package com.ibm.ws.security.server.lm;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.SingleSignonConfig;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.token.KerberosServiceTicketImpl;
import com.ibm.ws.security.token.KerberosTokenImpl;
import com.ibm.ws.security.token.WSSMarkerObject;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSProtocolPolicyCallback;
import com.ibm.wsspi.security.csiv2.CSIv2PerformPolicy;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.KerberosToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.ietf.jgss.GSSCredential;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/server/lm/wsMapCSIv2OutboundLoginModule.class */
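/**
 * JAAS {@link LoginModule} that prepares security-attribute propagation for an outbound request.
 *
 * <p>During {@link #login()} the module reads the {@link WSCredential} from the Subject and, when
 * the credential is forwardable and not basic-auth, creates any missing default authorization,
 * authentication and single-sign-on tokens, adds them to the Subject's private credentials and
 * serializes the Subject into an opaque token that is stored in the shared state under
 * {@code "WSOPAQUE"}. {@link #commit()} then adds the opaque token holder to the Subject.
 *
 * <p>The module does nothing when neither RMI outbound propagation nor WSS token propagation
 * (signalled by an enabled {@link WSSMarkerObject} in the Subject) is active.
 *
 * <p>Instances keep per-login state in fields and are not written for concurrent use.
 */
public class wsMapCSIv2OutboundLoginModule implements LoginModule {
    private Subject subject;
    private Subject invocation_subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;
    private Map options;
    private static final WebSphereRuntimePermission MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    private static final TraceComponent tc = Tr.register(wsMapCSIv2OutboundLoginModule.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    private SecurityConfig security = null;
    // True once login() has finished without error for the current attempt.
    private boolean succeeded = false;
    // True once commit() has finished (or decided there was nothing to commit).
    private boolean commitSucceeded = false;
    // Serialized Subject produced by login(); added to the Subject by commit().
    private TokenHolder opaqueTokenHolder = null;
    // Tokens created by login() only when the Subject did not already carry a default one.
    private AuthorizationToken authzToken = null;
    private SingleSignonToken ssoToken = null;
    private AuthenticationToken authToken = null;
    private KerberosToken kerberosToken = null;
    // Never assigned in this class; the Kerberos branches in login() only run if it is set elsewhere.
    boolean spnegoLTPASupport = false;
    private CSIv2PerformPolicy csiv2PerformPolicy = null;
    protected boolean debug = false;
    protected boolean ssoEnabled = false;
    private boolean wssTokenPropagationEnabled = false;
    private String OID = null;

    /** Creates the module; all real setup happens in {@link #initialize}. */
    public wsMapCSIv2OutboundLoginModule() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "wsMapCSIv2OutboundLoginModule()");
            Tr.exit(tc, "wsMapCSIv2OutboundLoginModule()");
        }
    }

    /**
     * Stores the JAAS context objects and reads the configuration this module depends on.
     *
     * @param subject         the Subject whose credentials are mapped for the outbound request
     * @param callbackHandler handler used to obtain the protocol policy; may be {@code null},
     *                        in which case {@link #login()} fails unless the shared state already
     *                        holds the callbacks
     * @param map             shared state of the login configuration
     * @param map2            module options; {@code debug=true} turns on debug tracing
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            // Plain concatenation instead of explicit toString() calls: a null argument is traced
            // as "null" rather than raising NullPointerException before any field is assigned.
            // NOTE(review): this writes the Subject and the complete shared-state and options maps
            // to the trace log. Depending on what earlier modules put in the shared state and on
            // the credentials' toString(), that may include credential material - confirm that
            // trace output is access-controlled or reduce what is traced here.
            Tr.entry(tc, "initialize(subject = \"" + subject + "\", callbackHandler = \"" + callbackHandler + "\", sharedState = \"" + map + "\", options = \"" + map2 + "\")");
        }
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = map;
        this.options = map2;
        // Read the debug option before the configuration lookup so that the catch block below
        // already honours it; tolerate a missing options map or a non-String value.
        Object debugOption = map2 == null ? null : map2.get("debug");
        this.debug = debugOption instanceof String && "true".equalsIgnoreCase((String) debugOption);
        this.security = SecurityObjectLocator.getSecurityConfig();
        try {
            SingleSignonConfig singleSignon = this.security.getActiveAuthMechanism().getSingleSignon();
            // The decompiled source had "false != null" here, which does not compile; the guard
            // protects the dereference on the next line.
            if (singleSignon != null) {
                this.ssoEnabled = singleSignon.getBoolean("enabled");
            }
            this.OID = this.security.getActiveAuthMechanism().getString(AuthMechanismConfig.OID);
            ContextManager contextManager = ContextManagerFactory.getInstance();
            if (contextManager != null) {
                contextManager.clearRootException();
            }
        } catch (Exception e) {
            // Best effort: a configuration problem is recorded but does not stop initialization.
            FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.initialize", "168", this);
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception initializing wsMapCSIv2OutboundLoginModule.", new Object[]{e});
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "WSLoginModuleImpl initialized");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }

    /**
     * Creates the propagation tokens and the opaque token for the Subject.
     *
     * @return {@code true} when the phase completed, including the cases where propagation is
     *         disabled or the credential is not eligible and nothing was created
     * @throws LoginException (as {@link WSLoginFailedException}) when the protocol policy cannot be
     *                        obtained or the opaque token cannot be built
     */
    @Override
    public boolean login() throws LoginException {
        Callback[] callbackArr;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        WSSMarkerObject wssMarker = getWSSMarkerFromSubject(this.subject);
        if (wssMarker != null && wssMarker.isEnabled()) {
            this.wssTokenPropagationEnabled = true;
        }
        if (!WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled() && !this.wssTokenPropagationEnabled) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "Attribute propagation disabled locally.");
            }
            this.succeeded = true;
            return this.succeeded;
        }
        this.succeeded = false;
        if (this.commitSucceeded) {
            // A previous login/commit cycle on this instance was never logged out.
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "The login module is in funny state, cleanup before starting a new login process.");
            }
            cleanup();
        }
        final ContextManager contextManager = ContextManagerFactory.getInstance();
        if (this.sharedState.containsKey(Constants.CALLBACK_KEY)) {
            callbackArr = (Callback[]) this.sharedState.get(Constants.CALLBACK_KEY);
        } else {
            if (this.callbackHandler == null) {
                WSLoginFailedException noHandler = new WSLoginFailedException("No CallbackHandler available to gather authentication information from the user.");
                // initialize() treats a missing context manager as possible; do not let it turn
                // the login failure into a NullPointerException here.
                if (contextManager != null) {
                    contextManager.setRootException(noHandler);
                }
                throw noHandler;
            }
            callbackArr = new Callback[]{new WSProtocolPolicyCallback("Protocol Policy Callback: ")};
            try {
                this.callbackHandler.handle(callbackArr);
                this.sharedState.put(Constants.CALLBACK_KEY, callbackArr);
            } catch (IOException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "246", this);
                Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e});
                if (contextManager != null) {
                    contextManager.setRootException(e);
                }
                this.succeeded = false;
                throw new WSLoginFailedException("IOException: " + e.getMessage(), e);
            } catch (UnsupportedCallbackException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "254", this);
                Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e2.getCallback().toString(), e2});
                if (contextManager != null) {
                    contextManager.setRootException(e2);
                }
                this.succeeded = false;
                throw new WSLoginFailedException(e2.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e2.getMessage(), e2);
            }
        }
        // NOTE(review): assumes the first callback stored under CALLBACK_KEY is a
        // WSProtocolPolicyCallback; an array put there by another module with a different layout
        // fails here with an unchecked exception outside the try block below.
        this.csiv2PerformPolicy = (CSIv2PerformPolicy) ((WSProtocolPolicyCallback) callbackArr[0]).getProtocolPolicy();
        try {
            // A null policy is only tolerated when WSS token propagation is on (short-circuit);
            // otherwise the dereference fails and is reported through the generic catch below.
            if (this.wssTokenPropagationEnabled || this.csiv2PerformPolicy.performAuthorizationToken()) {
                String serviceCfgList = null;
                if (this.csiv2PerformPolicy != null) {
                    serviceCfgList = this.csiv2PerformPolicy.getServiceCfgList();
                }
                final WSCredential credential = SubjectHelper.getWSCredentialFromSubject(this.subject);
                if ((this.wssTokenPropagationEnabled || serviceCfgList != null) && credential != null && credential.isForwardable()) {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "The following ServiceConfiguration list was received: " + serviceCfgList);
                    }
                    if (!credential.isBasicAuth()) {
                        try {
                            final boolean createSsoToken = this.ssoEnabled;
                            AccessController.doPrivileged(new PrivilegedExceptionAction() {
                                @Override
                                public Object run() throws WSSecurityException, WSLoginFailedException, CredentialExpiredException {
                                    GSSCredential gssCredential;
                                    AuthorizationToken defaultAuthzToken = SubjectHelper.getDefaultAuthzTokenFromSubject(subject);
                                    AuthenticationToken defaultAuthToken = SubjectHelper.getDefaultAuthTokenFromSubject(subject);
                                    SingleSignonToken defaultSsoToken = SubjectHelper.getDefaultSSOTokenFromSubject(subject);
                                    KerberosTokenImpl kerberosTokenImpl = null;
                                    if (spnegoLTPASupport && (gssCredential = SubjectHelper.getGSSCredentialFromSubject(subject)) != null) {
                                        kerberosTokenImpl = new KerberosTokenImpl();
                                        kerberosTokenImpl.initializeToken(gssCredential);
                                    }
                                    // Each token is created only when the Subject has no default one yet.
                                    if (defaultAuthzToken == null) {
                                        if (debug || tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Creating AuthorizationToken for outbound request.");
                                        }
                                        authzToken = contextManager.getWSCredTokenMapper().createAuthzTokenFromWSCredential(credential);
                                    }
                                    if (defaultAuthToken == null && credential.getCredentialToken() != null) {
                                        if (debug || tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Creating AuthenticationToken for outbound request.");
                                        }
                                        authToken = contextManager.getWSCredTokenMapper().createAuthTokenFromWSCredential(credential);
                                    }
                                    if (defaultSsoToken == null && createSsoToken) {
                                        if (debug || tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Creating SingleSignonToken for outbound request.");
                                        }
                                        ssoToken = contextManager.getWSCredTokenMapper().createSSOTokenFromWSCredential(credential);
                                        String processType = SecurityObjectLocator.getAdminData().getString(AdminData.PROCESS_TYPE);
                                        if (processType != null && (processType.equals("ManagedProcess") || processType.equals(com.ibm.websphere.management.AdminConstants.STANDALONE_PROCESS))) {
                                            String serverName = SecurityObjectLocator.getAdminData().getString("process.serverName");
                                            if (serverName != null) {
                                                ssoToken.addAttribute("process.serverName", serverName);
                                            } else if (debug || tc.isDebugEnabled()) {
                                                Tr.debug(tc, "Cannot add serverName to SSO token, config property is null.");
                                            }
                                            Properties connectorProps = (Properties) security.getObject("process.jmxConnectorProps");
                                            if (connectorProps != null) {
                                                ssoToken.addAttribute("type", (String) connectorProps.get("type"));
                                                ssoToken.addAttribute("host", (String) connectorProps.get("host"));
                                                ssoToken.addAttribute("port", (String) connectorProps.get("port"));
                                            } else if (debug || tc.isDebugEnabled()) {
                                                Tr.debug(tc, "Cannot add connectorProps to SSO token, config property is null.");
                                            }
                                            long expiration = credential.getExpiration();
                                            if (expiration <= 0) {
                                                // No expiration on the credential: fall back to now plus the
                                                // LTPA "timeout" setting, which is multiplied as minutes.
                                                expiration = System.currentTimeMillis() + (Long.valueOf(security.getAuthMechanism("LTPA").getLong("timeout")).longValue() * 60 * 1000);
                                            }
                                            ssoToken.addAttribute(AttributeNameConstants.WSTOKEN_EXPIRATION, Long.toString(expiration));
                                            if (kerberosTokenImpl != null && spnegoLTPASupport) {
                                                if (debug || tc.isDebugEnabled()) {
                                                    Tr.debug(tc, "gssCredential exists, mark SSO token");
                                                }
                                                ssoToken.addAttribute(CommonConstants.SSO_SPNEGO, "true");
                                            }
                                        } else if (debug || tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Not adding connector properties to SSO token, process type: " + processType);
                                        }
                                    }
                                    addPrivateCredential(authzToken);
                                    addPrivateCredential(authToken);
                                    addPrivateCredential(ssoToken);
                                    if (kerberosTokenImpl == null || !spnegoLTPASupport) {
                                        return null;
                                    }
                                    KerberosServiceTicketImpl serviceTicket = new KerberosServiceTicketImpl(kerberosTokenImpl, csiv2PerformPolicy);
                                    subject.getPrivateCredentials().remove(kerberosTokenImpl);
                                    subject.getPrivateCredentials().add(serviceTicket);
                                    return null;
                                }
                            });
                        } catch (PrivilegedActionException e3) {
                            // NOTE(review): a failure while creating the tokens - the action declares
                            // CredentialExpiredException and WSLoginFailedException - is only recorded
                            // here; login() still goes on to build the opaque token from the Subject.
                            // Confirm that continuing after an expired credential is intended.
                            FFDCFilter.processException(e3.getException(), "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule", "410");
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Error creating default authz and auth tokens.", new Object[]{e3.getException()});
                            }
                        }
                    }
                    byte[] opaqueToken = WSOpaqueTokenHelper.getInstance().createOpaqueTokenFromSubject(this.subject);
                    if (opaqueToken != null) {
                        this.opaqueTokenHolder = new TokenHolder(opaqueToken, WSOpaqueTokenHelper.getInstance().getOpaqueTokenName(), WSOpaqueTokenHelper.getInstance().getOpaqueTokenVersion());
                        this.sharedState.put("WSOPAQUE", this.opaqueTokenHolder);
                        if (this.debug || tc.isEntryEnabled()) {
                            Tr.exit(tc, "Opaque token generated, propagating security attributes.");
                        }
                    } else if (this.debug || tc.isEntryEnabled()) {
                        Tr.exit(tc, "Opaque token is null, not propagating security attributes.");
                    }
                } else if (this.debug || tc.isEntryEnabled()) {
                    // NOTE(review): the credential object itself is handed to the trace call.
                    Tr.exit(tc, "Not processing the authz token.", new Object[]{serviceCfgList, credential});
                }
            } else if (WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled() && !this.csiv2PerformPolicy.performAuthorizationToken() && (this.debug || tc.isDebugEnabled())) {
                Tr.debug(tc, "Target server does not support authorization token.");
            }
            this.succeeded = true;
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login() succeeded.");
            }
            return this.succeeded;
        } catch (WSLoginFailedException e4) {
            FFDCFilter.processException(e4, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.login", "443", this);
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "WSLoginFailedException creating SAP tokens from WSCredential.", new Object[]{e4});
            }
            this.succeeded = false;
            throw e4;
        } catch (Exception e5) {
            FFDCFilter.processException(e5, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.login", "450", this);
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "Exception creating SAP tokens from WSCredential.", new Object[]{e5});
            }
            this.succeeded = false;
            throw new WSLoginFailedException(e5.getMessage(), e5);
        }
    }

    /**
     * Adds the opaque token holder produced by {@link #login()} to the Subject.
     *
     * @return {@code true} when the commit completed or there was nothing to commit;
     *         {@code false} when login had not succeeded or the Subject could not be updated
     * @throws LoginException declared by the interface; failures in this method are logged and
     *                        reported through the return value
     */
    @Override
    public boolean commit() throws LoginException {
        boolean result;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        boolean rmiPropagationEnabled = WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled();
        if (!rmiPropagationEnabled && !this.wssTokenPropagationEnabled) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Attribute propagation is disabled locally.");
            }
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "commit()");
            }
            this.commitSucceeded = true;
            return this.commitSucceeded;
        }
        // The WSS flag and the null check come first: login() accepts a null protocol policy when
        // WSS token propagation is enabled, so the policy must not be dereferenced blindly here.
        if (rmiPropagationEnabled && !this.wssTokenPropagationEnabled && this.csiv2PerformPolicy != null && !this.csiv2PerformPolicy.performAuthorizationToken()) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Attribute propagation is disabled remotely.");
            }
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "commit()");
            }
            this.commitSucceeded = true;
            return this.commitSucceeded;
        }
        if (this.succeeded) {
            if (this.commitSucceeded) {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "It has been committed prior this call, nothing is done.");
                }
            } else {
                if (this.opaqueTokenHolder == null) {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Authorization token is null, returning from commit.");
                    }
                    this.commitSucceeded = true;
                    return this.commitSucceeded;
                }
                try {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Start committing the changes to the Subject ...");
                    }
                    try {
                        AccessController.doPrivileged(new PrivilegedExceptionAction() {
                            @Override
                            public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                                addPrivateCredential(opaqueTokenHolder);
                                return null;
                            }
                        });
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Change committed!");
                        }
                        this.commitSucceeded = true;
                    } catch (PrivilegedActionException e) {
                        FFDCFilter.processException(e.getException(), "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.commit", "553", this);
                        ContextManager contextManager = ContextManagerFactory.getInstance();
                        if (contextManager != null) {
                            contextManager.setRootException(e.getException());
                        }
                        throw new WSLoginFailedException(e.getException().getMessage(), e.getException());
                    }
                } catch (Exception e2) {
                    // Includes the WSLoginFailedException thrown just above: the failure is logged,
                    // the Subject is cleaned up and commit() reports false instead of throwing.
                    FFDCFilter.processException(e2, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.commit", "569", this);
                    Tr.error(tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e2});
                    cleanup();
                    this.commitSucceeded = false;
                }
            }
            result = this.commitSucceeded;
        } else {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Do not commit because of authentication failed.");
            }
            result = false;
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        // The tokens now live in the Subject; drop the module's own references. As a consequence
        // a later logout() no longer knows them and removes only the opaque token holder.
        this.authToken = null;
        this.authzToken = null;
        this.ssoToken = null;
        return result;
    }

    /**
     * Undoes the effects of {@link #login()} when the overall authentication failed.
     *
     * @return always {@code true}
     */
    @Override
    public boolean abort() throws LoginException {
        return cleanupIfPropagating("abort()");
    }

    /**
     * Removes what this module added to the Subject and resets its state.
     *
     * @return always {@code true}
     */
    @Override
    public boolean logout() throws LoginException {
        // The original traced "abort()" on the early-exit path of logout(); the shared helper
        // traces the name of the method that was actually called.
        return cleanupIfPropagating("logout()");
    }

    /**
     * Shared body of {@link #abort()} and {@link #logout()}: runs {@link #cleanup()} when RMI
     * outbound propagation is enabled and traces entry/exit under {@code traceName}.
     */
    private boolean cleanupIfPropagating(String traceName) {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, traceName);
        }
        // NOTE(review): login() and commit() also do their work when only WSS token propagation is
        // enabled, but this gate looks at the RMI setting alone. With RMI propagation off and a WSS
        // marker present, the credentials added to the Subject are not removed here - confirm
        // whether that is intended before relying on logout() to clear them.
        if (WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled()) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Cleanup the Subject, removes WSPrincipal and WSCredential from the Subject, reset all internal variables.");
                Tr.debug(tc, "Start cleanup ...");
            }
            cleanup();
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Cleanup done.");
            }
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, traceName);
        }
        return true;
    }

    /**
     * Removes the tokens this module still references from the Subject's private credentials and
     * resets the per-login state. Errors while removing are logged, never thrown.
     */
    private void cleanup() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        this.wssTokenPropagationEnabled = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing AuthorizationToken from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                try {
                    removePrivateCredential(opaqueTokenHolder);
                    removePrivateCredential(authToken);
                    removePrivateCredential(authzToken);
                    removePrivateCredential(ssoToken);
                    return null;
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.cleanup", "735", this);
                    Tr.error(tc, "security.jaas.removeCredException", new Object[]{getClass().getName(), e});
                    return null;
                }
            }
        });
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        this.opaqueTokenHolder = null;
        // Also drop the token references. Left in place after an aborted login, a stale token
        // would be added to the Subject again by the next login() on this instance whenever the
        // Subject already carries a default token of that kind and no new one is created.
        this.authToken = null;
        this.authzToken = null;
        this.ssoToken = null;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }

    /** Adds {@code credential} to the Subject's private credentials unless it is null or already present. */
    private void addPrivateCredential(Object credential) {
        if (credential != null && !this.subject.getPrivateCredentials().contains(credential)) {
            this.subject.getPrivateCredentials().add(credential);
        }
    }

    /** Removes {@code credential} from the Subject's private credentials when it is non-null and present. */
    private void removePrivateCredential(Object credential) {
        if (credential != null && this.subject.getPrivateCredentials().contains(credential)) {
            this.subject.getPrivateCredentials().remove(credential);
        }
    }

    /**
     * Looks up a {@link WSSMarkerObject} among the Subject's private credentials.
     *
     * @param subject the Subject to inspect; may be {@code null}
     * @return the first marker found, or {@code null} when the Subject is null, holds no marker or
     *         the lookup fails
     */
    private WSSMarkerObject getWSSMarkerFromSubject(final Subject subject) {
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject is null, so no WSSMarkerObject returned.");
            }
            return null;
        }
        try {
            return (WSSMarkerObject) AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    Set<WSSMarkerObject> markers = subject.getPrivateCredentials(WSSMarkerObject.class);
                    if (markers != null && !markers.isEmpty()) {
                        WSSMarkerObject marker = markers.iterator().next();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "WSSMarkerObject present in Subject.");
                        }
                        return marker;
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "WSSMarkerObject not present in Subject.");
                    }
                    return null;
                }
            });
        } catch (Exception e) {
            // A failed lookup is treated the same as "no marker": WSS propagation stays off.
            FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule.getWSSMarkerFromSubject", "800");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting WSSMarkerObject from Subject.", new Object[]{e});
            }
            return null;
        }
    }
}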
