localuseradminsessionbean.java

用来生成java证书

            try {
                profile.doesUserFullfillEndEntityProfile(userdata.getUsername(), userdata.getPassword(), dn, userdata.getSubjectAltName(), userdata.getExtendedinformation().getSubjectDirectoryAttributes(), userdata.getEmail(), userdata.getCertificateProfileId(), clearpwd,
                        (type & SecConst.USER_ADMINISTRATOR) != 0, (type & SecConst.USER_KEYRECOVERABLE) != 0, (type & SecConst.USER_SENDNOTIFICATION) != 0,
                        userdata.getTokenType(), userdata.getHardTokenIssuerId(), userdata.getCAId(), userdata.getExtendedinformation());
            } catch (UserDoesntFullfillEndEntityProfile udfp) {
                String msg = intres.getLocalizedMessage("ra.errorfullfillprofile", profileName, dn, udfp.getMessage());            	
                logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_ADDEDENDENTITY, msg);
                throw new UserDoesntFullfillEndEntityProfile(udfp.getMessage());
            }

            // Check if administrator is authorized to add user.
            if (!authorizedToEndEntityProfile(admin, userdata.getEndEntityProfileId(), AvailableAccessRules.CREATE_RIGHTS)) {
                String msg = intres.getLocalizedMessage("ra.errorauthprofile", profileName);            	
                logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_ADDEDENDENTITY, msg);
                throw new AuthorizationDeniedException(msg);
            }
        }

        // Check if administrator is authorized to add user to CA.
        if (!authorizedToCA(admin, userdata.getCAId())) {
            String msg = intres.getLocalizedMessage("ra.errorauthca", new Integer(userdata.getCAId()));            	
            logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_ADDEDENDENTITY, msg);
            throw new AuthorizationDeniedException(msg);
        }

        // Check if approvals is required.
        int numOfApprovalsRequired = getNumOfApprovalRequired(admin, CAInfo.REQ_APPROVAL_ADDEDITENDENTITY, userdata.getCAId());
        AddEndEntityApprovalRequest ar = new AddEndEntityApprovalRequest(userdata,clearpwd,admin,null,numOfApprovalsRequired,userdata.getCAId(),userdata.getEndEntityProfileId());
        if (ApprovalExecutorUtil.requireApproval(ar, NONAPPROVABLECLASSNAMES_ADDUSER)) {       		    		
        	getApprovalSession().addApprovalRequest(admin, ar);
            String msg = intres.getLocalizedMessage("ra.approvalad");            	
        	throw new WaitingForApprovalException(msg);
        }
        
        try {
            UserDataLocal data1 = home.create(userdata.getUsername(), newpassword, dn, userdata.getCAId());
            if (userdata.getSubjectAltName() != null)
                data1.setSubjectAltName(userdata.getSubjectAltName());

            if (userdata.getEmail() != null)
                data1.setSubjectEmail(userdata.getEmail());

            data1.setType(type);
            data1.setEndEntityProfileId(userdata.getEndEntityProfileId());
            data1.setCertificateProfileId(userdata.getCertificateProfileId());
            data1.setTokenType(userdata.getTokenType());
            data1.setHardTokenIssuerId(userdata.getHardTokenIssuerId());
            data1.setExtendedInformation(userdata.getExtendedinformation());

            if (clearpwd) {
                try {
                    if (newpassword == null) {
                        data1.setClearPassword("");
                    } else {
                        data1.setOpenPassword(newpassword);
                    }
                } catch (java.security.NoSuchAlgorithmException nsae) {
                    debug("NoSuchAlgorithmException while setting password for user " + userdata.getUsername());
                    throw new EJBException(nsae);
                }
            }
            
            // Although UserDataVO should always have a null password for autogenerated end entities, the notification framework
            // expect it to exist. Since nothing else but printing is done after this point it is safe to set the password
            userdata.setPassword(newpassword);
            // Send notifications, if they should be sent
            sendNotification(admin, userdata, UserDataConstants.STATUS_NEW);
            
            if ((type & SecConst.USER_PRINT) != 0) {
            	print(admin,profile,userdata);
            }
            String msg = intres.getLocalizedMessage("ra.addedentity", userdata.getUsername());            	
            logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_INFO_ADDEDENDENTITY, msg);

        } catch (DuplicateKeyException e) {
            String msg = intres.getLocalizedMessage("ra.errorentityexist", userdata.getUsername());            	
            logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_ADDEDENDENTITY, msg);
            throw e;
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("ra.erroraddentity", userdata.getUsername());            	
            logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_ADDEDENDENTITY, msg, e);
            error(msg, e);
            throw new EJBException(e);
        }

        debug("<addUser(" + userdata.getUsername() + ", password, " + dn + ", " + userdata.getEmail() + ")");
    } // addUser

    /**
     * Help method that checks the CA data config if specified action 
     * requires approvals and how many
     * @param action one of CAInfo.REQ_APPROVAL_ constants
     * @param caid of the ca to check
     * @return 0 of no approvals is required or no such CA exists, othervise the number of approvals
     */
    private int getNumOfApprovalRequired(Admin admin,int action, int caid) {
    	CAInfo cainfo = caadminsession.getCAInfo(admin, caid);
    	if (cainfo == null) {
    		log.error("No CA info exists for CA id: "+caid);
    		return 0;
    	}
    	return ApprovalExecutorUtil.getNumOfApprovalRequired(action, cainfo);    	
	}

	/**
     * Changes data for a user in the database speciefied by username.
     * 
     * Important, this method is old and shouldn't be used, user changeUser(..UserDataVO...) instead.
     *
     * @param username              the unique username.
     * @param password              the password used for authentication.*
     * @param subjectdn             the DN the subject is given in his certificate.
     * @param subjectaltname        the Subject Alternative Name to be used.
     * @param email                 the email of the subject or null.
     * @param endentityprofileid    the id number of the end entity profile bound to this user.
     * @param certificateprofileid  the id number of the certificate profile that should be generated for the user.
     * @param type                  of user i.e administrator, keyrecoverable and/or sendnotification
     * @param tokentype             the type of token to be generated, one of SecConst.TOKEN constants
     * @param hardwaretokenissuerid if token should be hard, the id of the hard token issuer, else 0.
     * @param status 				the status of the user, from UserDataConstants.STATUS_X
     * @param caid                  the id of the CA that should be used to issue the users certificate
     * 
     * @throws AuthorizationDeniedException if administrator isn't authorized to add user
     * @throws UserDoesntFullfillEndEntityProfile if data doesn't fullfil requirements of end entity profile 
     * @throws ApprovalException if an approval already is waiting for specified action 
     * @throws WaitingForApprovalException if approval is required and the action have been added in the approval queue.
     * @throws EJBException if a communication or other error occurs.
     * 
     * @deprecated use {@link #changeUser(Admin, UserDataVO, boolean)} instead
     * 
     * @ejb.interface-method
     */
    public void changeUser(Admin admin, String username, String password, String subjectdn, String subjectaltname, String email, boolean clearpwd, int endentityprofileid, int certificateprofileid,
            int type, int tokentype, int hardwaretokenissuerid, int status, int caid)
throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
    	UserDataVO userdata = new UserDataVO(username, subjectdn, caid, subjectaltname, 
                email, status, type, endentityprofileid, certificateprofileid,
                null,null, tokentype, hardwaretokenissuerid, null);
        
    	userdata.setPassword(password);
        changeUser(admin, userdata, clearpwd);    	
    }

	private static final ApprovalOveradableClassName[] NONAPPROVABLECLASSNAMES_CHANGEUSER = {
		new ApprovalOveradableClassName("org.ejbca.core.model.approval.approvalrequests.EditEndEntityApprovalRequest",null),
		new ApprovalOveradableClassName("se.primeKey.cardPersonalization.ra.connection.ejbca.EjbcaConnection",null)
	};

	/**
     * Implements IUserAdminSession::changeUser.. 
     *
     * @param admin                 the administrator performing the action
     * @param userdata 	            a UserDataVO object,  timecreated and timemodified will not be used.
     * @param clearpwd              true if the password will be stored in clear form in the db, otherwise it is
     *                              hashed.
     *                              
     * @throws AuthorizationDeniedException if administrator isn't authorized to add user
     * @throws UserDoesntFullfillEndEntityProfile if data doesn't fullfil requirements of end entity profile 
     * @throws ApprovalException if an approval already is waiting for specified action 
     * @throws WaitingForApprovalException if approval is required and the action have been added in the approval queue.

     * @ejb.interface-method
     */
    public void changeUser(Admin admin, UserDataVO userdata, boolean clearpwd)
            throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
    	changeUser(admin, userdata,clearpwd, false);
    }
	/**
     * Implements IUserAdminSession::changeUser.. 
     *
     * @param admin                 the administrator performing the action
     * @param userdata 	            a UserDataVO object,  timecreated and timemodified will not be used.
     * @param clearpwd              true if the password will be stored in clear form in the db, otherwise it is
     *                              hashed.
     * @param fromWebService    	The service is called from webService
     *                              
     * @throws AuthorizationDeniedException if administrator isn't authorized to add user
     * @throws UserDoesntFullfillEndEntityProfile if data doesn't fullfil requirements of end entity profile 
     * @throws ApprovalException if an approval already is waiting for specified action 
     * @throws WaitingForApprovalException if approval is required and the action have been added in the approval queue.

     * @ejb.interface-method
     */
    public void changeUser(Admin admin, UserDataVO userdata, boolean clearpwd, boolean fromWebService)
            throws AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, ApprovalException, WaitingForApprovalException {
        // String used in SQL so strip it
        String dn = CertTools.stringToBCDNString(userdata.getDN());
        dn = StringTools.strip(dn);
        String altName = userdata.getSubjectAltName();    
        String newpassword = userdata.getPassword();
        int type = userdata.getType();
        debug(">changeUser(" + userdata.getUsername() + ", " + dn + ", " + userdata.getEmail() + ")");
        int oldstatus;
        EndEntityProfile profile = raadminsession.getEndEntityProfile(admin, userdata.getEndEntityProfileId());
        UserDataPK pk = new UserDataPK(userdata.getUsername());

        // if required, we merge the existing user dn into the dn provided by the web service.
        if (fromWebService && profile.getAllowMergeDnWebServices()) {
			UserDataLocal userDataLocal = null;
			try {
				userDataLocal = home.findByPrimaryKey(pk);
			} catch (Exception e) {
				String msg = intres.getLocalizedMessage("ra.erroreditentity", userdata.getUsername());
				logsession.log(admin, userdata.getCAId(), LogConstants.MODULE_RA, new java.util.Date(), userdata.getUsername(), null, LogConstants.EVENT_ERROR_CHANGEDENDENTITY, msg);
				error("ChangeUser:", e);
				throw new EJBException(e);
			}

			if (userDataLocal != null) {
				if (userDataLocal.getSubjectDN() != null) {
					try {
						dn = (new DistinguishedName(userDataLocal.getSubjectDN())).mergeDN(new DistinguishedName(dn), true, false, "").toString();
					} catch (InvalidNameException e) {
						log.debug("Invalid dn. We make it empty");
						dn = "";
					}
				}
				if (userDataLocal.getSubjectAltName() != null) {
					try {
						//SubjectAltName is not mandatory so
						if(altName==null) {
							altName="";
						}
						altName = (new DistinguishedName(userDataLocal.getSubjectAltName()))
                             .mergeDN(new DistinguishedName(altName), true, profile.getUse(DnComponents.RFC822NAME, 0), userdata.getEmail()).toString();
					} catch (InvalidNameException e) {
						log.debug("Invalid altName. We make it empty");
						altName = "";
					}
				}
			}
		}
        if (profile.useAutoGeneratedPasswd() && userdata.getPassword() != null) {
            // special case used to signal regeneraton of password
            newpassword = profile.getAutoGeneratedPasswd();
        }

        // Check if user fulfills it's profile.
        if (getGlobalConfiguration(admin).getEnableEndEntityProfileLimitations()) {
            try {
                profile.doesUserFullfillEndEntityProfileWithoutPassword(userdata.getUsername(), dn, altName, userdata.getExtendedinformation().getSubjectDirectoryAttributes(), userdata.getEmail(), userdata.getCertificateProfileId(),
                        (type & SecConst.USER_ADMINISTRATOR) != 0, (type & SecConst.USER_KEYRECOVERABLE) != 0, (type & SecConst.USER_SENDNOTIFICATION) != 0,