📄 localuseradminsessionbean.java

📁 JAVA做的J2EE下CA认证系统 基于EJB开发
        try {
            // An "empty" profile id combined with create/edit rights is not resolved as a
            // per-profile rule but against the /super_administrator rule instead.
            if (profileid == SecConst.EMPTY_ENDENTITYPROFILE && (rights.equals(AvailableAccessRules.CREATE_RIGHTS) || rights.equals(AvailableAccessRules.EDIT_RIGHTS)))
                returnval = authorizationsession.isAuthorizedNoLog(admin, "/super_administrator");
            else
                returnval = authorizationsession.isAuthorizedNoLog(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX + profileid + rights);
        } catch (AuthorizationDeniedException e) {
            // Deliberately swallowed: a denial leaves returnval at the value it had before the
            // try (presumably false; it is initialised above this fragment -- confirm).
        }
        return returnval;
    }

    /**
     * Implements IUserAdminSession::addUser.
     * Implements a mechanism that uses UserDataEntity Bean.
     * <p>
     * Order of work: the DN is normalised, the end entity profile is fetched, the user data is
     * validated against the profile and the administrator's profile rights are checked (both
     * steps only when end entity profile limitations are enabled in the global configuration),
     * the administrator's CA rights are checked, and finally the entity is created. Every
     * outcome, success or failure, is written to the log session.
     *
     * @param admin                 the administrator performing the action
     * @param username              the unique username.
     * @param password              the password used for authentication; null together with a
     *                              profile that uses auto-generated passwords means "generate one".
     * @param subjectdn             the DN the subject is given in his certificate.
     * @param subjectaltname        the Subject Alternative Name to be used, or null.
     * @param email                 the email of the subject or null.
     * @param clearpwd              true if the password will be stored in clear form in the db, otherwise it is
     *                              hashed.
     * @param endentityprofileid    the id number of the end entity profile bound to this user.
     * @param certificateprofileid  the id number of the certificate profile that should be
     *                              generated for the user.
     * @param type                  of user i.e administrator, keyrecoverable and/or sendnotification
     * @param tokentype             the type of token to be generated, one of SecConst.TOKEN constants
     * @param hardwaretokenissuerid if token should be hard, the id of the hard token issuer,
     *                              else 0.
     * @param caid                  the id of the CA that should issue the user's certificate.
     * @throws AuthorizationDeniedException       if the administrator lacks create rights for the
     *                                            end entity profile or rights for the CA.
     * @throws UserDoesntFullfillEndEntityProfile if the data violates the end entity profile.
     * @throws DuplicateKeyException              if an entity with this username already exists.
     * @throws EJBException                       wrapping any other failure while storing the entity.
     * @ejb.interface-method
     */
    public void addUser(Admin admin, String username, String password, String subjectdn, String subjectaltname, String email, boolean clearpwd, int endentityprofileid, int certificateprofileid,
                        int type, int tokentype, int hardwaretokenissuerid, int caid)
            throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, DuplicateKeyException {
        // String used in SQL so strip it: normalise the DN ordering first, then strip it.
        String dn = CertTools.stringToBCDNString(subjectdn);
        dn = StringTools.strip(dn);
        String newpassword = password;
        // The literal "password" is logged instead of the value; keep it that way.
        debug(">addUser(" + username + ", password, " + dn + ", "+ subjectaltname + ", " + email + ")");
        EndEntityProfile profile = raadminsession.getEndEntityProfile(admin, endentityprofileid);
        if (profile.useAutoGeneratedPasswd() && password == null) {
            // special case used to signal regeneraton of password:
            // a null password with an auto-generating profile means "generate one now".
            newpassword = profile.getAutoGeneratedPasswd();
        }
        if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
            // Check if user fulfills it's profile.
            // NOTE(review): validation runs before the authorization check below, so a caller
            // without create rights still gets profile-validation results back. The check is
            // given the caller's original password (possibly null), not newpassword --
            // presumably the profile accepts null when it auto-generates; confirm.
            try {
                profile.doesUserFullfillEndEntityProfile(username, password, dn, subjectaltname, email, certificateprofileid, clearpwd,
                        (type & SecConst.USER_ADMINISTRATOR) != 0, (type & SecConst.USER_KEYRECOVERABLE) != 0, (type & SecConst.USER_SENDNOTIFICATION) != 0,
                        tokentype, hardwaretokenissuerid, caid);
            } catch (UserDoesntFullfillEndEntityProfile udfp) {
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_ADDEDENDENTITY, "Userdata did not fullfill end entity profile. " + udfp.getMessage());
                // Rethrown as a fresh exception: only the message survives, not the original stack.
                throw new UserDoesntFullfillEndEntityProfile(udfp.getMessage());
            }
            // Check if administrator is authorized to add user.
            // Skipped entirely when profile limitations are disabled; only the CA check below
            // then gates the operation.
            if (!authorizedToEndEntityProfile(admin, endentityprofileid, AvailableAccessRules.CREATE_RIGHTS)) {
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_ADDEDENDENTITY, "Administrator not authorized.");
                throw new AuthorizationDeniedException("Administrator not authorized to create user.");
            }
        }
        // Check if administrator is authorized to add user to CA.
        if (!authorizedToCA(admin, caid)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_ADDEDENDENTITY, "Administrator not authorized to add user to CA.");
            throw new AuthorizationDeniedException("Administrator not authorized to create user with given CA.");
        }
        try {
            // The entity bean receives the (possibly generated) password; how it is stored there
            // is decided by the bean, not here.
            UserDataLocal data1 = home.create(username, newpassword, dn, caid);
            if (subjectaltname != null)
                data1.setSubjectAltName(subjectaltname);
            if (email != null)
                data1.setSubjectEmail(email);
            data1.setType(type);
            data1.setEndEntityProfileId(endentityprofileid);
            data1.setCertificateProfileId(certificateprofileid);
            data1.setTokenType(tokentype);
            data1.setHardTokenIssuerId(hardwaretokenissuerid);
            if (clearpwd) {
                // Clear-text storage was requested: an absent password is stored as "",
                // otherwise the open (unhashed) password is set on the bean.
                try {
                    if (newpassword == null) {
                        data1.setClearPassword("");
                    } else {
                        data1.setOpenPassword(newpassword);
                    }
                } catch (java.security.NoSuchAlgorithmException nsae) {
                    debug("NoSuchAlgorithmException while setting password for user " + username);
                    throw new EJBException(nsae);
                }
            }
            if ((type & SecConst.USER_SENDNOTIFICATION) != 0) {
                // The notification carries newpassword, i.e. the generated one when applicable.
                sendNotification(admin, profile, username, newpassword, dn, email, caid);
            }
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_INFO_ADDEDENDENTITY, "");
        } catch (DuplicateKeyException e) {
            // Username collision: logged and passed through unchanged so callers can distinguish it.
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_ADDEDENDENTITY, "Entity already exists.");
            throw e;
        } catch (Exception e) {
            // Anything else (including the EJBException thrown above) is logged and wrapped.
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_ADDEDENDENTITY, e.getMessage());
            error("AddUser:", e);
            throw new EJBException(e);
        }
        debug("<addUser(" + username + ", password, " + dn + ", " + email + ")");
    } // addUser

    /**
     * Changes data for a user in the database specified by username.
     * <p>
     * Follows the same sequence as addUser: DN normalisation, profile validation (without the
     * password) and profile rights check when profile limitations are enabled, CA rights check,
     * then the update of the stored entity.
     *
     * @param admin                 the administrator performing the action.
     * @param username              the unique username.
     * @param password              the password used for authentication, or null to leave it unchanged.
     * @param subjectdn             the DN the subject is given in his certificate.
     * @param subjectaltname        the Subject Alternative Name to be used.
     * @param email                 the email of the subject or null.
     * @param clearpwd              true if the password will be stored in clear form in the db,
     *                              otherwise it is hashed.
     * @param endentityprofileid    the id number of the end entity profile bound to this user.
     * @param certificateprofileid  the id number of the certificate profile that should be generated for the user.
     * @param type                  of user i.e administrator, keyrecoverable and/or sendnotification
     * @param tokentype             the type of token to be generated, one of SecConst.TOKEN constants
     * @param hardwaretokenissuerid if token should be hard, the id of the hard token issuer, else 0.
     * @param status                the new status of the user, one of the UserDataConstants.STATUS constants.
     * @param caid                  the id of the CA that should be used to issue the users certificate
     * @throws AuthorizationDeniedException       if the administrator lacks edit rights for the
     *                                            end entity profile or rights for the CA.
     * @throws UserDoesntFullfillEndEntityProfile if the data violates the end entity profile.
     * @throws EJBException if a communication or other error occurs (including an unknown username).
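* @ejb.interface-method
     */
    public void changeUser(Admin admin, String username, String password, String subjectdn, String subjectaltname, String email, boolean clearpwd, int endentityprofileid, int certificateprofileid,
                           int type, int tokentype, int hardwaretokenissuerid, int status, int caid)
            throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile {
        // String used in SQL so strip it: normalise the DN ordering first, then strip it.
        String dn = CertTools.stringToBCDNString(subjectdn);
        dn = StringTools.strip(dn);
        String newpassword = password;
        boolean statuschanged = false;
        debug(">changeUser(" + username + ", " + dn + ", " + email + ")");
        int oldstatus;
        EndEntityProfile profile = raadminsession.getEndEntityProfile(admin, endentityprofileid);
        if (profile.useAutoGeneratedPasswd() && password != null) {
            // special case used to signal regeneraton of password.
            // NOTE(review): the trigger differs from addUser, where a *null* password requests
            // generation; here a supplied password is replaced by a generated one -- confirm
            // that is the intended signal.
            newpassword = profile.getAutoGeneratedPasswd();
        }
        // Check if user fulfills it's profile.
        // Validation runs before the authorization check, so a caller without edit rights still
        // gets profile-validation results back.
        if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
            try {
                profile.doesUserFullfillEndEntityProfileWithoutPassword(username, dn, subjectaltname, email, certificateprofileid,
                        (type & SecConst.USER_ADMINISTRATOR) != 0, (type & SecConst.USER_KEYRECOVERABLE) != 0, (type & SecConst.USER_SENDNOTIFICATION) != 0,
                        tokentype, hardwaretokenissuerid, caid);
            } catch (UserDoesntFullfillEndEntityProfile udfp) {
                // Same wording as addUser; the old text carried a stray "+ " inside the literal.
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Userdata did not fullfill end entity profile. " + udfp.getMessage());
                throw udfp;
            }
            // Check if administrator is authorized to edit user.
            // Skipped entirely when profile limitations are disabled; only the CA check below
            // then gates the operation.
            if (!authorizedToEndEntityProfile(admin, endentityprofileid, AvailableAccessRules.EDIT_RIGHTS)) {
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized");
                throw new AuthorizationDeniedException("Administrator not authorized to edit user.");
            }
        }
        // Check if administrator is authorized to edit user to CA.
        if (!authorizedToCA(admin, caid)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized to edit user with this CA.");
            throw new AuthorizationDeniedException("Administrator not authorized to edit user with given CA.");
        }
        try {
            UserDataPK pk = new UserDataPK(username);
            // An unknown username surfaces here as a FinderException and ends up wrapped in the
            // EJBException thrown by the catch below.
            UserDataLocal data1 = home.findByPrimaryKey(pk);
            data1.setDN(dn);
            if (subjectaltname != null)
                data1.setSubjectAltName(subjectaltname);
            if (email != null)
                data1.setSubjectEmail(email);
            data1.setCaId(caid);
            data1.setType(type);
            data1.setEndEntityProfileId(endentityprofileid);
            data1.setCertificateProfileId(certificateprofileid);
            data1.setTokenType(tokentype);
            data1.setHardTokenIssuerId(hardwaretokenissuerid);
            oldstatus = data1.getStatus();
            // Leaving the key recovery state for anything other than KEYRECOVERY/INPROCESS
            // means the pending recovery is withdrawn, so unmark the user.
            if(oldstatus == UserDataConstants.STATUS_KEYRECOVERY && !(status == UserDataConstants.STATUS_KEYRECOVERY || status == UserDataConstants.STATUS_INPROCESS)){
              keyrecoverysession.unmarkUser(admin,username);
            }
            statuschanged = status != oldstatus;
            data1.setStatus(status);
            data1.setTimeModified((new java.util.Date()).getTime());
            if(newpassword != null){
                // A null password leaves the stored one untouched; otherwise store open or hashed
                // according to clearpwd.
                if(clearpwd) {
                    try {
                        data1.setOpenPassword(newpassword);
                    } catch (java.security.NoSuchAlgorithmException nsae) {
                        debug("NoSuchAlgorithmException while setting password for user "+username);
                        throw new EJBException(nsae);
                    }
                } else {
                    data1.setPassword(newpassword);
                }
            }
            // Notify only on an actual transition into a state the user must act on.
            if ((type & SecConst.USER_SENDNOTIFICATION) != 0 && statuschanged && (status == UserDataConstants.STATUS_NEW || status == UserDataConstants.STATUS_KEYRECOVERY || status == UserDataConstants.STATUS_INITIALIZED)) {
                sendNotification(admin, profile, username, newpassword, dn, email, caid);
            }
            if (statuschanged)
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_INFO_CHANGEDENDENTITY, "New status: " + status);
            else
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_INFO_CHANGEDENDENTITY, "");
        } catch (Exception e) {
            // Log the failure reason (as addUser does) instead of an empty comment, then wrap.
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, e.getMessage());
            error("ChangeUser:", e);
            throw new EJBException(e);
        }
        debug("<changeUser(" + username + ", password, " + dn + ", " + email + ")");
    } // changeUser

    /**
     * Deletes a user from the database. The users certificates must be revoked BEFORE this method is called.
     * <p>
     * The record is read first so that the CA and end entity profile rights can be checked
     * against the stored values; the removal is then a separate lookup by primary key.
     *
     * @param admin    the administrator performing the action.
     * @param username the unique username.
     * @throws AuthorizationDeniedException if the administrator lacks rights for the user's CA or,
     *                                      when profile limitations are enabled, delete rights
     *                                      for the user's end entity profile.
     * @throws NotFoundException if the user does not exist
     * @throws RemoveException   if the user could not be removed
     * @ejb.interface-method
     */
    public void deleteUser(Admin admin, String username) throws AuthorizationDeniedException, NotFoundException, RemoveException {
        debug(">deleteUser(" + username + ")");
        // Check if administrator is authorized to delete user.
        // Until the record is found, failures are logged against the internal CA id.
        int caid = LogConstants.INTERNALCAID;
        UserDataPK pk = new UserDataPK(username);
        try {
            UserDataLocal data1 = home.findByPrimaryKey(pk);
            caid = data1.getCaId();
            // Authorization is decided on the CA and profile stored for the user, not on
            // caller-supplied values.
            if (!authorizedToCA(admin, caid)) {
                logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_DELETEENDENTITY, "Administrator not authorized to delete user with this CA.");
                throw new AuthorizationDeniedException("Administrator not authorized to delete user with given CA.");
            }
            if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
                if (!authorizedToEndEntityProfile(admin, data1.getEndEntityProfileId(), AvailableAccessRules.DELETE_RIGHTS)) {
                    logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_DELETEENDENTITY, "Administrator not authorized");
                    throw new AuthorizationDeniedException("Administrator not authorized to delete user.");
                }
            }
        } catch (FinderException e) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_DELETEENDENTITY, "Could not find username in database");
            throw new NotFoundException("Could not find '" + username + "' in database");
        }
        try {
            home.remove(pk);
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_INFO_DELETEDENDENTITY, "");
        } catch (EJBException e) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_DELETEENDENTITY, "Could not remove user from database");
            // RemoveException has no cause constructor, so record the underlying failure the
            // same way addUser/changeUser do before it is lost.
            error("DeleteUser:", e);
            throw new RemoveException("Could not remove '" + username + "' from database");
        }
        debug("<deleteUser(" + username + ")");
    } // deleteUser

    /**
     * Changes status of a user.
     *
     * @param username the unique username.
     * @param status   the new status, from 'UserData'.
     * @ejb.interface-method
     */
    public void setUserStatus(Admin admin, String username, int status) throws AuthorizationDeniedException, FinderException {
        debug(">setUserStatus(" + username + ", " + status + ")");
        // Check if administrator is authorized to edit user.
        int caid = LogConstants.INTERNALCAID;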