try { UserDataPK pk = new UserDataPK(username); UserDataLocal data1 = home.findByPrimaryKey(pk); caid = data1.getCaId(); if (!authorizedToCA(admin, caid)) { logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized to change status of user with current CA."); throw new AuthorizationDeniedException("Administrator not authorized to set status to user with given CA."); } if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) { if (!authorizedToEndEntityProfile(admin, data1.getEndEntityProfileId(), AvailableAccessRules.EDIT_RIGHTS)) { logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized to change status"); throw new AuthorizationDeniedException("Administrator not authorized to edit user."); } } if(data1.getStatus() == UserDataConstants.STATUS_KEYRECOVERY && !(status == UserDataConstants.STATUS_KEYRECOVERY || status == UserDataConstants.STATUS_INPROCESS || status == UserDataConstants.STATUS_INITIALIZED)){ keyrecoverysession.unmarkUser(admin,username); } data1.setStatus(status); data1.setTimeModified((new java.util.Date()).getTime()); logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_INFO_CHANGEDENDENTITY, ("New status : " + status)); } catch (FinderException e) { logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null, LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Couldn't find username in database."); throw e; } debug("<setUserStatus(" + username + ", " + status + ")"); } // setUserStatus /** * Sets a new password for a user. * * @param admin the administrator pwrforming the action * @param username the unique username. * @param password the new password for the user, NOT null. 
* @throws UserDoesntFullfillEndEntityProfile if the password does not satisfy the user's end entity profile
* @throws AuthorizationDeniedException if the administrator may not edit this user or its CA
* @throws FinderException if no user with the given username exists
* @ejb.interface-method
*/
public void setPassword(Admin admin, String username, String password)
        throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    // cleartext=false: the password is stored via data.setPassword (see the private overload below)
    setPassword(admin, username, password, false);
} // setPassword

/**
 * Sets a clear text password for a user.
 *
 * @param admin the administrator performing the action
 * @param username the unique username.
 * @param password the new password to be stored in clear text. Setting password to 'null'
 *                 effectively deletes any previous clear text password.
 * @throws UserDoesntFullfillEndEntityProfile if the password does not satisfy the user's end entity profile
 * @throws AuthorizationDeniedException if the administrator may not edit this user or its CA
 * @throws FinderException if no user with the given username exists
 * @ejb.interface-method
 */
public void setClearTextPassword(Admin admin, String username, String password)
        throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    // cleartext=true: the password is stored via data.setOpenPassword (see the private overload below)
    setPassword(admin, username, password, true);
} // setClearTextPassword

/**
 * Sets a password, hashed or clear text, for a user.
 *
 * Order of operations: look up the user, resolve its end entity profile, validate the
 * password against the profile and check profile EDIT rights (only when profile
 * limitations are enabled), check CA authorization, then store the password and
 * write an audit log entry. Every denial is audit-logged before the exception is thrown.
 *
 * @param admin the administrator performing the action
 * @param username the unique username.
 * @param password the new password. With cleartext=true, 'null' effectively deletes any
 *                 previous clear text password; with cleartext=false a null value is passed
 *                 straight to data.setPassword, so the public hashed variant requires non-null.
 * @param cleartext true gives cleartext password, false hashed
 * @throws UserDoesntFullfillEndEntityProfile if the supplied password fails the profile rules
 * @throws AuthorizationDeniedException if the administrator lacks profile EDIT rights or CA access
 * @throws FinderException if no user with the given username exists
 */
private void setPassword(Admin admin, String username, String password, boolean cleartext)
        throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    // The password value is intentionally never written to the debug log.
    debug(">setPassword(" + username + ", hiddenpwd), " + cleartext);
    // Find user
    String newpasswd = password;
    UserDataPK pk = new UserDataPK(username);
    UserDataLocal data = home.findByPrimaryKey(pk);
    int caid = data.getCaId();
    EndEntityProfile profile = raadminsession.getEndEntityProfile(admin, data.getEndEntityProfileId());
    // A profile that auto-generates passwords overrides whatever the caller supplied.
    if (profile.useAutoGeneratedPasswd())
        newpasswd = profile.getAutoGeneratedPasswd();
    if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
        // Check if user fulfills it's profile.
        // NOTE(review): this validates the caller-supplied 'password', not 'newpasswd', so when the
        // profile auto-generates passwords the value actually stored is never checked here. Also,
        // a policy failure is logged and thrown before the CA authorization check further down has
        // run — confirm both orderings are intended.
        try {
            profile.doesPasswordFulfillEndEntityProfile(password, true);
        } catch (UserDoesntFullfillEndEntityProfile ufe) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Clearpassword didn't fullfill end entity profile.");
            throw ufe;
        }
        // Check if administrator is authorized to edit user.
        if (!authorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AvailableAccessRules.EDIT_RIGHTS)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator isn't authorized to change clearpassword.");
            throw new AuthorizationDeniedException("Administrator not authorized to edit user.");
        }
    }
    // CA-level authorization applies regardless of the profile-limitation setting.
    if (!authorizedToCA(admin, caid)) {
        logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized to change password of user with current CA.");
        throw new AuthorizationDeniedException("Administrator not authorized to set cleartext password to user with given CA.");
    }
    try {
        if ((newpasswd == null) && (cleartext)) {
            // null + cleartext: wipe any stored clear text password rather than storing "null".
            data.setClearPassword("");
            data.setTimeModified((new java.util.Date()).getTime());
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_INFO_CHANGEDENDENTITY, "Clearpassword changed.");
        } else {
            if (cleartext) {
                data.setOpenPassword(newpasswd);
            } else {
                // presumably hashes before storing — NoSuchAlgorithmException is caught below; verify in UserDataBean
                data.setPassword(newpasswd);
            }
            data.setTimeModified((new java.util.Date()).getTime());
            // NOTE(review): the same "Clearpassword changed." message is written for the hashed branch,
            // so the audit trail cannot distinguish a clear text change from a hashed one.
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_INFO_CHANGEDENDENTITY, "Clearpassword changed.");
        }
    } catch (java.security.NoSuchAlgorithmException nsae) {
        // A missing hash algorithm is a deployment error, not a caller error: surface it as a system exception.
        debug("NoSuchAlgorithmException while setting password for user " + username);
        throw new EJBException(nsae);
    }
    debug("<setPassword(" + username + ", hiddenpwd), " + cleartext);
} // setPassword

/**
 * Verifies a password for a user.
*
* Authorization (profile EDIT rights when profile limitations are enabled, then CA access)
* is checked before the comparison; denials are audit-logged, a mismatching password is not.
*
* @param admin the administrator performing the action
* @param username the unique username.
* @param password the password to be verified.
* @return true if the supplied password matches the stored one, false otherwise
* @throws AuthorizationDeniedException if the administrator lacks profile EDIT rights or CA access
* @throws FinderException if no user with the given username exists
* @ejb.interface-method
*/
public boolean verifyPassword(Admin admin, String username, String password)
        throws UserDoesntFullfillEndEntityProfile, AuthorizationDeniedException, FinderException {
    // The password value is intentionally never written to the debug log.
    debug(">verifyPassword(" + username + ", hiddenpwd)");
    boolean ret = false;
    // Find user
    UserDataPK pk = new UserDataPK(username);
    UserDataLocal data = home.findByPrimaryKey(pk);
    int caid = data.getCaId();
    if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
        // Check if administrator is authorized to edit user.
        // Verification requires EDIT rights; the denial is logged under the CHANGEDENDENTITY error event
        // even though nothing is modified here.
        if (!authorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AvailableAccessRules.EDIT_RIGHTS)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator isn't authorized to verify password.");
            throw new AuthorizationDeniedException("Administrator not authorized to verify user.");
        }
    }
    if (!authorizedToCA(admin, caid)) {
        logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                LogEntry.EVENT_ERROR_CHANGEDENDENTITY, "Administrator not authorized to verify password of user with current CA.");
        throw new AuthorizationDeniedException("Administrator not authorized to verify password for user with given CA.");
    }
    try {
        // Comparison is delegated to the entity bean; whether it is constant-time is not visible here.
        // NOTE(review): a failed comparison leaves no audit entry, so repeated wrong guesses against
        // one user are not observable from the RA log — consider logging the outcome.
        ret = data.comparePassword(password);
    } catch (java.security.NoSuchAlgorithmException nsae) {
        debug("NoSuchAlgorithmException while verifying password for user " + username);
        throw new EJBException(nsae);
    }
    debug("<verifyPassword(" + username + ", hiddenpwd)");
    return ret;
} // verifyPassword

/**
 * Method that revokes a user.
 *
 * @param username the username to revoke.
* @param admin the administrator performing the action
* @param reason the revocation reason, passed through unchanged to certificatesession.setRevokeStatus
* @throws AuthorizationDeniedException if the administrator lacks CA access or profile REVOKE rights
* @throws FinderException declared, but see the note on ObjectNotFoundException in the body
* @ejb.interface-method
*/
public void revokeUser(Admin admin, String username, int reason)
        throws AuthorizationDeniedException, FinderException {
    debug(">revokeUser(" + username + ")");
    UserDataPK pk = new UserDataPK(username);
    UserDataLocal data;
    try {
        data = home.findByPrimaryKey(pk);
    } catch (ObjectNotFoundException oe) {
        // NOTE(review): ObjectNotFoundException is itself a FinderException, so a missing user is turned
        // into an unchecked EJBException here while other FinderExceptions propagate as declared —
        // callers catching FinderException will not see the "no such user" case.
        throw new EJBException(oe);
    }
    int caid = data.getCaId();
    // CA access is checked first, then profile REVOKE rights (only when profile limitations are enabled).
    if (!authorizedToCA(admin, caid)) {
        logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                LogEntry.EVENT_ERROR_REVOKEDENDENTITY, "Administrator not authorized to revoke user with given CA.");
        throw new AuthorizationDeniedException("Administrator not authorized to revoke user with given CA.");
    }
    if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
        if (!authorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AvailableAccessRules.REVOKE_RIGHTS)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_ERROR_REVOKEDENDENTITY, "Administrator not authorized");
            throw new AuthorizationDeniedException("Not authorized to revoke user : " + username + ".");
        }
    }
    // Publishers come from the user's certificate profile; they receive the revocation as well.
    Collection publishers = this.certificatesession.getCertificateProfile(admin, data.getCertificateProfileId()).getPublisherList();
    // setUserStatus runs its own CA and profile EDIT_RIGHTS checks (see above), so revoking a user
    // effectively also requires edit rights on the profile. The status flips to REVOKED before the
    // certificates are revoked; whether a failure in setRevokeStatus rolls that back depends on the
    // container transaction setting, which is not visible here.
    setUserStatus(admin, username, UserDataConstants.STATUS_REVOKED);
    certificatesession.setRevokeStatus(admin, username, publishers, reason);
    logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
            LogEntry.EVENT_INFO_REVOKEDENDENTITY, "");
    debug("<revokeUser()");
} // revokeUser

/**
 * Method that revokes a certificate.
 *
 * @param certserno the serno of certificate to revoke.
 * @param username the username to revoke.
 * @param reason the reason of revokation.
* @param admin the administrator performing the action
* @param issuerdn the issuer DN that, together with certserno, identifies the certificate
* @throws AuthorizationDeniedException if the administrator lacks CA access or profile REVOKE rights
* @throws FinderException declared, but see the note on ObjectNotFoundException in the body
* @ejb.interface-method
*/
public void revokeCert(Admin admin, BigInteger certserno, String issuerdn, String username, int reason)
        throws AuthorizationDeniedException, FinderException {
    debug(">revokeCert(" + certserno + ", IssuerDN: " + issuerdn + ", username, " + username + ")");
    UserDataPK pk = new UserDataPK(username);
    UserDataLocal data;
    try {
        data = home.findByPrimaryKey(pk);
    } catch (ObjectNotFoundException oe) {
        // NOTE(review): ObjectNotFoundException is a FinderException; wrapping it in EJBException hides the
        // "no such user" case from callers that catch the declared FinderException.
        throw new EJBException(oe);
    }
    int caid = data.getCaId();
    // NOTE(review): both authorization checks below are evaluated against the user record for
    // 'username' (its CA id and profile), while the certificate actually revoked is selected by
    // (issuerdn, certserno). Whether certificatesession.setRevokeStatus verifies that this
    // certificate belongs to that user is not visible here — confirm, otherwise the admin's rights
    // may be checked against a different CA/profile than the certificate's real owner.
    if (!authorizedToCA(admin, caid)) {
        logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                LogEntry.EVENT_ERROR_REVOKEDENDENTITY, "Administrator not authorized to revoke certificates of this CA.");
        throw new AuthorizationDeniedException("Administrator not authorized to revoke certificate of user with given CA.");
    }
    if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
        if (!authorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AvailableAccessRules.REVOKE_RIGHTS)) {
            logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                    LogEntry.EVENT_ERROR_REVOKEDENDENTITY, "Administrator not authorized");
            throw new AuthorizationDeniedException("Not authorized to revoke user : " + username + ".");
        }
    }
    Collection publishers = this.certificatesession.getCertificateProfile(admin, data.getCertificateProfileId()).getPublisherList();
    // revoke certificate in database and all publishers
    certificatesession.setRevokeStatus(admin, issuerdn, certserno, publishers, reason);
    // Only when no valid certificates remain is the user itself marked REVOKED and an RA audit
    // entry written; a single-certificate revocation leaves no RA log entry in this method
    // (presumably the certificate session logs it — verify).
    if (certificatesession.checkIfAllRevoked(admin, username)) {
        setUserStatus(admin, username, UserDataConstants.STATUS_REVOKED);
        logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), username, null,
                LogEntry.EVENT_INFO_REVOKEDENDENTITY, "");
    }
    debug("<revokeCert()");
} // revokeCert

/**
 * Finds a user.
 *
 * @param admin the administrator performing the action
 * @param username username.
 * @return UserDataVO or null if the user is not found.
* @throws AuthorizationDeniedException if the administrator lacks CA access or profile VIEW rights
* @throws FinderException for lookup failures other than ObjectNotFoundException, which yields null
* @ejb.interface-method
* @ejb.transaction type="Supports"
*/
public UserDataVO findUser(Admin admin, String username)
        throws FinderException, AuthorizationDeniedException {
    debug(">findUser(" + username + ")");
    UserDataPK pk = new UserDataPK(username);
    UserDataLocal data;
    try {
        data = home.findByPrimaryKey(pk);
    } catch (ObjectNotFoundException oe) {
        // "Not found" is a normal result here, not an error.
        return null;
    }
    // Unlike the mutating methods in this bean, authorization denials in findUser are not audit-logged.
    if (!authorizedToCA(admin, data.getCaId())) {
        throw new AuthorizationDeniedException("Administrator not authorized to view user with given CA.");
    }
    if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
        // Check if administrator is authorized to view user.
        if (!authorizedToEndEntityProfile(admin, data.getEndEntityProfileId(), AvailableAccessRules.VIEW_RIGHTS))
            throw new AuthorizationDeniedException("Administrator not authorized to view user.");
    }
    UserDataVO ret = new UserDataVO(data.getUsername(), data.getSubjectDN(), data.getCaId(),
            data.getSubjectAltName(), data.getSubjectEmail(), data.getStatus(), data.getType(),
            data.getEndEntityProfileId(), data.getCertificateProfileId(),
            new java.util.Date(data.getTimeCreated()), new java.util.Date(data.getTimeModified()),
            data.getTokenType(), data.getHardTokenIssuerId(), data.getExtendedInformation());
    // The returned value object carries the stored clear text password (if any); callers must
    // treat it as sensitive and keep it out of logs and serialized responses.
    ret.setPassword(data.getClearPassword());
    debug("<findUser(" + username + ")");
    return ret;
} // findUser