package de.superx.servlet;

import static de.superx.servlet.SxSQL_Server.DEFAULT_MANDANTEN_ID;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;

import org.apache.log4j.Logger;
import org.h2.util.StringUtils;
import org.saiku.web.service.SessionService;
import org.springframework.context.ApplicationContext;

import de.memtext.db.DBAccess;
import de.memtext.db.NichtAngemeldetException;
import de.memtext.tree.KeyParentEqualException;
import de.memtext.tree.NoMainEntryException;
import de.memtext.util.CryptUtils;
import de.memtext.util.DateUtils;
import de.memtext.util.EqualsUtil;
import de.memtext.util.ServletHelper;
import de.superx.bianalysis.service.DbMetaAdapter;
import de.superx.common.AbstractSicht;
import de.superx.common.DBServletException;
import de.superx.common.OrgUnit;
import de.superx.common.Sichten;
import de.superx.common.SxFinRechte;
import de.superx.common.SxResultRow;
import de.superx.common.SxResultSet;
import de.superx.common.SxUser;
import de.superx.saiku.SuperxSaikuSessionService;
import de.superx.util.SqlStringUtils;
import freemarker.template.TemplateException;

/**
 * Builds the {@link SxUser} object (identity, org-unit rights, mask/topic rights,
 * groups, views, finance rights) once authentication has succeeded, and stores it
 * in the HTTP session.
 *
 * Authentication paths (see {@code authenticate}): SuperX standalone (password from
 * the SuperX database, LDAP, or a container-authenticated remote user), HISinOne
 * token, or HISinOne guest account.
 */
public class UserInitializer {
    private static Logger logger = Logger.getLogger(UserInitializer.class);
    /** Prefix of the organigramm lookup; a quoted IN-list of lids is appended. */
    private static final String SELECT_ORGUNIT = "select key_apnr as apnr,uniquename,lid,name,gueltig_seit,gueltig_bis from organigramm where lid in ";
    public static final String MAXIMALE_LOGIN_VERSUCHE_UEBERSCHRITTEN = " Maximale Login-Versuche überschritten";
    /** The user being built; replaced by the pooled instance if one already exists. */
    private SxUser user = new SxUser();
    /** Set when user_pw.pw_gueltig_bis is set and not in the future. */
    private boolean isPasswordChangeDemanded = false;
    /** May be null when constructed for ExecuteMask (shell use without a web server). */
    protected HttpServletRequest request;
    private String mandantenID = DEFAULT_MANDANTEN_ID;
    private String oldsha;
    /** Whether the optional debugging table implicit_orgunit_rights exists in this database. */
    private boolean implicit_orgunit_rights_table_exists = false;

    /**
     * @param request may be null when executed from ExecuteMask (no web request)
     */
    public UserInitializer(HttpServletRequest request) throws IOException {
        this.request = request;
    }

    /**
     * Builds a test user for ExecuteMask (no authentication is performed).
     *
     * @param mandantenID tenant id
     * @param userName    login name
     * @param userid      userinfo tid
     * @param adminUser   "1" marks the user as admin; must not be null (toString is called on it)
     * @throws TransformerException
     * @throws DBServletException
     * @throws SQLException
     */
    public UserInitializer(String mandantenID, String userName, Integer userid, Object adminUser)
            throws SQLException, DBServletException, TransformerException {
        this.mandantenID = mandantenID;
        this.user = new SxUser(userName, userid, mandantenID);
        if (adminUser.toString().contentEquals("1"))
            user.setAdmin(true);
    }

    /**
     * Authenticates the request and stores the resulting user in the HTTP session.
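 * @throws NichtAngemeldetException     if the request does not authenticate
     * @throws IllegalArgumentException     if the user object could not be initialised; the
     *                                      original exception is attached as cause
     * @throws SecurityException
     * @throws TransformerConfigurationException
     * @throws InstantiationException
     * @throws IllegalAccessException
     * @throws InvocationTargetException
     * @throws NoSuchMethodException
     * @throws TransformerException
     * @throws KeyParentEqualException
     * @throws SQLException
     * @throws DBServletException
     */
    public void perform(TokenChecker tokenChecker, ApplicationContext springApplicationContext)
            throws NichtAngemeldetException, IllegalArgumentException, SecurityException,
            TransformerConfigurationException, InstantiationException, IllegalAccessException,
            InvocationTargetException, NoSuchMethodException, TransformerException,
            KeyParentEqualException, SQLException, DBServletException {
        Map attributes = new HashMap();
        if (tokenChecker != null) {
            streamLineTokenRightsAndFillRightsMap(tokenChecker, attributes);
        }
        mandantenID = ServletHelper.getParameter(request, RequestParameter.MandantenID);
        if (mandantenID == null)
            mandantenID = DEFAULT_MANDANTEN_ID;
        user.setMandantenID(mandantenID);
        try (Connection con = SxPools.getConnection(mandantenID)) {
            authenticate(con);
            // NOTE(review): this lock is on the per-request UserInitializer instance, so it does not
            // serialise concurrent logins of the same user against the shared userpool; kept as-is.
            synchronized (this) {
                if (SxPools.get(mandantenID).userpool.containsItemWithId(user.getId().toString())) {
                    // user already initialised by an earlier login: reuse the pooled rights
                    user = (SxUser) SxPools.get(mandantenID).userpool.getById(user.getId().toString());
                } else {
                    try {
                        initUser(con, attributes);
                    } catch (Exception e) {
                        logger.error("Initialising user " + user.getName() + " failed", e);
                        // message text kept for callers; cause attached instead of being dropped
                        throw new IllegalArgumentException(e.toString(), e);
                    }
                }
                initHttpSession();
                attributes.putAll(initAttributes(tokenChecker, user.isAdmin()));
                updateUserAndSessionAttrib(user, attributes);
                // logging out and in to Spring
                if (springApplicationContext != null) {
                    SessionService sessionService = (SessionService) springApplicationContext.getBean("sessionService");
                    sessionService.logout(request);
                    sessionService.authenticate(request, user.getName(), null);
                }
            }
            if (DbMetaAdapter.rechteModus == DbMetaAdapter.Rechtekonzept.SchemaBased) {
                createUserRechteSchema(con);
            }
        }
    }

    /**
     * Creates/refreshes the per-user rights views (schema-based rights mode) by calling
     * {@code rechte_views_function} for the metadata and presentation layers.
     *
     * The user name is bound as a statement parameter, not concatenated into the SQL:
     * in standalone mode it originates from the request parameter {@code kennung}.
     */
    private void createUserRechteSchema(Connection con) throws SQLException {
        String userName = user.getName();
        try (PreparedStatement pst = con.prepareStatement("SELECT * FROM rechte_views_function(?, ?)")) {
            for (String layer : new String[] { "metadata", "presentation" }) {
                pst.setString(1, layer);
                pst.setString(2, userName);
                pst.execute();
            }
        }
    }

    /**
     * Stores identity, admin flag and the right lists of the authenticated user in the
     * HTTP session, plus the locale requested via parameter and the User-Agent header.
     */
    private void initHttpSession() {
        HttpSession session = request.getSession(true);
        // Rotate the session id at the moment of authentication so that an id handed to the
        // victim before login (session fixation) never becomes an authenticated session.
        request.changeSessionId();
        session.setAttribute("UserID", user.getId().toString());
        session.setAttribute("sessiontype", "superx");
        session.setAttribute("MandantenID", mandantenID);
        session.setAttribute("User-A", request.getHeader("User-Agent"));
        String desiredLocale = ServletHelper.getParameter(request, RequestParameter.locale);
        if (desiredLocale != null)
            session.setAttribute("locale", desiredLocale);
        session.setAttribute("username", user.getName());
        session.setAttribute("user", user);
        session.setAttribute("UserIsAdmin", user.isAdmin() ? "true" : "false");
        session.setAttribute("UserMaskRights", user.getMaskRights());
        session.setAttribute("UserGroups", user.getGroups());
        session.setAttribute("UserSachgebiete", user.getSachgebiete());
        session.setAttribute("UserGroupnames", user.getGroupnames());
        if (isPasswordChangeDemanded())
            session.setAttribute("passwordchange", "true");
    }

    /**
     * Loads the current password hash, the password expiry date and the password history
     * (old_sha1..old_sha7) of the user. Sets {@code isPasswordChangeDemanded} when
     * pw_gueltig_bis is set and not in the future.
     */
    private void initPWGueltigkeit_Oldshas(Connection con) throws SQLException {
        int userId = user.getUserIdAsInt();
        try (PreparedStatement pst = con.prepareStatement("select passwd_sha from userinfo where tid=?")) {
            pst.setInt(1, userId);
            try (ResultSet rs = pst.executeQuery()) {
                while (rs.next()) {
                    user.setCurrentSha(rs.getString(1));
                }
            }
        }
        try (PreparedStatement pst = con.prepareStatement(
                "select pw_gueltig_bis,old_sha1,old_sha2,old_sha3,old_sha4,old_sha5,old_sha6,old_sha7 from user_pw where userinfo_id=?")) {
            pst.setInt(1, userId);
            try (ResultSet rs = pst.executeQuery()) {
                while (rs.next()) {
                    Date gueltigBis = rs.getDate(1);
                    if (gueltigBis != null && !DateUtils.isDateInFuture(gueltigBis))
                        isPasswordChangeDemanded = true;
                    // columns 2..8 map to history slots 0..6
                    for (int slot = 0; slot < 7; slot++) {
                        user.setOldSha(slot, rs.getString(slot + 2));
                    }
                }
            }
        }
    }

    /**
     * Implicit org-unit rights are kept in memory, but for debugging/control purposes
     * they are also written to the table implicit_orgunit_rights when it exists.
     * Any previous rows of this user are deleted first.
     *
     * @param con open connection of the tenant
     * @throws SQLException
     */
    private void initImplicitOrgUnitRights(Connection con) throws SQLException {
        if (DBAccess.hasTable(con, "implicit_orgunit_rights"))
            implicit_orgunit_rights_table_exists = true;
        if (implicit_orgunit_rights_table_exists) {
            logger.info("Leere implicit_orgunit_rights für User " + user.getName() + " (" + user.getUserIdAsInt() + ")");
            // NOTE(review): not try-with-resources; the statement leaks if setInt/execute throws.
            PreparedStatement pst_delete = con.prepareStatement("delete from implicit_orgunit_rights where userinfo_id=?");
            pst_delete.setInt(1, user.getUserIdAsInt());
            pst_delete.execute();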
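pst_delete.close();
        }
        logger.info("BI-Trage implizite erlaubte Orgeinheiten ein für User " + user.getName() + " (" + user.getUserIdAsInt() + ")");
        if (user.hasAllOrgUnitRights())
            allowAllOrgUnitsImplicitly(con);
        else {
            // Postgres can expand the org-unit tree in SQL; other dialects recurse in Java.
            ImplicitOrgEinheitFillerI iof = null;
            if (SxPools.get(mandantenID).getSqlDialect().contentEquals("Postgres")) {
                logger.info("Using PostgresImplicitOrgEinheitFiller");
                iof = new PostgresImplicitOrgEinheitFiller(implicit_orgunit_rights_table_exists, user);
            } else {
                logger.info("Using JavaRecursiveImplicitOrgEinheitFiller");
                iof = new JavaRecursiveImplicitOrgEinheitFiller(implicit_orgunit_rights_table_exists, user);
            }
            for (OrgUnit ou : user.getAllowedOrgUnits()) {
                iof.insertImplicitOrgUnitRights(con, ou);
            }
        }
    }

    /**
     * Grants every org unit of the organigramm (and every orgunit_mapping entry) implicitly:
     * written to implicit_orgunit_rights when that table exists, and always added to the
     * in-memory user object.
     */
    private void allowAllOrgUnitsImplicitly(Connection con) throws SQLException {
        if (implicit_orgunit_rights_table_exists) {
            logger.info("Trage alle Einheiten komplett ein in implicit_orgunit_rights für UserId " + user.getName() + " (" + user.getUserIdAsInt() + ")");
            // old standalone installations may still have uniquename = null, hence nvl
            try (PreparedStatement pst = con.prepareStatement(
                    "insert into implicit_orgunit_rights (userinfo_id,apnr,uniquename,lid)\n"
                            + "select ?::integer,key_apnr,nvl(uniquename,key_apnr)::varchar(255),lid from organigramm union\n"
                            + "select ?::integer,mapped_id,uniquename,lid from orgunit_mapping union\n"
                            + "select ?::integer,uniquename,uniquename,lid from orgunit_mapping")) {
                int userId = user.getUserIdAsInt();
                pst.setInt(1, userId);
                pst.setInt(2, userId);
                pst.setInt(3, userId);
                pst.execute();
            }
        }
        try (Statement stm = con.createStatement();
                ResultSet rs = stm.executeQuery(
                        "select key_apnr,nvl(uniquename,key_apnr) as uniquename,lid,name,gueltig_seit,gueltig_bis from organigramm")) {
            while (rs.next()) {
                OrgUnit ou = new OrgUnit(rs.getString("key_apnr"), rs.getString("uniquename"), rs.getString("lid"),
                        rs.getString("name"), rs.getDate("gueltig_seit"), rs.getDate("gueltig_bis"));
                user.addImplicitlyAllowedOrgUnit(ou);
            }
        }
    }

    /**
     * Dispatches to the authentication path of the installation: SuperX standalone,
     * HISinOne token (parameter {@code token}), or HISinOne guest account. On success the
     * login bookkeeping of {@code erfolgreicheAnmeldungVerarbeiten} runs.
     *
     * @throws DBServletException
     * @throws NichtAngemeldetException when the request does not authenticate
     * @throws SQLException
     */
    private void authenticate(Connection con) throws DBServletException, NichtAngemeldetException, SQLException {
        logger.debug("Session authentication for user=" + user.getName());
        String token = ServletHelper.getParameter(request, RequestParameter.token);
        if (!SuperXManager.isHis1) {
            superxStandaloneAuthenfication(con);
        } else if (token != null) {
            TokenChecker tokenChecker = new TokenChecker(token);
            tokenChecker.testAll();
            user.setName(tokenChecker.getKennung());
            user.setHisInOneOrgUnitLidOfRole(tokenChecker.getOrgunitLid());
            checkIfUserExistsInDatabaseAndUpdateDetails(con, false);
        } else {
            his1GuestAuthentication(con);
        }
        erfolgreicheAnmeldungVerarbeiten(con);
    }

    /**
     * Standalone login: the account name comes from the request parameter {@code kennung},
     * the credential is checked against the SuperX database, against LDAP, or is taken
     * from the servlet container (remote user / Shibboleth).
     *
     * @throws NichtAngemeldetException on any failure; a wrong password is also counted via
     *                                  {@code passwortFehlerVerarbeiten}
     */
    private void superxStandaloneAuthenfication(Connection con) throws NichtAngemeldetException, SQLException {
        if (SuperXManager.isHis1) {
            // Deliberately unhelpful message: do not expose configuration details on the login path.
            throw new NichtAngemeldetException("Keine Anmeldung möglich: Fehler in der Anwendungskonfiguration");
        }
        user.setName(ServletHelper.getParameter(request, RequestParameter.kennung));
        if (StringUtils.isNullOrEmpty(user.getName()))
            throw new NichtAngemeldetException(" Keine Anmeldung möglich, da im request keine Kennung angegeben.");
        checkIfUserExistsInDatabaseAndUpdateDetails(con, true);
        logger.debug("Standalone authentication for user " + user.getName());
        String passwort = ServletHelper.getParameter(request, RequestParameter.passwort);
        // "Guest login": admins may store the encrypted password "notsecret" in userinfo for
        // guest accounts (anonym, public, gast) for which no password is to be checked.
        // If the request carries a password, that one is checked instead (Uni Düsseldorf).
        if (passwort == null || passwort.length() == 0)
            passwort = "notsecret";
        boolean isPasswordOK = false;
        if (SuperXManager.isStandaloneLdapActive()) {
            if ("superx".equals(ServletHelper.getParameter(request, RequestParameter.login))) {
                logger.debug("LDAP aktiv aber Passwortkontrolle für " + user.getName() + " aus SuperX-Datenbank wegen Parameter login=superx");
                isPasswordOK = isPasswordInSuperXDatabaseOK(passwort);
            } else {
                isPasswordOK = new LdapPasswordChecker().isLdapPasswordOK(false, mandantenID, user.getName(), passwort);
            }
        } else {
            // Container-managed authentication (Tomcat realm / Shibboleth): the container has
            // already verified the principal, so no password is checked here.
            String remoteUser = request.getRemoteUser();
            String authType = request.getAuthType();
            logger.debug("Container authentication type: " + authType);
            if (remoteUser != null) {
                // Bind the container-verified principal to the requested account. Without this
                // check any authenticated principal could log in as an arbitrary "kennung".
                isPasswordOK = remoteUser.equals(user.getName());
                if (!isPasswordOK)
                    logger.warn("Remote user " + remoteUser + " attempted to log in as " + user.getName());
            } else if (authType != null && authType.equals("shibboleth")) {
                // TODO(review): no principal available to compare against; the kennung is taken on trust.
                isPasswordOK = true;
            } else {
                isPasswordOK = isPasswordInSuperXDatabaseOK(passwort);
            }
        }
        if (!isPasswordOK) {
            passwortFehlerVerarbeiten(con);
            throw new NichtAngemeldetException(" Falsches Passwort für User " + user.getName());
        }
    }

    /**
     * HISinOne without token: only accounts flagged as guest accounts may log in, and
     * no credential is checked for them.
     */
    private void his1GuestAuthentication(Connection con) throws NichtAngemeldetException, SQLException {
        user.setName(ServletBasics.getParameter(request,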
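RequestParameter.kennung));
        if (StringUtils.isNullOrEmpty(user.getName()))
            throw new NichtAngemeldetException(" Keine Anmeldung möglich, da im request keine Kennung angegeben.");
        if (!isGuestUser(con, user.getName())) {
            throw new NichtAngemeldetException("Kein Gastzugang für " + user.getName());
        }
        checkIfUserExistsInDatabaseAndUpdateDetails(con, false);
    }

    /**
     * Builds the user object with all of its rights. Also used by ExecuteMask for shell
     * invocation without a web server. The order of the init steps matters: org-unit
     * rights are needed by the implicit rights, and the Freemarker map is refreshed before
     * the mask edit rights are read.
     *
     * @param con                 open connection of the tenant
     * @param hisInOneAttributMap optional, may be null; carries the "rightsMap" of the HISinOne token
     * @throws IllegalArgumentException
     * @throws SecurityException
     * @throws TransformerConfigurationException
     * @throws InstantiationException
     * @throws IllegalAccessException
     * @throws InvocationTargetException
     * @throws NoSuchMethodException
     * @throws TransformerException
     * @throws KeyParentEqualException
     * @throws SQLException
     * @throws DBServletException
     * @throws NichtAngemeldetException
     * @throws IOException
     * @throws TemplateException
     * @throws NoMainEntryException
     * @throws CloneNotSupportedException
     */
    public void initUser(Connection con, Map hisInOneAttributMap) throws IllegalArgumentException, SecurityException,
            TransformerConfigurationException, InstantiationException, IllegalAccessException, InvocationTargetException,
            NoSuchMethodException, TransformerException, KeyParentEqualException, SQLException, DBServletException,
            NichtAngemeldetException, CloneNotSupportedException, NoMainEntryException, TemplateException, IOException {
        user.getSelectionBuffer().setActive(SuperXManager.isSessionFieldDefaultsWanted(mandantenID));
        user.setDBVersion(SxPools.get(mandantenID).getDatabaseMajorVersion(), SxPools.get(mandantenID).getDatabaseMinorVersion());
        if (hisInOneAttributMap != null) {
            addH1TokenOrgUnitRights(con, hisInOneAttributMap);
        }
        addSuperXOrBIDirectOrgUnitRights(con);
        initImplicitOrgUnitRights(con);
        initMaskenUndSachgebietsRechte(con);
        initGroups(con);
        initSichten();
        initFinRechte();
        if (SxPools.get(mandantenID).hasKontierungsrechte()) {
            user.initKontierungsrechte();
        }
        user.initThemenbaum();
        user.updateFreemarkerBasicMap();
        initPWGueltigkeit_Oldshas(con);
        initMaskenEditRechte();
    }

    /**
     * Adds the org units that the HISinOne token allows (key "allowedOrgUnits" inside the
     * "rightsMap"; the map keys are the org-unit lids, the map form is only for convenience,
     * see UserAndRightsStreamliner) as standard org-unit rights of the user.
     *
     * @throws RuntimeException when the token lists no org unit at all
     */
    private void addH1TokenOrgUnitRights(Connection con, Map hisInOneAttributMap) throws SQLException {
        @SuppressWarnings("unchecked")
        Map<String, Map<String, ?>> rightsMap = (Map<String, Map<String, ?>>) hisInOneAttributMap.get("rightsMap");
        if (rightsMap == null) {
            return;
        }
        Map<String, ?> allowedOrgUnitLids = rightsMap.get("allowedOrgUnits");
        if (allowedOrgUnitLids == null) {
            return;
        }
        if (allowedOrgUnitLids.isEmpty()) {
            throw new RuntimeException("Keine gültige Organisationseinheit für Nutzer gefunden."
                    + " Bitte Hauptladeroutine Kostenrechnung ausführen!");
        }
        String sqlLidInString = buildInString(allowedOrgUnitLids.keySet());
        try (Statement stm = con.createStatement(); ResultSet rs = stm.executeQuery(SELECT_ORGUNIT + sqlLidInString)) {
            while (rs.next()) {
                OrgUnit ou = new OrgUnit(rs.getString("apnr"), rs.getString("uniquename"), rs.getString("lid"),
                        rs.getString("name"), rs.getDate("gueltig_seit"), rs.getDate("gueltig_bis"));
                user.addStandardOrgUnitRight(ou);
            }
        }
    }

    /**
     * Renders the items as a quoted SQL IN-list, e.g. {@code ('a','b')}; an empty collection
     * yields {@code ()}. Single quotes inside an item are doubled so that a value can never
     * terminate the literal. The values come from the parsed HISinOne token, but the SQL
     * built here should not have to rely on that.
     */
    private static String buildInString(Collection<String> items) {
        StringBuilder sb = new StringBuilder("(");
        boolean first = true;
        for (String item : items) {
            if (!first)
                sb.append(',');
            first = false;
            sb.append('\'').append(item.replace("'", "''")).append('\'');
        }
        return sb.append(')').toString();
    }

    /**
     * Adds the org-unit rights granted directly in SuperX/BI (user_institution rows with
     * external_entry != 1 that are currently valid) as standard org-unit rights.
     *
     * @throws DBServletException
     * @throws SQLException
     */
    private void addSuperXOrBIDirectOrgUnitRights(Connection con) throws SQLException, DBServletException {
        try (Statement stm = con.createStatement();
                ResultSet rs = stm.executeQuery(
                        "select trim(ch110_institut) as apnr,O.uniquename,O.name,O.lid,O.gueltig_seit,O.gueltig_bis from user_institution U left outer join organigramm O on (ch110_institut=key_apnr) where userid=" + user.getId() + " and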
ch110_institut is not null and (external_entry is null or external_entry!=1) "
                                + "and (U.gueltig_seit is null or U.gueltig_seit<=today()) and (U.gueltig_bis is null or U.gueltig_bis>=today()) ");) {
            while (rs.next()) {
                OrgUnit ou = new OrgUnit(rs.getString("apnr"), rs.getString("uniquename"), rs.getString("lid"),
                        rs.getString("name"), rs.getDate("gueltig_seit"), rs.getDate("gueltig_bis"));
                user.addStandardOrgUnitRight(ou);
            }
        }
    }

    /**
     * Reads the finance (user_kam) rights according to the tenant's variant
     * (simple, extended, ins3) and the proj_to_inst mapping, and hands both to the user.
     * Admins and tenants with NO_RIGHTS are skipped.
     * NOTE(review): for a variant other than the three handled ones, rs stays null and is
     * passed on as such.
     */
    private void initFinRechte() throws SQLException, DBServletException {
        SxResultSet rs = null;
        int finRightVariant = SxPools.get(mandantenID).getFinRightVariant();
        if (finRightVariant != SxFinRechte.NO_RIGHTS && !user.isAdmin()) {
            if (finRightVariant == SxFinRechte.SIMPLE_RIGHTS) {
                rs = ServletUtils.execute("Einlesen von einfachtenFin-Rechten für Benutzer " + user.getId(),
                        SxFinRechte.getReadingSqlUserKamSimple(user), user.getMandantenID());
            }
            if (finRightVariant == SxFinRechte.EXTENDED_RIGHTS) {
                rs = ServletUtils.execute("Einlesen von erweiterten Fin-Rechten für Benutzer " + user.getId(),
                        SxFinRechte.getReadingSqlUserKam(user), user.getMandantenID());
            }
            if (finRightVariant == SxFinRechte.INS3_RIGHTS) {
                rs = ServletUtils.execute(
                        "Einlesen von erweiterten Fin-Rechten inkl. ins3 für Benutzer " + user.getId(),
                        SxFinRechte.getReadingSqlUserKamIns3(user, SxPools.get(mandantenID).hasFinUserKamRestrictionFields()), // extended
                        user.getMandantenID());
            }
            SxResultSet rs2 = ServletUtils
                    .executeALL_el(null, null, "Einlesen von Fin-Rechten proj_to_inst für Benutzer " + user.getId(),
                            SxFinRechte.getReadingSqlProjToInst(SxPools.get(mandantenID).getDatabaseAbbr(), user),
                            user.getMandantenID(), true)
                    .getResultSet();
            user.initFinRechte(rs, finRightVariant, rs2, SxPools.get(mandantenID).is0FINJoker(),
                    SxPools.get(mandantenID).getRepository());
        }
    }

    /**
     * Reads the views ("Sichten") of the user and which of them are allowed. When the
     * tenant defines Sichtart rights, the additional rights are read in two passes:
     * pass 1 before the views are initialised, pass 2 afterwards (it needs the keys of
     * the already-read Sichtarten).
     */
    private void initSichten() throws SQLException, DBServletException, KeyParentEqualException,
            CloneNotSupportedException, NoMainEntryException, TemplateException, IOException {
        boolean hasSichtartRechteDefinitionen = SxPools.get(user.getMandantenID()).getSichtartRechteDefinitionen()
                .size() > 0;
        if (hasSichtartRechteDefinitionen) {
            readAdditionalSichtenRights1();
        }
        SxResultSet rs = ServletUtils.execute("Einlesen von Sichten für Benutzer " + user.getId(),
                Sichten.getReadingSql(user), user.getMandantenID());
        user.getSichten().init(user.getMandantenID(), rs, SichtServlet.class);
        if (hasSichtartRechteDefinitionen) {
            readAdditionalSichtenRights2();
        }
        rs = ServletUtils.execute("Einlesen von Sichtrechten für Benutzer " + user.getId(),
                "select distinct tid,type from sichten S where " + Sichten.getErlaubteSichtenSql(user),
                user.getMandantenID());
        user.getSichten().setAllowedSichten(rs, user.isAdmin());
    }

    /**
     * Pass 1 of the Sichtart rights: runs the SQL of every SichtartRechteDefinition for
     * this user id and registers the result as Sichtart rights.
     */
    private void readAdditionalSichtenRights1() throws SQLException, DBServletException {
        for (Iterator it = SxPools.get(user.getMandantenID()).getSichtartRechteDefinitionen().iterator(); it
                .hasNext();) {
            SichtartRechteDefinition sd = (SichtartRechteDefinition) it.next();
            SxResultSet rs = ServletUtils.execute(
                    "Einlesen von Sichtart " + sd.getName() + " Rechten für Benutzer " + user.getId(),
                    sd.getSql((Integer) user.getId()), user.getMandantenID());
            user.getSichten().addSichtartRechte(sd.getName(), sd.isFallback_user_inst(), rs);
        }
    }

    /**
     * Pass 2 of the Sichtart rights: runs the "additional keys" SQL of each definition,
     * with the placeholders for the user id and for the keys of other Sichtarten replaced.
     */
    private void readAdditionalSichtenRights2() throws SQLException, DBServletException, KeyParentEqualException,
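CloneNotSupportedException, NoMainEntryException, TemplateException, IOException {
        for (Iterator it = SxPools.get(user.getMandantenID()).getSichtartRechteDefinitionen().iterator(); it.hasNext();) {
            SichtartRechteDefinition sd = (SichtartRechteDefinition) it.next();
            if (!sd.hasAdditionalKeysSQL()) {
                continue;
            }
            boolean isSQLOK = true;
            String sql = sd.getAdditionalKeysSQL();
            // Literal replacement: the placeholders and the key lists are not regular expressions,
            // and a key list containing '$' or '\' must not be interpreted as a regex replacement.
            sql = sql.replace("<>", user.getId().toString());
            for (Iterator<String> it2 = user.getSichten().getSichtenArten().iterator(); it2.hasNext();) {
                String sichtart = it2.next();
                String placeholder = "<<" + sichtart + ">>";
                if (sql.indexOf(placeholder) > -1) {
                    String sichtartkeys = user.getSichten().getSichtartKeys(sichtart);
                    // an empty key list would leave the SQL incomplete: skip this definition
                    if (sichtartkeys.equals(""))
                        isSQLOK = false;
                    sql = sql.replace(placeholder, sichtartkeys);
                }
            }
            if (isSQLOK) {
                SxResultSet rs2 = ServletUtils.execute("Einlesen ergänzenden Rechten von Sichtart " + sd.getName()
                        + " Rechten für Benutzer " + user.getId(), sql, user.getMandantenID());
                user.getSichten().addSichtartRechte(sd.getName(), sd.isFallback_user_inst(), rs2);
                // no reinit(sd.getName()) needed: views are only read when actually used
            }
        }
    }

    /**
     * Reads the groups (groupinfo via user_group_bez) of the user.
     */
    private void initGroups(Connection con) throws SQLException {
        try (Statement stm = con.createStatement();
                ResultSet rs = stm.executeQuery(
                        "select tid::varchar(10) as groupid,name from groupinfo G, user_group_bez U where G.tid=U.groupinfo_id and userinfo_id="
                                + user.getUserIdAsInt())) {
            while (rs.next()) {
                user.addGruppe(rs.getString("groupid"), rs.getString("name"));
            }
        }
    }

    /**
     * Reads the masks the user may run (via group topic areas, group mask rights, user
     * topic areas and user mask rights; maskeninfo_id = 0 in user_masken_bez means all),
     * the user's topic areas, and the fields hidden for the user's groups. The user id
     * embedded in the SQL is the numeric userinfo tid, not request input.
     */
    private void initMaskenUndSachgebietsRechte(Connection con) throws SQLException, DBServletException {
        String queryMaskenRechte = "--alle Abfragen für die die Gruppe über Sachgebiete berechtigt \n"
                + "select distinct M.tid,M.name \n"
                + " from maskeninfo M, sachgeb_maske_bez S, group_sachgeb_bez G, user_group_bez U \n"
                + " where M.tid = S.maskeninfo_id \n"
                + " and S.sachgebiete_id = G.sachgebiete_id \n"
                + " and G.groupinfo_id = U.groupinfo_id \n"
                + " and U.userinfo_id = " + user.getId() + " \n"
                + " union \n"
                + " --alle Abfragen für die die Gruppe berechtigt (Einzelrechte) \n"
                + " select distinct M.tid,M.name \n"
                + " from maskeninfo M, group_masken_bez G, user_group_bez U \n"
                + " where M.tid = G.maskeninfo_id \n"
                + " and G.groupinfo_id = U.groupinfo_id \n"
                + " and U.userinfo_id = " + user.getId() + " \n"
                + " union \n"
                + "--alle Abfragen aus Sachgebieten für die der Nutzer Rechte hat \n"
                + " select distinct M.tid,M.name \n"
                + " from maskeninfo M \n"
                + " where \n"
                + " (M.tid in (select maskeninfo_id from sachgeb_maske_bez S where S.sachgebiete_id in \n"
                + " (select sachgebiete_id from user_sachgeb_bez U where U.userinfo_id=" + user.getId() + " ))) \n"
                + " union \n"
                + "--alle Abfragen für die Einzelrechte in user_masken_bez angegeben \n"
                + " select distinct M.tid,M.name \n"
                + " from maskeninfo M, user_masken_bez B \n"
                + " where \n"
                + " B.userinfo_id = " + user.getId() + " \n"
                + " and (M.tid = B.maskeninfo_id \n"
                + " or B.maskeninfo_id = 0)";
        SxResultSet rs = ServletUtils.execute("Erlaubte Masken für User " + user.getName() + " (" + user.getId() + ")",
                queryMaskenRechte, user.getMandantenID());
        List<Integer> erlaubteMasken = new ArrayList<>();
        for (Iterator it = rs.iterator(); it.hasNext();) {
            SxResultRow row = (SxResultRow) it.next();
            erlaubteMasken.add((Integer) row.get(0));
        }
        user.initErlaubteMasken(erlaubteMasken);
        rs = ServletUtils.execute("Erlaubte Sachgebiete für User " + user.getName() + " (" + user.getId() + ")",
                "select sachgebiete_id from user_sachgeb_bez where userinfo_id=" + user.getId() + " \n"
                        + "union \n"
                        + "select sachgebiete_id from group_sachgeb_bez where groupinfo_id in ( \n"
                        + "select groupinfo_id from user_group_bez where userinfo_id=" + user.getId() + ")",
                user.getMandantenID());
        user.setSachgebiete(rs);
        // best effort: hidden fields are optional and must not prevent the login
        try {
            rs = ServletUtils.execute("Einlesen von versteckten Feldern für Benutzer " + user.getId(),
                    "select field_id from group_field_pref where pref='hidden' and groupinfo_id in"
                            + " (select groupinfo_id from user_group_bez where userinfo_id=" + user.getId() + ")",
                    user.getMandantenID());
            user.setHiddenFields(rs);
        } catch (Exception e) {
            logger.warn("Could not read hidden fields for user " + user.getId(), e);
        }
    }

    /**
     * Counts the topic areas named 'Bearbeitung…' or 'Administration…' the user has via
     * groups or directly; the count decides the mask edit rights.
     */
    private void initMaskenEditRechte() throws SQLException, DBServletException {
        String sql = " SELECT (SELECT count(*) from user_group_bez U,group_sachgeb_bez B, sachgebiete S "
                + "where S.tid=B.sachgebiete_id "
                + "and U.groupinfo_id=B.groupinfo_id "
                + "and U.userinfo_id=" + user.getId()
                + " and (S.name like 'Bearbeitung%' or S.name like 'Administration%') "
                + ") "
                + "+ "
                + "(SELECT count(*) from user_sachgeb_bez B, sachgebiete S "
                + "where S.tid=B.sachgebiete_id "
                + "and B.userinfo_id=" + user.getId()
                + " and (S.name like 'Bearbeitung%' or S.name like 'Administration%') "
                + ")";
        SxResultSet rs = ServletUtils.execute("Bearbeitungsrechte auf Masken", sql, user.getMandantenID());
        user.setMaskenEditRights(rs);
    }

    /**
     * Not in use.
     *
     * @deprecated pre-computation of cacheable user field1 sources; the caching part is
     *             commented out below and nothing calls this method
     * @param user
     * @throws SQLException
     * @throws DBServletException
     */
    @Deprecated
    private static void initUserField1Cache(SxUser user) throws SQLException, DBServletException {
        SxResultSet rs = ServletUtils.execute("potentielle zu cachende User-Field1-quellen lesen",
                "select distinct relation from felderinfo where "
                        + SuperXManager.userField1Cache + " and art=1 and tid!=23541",
                user.getMandantenID());
        TreeSet<String> sqls = new TreeSet<>();
        String haushaltsjahr = DateUtils.getYear(new java.sql.Date(new java.util.Date().getTime()));
        Hashtable<String, String> formular = new Hashtable<>();
        formular.put("Haushaltsjahr", haushaltsjahr);
        for (Iterator it = rs.iterator(); it.hasNext();) {
            SxResultRow row = (SxResultRow) it.next();
            String sql = (String) row.get(0);
            // only SQL that references the user id placeholder is user specific
            if (sql.trim().indexOf("<>") == -1)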
continue; sql = SqlStringUtils.generateSQL("PG", formular, sql);// Database-Abbr // für // haushaltsjahr // egal try { HashMap map = new HashMap(); map.putAll(user.getBasicMap()); sql = SxPools.get(user.getMandantenID()).getTemplateProcessor().process(map, null, "user Field1 Cache", sql, null, SxPools.get(user.getMandantenID()).getRepository(), SxPools.get(user.getMandantenID()).getSqlDialect()); sql = AbstractSicht.getStrippedSQL(sql); if (sql.indexOf("<<") == -1) sqls.add(sql); } catch (Exception e) { logger.info("Problem bei Caching des User-Feld-SQLs " + sql + " " + e); } } /* * FieldElementCache userFieldElementCache = (FieldElementCache) * user.getFieldElementCache(); for (Iterator it = sqls.iterator(); * it.hasNext();) { String sql = (String) it.next(); Logger.getLogger("superx_" * + user.getMandantenID()).log(Level.FINER, " Cache User-Feld-SQL: " + sql); * try { rs = ServletUtils.executeALL_el(null, null, "Felder-SQL cachen", sql, * user.getMandantenID(), true).getResultSet(); userFieldElementCache.add(sql, * rs); } catch (Exception e) { Logger.getLogger("superx_" + * user.getMandantenID()).log(Level.INFO, * "Problem bei Caching des User-Feld-SQLs " + sql + " " + e); } } */ } private void checkIfUserExistsInDatabaseAndUpdateDetails(Connection con, boolean isStandardLogin) throws SQLException, NichtAngemeldetException { boolean wasUserFound = false; boolean isUserinfoMitGueltigkeit=checkUserinfoMitGueltigkeit(con); // #305059 String select="select tid, passwd_sha, administration, kennwort,akt_versuch,max_versuch from userinfo where benutzer = ? 
"; if (isUserinfoMitGueltigkeit) { select+= "and ( (gueltig_von is null or gueltig_von<=today()) and (gueltig_bis is null or gueltig_bis>=today()) )"; } try (PreparedStatement pst = con .prepareStatement(select);) { pst.setString(1, user.getName()); try (ResultSet rs = pst.executeQuery();) { while (rs.next()) { wasUserFound = true; checkAndUpdateUserDetails(isStandardLogin, rs); } } } if (!wasUserFound) { fehlerhafteAnmeldungProtokollieren(con); throw new NichtAngemeldetException(" Kombination von " + user.getName() + " und Passwort ungültig"); } } private boolean checkUserinfoMitGueltigkeit(Connection dbConnection) throws SQLException { boolean result=false; Statement stm = dbConnection.createStatement(); DatabaseMetaData md = dbConnection.getMetaData(); ResultSet rs = md.getColumns(null, null, "userinfo", null); while (rs.next()) { if (rs.getString(4).equals("gueltig_von")) { result=true; } } rs.close(); return result; } private static boolean isGuestUser(Connection con, String kennung) throws SQLException { boolean result = false; try (PreparedStatement pst = con .prepareStatement("select name from userinfo where benutzer = ?");) { pst.setString(1, kennung); try (ResultSet rs = pst.executeQuery()) { if (rs.next()) { String name = rs.getString("name"); result = name != null && name.trim().equals("Gastkennung"); } } } return result; } private void passwortFehlerVerarbeiten(Connection con) throws SQLException { try (Statement stm = con.createStatement();) { // Versuchszahl erhöhen stm.executeUpdate( "update userinfo set akt_versuch=akt_versuch+1 " + " where tid=" + user.getUserIdAsInt()); // protokollieren stm.execute("insert into protokoll (proto_fkt_id, userinfo_id, " + "ip_adresse, client_name, zeitpunkt) values (" + "2," + user.getUserIdAsInt() + ",'" + request.getRemoteAddr() + "','" + request.getRemoteHost() + "'" + "," + now_command() + ");"); } } private void erfolgreicheAnmeldungVerarbeiten(Connection con) throws SQLException { try (Statement stm = 
con.createStatement();) { if (user.getId() != null) stm.executeUpdate("update userinfo set akt_versuch=0 " + " where tid = " + user.getUserIdAsInt()); updateLastLogin(stm); if (SxPools.get(mandantenID).isErweitertesProtokollWanted()) { stm.execute("insert into protokoll (proto_fkt_id, userinfo_id, " + "ip_adresse, client_name, zeitpunkt) values (" + "1," + user.getUserIdAsInt() + ",'" + request.getRemoteAddr() + "','" + request.getRemoteHost() + "'" + "," + now_command() + ");"); } } } private String now_command() { if (SxPools.get(mandantenID).getSqlDialect().equals("Postgres")) { return "now()"; } else { return "current"; } } private void fehlerhafteAnmeldungProtokollieren(Connection con) throws SQLException { try (Statement stm = con.createStatement();) { stm.execute("insert into protokoll (proto_fkt_id, userinfo_id, " + "ip_adresse, client_name, zeitpunkt) values (" + "2, -1,'" + request.getRemoteAddr() + "','" + request.getRemoteHost() + "'" + "," + now_command() + ");"); } } private void checkAndUpdateUserDetails(boolean isStandardLogin, ResultSet rs) throws SQLException, NichtAngemeldetException { String password_sha; Integer userid = (Integer) rs.getObject(1); user.setId(userid); String kennwortSpalte = (String) rs.getString(4); if (kennwortSpalte != null) kennwortSpalte = kennwortSpalte.trim().toLowerCase(); if (isStandardLogin && kennwortSpalte != null && (kennwortSpalte.equals("ändern") || kennwortSpalte.equals("aendern"))) isPasswordChangeDemanded = true; Short adminUser = Short.valueOf(rs.getShort(3)); if (adminUser.shortValue() == 1) user.setAdmin(true); password_sha = (String) rs.getString(2); if (password_sha == null) throw new NichtAngemeldetException("Kein Passwort in DB gefunden"); else password_sha = password_sha.trim(); user.setCurrentSha(password_sha); oldsha = password_sha; int akt_versuch = rs.getInt(5); int max_versuch = rs.getInt(6); if (akt_versuch > max_versuch || max_versuch==0) { throw new 
NichtAngemeldetException(MAXIMALE_LOGIN_VERSUCHE_UEBERSCHRITTEN); } } private boolean isPasswordInSuperXDatabaseOK(String enteredPassword) { return EqualsUtil.areEqual(user.getCurrentSha(), CryptUtils.encodeSHA(enteredPassword)) || EqualsUtil .areEqual(user.getCurrentSha(), CryptUtils.encodeSHA(enteredPassword + CryptUtils.geheimnis1)); } private void updateLastLogin(Statement stm) throws SQLException { int userInDB = 0; try (ResultSet rs = stm .executeQuery("select count(*) from user_pw where userinfo_id=" + user.getUserIdAsInt());) { while (rs.next()) { userInDB = rs.getInt(1); } } if (userInDB == 0) { stm.executeUpdate( "insert into user_pw (userinfo_id,last_login) values (" + user.getUserIdAsInt() + ",now());"); } else { stm.executeUpdate("update user_pw set last_login=now() where userinfo_id=" + user.getUserIdAsInt()); } } public String getUsername() { return user.getName(); } public SxUser getUser() { return user; } /** * @return Returns the isPasswordChangeDemanded. checks session attribute also */ public boolean isPasswordChangeDemanded() { String attrib = "false"; if (request.getSession() != null) { attrib = (String) request.getSession().getAttribute("passwordchange"); if (attrib == null) attrib = "false"; } return isPasswordChangeDemanded || attrib.equals("true"); } /** * @param isPasswordChangeDemanded The isPasswordChangeDemanded to set. */ public void setPasswordChangeDemanded(boolean isPasswordChangeDemanded) { this.isPasswordChangeDemanded = isPasswordChangeDemanded; } public static String getPwChangeHtml(String message) { return de.superx.servlet.SuperXManager.htmlPageHead("Erfolg") + "
" + message + "
" + "Bisheriges Passwort


" + "Neues Passwort

" + "Erneut eingeben

" + "
" + "" + "
" + ""; } /** * @return Returns the oldsha. */ public String getOldsha() { return oldsha; } @Deprecated void initSessionOld(TokenChecker tokenChecker, ApplicationContext springApplicationContext) throws NichtAngemeldetException, TransformerConfigurationException, InstantiationException, IllegalAccessException, InvocationTargetException, NoSuchMethodException, TransformerException, KeyParentEqualException, SQLException, DBServletException { Map attributes = new HashMap(); if (tokenChecker != null) { streamLineTokenRightsAndFillRightsMap(tokenChecker, attributes); } // perform(attributes); attributes.putAll(initAttributes(tokenChecker, user.isAdmin())); updateUserAndSessionAttrib(user, attributes); //logging out and in to Spring if (springApplicationContext != null) { SessionService sessionService = (SessionService) springApplicationContext.getBean("sessionService"); sessionService.logout(request); sessionService.authenticate(request, user.getName(), null); } } private void streamLineTokenRightsAndFillRightsMap(TokenChecker tokenChecker, Map attributes) throws SQLException, NichtAngemeldetException, DBServletException { Map> rightsMap = UserAndRightsStreamliner.streamline(mandantenID, tokenChecker); attributes.put("rightsMap", rightsMap); } /** * * @param tokenChecker - darf null sein, dann wird für SuperXStandalone * vorbereitet * @param isAdmin * @return * @throws SQLException * @throws DBServletException * @throws NichtAngemeldetException * @throws TransformerConfigurationException * @throws InstantiationException * @throws IllegalAccessException * @throws InvocationTargetException * @throws NoSuchMethodException * @throws TransformerException * @throws KeyParentEqualException */ private Map initAttributes(TokenChecker tokenChecker, boolean isAdmin) throws SQLException, DBServletException, NichtAngemeldetException, TransformerConfigurationException, InstantiationException, IllegalAccessException, InvocationTargetException, NoSuchMethodException, 
TransformerException, KeyParentEqualException { Map attributes = null; // TODO check hier von isTokenUsed==true geändert if (tokenChecker != null) { attributes = getAttributesFromToken(tokenChecker); } else { attributes = getSxStandaloneAttributes(isAdmin); } return attributes; } private void updateUserAndSessionAttrib(SxUser user, Map attributes) { user.setRights((Map>) attributes.get("rightsMap"), (String) attributes.get("role")); user.setHisInOneOrgUnitLidOfRole((Integer) attributes.get("orgUnit")); user.setRoleId((Integer) attributes.get("roleId")); // save rights in session if (request.getSession() != null) { request.getSession().setAttribute(SessionAttribute.isSuperXStandalone.toString(), (SuperXManager.isHis1() ? "false" : "true")); request.getSession().setAttribute(SessionAttribute.rights.toString(), (String) attributes.get(SessionAttribute.rightsString.toString())); request.getSession().setAttribute(SessionAttribute.orgUnit.toString(), (Integer) attributes.get(SessionAttribute.orgUnit.toString())); } } private Map getSxStandaloneAttributes(boolean isAdmin) throws NichtAngemeldetException, TransformerConfigurationException, InstantiationException, IllegalAccessException, InvocationTargetException, NoSuchMethodException, TransformerException, KeyParentEqualException, SQLException, DBServletException { Map attributes = new HashMap(); attributes.put("orgUnit", Integer.getInteger("-1")); // wichtig, dass ein Wert da ist, da ggfs. mit equals // gearbeitet wird isKennungOrRightsInTokenChanged Map> sx_rightsMap = new HashMap>(); // 2. Parameter der Map ist null, hier kämen bei HisInOne Rechteparameter vergl. 
// de.superx.util.RightsParser.parse() if (isAdmin) { sx_rightsMap.put(SuperxSaikuSessionService.ADMIN_RIGHT, null); sx_rightsMap.put(SuperxSaikuSessionService.VIEW_OLAP_RIGHT, null); attributes.put("rightsString", SuperxSaikuSessionService.VIEW_OLAP_RIGHT + "," + SuperxSaikuSessionService.ADMIN_RIGHT); attributes.put("role", SuperxSaikuSessionService.ROLE_BI_ADMIN); } else if (this.user.getName().startsWith("gast")){ sx_rightsMap.put(SuperxSaikuSessionService.STANDARDREPORTS_RIGHT, null); attributes.put("rightsString", SuperxSaikuSessionService.STANDARDREPORTS_RIGHT); attributes.put("role", SuperxSaikuSessionService.ROLE_BI_SPECIALIST); } else { sx_rightsMap.put(SuperxSaikuSessionService.STANDARDREPORTS_RIGHT, null); sx_rightsMap.put(SuperxSaikuSessionService.VIEW_OLAP_RIGHT, null); attributes.put("rightsString", SuperxSaikuSessionService.VIEW_OLAP_RIGHT + "," + SuperxSaikuSessionService.STANDARDREPORTS_RIGHT); attributes.put("role", SuperxSaikuSessionService.ROLE_BI_SPECIALIST); } attributes.put("rightsMap", sx_rightsMap); return attributes; } private Map getAttributesFromToken(TokenChecker tokenChecker) throws NichtAngemeldetException, TransformerConfigurationException, InstantiationException, IllegalAccessException, InvocationTargetException, NoSuchMethodException, TransformerException, KeyParentEqualException, SQLException, DBServletException { logger.debug("Request.token: " + tokenChecker.getTokenString()); Map attributes = new HashMap(); // rightsMap wird schon vorher gefüllt in streamLineTokenRightsAndFillRightsMap attributes.put("role", tokenChecker.getRole()); attributes.put("orgUnit", tokenChecker.getOrgunitLid()); attributes.put("rightsString", tokenChecker.getRights()); attributes.put("roleId", tokenChecker.getExternRoleID()); return attributes; } } // Created on 17.03.2005 at 09:09:00