @ejb.transaction type="Supports" */ public Collection getAuthorizedAdminGroupNames(Admin admin) { ArrayList returnval = new ArrayList(); boolean issuperadmin = false; try { issuperadmin = this.isAuthorizedNoLog(admin, AvailableAccessRules.ROLE_SUPERADMINISTRATOR); } catch (AuthorizationDeniedException e1) { } HashSet authorizedcaids = new HashSet(); HashSet allcaids = new HashSet(); if (!issuperadmin) { authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin)); allcaids.addAll(getCAAdminSession().getAvailableCAs(admin)); } try { Collection result = admingrouphome.findAll(); Iterator i = result.iterator(); while (i.hasNext()) { AdminGroupDataLocal agdl = (AdminGroupDataLocal) i.next(); boolean allauthorized = false; boolean carecursive = false; boolean superadmingroup = false; boolean authtogroup = false; ArrayList groupcaids = new ArrayList(); if (!issuperadmin) { // Is admin authorized to group caid. if (authorizedcaids.contains(new Integer(agdl.getCaId()))) { authtogroup = true; // check access rules Iterator iter = agdl.getAccessRuleObjects().iterator(); while (iter.hasNext()) { AccessRule accessrule = ((AccessRule) iter.next()); String rule = accessrule.getAccessRule(); if (rule.equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR) && accessrule.getRule() == AccessRule.RULE_ACCEPT) { superadmingroup = true; break; } if (rule.equals(AvailableAccessRules.CABASE)) { if (accessrule.getRule() == AccessRule.RULE_ACCEPT && accessrule.isRecursive()) { if (authorizedcaids.containsAll(allcaids)) { carecursive = true; } } } else { if (rule.startsWith(AvailableAccessRules.CAPREFIX) && accessrule.getRule() == AccessRule.RULE_ACCEPT) { groupcaids.add(new Integer(rule.substring(AvailableAccessRules.CAPREFIX.length()))); }