package com.ibm.wsspi.wssecurity.token;

import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SecurityCache;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.Constants;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGenerator;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGeneratorImpl;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditService;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditServiceImpl;
import com.ibm.ws.webservices.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.webservices.wssecurity.token.LoginProcessor;
import com.ibm.ws.webservices.wssecurity.token.TokenManager;
import com.ibm.ws.webservices.wssecurity.util.ConfigConstants;
import com.ibm.ws.webservices.wssecurity.util.DOMUtil;
import com.ibm.ws.webservices.wssecurity.util.IdUtil;
import com.ibm.ws.wssecurity.xss4j.dsig.util.Base64;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.webservices.rpc.handler.soap.SOAPMessageContext;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.TokenPropagationCallbackHandler;
import com.ibm.wsspi.wssecurity.auth.token.LTPAToken;
import com.ibm.wsspi.wssecurity.auth.token.LTPATokenWrapper;
import com.ibm.wsspi.wssecurity.config.TokenConsumerConfig;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.lang.reflect.Method;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.eclipse.jst.j2ee.internal.web.operations.CreateServletTemplateModel;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:com.ibm.ws.admin.client_7.0.0.jar:com/ibm/wsspi/wssecurity/token/LTPATokenConsumer.class */
public class LTPATokenConsumer implements TokenConsumerComponent {
    // Component prefix. No visible code references this field by name, although the same literal
    // prefixes the message keys and the "...LTPA Token validation failed" text used in invoke().
    private static final String comp = "security.wssecurity";
    // Set to true by the first init() call; within this class only init() reads it.
    private boolean _initialized = false;
    // Trace handle for every entry/exit/debug/warning record this class writes.
    private static final TraceComponent tc = Tr.register(LTPATokenConsumer.class, ConfigConstants.TR_GROUP, ConfigConstants.TR_NLSPROPS);
    // Fully-qualified class name, used as an FFDC source id and as an argument of error messages.
    private static final String clsName = LTPATokenConsumer.class.getName();

    /* loaded from: input_file:com.ibm.ws.admin.client_7.0.0.jar:com/ibm/wsspi/wssecurity/token/LTPATokenConsumer$_wsCredToken.class */
    /**
     * Holder for the credential-token mapper, created reflectively the first time this
     * holder class is initialized.
     *
     * <p>Any {@link Exception} raised while loading, instantiating or casting the mapper is
     * reported through FFDC and otherwise swallowed, so {@code _wsCredTokenMapper} can be
     * {@code null}. Code that reads the field has to handle that case explicitly.
     */
    private static class _wsCredToken {
        static WSCredentialTokenMapperInterface _wsCredTokenMapper;

        static {
            WSCredentialTokenMapperInterface loaded = null;
            try {
                Object candidate = Class.forName("com.ibm.ws.security.token.WSCredentialTokenMapper").newInstance();
                if (LTPATokenConsumer.tc.isDebugEnabled()) {
                    Tr.debug(LTPATokenConsumer.tc, "Got instance of WSCredTokenMapper.");
                }
                // A class of the wrong type fails here and is handled like any other load failure.
                loaded = (WSCredentialTokenMapperInterface) candidate;
            } catch (Exception e) {
                FFDCFilter.processException(e, LTPATokenConsumer.clsName + CreateServletTemplateModel.INIT, "797");
            }
            _wsCredTokenMapper = loaded;
        }

        /** Not instantiable; the class only exists to hold the static mapper reference. */
        private _wsCredToken() {
        }
    }

    /* loaded from: input_file:com.ibm.ws.admin.client_7.0.0.jar:com/ibm/wsspi/wssecurity/token/LTPATokenConsumer$getLTPAMethod.class */
    /**
     * Resolves, once and inside a privileged block, the reflective handles used to validate
     * a plain LTPA token: the {@code LTPAServerObject} class, the object returned by its static
     * {@code getLTPAServer} method, and its {@code validateToken(byte[])} method.
     *
     * <p>A failure in any step is rethrown as {@link UndeclaredThrowableException} from the
     * static initializer, so initialization of this holder class fails rather than leaving
     * partially resolved handles behind. The class is loaded through the thread context class
     * loader when one is set, which makes the validator that gets bound depend on the loader
     * active at first use.
     */
    private static class getLTPAMethod {
        private static final String LTPA_SERVER_OBJECT_CLASS = "com.ibm.ws.security.ltpa.LTPAServerObject";
        private static Class _ltpaServerObjectClass = null;
        private static Method _validateLTPATokenMethod = null;
        private static Method _getLTPAServerMethod = null;
        private static Object _ltpaServerObject = null;

        static {
            AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    // Step 1: locate the server-object class, preferring the context class loader.
                    if (_ltpaServerObjectClass == null) {
                        try {
                            ClassLoader tccl = Thread.currentThread().getContextClassLoader();
                            if (tccl == null) {
                                _ltpaServerObjectClass = Class.forName(LTPA_SERVER_OBJECT_CLASS);
                            } else {
                                _ltpaServerObjectClass = tccl.loadClass(LTPA_SERVER_OBJECT_CLASS);
                            }
                        } catch (Exception loadFailure) {
                            throw new UndeclaredThrowableException(loadFailure);
                        }
                    }

                    // Step 2: look up the static accessor and call it to obtain the server object.
                    if (_getLTPAServerMethod == null && _ltpaServerObjectClass != null) {
                        try {
                            _getLTPAServerMethod = _ltpaServerObjectClass.getMethod("getLTPAServer", new Class[0]);
                            if (_getLTPAServerMethod != null) {
                                _ltpaServerObject = _getLTPAServerMethod.invoke(null, new Object[0]);
                            }
                        } catch (Exception accessorFailure) {
                            throw new UndeclaredThrowableException(accessorFailure);
                        }
                    }

                    // Step 3: look up the validator that takes the raw token bytes.
                    if (_validateLTPATokenMethod == null && _ltpaServerObjectClass != null) {
                        try {
                            _validateLTPATokenMethod = _ltpaServerObjectClass.getMethod("validateToken", byte[].class);
                        } catch (Exception validatorFailure) {
                            throw new UndeclaredThrowableException(validatorFailure);
                        }
                    }
                    return null;
                }
            });
        }

        /** Not instantiable; the class only holds the static reflective handles. */
        private getLTPAMethod() {
        }
    }

    /**
     * Marks this consumer as initialized.
     *
     * <p>The configuration map is not read, and repeated calls change nothing after the first.
     *
     * @param map component configuration; unused here
     * @throws SoapSecurityException declared by the interface; not thrown by this implementation
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        final String signature = "init(Map map)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, signature);
        }
        boolean firstCall = !this._initialized;
        if (firstCall) {
            this._initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, signature);
        }
    }

    /**
     * Consumes one LTPA security-token element from an inbound message.
     *
     * <p>The element's text is Base64-decoded and its {@code ValueType} attribute selects one of two paths:
     * <ul>
     *   <li>LTPA propagation token: the bytes are unpacked into a token-holder list, a cached Subject is
     *       looked up through the cache key carried in that list, and when no usable Subject is found a
     *       JAAS login is run with a {@link TokenPropagationCallbackHandler};</li>
     *   <li>plain LTPA token: the bytes are wrapped in an {@link LTPAToken} and, unless a caller
     *       configuration names the same token type, passed to the reflectively resolved
     *       {@code validateToken} method.</li>
     * </ul>
     * The token is handed to {@code setTokenToSubject}, and SECURITY_AUTHN audit events are sent when the
     * audit service reports them as required.
     *
     * @param node the token element; a node that is not an element is only traced at debug level and the
     *             method then returns normally without producing a token
     * @param map  message context; the {@link TokenConsumerConfig} entry is removed from it
     * @throws SoapSecurityException if the configured or received value type is unsupported, the decoded
     *                               token is empty, the JAAS login fails, or token validation fails
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSConsumerComponent
    public void invoke(Node node, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke(Node target[" + DOMUtil.getDisplayName(node) + "], Map context)");
        }
        // The config is taken out of the context, not just read. It is dereferenced below without a null
        // check, so a context that lacks the entry ends in a NullPointerException, not a SoapSecurityException.
        final TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) map.remove(TokenConsumerConfig.CONFIG_KEY);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "TokenConsumerConfig [" + tokenConsumerConfig + "].");
        }
        // Configured value type: absent means plain LTPA; anything other than the two LTPA types is rejected.
        QName type = tokenConsumerConfig.getType();
        if (type == null) {
            type = Constants.LTPA_TOKEN;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No token value type defined in the Token Consumer configuration, defualt [" + Constants.LTPA_TOKEN.toString() + "] is used.");
            }
        } else if (!type.equals(Constants.LTPA_TOKEN) && !type.equals(Constants.LTPA_TOKEN_PROPAGATION)) {
            throw SoapSecurityException.format("security.wssecurity.WSEC0162E", new String[]{type.toString(), clsName, Constants.LTPA_TOKEN.toString() + ", " + Constants.LTPA_TOKEN_PROPAGATION.toString()});
        }
        // 1 is org.w3c.dom.Node.ELEMENT_NODE. The else branch at the end of the method only writes a debug
        // trace, so a normal return does not by itself mean that a token was consumed.
        if (node.getNodeType() == 1) {
            Element element = (Element) node;
            String idAttributeName = IdUtil.getInstance().getIdAttributeName(element);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
            }
            String attribute = idAttributeName != null ? element.getAttribute(idAttributeName) : null;
            final byte[] decode = Base64.decode(DOMUtil.getStringValue(node));
            if (tc.isDebugEnabled()) {
                // String concatenation of a byte[] prints the array's identity, not the token bytes.
                Tr.debug(tc, "Base64-decoded binary credential [" + decode + "]");
            }
            if (decode == null || decode.length == 0) {
                throw SoapSecurityException.format("security.wssecurity.WSEC0163E");
            }
            int i = 0;
            Object obj = map.get(Constants.WSS_VERSION);
            if (obj != null && (obj instanceof Integer)) {
                i = ((Integer) obj).intValue();
            }
            // The ValueType attribute of the received element, not the configured type, selects the path.
            // NOTE(review): qName is checked against the two LTPA constants but never against `type`;
            // confirm whether a consumer configured for one value type is meant to accept the other.
            QName qName = DOMUtil.getQName(element, element.getAttribute("ValueType"), i);
            boolean z = false;
            if (qName == null) {
                throw SoapSecurityException.format("security.wssecurity.WSEC0164E", new String[]{type.toString()});
            }
            if (!Constants.LTPA_TOKEN.equals(qName)) {
                if (!Constants.LTPA_TOKEN_PROPAGATION.equals(qName)) {
                    throw SoapSecurityException.format("security.wssecurity.WSEC0165E", new String[]{type.toString(), clsName, Constants.LTPA_TOKEN.toString() + ", " + Constants.LTPA_TOKEN_PROPAGATION.toString()});
                }
                z = true;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "token propagation is " + z);
            }
            // NOTE(review): a final local that is assigned again below is not valid Java; this looks like a
            // decompilation artifact, so the variable layout of the original source may differ.
            final LTPAToken lTPAToken = null;
            if (z) {
                // ---- Propagation token: reuse a cached Subject or run a JAAS login. ----
                Subject subject = null;
                Object[] objArr = null;
                String str = null;
                ArrayList arrayList = null;
                WSCredentialTokenMapperInterface wSCredentialTokenMapperInterface = _wsCredToken._wsCredTokenMapper;
                SecurityCache securityCache = ContextManagerFactory.getInstance().getSecurityCache();
                try {
                    arrayList = WSOpaqueTokenHelper.getInstance().createTokenHolderListFromOpaqueToken(decode);
                    // null is passed for the token bytes, so the helper's check that the cached Subject
                    // carries a matching LTPA token does not run; the lookup relies on the cache key alone.
                    // NOTE(review): this is only safe if createTokenHolderListFromOpaqueToken authenticates
                    // the opaque token before yielding the key; not visible here, confirm.
                    objArr = getSubjectFromTokenHolderCacheKey(null, arrayList);
                } catch (WSSecurityException e) {
                    // Unpacking/lookup failures are only traced; arrayList may stay null and the login below runs.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Caught WSSecurityException trying to get cached Subject: " + e);
                    }
                } catch (Exception e2) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Caught Exception trying to get cached Subject: " + e2);
                    }
                }
                if (objArr != null) {
                    subject = (Subject) objArr[0];
                    str = (String) objArr[1];
                }
                if (subject != null) {
                    WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                    // Return value is discarded in the decompiled code.
                    SubjectHelper.getPrincipalFromSubject(subject);
                    if (wSCredentialFromSubject != null) {
                        boolean isDestroyed = wSCredentialFromSubject.isDestroyed();
                        boolean z2 = false;
                        try {
                            z2 = wSCredentialFromSubject.isForwardable();
                        } catch (Exception e3) {
                            // A credential that cannot answer is treated as destroyed, which forces a new login.
                            isDestroyed = true;
                        }
                        // z3 stays false when the cache or the mapper is unavailable or the check throws,
                        // so a forwardable credential is then discarded below.
                        boolean z3 = false;
                        if (securityCache != null && wSCredentialTokenMapperInterface != null) {
                            try {
                                z3 = wSCredentialTokenMapperInterface.checkCushionValidityOfAllTokens(subject, securityCache.getCushion());
                            } catch (WSLoginFailedException e4) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Exception when running checkCushionValidityOfAllTokens");
                                }
                            }
                        }
                        if (tc.isDebugEnabled()) {
                            if (z2) {
                                Tr.debug(tc, "credential is forwardable, subject valid = " + z3);
                            } else {
                                Tr.debug(tc, "non-forwardable Subject");
                            }
                        }
                        // The token-validity result only matters for forwardable credentials; a
                        // non-forwardable, non-destroyed credential keeps the cached Subject.
                        if (isDestroyed || (z2 && !z3)) {
                            subject = null;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Cached subject is valid.");
                        }
                    } else {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "No WSCredential in Subject, logging in again.");
                        }
                        subject = null;
                    }
                }
                // NOTE(review): when the cached Subject is kept, this block is skipped and lTPAToken is
                // still null at the privileged call below, which would throw a NullPointerException as the
                // code is decompiled here. Confirm against the original source.
                if (subject == null) {
                    String jAASConfig = tokenConsumerConfig.getJAASConfig();
                    if (jAASConfig == null || jAASConfig.length() == 0) {
                        jAASConfig = Constants.DEFAULT_INBOUND_PROPAGATION_JAAS_CONFIG;
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Using JAAS config: " + jAASConfig);
                    }
                    int size = arrayList != null ? arrayList.size() : 0;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "tokenList size = " + size);
                    }
                    // Pick the authorization token's bytes out of the list; the last matching holder wins.
                    byte[] bArr = null;
                    for (int i2 = 0; i2 < size; i2++) {
                        Object obj2 = arrayList.get(i2);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "tokenList object [" + i2 + "] = " + obj2.getClass().getName());
                        }
                        if (obj2 instanceof TokenHolder) {
                            TokenHolder tokenHolder = (TokenHolder) obj2;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "th[" + i2 + "].name = " + tokenHolder.getName());
                                Tr.debug(tc, "th[" + i2 + "].version = " + tokenHolder.getVersion());
                            }
                            if (AttributeNameConstants.WSAUTHZTOKEN_NAME.equals(tokenHolder.getName())) {
                                bArr = tokenHolder.getBytes();
                                if (tc.isDebugEnabled()) {
                                    if (bArr == null || bArr.length <= 0) {
                                        Tr.debug(tc, "Cred bytes from authz TokenHolder was null or zero-length");
                                    } else {
                                        Tr.debug(tc, "Got cred bytes from authz TokenHolder");
                                    }
                                }
                            }
                        }
                    }
                    try {
                        LoginContext loginContext = new LoginContext(jAASConfig, new TokenPropagationCallbackHandler(map, arrayList, bArr));
                        loginContext.login();
                        Subject subject2 = loginContext.getSubject();
                        subject = subject2;
                        if (str == null || str.length() == 0) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "No cache key string found in token list; will not cache new subject.");
                            }
                        } else if (securityCache != null) {
                            // NOTE(review): the cache key is written to the debug trace here, and the lookup
                            // above returns a Subject for that key alone; treat traces as sensitive.
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Caching new subject with cache key string: " + str);
                            }
                            securityCache.insert(subject2, new Object[]{str});
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Not caching new subject because Securitycache instance is null.");
                        }
                        WSCredential wSCredentialFromSubject2 = SubjectHelper.getWSCredentialFromSubject(subject2);
                        WSPrincipal principalFromSubject = SubjectHelper.getPrincipalFromSubject(subject2);
                        lTPAToken = new LTPATokenWrapper(attribute, null, wSCredentialFromSubject2, principalFromSubject);
                        if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)) {
                            Map<String, Object> auditEventContext = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "AuthnType", tokenConsumerConfig.getType().toString());
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, WSSAuditEventGenerator.TOKEN_ID, lTPAToken.getId());
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, WSSAuditEventGenerator.USERNAME, principalFromSubject.getName());
                            WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext, jAASConfig, "SUCCESS");
                            WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, (SOAPMessageContext) map.get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_MESSAGE_CONTEXT), map);
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Auditing SECURITY_AUTHN event not enabled.");
                        }
                    } catch (LoginException e5) {
                        if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                            Map<String, Object> auditEventContext2 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, e5.toString());
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext2, "AuthnType", type.toString());
                            // NOTE(review): provider data is recorded as "SUCCESS" on a DENIED event, while the
                            // ERROR event further down uses "FAILURE"; confirm the intended provider status.
                            WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext2, jAASConfig, "SUCCESS");
                            WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, (SOAPMessageContext) map.get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_MESSAGE_CONTEXT), map);
                        }
                        Tr.processException(e5, LTPATokenConsumer.class.getName() + ".invoke()", "396", this);
                        // The login failure's class name and message are copied into the thrown exception;
                        // NOTE(review): check whether that text can reach the remote caller in a fault.
                        throw new SoapSecurityException("Error logging in: " + e5.getClass().getName() + ": " + e5.getMessage());
                    }
                }
                final LTPAToken lTPAToken2 = lTPAToken;
                AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.LTPATokenConsumer.1
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        lTPAToken2.setUsedTokenConsumer(tokenConsumerConfig);
                        return null;
                    }
                });
                setTokenToSubject(map, lTPAToken);
                if (subject != null) {
                    LoginProcessor.addToSubject(map, subject);
                }
            } else {
                // ---- Plain LTPA token: wrap the bytes and validate them unless a caller config takes over. ----
                lTPAToken = new LTPAToken(attribute, null);
                // The decouple property defaults to true, in which case the token keeps a clone of the element.
                Boolean bool = (Boolean) tokenConsumerConfig.getProperties().get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_DECOUPLE_TOKEN);
                lTPAToken.setElement(!(bool != null ? bool.booleanValue() : true) ? element : DOMUtil.clone(element));
                AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.LTPATokenConsumer.2
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        lTPAToken.setUsedTokenConsumer(tokenConsumerConfig);
                        return null;
                    }
                });
                // The token is stored in the context before any validation has run.
                setTokenToSubject(map, lTPAToken);
                AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.LTPATokenConsumer.3
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        lTPAToken.setBytes(decode);
                        return null;
                    }
                });
                // z4 becomes true when a caller configuration names this token type; validation is then
                // skipped here. NOTE(review): presumably caller processing validates the token later;
                // that code is not in this file, confirm. The consumer config is dereferenced unchecked.
                Set callers = ((WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey")).getCallers();
                boolean z4 = false;
                if (callers != null) {
                    Iterator it = callers.iterator();
                    while (true) {
                        if (it.hasNext()) {
                            if (((WSSConsumerConfig.CallerConfig) it.next()).getTokenType().equals(qName)) {
                                z4 = true;
                                break;
                            }
                        } else {
                            break;
                        }
                    }
                }
                if (!z4) {
                    Object obj3 = null;
                    try {
                        // If either reflective handle is missing, nothing is invoked and obj3 stays null,
                        // which the check below treats as a validation failure.
                        Method method = getLTPAMethod._validateLTPATokenMethod;
                        Object obj4 = getLTPAMethod._ltpaServerObject;
                        if (method != null && obj4 != null) {
                            obj3 = method.invoke(obj4, decode);
                        }
                        // NOTE(review): the SUCCESS audit event is sent before obj3 is inspected. A null
                        // result therefore records SUCCESS and then DENIED, and the exception thrown for it
                        // is presumably caught by the catch below, adding an ERROR event. Audit consumers
                        // should not read a SUCCESS record from this path as proof of validation.
                        if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)) {
                            Map<String, Object> auditEventContext3 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext3, "AuthnType", tokenConsumerConfig.getType().toString());
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext3, WSSAuditEventGenerator.TOKEN_ID, attribute);
                            WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext3, tokenConsumerConfig.getJAASConfig(), "SUCCESS");
                            WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, (SOAPMessageContext) map.get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_MESSAGE_CONTEXT), map);
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Auditing SECURITY_AUTHN event not enabled.");
                        }
                        if (obj3 == null) {
                            if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                                Map<String, Object> auditEventContext4 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, null);
                                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext4, "AuthnType", type.toString());
                                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext4, WSSAuditEventGenerator.TOKEN_ID, lTPAToken.getId());
                                // NOTE(review): "SUCCESS" provider data on a DENIED event; confirm intent.
                                WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext4, tokenConsumerConfig.getJAASConfig(), "SUCCESS");
                                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, (SOAPMessageContext) map.get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_MESSAGE_CONTEXT), map);
                            }
                            // The message text looks like the `comp` constant joined to the sentence without a separator.
                            throw new SoapSecurityException("security.wssecurityLTPA Token validation failed");
                        }
                    } catch (Exception e6) {
                        // Every failure, including one raised by the reflective call, is reported to the
                        // caller with the same generic message; the cause is kept only in the audit event.
                        if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.ERROR)) {
                            Map<String, Object> auditEventContext5 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.ERROR, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, e6.toString());
                            WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext5, "AuthnType", tokenConsumerConfig.getType().toString());
                            WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext5, tokenConsumerConfig.getJAASConfig(), "FAILURE");
                            WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, (SOAPMessageContext) map.get(com.ibm.wsspi.wssecurity.Constants.WSSECURITY_MESSAGE_CONTEXT), map);
                        }
                        throw new SoapSecurityException("security.wssecurityLTPA Token validation failed");
                    }
                }
            }
            // A JAAS config set on a plain (non-propagation) consumer triggers a warning, but the call is
            // gated on the debug level, so the warning is only written when debug tracing is on.
            String jAASConfig2 = tokenConsumerConfig.getJAASConfig();
            if (jAASConfig2 != null && !z && tc.isDebugEnabled()) {
                Tr.warning(tc, "security.wssecurity.LTPATokenConsumer.s01", jAASConfig2);
            }
            if (tokenConsumerConfig.getTrustedIDEvaluator() != null) {
                // NOTE(review): the evaluator receives the fixed literal "***", not an identity taken
                // from the token, so the trusted flag does not depend on who the token belongs to.
                // This may be a redaction or decompilation artifact; confirm against the original.
                final boolean evaluate = tokenConsumerConfig.getTrustedIDEvaluator().evaluate("***");
                final LTPAToken lTPAToken3 = lTPAToken;
                if (!evaluate) {
                    // The message key names UsernameTokenConsumer although this is the LTPA consumer.
                    Tr.warning(tc, "security.wssecurity.UsernameTokenConsumer.s02", new Object[]{attribute});
                }
                AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.LTPATokenConsumer.4
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        lTPAToken3.setTrusted(evaluate);
                        return null;
                    }
                });
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Acquired token is [" + lTPAToken + "].");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "WARNING: Unsupported node type: " + node.getNodeName());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Node target,Map context)");
        }
    }

    /**
     * Hands the consumed token to {@code TokenManager.setToken} together with the context map.
     *
     * <p>Despite its name, this method does not touch a Subject itself; it only delegates.
     *
     * @param map       message context passed through unchanged
     * @param lTPAToken token to record; passed through as given, including {@code null}
     */
    private static void setTokenToSubject(Map map, LTPAToken lTPAToken) {
        TokenManager.setToken(map, lTPAToken);
    }

    /**
     * Looks up a cached Subject through the credential cache key carried in a token-holder list.
     *
     * <p>Each holder named {@code WSCREDENTIAL_CACHE_KEY} is processed in list order: its bytes
     * become the cache key string and the security cache is queried with it. When {@code bArr}
     * is non-null, a Subject is kept only if its credential token or its default SSO token equals
     * {@code bArr}. When {@code bArr} is {@code null} that comparison is skipped entirely and the
     * Subject is returned on the strength of the cache key alone, so callers passing {@code null}
     * must be sure the key came from an authenticated token.
     *
     * <p>The cache key is written to the debug trace. NOTE(review): {@code Arrays.equals} is not a
     * constant-time comparison; if the token check is exercised with caller-supplied bytes,
     * consider whether that matters here.
     *
     * @param bArr token bytes the cached Subject must match, or {@code null} to skip the match
     * @param list token holders; every element is cast to {@link TokenHolder} without a type check
     * @return {@code {subject, cacheKey}} when at least one of them is non-null (the Subject may be
     *         {@code null} while the key is set), otherwise {@code null}
     * @throws Exception whatever the cache, conversion or credential accessors raise
     */
    private Object[] getSubjectFromTokenHolderCacheKey(byte[] bArr, List list) throws Exception {
        final String methodName = "getSubjectFromTokenHolderCacheKey";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, methodName, new Object[]{bArr, list});
        }
        Subject cachedSubject = null;
        String cacheKey = null;
        for (int idx = 0; list != null && idx < list.size(); idx++) {
            TokenHolder holder = (TokenHolder) list.get(idx);
            if (!holder.getName().equals(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY)) {
                continue;
            }
            byte[] keyBytes = holder.getBytes();
            if (keyBytes != null) {
                cacheKey = StringBytesConversion.getConvertedString(keyBytes);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found cache key from token holder list: " + cacheKey);
                }
                cachedSubject = ContextManagerFactory.getInstance().getSecurityCache().getSubject(cacheKey);
            }
            // A Subject found for an earlier holder is still in play when this holder has no bytes.
            if (cachedSubject == null) {
                continue;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found Subject using cacheKey from prop token.");
            }
            if (bArr == null) {
                // No token bytes to compare against: the Subject is accepted as found.
                continue;
            }
            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(cachedSubject);
            SingleSignonToken ssoToken = SubjectHelper.getDefaultSSOTokenFromSubject(cachedSubject);
            boolean credentialMatches = credential != null && Arrays.equals(bArr, credential.getCredentialToken());
            boolean tokenMatches = credentialMatches || (ssoToken != null && Arrays.equals(bArr, ssoToken.getBytes()));
            if (!tokenMatches) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Subject found from cacheKey does not have matching LTPA token.");
                }
                cachedSubject = null;
            }
        }
        Object[] result;
        if (cachedSubject == null && cacheKey == null) {
            result = null;
        } else {
            result = new Object[]{cachedSubject, cacheKey};
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, methodName, result);
        }
        return result;
    }
}
