* @return ICertificateStoreSessionLocal the cached local session, looked up and created on the first call
*/
private ICertificateStoreSessionLocal getCertificateStoreSession() {
    // Lazy lookup: the local home is resolved through the ServiceLocator only once,
    // and the created session is cached in the certificatestoresession field.
    if (certificatestoresession == null) {
        try {
            ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) ServiceLocator.getInstance()
                    .getLocalHome(ICertificateStoreSessionLocalHome.COMP_NAME);
            certificatestoresession = home.create();
        } catch (Exception e) {
            // Any lookup/create failure is surfaced to the container as a system exception.
            throw new EJBException(e);
        }
    }
    return certificatestoresession;
} //getCertificateStoreSession

/**
 * Gets connection to ca admin session bean.
 *
 * @return ICAAdminSessionLocal the cached local session, looked up and created on the first call
 * @throws EJBException if the home lookup or create fails (the original exception is kept as cause)
 */
private ICAAdminSessionLocal getCAAdminSession() {
    // Same lazy-lookup-and-cache pattern as getCertificateStoreSession().
    if (caadminsession == null) {
        try {
            ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) ServiceLocator.getInstance()
                    .getLocalHome(ICAAdminSessionLocalHome.COMP_NAME);
            caadminsession = home.create();
        } catch (Exception e) {
            throw new EJBException(e);
        }
    }
    return caadminsession;
}

// Methods used with AdminGroupData Entity Beans

/**
 * Method to initialize authorization bean, must be called directly after creation of bean. Should only be called once.
 *
 * Three things happen here, in this order:
 * 1. If the admin group table is completely empty, a bootstrap super administrator group is created
 *    whose only member entity matches on the certificate common name "SuperAdmin" under {@code caid}
 *    (matching type taken from the AdminEntity constant names: common-name, case-insensitive equality)
 *    and which is granted the "/super_administrator" rule.
 * 2. The default special admin group (DEFAULTGROUPNAME under LogConstants.INTERNALCAID) is created if
 *    it does not exist; its members are the non-certificate "special admin" entities.
 * 3. The public web group for {@code caid} is created if missing; if it already exists its entities
 *    and access rules are removed and replaced with the defaults, so any manual changes to that group
 *    are discarded every time this method runs.
 *
 * @param admin the administrator on whose behalf the bootstrap groups are added (used for logging by addAdminGroup).
 * @param caid the CA id the bootstrap super administrator group and the public web group are bound to.
 * @throws AdminGroupExistsException propagated from addAdminGroup when the bootstrap group already exists.
 * @ejb.interface-method view-type="both"
 */
public void initialize(Admin admin, int caid) throws AdminGroupExistsException {
    if (log.isDebugEnabled()) {
        log.debug(">initialize, caid: "+caid);
    }
    // Check if admingroup table is empty, if so insert default superuser
    // and create "special edit accessrules count group"
    try {
        Collection result = admingrouphome.findAll();
        if (result.size() == 0) {
            // Authorization table is empty, fill with default and special admingroups.
            // NOTE(review): this is the only place that grants "/super_administrator" to a
            // certificate-authenticated entity; the group is named "Temporary" and is presumably
            // meant to be replaced once a real super administrator group is configured -- confirm.
            String admingroupname = "Temporary Super Administrator Group";
            addAdminGroup(admin, admingroupname, caid);
            ArrayList adminentities = new ArrayList();
            adminentities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS, "SuperAdmin", caid));
            addAdminEntities(admin, admingroupname, caid, adminentities);
            ArrayList accessrules = new ArrayList();
            // Third AccessRule argument is presumably the recursive flag -- confirm against AccessRule.
            accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
            addAccessRules(admin, admingroupname, caid, accessrules);
        }
    } catch (FinderException e) {
        // A failing findAll() only logs at debug level and skips the bootstrap entirely.
        debug("initialize: FinderEx, findAll failed.");
    }
    // Add Special Admin Group
    // Special admin group is a group that is not authenticated with client certificate, such as batch tool etc
    try {
        // Single-object finder: a FinderException is treated as "group does not exist yet".
        admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, LogConstants.INTERNALCAID);
    } catch (FinderException e) {
        debug("initialize: FinderEx, add default group.");
        // Add Default Special Admin Group
        try {
            AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), DEFAULTGROUPNAME, LogConstants.INTERNALCAID);
            ArrayList adminentities = new ArrayList();
            adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN));
            adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN));
            adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RAADMIN));
            adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER));
            agdl.addAdminEntities(adminentities);
            ArrayList accessrules = new ArrayList();
            // The special (non-certificate) group gets "/super_administrator" plus every
            // top-level functionality branch.
            accessrules.add(new AccessRule("/administrator", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
            accessrules.add(new AccessRule("/ca_functionality", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/ra_functionality", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/log_functionality", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/system_functionality", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/hardtoken_functionality", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
            accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
            agdl.addAccessRules(accessrules);
            // Tell other nodes/beans that the cached authorization tree must be rebuilt.
            signalForAuthorizationTreeUpdate();
        } catch (CreateException ce) {
            // Creation failure is logged and initialization continues with the public web group.
            error("initialize continues after Exception: ", ce);
        }
    }
    // Add Public Web Group
    try {
        AdminGroupDataLocal agl = admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
        // Existing group: its entities and rules are reset to the defaults (see method javadoc).
        removeAndAddDefaultPublicWebGroupRules(agl);
    } catch (FinderException e) {
        debug("initialize: FinderEx, can't find public web group for caid "+caid);
        debug("initialize: FinderEx, create public web group for caid "+caid);
        try {
            AdminGroupDataLocal agdl = admingrouphome.create(new Integer(findFreeAdminGroupId()), PUBLICWEBGROUPNAME, caid);
            addDefaultPublicWebGroupRules(agdl);
            signalForAuthorizationTreeUpdate();
        } catch (CreateException ce) {
            error("initialize continues after Exception: ", ce);
        }
    }
    if (log.isDebugEnabled()) {
        log.debug("<initialize, caid: "+caid);
    }
}

/**
 * Adds the public-web-user entity and the default public web access rules to the given group.
 *
 * The rules are limited to the public web resources, the basic/view/create/store certificate
 * functions, viewing end entities, and the "/ca" and "/endentityprofilesrules" branches; no
 * "/administrator" or "/super_administrator" rule is granted here.
 *
 * @param agdl the admin group entity to populate (its caid is used only for the debug message).
 */
private void addDefaultPublicWebGroupRules(AdminGroupDataLocal agdl) {
    debug("create public web group for caid "+agdl.getCaId());
    ArrayList adminentities = new ArrayList();
    adminentities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER));
    agdl.addAdminEntities(adminentities);
    ArrayList accessrules = new ArrayList();
    accessrules.add(new AccessRule("/public_web_user", AccessRule.RULE_ACCEPT, false));
    accessrules.add(new AccessRule("/ca_functionality/basic_functions", AccessRule.RULE_ACCEPT, false));
    accessrules.add(new AccessRule("/ca_functionality/view_certificate", AccessRule.RULE_ACCEPT, false));
    accessrules.add(new AccessRule("/ca_functionality/create_certificate", AccessRule.RULE_ACCEPT, false));
    accessrules.add(new AccessRule("/ca_functionality/store_certificate", AccessRule.RULE_ACCEPT, false));
    accessrules.add(new AccessRule("/ra_functionality/view_end_entity", AccessRule.RULE_ACCEPT, false));
    // Only these two rules carry the third argument as true -- presumably recursive; confirm against AccessRule.
    accessrules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
    accessrules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
    agdl.addAccessRules(accessrules);
}

/**
 * Replaces everything in an existing public web group with the default entities and rules.
 *
 * Any entities or access rules previously added to the group are removed first, so this
 * effectively resets the group; the authorization tree update is signalled afterwards.
 *
 * @param agl the existing public web group entity.
 */
private void removeAndAddDefaultPublicWebGroupRules(AdminGroupDataLocal agl) {
    if (log.isDebugEnabled()) {
        debug("Removing old and adding new accessrules and admin entitites to admin group "+agl.getAdminGroupName()+" for caid "+agl.getCaId());
    }
    removeEntitiesAndRulesFromGroup(agl);
    addDefaultPublicWebGroupRules(agl);
    signalForAuthorizationTreeUpdate();
}

/**
 * Method to check if a user is authorized to a certain resource.
 *
 * The cached authorization tree is rebuilt first if updateNeccessary() reports a pending change;
 * the decision itself is delegated to the authorizer.
 *
 * @param admin the administrator about to be authorized, see org.ejbca.core.model.log.Admin class.
 * @param resource the resource to check authorization for.
 * @return the authorizer's decision for this admin and resource.
 * @throws AuthorizationDeniedException as thrown by the authorizer.
 * @ejb.interface-method view-type="both"
 * @ejb.transaction type="Supports"
 */
public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
    if (updateNeccessary()) updateAuthorizationTree();
    return authorizer.isAuthorized(admin, resource);
}

/**
 * Method to check if a user is authorized to a certain resource without performing any logging.
 *
 * Same as isAuthorized but delegates to the authorizer's non-logging variant.
 *
 * @param admin the administrator about to be authorized, see org.ejbca.core.model.log.Admin class.
 * @param resource the resource to check authorization for.
 * @return the authorizer's decision for this admin and resource.
 * @throws AuthorizationDeniedException as thrown by the authorizer.
 * @ejb.interface-method view-type="both"
 * @ejb.transaction type="Supports"
 */
public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
    if (updateNeccessary()) updateAuthorizationTree();
    return authorizer.isAuthorizedNoLog(admin, resource);
}

/**
 * Method to check if a group is authorized to a resource.
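*
* @param admin the administrator performing the check.
* @param admingrouppk primary key of the admin group to check.
* @param resource the resource to check authorization for.
* @return the authorizer's decision for this group and resource.
* @throws AuthorizationDeniedException as thrown by the authorizer.
* @ejb.interface-method view-type="both"
* @ejb.transaction type="Supports"
*/
public boolean isGroupAuthorized(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
    // Rebuild the cached authorization tree first if a change has been signalled.
    if (updateNeccessary()) {
        updateAuthorizationTree();
    }
    return authorizer.isGroupAuthorized(admin, admingrouppk, resource);
}

/**
 * Method to check if a group is authorized to a resource without any logging.
 *
 * @param admin the administrator performing the check.
 * @param admingrouppk primary key of the admin group to check.
 * @param resource the resource to check authorization for.
 * @return the authorizer's decision for this group and resource.
 * @throws AuthorizationDeniedException as thrown by the authorizer.
 * @ejb.interface-method view-type="both"
 * @ejb.transaction type="Supports"
 */
public boolean isGroupAuthorizedNoLog(Admin admin, int admingrouppk, String resource) throws AuthorizationDeniedException {
    if (updateNeccessary()) {
        updateAuthorizationTree();
    }
    return authorizer.isGroupAuthorizedNoLog(admin, admingrouppk, resource);
}

/**
 * Method to check if an administrator exists in the specified admingroup.
 *
 * Returns true as soon as one of the group's admin entities matches the administrator's
 * admin information. An unknown group primary key yields false; that case is now logged at
 * debug level instead of being swallowed silently, so a "false" from a missing group can be
 * told apart from a group with no matching entity.
 *
 * @param admin the administrator to look for.
 * @param admingrouppk primary key of the admin group to search.
 * @return true if at least one entity in the group matches the administrator, false otherwise
 *         (including when the group cannot be found).
 * @ejb.interface-method view-type="both"
 * @ejb.transaction type="Supports"
 */
public boolean existsAdministratorInGroup(Admin admin, int admingrouppk) {
    boolean returnval = false;
    if (updateNeccessary()) {
        updateAuthorizationTree();
    }
    try {
        AdminGroupDataLocal agdl = admingrouphome.findByPrimaryKey(new Integer(admingrouppk));
        Iterator adminentitites = agdl.getAdminGroup().getAdminEntities().iterator();
        while (adminentitites.hasNext()) {
            AdminEntity ae = (AdminEntity) adminentitites.next();
            // || short-circuits: match() is no longer consulted once a match has been found.
            returnval = returnval || ae.match(admin.getAdminInformation());
        }
    } catch (FinderException fe) {
        // Group does not exist: keep the best-effort "false" result but leave a trace.
        debug("existsAdministratorInGroup: FinderEx, no admin group with pk " + admingrouppk);
    }
    return returnval;
}

/**
 * Method to validate and check revokation status of a users certificate.
 *
 * Unlike the isAuthorized* methods, no authorization tree refresh is done here; the check is
 * delegated entirely to the authorizer.
 *
 * @param certificate the users X509Certificate.
 * @throws AuthenticationFailedException as thrown by the authorizer.
 * @ejb.interface-method view-type="both"
 * @ejb.transaction type="Supports"
 */
public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
    authorizer.authenticate(certificate);
}

/**
 * Method to add an admingroup.
 *
 * @param admingroupname name of new admingroup, has to be unique for the given caid.
 * @throws AdminGroupExistsException if admingroup already exists.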
* @ejb.interface-method view-type="both" */ public void addAdminGroup(Admin admin, String admingroupname, int caid) throws AdminGroupExistsException { if (!(admingroupname.equals(DEFAULTGROUPNAME) && caid == LogConstants.INTERNALCAID)) { boolean success = true; try { admingrouphome.findByGroupNameAndCAId(admingroupname, caid); success = false; } catch (FinderException e) { } if (success) { try { admingrouphome.create(new Integer(findFreeAdminGroupId()), admingroupname, caid); success = true; } catch (CreateException e) { String msg = intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname); error(msg, e); success = false; } } if (success) { String msg = intres.getLocalizedMessage("authorization.admingroupadded", admingroupname); logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null, LogEntry.EVENT_INFO_EDITEDADMINISTRATORPRIVILEGES, msg); } else { String msg = intres.getLocalizedMessage("authorization.erroraddadmingroup", admingroupname); logsession.log(admin, caid, LogEntry.MODULE_RA, new java.util.Date(), null, null, LogEntry.EVENT_ERROR_EDITEDADMINISTRATORPRIVILEGES, msg); throw new AdminGroupExistsException(); }