package com.ibm.ws.webcontainer.security;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.kernel.security.thread.ThreadIdentityException;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.authorization.AuthorizationService;
import com.ibm.ws.security.authorization.jacc.JaccService;
import com.ibm.ws.security.collaborator.CollaboratorUtils;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.threadContext.ComponentMetaDataAccessorImpl;
import com.ibm.ws.webcontainer.osgi.WebContainer;
import com.ibm.ws.webcontainer.osgi.webapp.WebAppConfiguration;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.ChallengeReply;
import com.ibm.ws.webcontainer.security.internal.DenyReply;
import com.ibm.ws.webcontainer.security.internal.FormLoginExtensionProcessor;
import com.ibm.ws.webcontainer.security.internal.FormLogoutExtensionProcessor;
import com.ibm.ws.webcontainer.security.internal.HTTPSRedirectHandler;
import com.ibm.ws.webcontainer.security.internal.PermitReply;
import com.ibm.ws.webcontainer.security.internal.RedirectReply;
import com.ibm.ws.webcontainer.security.internal.ReturnReply;
import com.ibm.ws.webcontainer.security.internal.SRTServletRequestUtils;
import com.ibm.ws.webcontainer.security.internal.TAIChallengeReply;
import com.ibm.ws.webcontainer.security.internal.URLHandler;
import com.ibm.ws.webcontainer.security.internal.WebAppSecurityConfigImpl;
import com.ibm.ws.webcontainer.security.internal.WebReply;
import com.ibm.ws.webcontainer.security.internal.WebSecurityCollaboratorException;
import com.ibm.ws.webcontainer.security.internal.WebSecurityHelperImpl;
import com.ibm.ws.webcontainer.security.jacc.WebAppJaccAuthorizationHelper;
import com.ibm.ws.webcontainer.security.metadata.FormLoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.MatchResponse;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraint;
import com.ibm.ws.webcontainer.security.metadata.SecurityConstraintCollection;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.metadata.WebResourceCollection;
import com.ibm.ws.webcontainer.security.oauth20.OAuth20Service;
import com.ibm.ws.webcontainer.security.openid20.OpenidClientService;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServer;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.webcontainer.RequestProcessor;
import com.ibm.wsspi.webcontainer.collaborator.IWebAppSecurityCollaborator;
import com.ibm.wsspi.webcontainer.extension.ExtensionProcessor;
import com.ibm.wsspi.webcontainer.metadata.WebComponentMetaData;
import com.ibm.wsspi.webcontainer.security.SecurityViolationException;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import com.ibm.wsspi.webcontainer.servlet.IServletContext;
import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.DispatcherType;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.webcontainer.security_1.0.12.cl50920160815-1404.jar:com/ibm/ws/webcontainer/security/WebAppSecurityCollaboratorImpl.class */
public class WebAppSecurityCollaboratorImpl implements IWebAppSecurityCollaborator, WebAppAuthorizationHelper {
    // OSGi service-reference property names read by the set*/unset* binding methods below.
    static final String KEY_ID = "id";
    static final String KEY_SERVICE_ID = "service.id";
    static final String KEY_COMPONENT_NAME = "component.name";
    // Reference names handed to the AtomicServiceReference / ConcurrentServiceReferenceMap trackers.
    public static final String KEY_SECURITY_SERVICE = "securityService";
    public static final String KEY_TAI_SERVICE = "taiService";
    public static final String KEY_INTERCEPTOR_SERVICE = "interceptorService";
    static final String KEY_OAUTH_SERVICE = "oauthService";
    static final String KEY_OIDC_SERVER = "oidcServer";
    static final String KEY_OIDC_CLIENT = "oidcClient";
    static final String KEY_OPENID_CLIENT_SERVICE = "openidClientService";
    static final String KEY_JACC_SERVICE = "jaccService";
    // component.name of the JASPI WebAuthenticator; binding/unbinding it toggles isJaspiEnabled.
    static final String JASPI_SERVICE_COMPONENT_NAME = "com.ibm.ws.security.jaspi";
    public static final String KEY_WEB_AUTHENTICATOR = "webAuthenticator";
    public static final String KEY_UNPROTECTED_RESOURCE_SERVICE = "unprotectedResourceService";
    // Web authenticators keyed by component.name (see setWebAuthenticator).
    protected final ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef;
    // Unprotected-resource services keyed by "urs_" + service.id (see getServiceId).
    protected final ConcurrentServiceReferenceMap<String, UnprotectedResourceService> unprotectedResourceServiceRef;
    protected final AtomicServiceReference<TAIService> taiServiceRef;
    // Trust association interceptors keyed by their "id" property, falling back to component.name.
    protected final ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef;
    protected final AtomicServiceReference<OAuth20Service> oauthServiceRef;
    protected final AtomicServiceReference<OidcServer> oidcServerRef;
    protected final AtomicServiceReference<OidcClient> oidcClientRef;
    protected final AtomicServiceReference<OpenidClientService> openidClientRef;
    protected final AtomicServiceReference<SecurityService> securityServiceRef;
    protected final AtomicServiceReference<JaccService> jaccServiceRef;
    private final String KEY_LOCATION_ADMIN = "locationAdmin";
    private final AtomicServiceReference<WsLocationAdmin> locationAdminRef;
    private static final String AUTH_TYPE = "AUTH_TYPE";
    private static final String ALL_AUTHENTICATED_ROLE = "**";
    private static final String STARSTAR_ROLE = "_starstar_";
    // Rebuilt on activate()/modified(); volatile so request threads observe the replacement.
    protected volatile WebAppSecurityConfig webAppSecConfig;
    protected volatile AuthenticateApi authenticateApi;
    protected volatile PostParameterHelper postParameterHelper;
    protected CollaboratorUtils collabUtils;
    protected SubjectHelper subjectHelper;
    // Thread-context subject access used by preInvoke/postInvoke to save and restore subjects.
    protected SubjectManager subjectManager;
    protected HTTPSRedirectHandler httpsRedirectHandler;
    protected WebAuthenticatorProxy authenticatorProxy;
    protected WebProviderAuthenticatorProxy providerAuthenticatorProxy;
    private UnauthenticatedSubjectService unauthenticatedSubjectService;
    // Authorization delegate: this instance until a JACC service is bound (setJaccService swaps it).
    private WebAppAuthorizationHelper wasch;
    // True while the JASPI WebAuthenticator component is bound.
    private boolean isJaspiEnabled;
    // NOTE(review): this class does not visibly implement Serializable here — confirm whether the id is still needed.
    static final long serialVersionUID = 5956753714072062021L;
    private static final TraceComponent tc = Tr.register(WebAppSecurityCollaboratorImpl.class);
    // Shared immutable replies for the common outcomes.
    private static final WebReply PERMIT_REPLY = new PermitReply();
    private static final WebReply DENY_AUTHN_FAILED = new DenyReply("AuthenticationFailed");
    private static final WebReply DENY_AUTHZ_FAILED = new DenyReply("AuthorizationFailed");
    // NOTE(review): not read anywhere in the visible part of this file.
    private static WebAppSecurityConfig globalConfig = null;

    /**
     * Default constructor (Declarative Services entry point): wires the collaborator
     * with a fresh subject helper, subject manager and HTTPS redirect handler.
     */
    public WebAppSecurityCollaboratorImpl() {
        this(new SubjectHelper(),
             new SubjectManager(),
             new HTTPSRedirectHandler());
    }

    /**
     * Creates a collaborator with the given helpers. Service trackers are created here
     * but only start tracking once {@link #activate} runs.
     *
     * @param subjectHelper        helper for subject inspection
     * @param subjectManager       thread-context subject access
     * @param hTTPSRedirectHandler handler used for HTTPS redirects
     */
    public WebAppSecurityCollaboratorImpl(SubjectHelper subjectHelper, SubjectManager subjectManager, HTTPSRedirectHandler hTTPSRedirectHandler) {
        // Caller-supplied collaborators.
        this.subjectHelper = subjectHelper;
        this.subjectManager = subjectManager;
        this.httpsRedirectHandler = hTTPSRedirectHandler;
        this.collabUtils = new CollaboratorUtils(subjectManager);
        // Service trackers, populated by the DS set*/unset* methods.
        this.webAuthenticatorRef = new ConcurrentServiceReferenceMap<>(KEY_WEB_AUTHENTICATOR);
        this.unprotectedResourceServiceRef = new ConcurrentServiceReferenceMap<>(KEY_UNPROTECTED_RESOURCE_SERVICE);
        this.interceptorServiceRef = new ConcurrentServiceReferenceMap<>(KEY_INTERCEPTOR_SERVICE);
        this.taiServiceRef = new AtomicServiceReference<>(KEY_TAI_SERVICE);
        this.oauthServiceRef = new AtomicServiceReference<>(KEY_OAUTH_SERVICE);
        this.oidcServerRef = new AtomicServiceReference<>(KEY_OIDC_SERVER);
        this.oidcClientRef = new AtomicServiceReference<>(KEY_OIDC_CLIENT);
        this.openidClientRef = new AtomicServiceReference<>(KEY_OPENID_CLIENT_SERVICE);
        this.securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
        this.jaccServiceRef = new AtomicServiceReference<>(KEY_JACC_SERVICE);
        this.locationAdminRef = new AtomicServiceReference<>(KEY_LOCATION_ADMIN);
        // Built later by activate()/modified().
        this.webAppSecConfig = null;
        this.authenticateApi = null;
        this.postParameterHelper = null;
        // Authorization stays in-house until a JACC service is bound; JASPI is off until its authenticator binds.
        this.wasch = this;
        this.isJaspiEnabled = false;
    }

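    /**
     * Creates a collaborator with an up-front {@link WebAppSecurityConfig}, for callers that
     * will not go through {@link #activate}.
     * <p>
     * Delegates to the three-argument constructor so that every field it initialises —
     * notably {@code collabUtils}, which {@link #getUserPrincipal} and {@link #activate}
     * dereference — is set here too; previously this constructor left {@code collabUtils} null.
     *
     * @param subjectHelper        helper for subject inspection
     * @param subjectManager       thread-context subject access
     * @param hTTPSRedirectHandler handler used for HTTPS redirects
     * @param webAppSecurityConfig configuration to use immediately
     */
    public WebAppSecurityCollaboratorImpl(SubjectHelper subjectHelper, SubjectManager subjectManager, HTTPSRedirectHandler hTTPSRedirectHandler, WebAppSecurityConfig webAppSecurityConfig) {
        this(subjectHelper, subjectManager, hTTPSRedirectHandler);
        this.webAppSecConfig = webAppSecurityConfig;
        // Publish the config for static lookups, exactly as activate() does.
        WebSecurityHelperImpl.setWebAppSecurityConfig(webAppSecurityConfig);
    }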

    /**
     * DS bind method for the SecurityService.
     *
     * @param serviceReference reference to bind
     */
    public void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the SecurityService.
     *
     * @param serviceReference reference to unbind
     */
    public void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for the TAI service.
     *
     * @param serviceReference reference to bind
     */
    public void setTaiService(ServiceReference<TAIService> serviceReference) {
        taiServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the TAI service.
     *
     * @param serviceReference reference to unbind
     */
    public void unsetTaiService(ServiceReference<TAIService> serviceReference) {
        taiServiceRef.unsetReference(serviceReference);
    }

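    /**
     * DS bind method for a TrustAssociationInterceptor. The interceptor is keyed by its
     * {@code id} property, or by its {@code component.name} when no id is present.
     * <p>
     * Uses the {@link #KEY_ID}/{@link #KEY_COMPONENT_NAME} constants instead of repeating the
     * literals so the key derivation cannot drift from {@link #unsetInterceptorService}.
     *
     * @param serviceReference reference to bind
     */
    public synchronized void setInterceptorService(ServiceReference<TrustAssociationInterceptor> serviceReference) {
        String key = (String) serviceReference.getProperty(KEY_ID);
        if (key == null) {
            key = (String) serviceReference.getProperty(KEY_COMPONENT_NAME);
        }
        this.interceptorServiceRef.putReference(key, serviceReference);
    }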

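    /**
     * DS unbind method for a TrustAssociationInterceptor.
     * <p>
     * Derives the map key exactly as {@link #setInterceptorService} does. Previously only the
     * {@code id} property was used here, so an interceptor that had been registered under its
     * {@code component.name} fallback was looked up under {@code null} and never removed,
     * leaving a stale interceptor reference in the map after the service went away.
     *
     * @param serviceReference reference to unbind
     */
    public synchronized void unsetInterceptorService(ServiceReference<TrustAssociationInterceptor> serviceReference) {
        String key = (String) serviceReference.getProperty(KEY_ID);
        if (key == null) {
            key = (String) serviceReference.getProperty(KEY_COMPONENT_NAME);
        }
        this.interceptorServiceRef.removeReference(key, serviceReference);
    }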

    /**
     * DS bind method for the OAuth 2.0 service.
     *
     * @param serviceReference reference to bind
     */
    protected void setOauthService(ServiceReference<OAuth20Service> serviceReference) {
        oauthServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the OAuth 2.0 service.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetOauthService(ServiceReference<OAuth20Service> serviceReference) {
        oauthServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for the OIDC server. If a configuration already exists, the SSO cookie
     * name is recomputed from the OIDC server/client references.
     *
     * @param serviceReference reference to bind
     */
    protected void setOidcServer(ServiceReference<OidcServer> serviceReference) {
        oidcServerRef.setReference(serviceReference);
        WebAppSecurityConfig config = this.webAppSecConfig;
        if (config == null) {
            return;
        }
        config.setSsoCookieName(oidcServerRef, oidcClientRef);
    }

    /**
     * DS unbind method for the OIDC server.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetOidcServer(ServiceReference<OidcServer> serviceReference) {
        oidcServerRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for the OIDC client. If a configuration already exists, the SSO cookie
     * name is recomputed from the OIDC server/client references.
     *
     * @param serviceReference reference to bind
     */
    protected void setOidcClient(ServiceReference<OidcClient> serviceReference) {
        oidcClientRef.setReference(serviceReference);
        WebAppSecurityConfig config = this.webAppSecConfig;
        if (config == null) {
            return;
        }
        config.setSsoCookieName(oidcServerRef, oidcClientRef);
    }

    /**
     * DS unbind method for the OIDC client.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetOidcClient(ServiceReference<OidcClient> serviceReference) {
        oidcClientRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for the OpenID 2.0 client service.
     *
     * @param serviceReference reference to bind
     */
    protected void setOpenidClientService(ServiceReference<OpenidClientService> serviceReference) {
        openidClientRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the OpenID 2.0 client service.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetOpenidClientService(ServiceReference<OpenidClientService> serviceReference) {
        openidClientRef.unsetReference(serviceReference);
    }

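    /**
     * DS bind method for a WebAuthenticator, keyed by its {@code component.name}. Binding the
     * JASPI authenticator component turns JASPI processing on.
     * <p>
     * Compares constant-first so a reference without a {@code component.name} no longer throws
     * NullPointerException here, and uses {@link #KEY_COMPONENT_NAME} instead of a literal.
     *
     * @param serviceReference reference to bind
     */
    public void setWebAuthenticator(ServiceReference<WebAuthenticator> serviceReference) {
        String componentName = (String) serviceReference.getProperty(KEY_COMPONENT_NAME);
        this.webAuthenticatorRef.putReference(componentName, serviceReference);
        if (JASPI_SERVICE_COMPONENT_NAME.equals(componentName)) {
            this.isJaspiEnabled = true;
        }
    }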

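    /**
     * DS unbind method for a WebAuthenticator. Unbinding the JASPI authenticator component
     * turns JASPI processing off.
     * <p>
     * The {@code isJaspiEnabled} flag is cleared <em>before</em> the reference is removed, so a
     * request that checks the flag and then looks the service up (see performSecurityChecks)
     * has a smaller window in which it can observe "enabled" but find no service. The
     * comparison is constant-first to avoid a NullPointerException on a missing
     * {@code component.name}.
     *
     * @param serviceReference reference to unbind
     */
    public void unsetWebAuthenticator(ServiceReference<WebAuthenticator> serviceReference) {
        String componentName = (String) serviceReference.getProperty(KEY_COMPONENT_NAME);
        if (JASPI_SERVICE_COMPONENT_NAME.equals(componentName)) {
            this.isJaspiEnabled = false;
        }
        this.webAuthenticatorRef.removeReference(componentName, serviceReference);
    }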

    /**
     * DS bind method for an UnprotectedResourceService, keyed by {@link #getServiceId}.
     *
     * @param serviceReference reference to bind
     */
    public void setUnprotectedResourceService(ServiceReference<UnprotectedResourceService> serviceReference) {
        String key = getServiceId(serviceReference);
        unprotectedResourceServiceRef.putReference(key, serviceReference);
    }

    /**
     * DS unbind method for an UnprotectedResourceService, keyed by {@link #getServiceId}.
     *
     * @param serviceReference reference to unbind
     */
    public void unsetUnprotectedResourceService(ServiceReference<UnprotectedResourceService> serviceReference) {
        String key = getServiceId(serviceReference);
        unprotectedResourceServiceRef.removeReference(key, serviceReference);
    }

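    /**
     * Builds the map key for an UnprotectedResourceService from its OSGi {@code service.id}.
     * Uses {@link #KEY_SERVICE_ID} rather than a repeated literal.
     *
     * @param serviceReference the service reference
     * @return {@code "urs_"} followed by the numeric service id
     * @throws NullPointerException if the reference carries no service.id (unboxing), as before
     */
    String getServiceId(ServiceReference<UnprotectedResourceService> serviceReference) {
        long serviceId = (Long) serviceReference.getProperty(KEY_SERVICE_ID);
        return "urs_" + serviceId;
    }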

    /**
     * DS bind method for the UnauthenticatedSubjectService.
     *
     * @param unauthenticatedSubjectService service instance to use
     */
    public void setUnauthenticatedSubjectService(UnauthenticatedSubjectService unauthenticatedSubjectService) {
        this.unauthenticatedSubjectService = unauthenticatedSubjectService;
    }

    /**
     * DS unbind method for the UnauthenticatedSubjectService. Only clears the field when the
     * instance being unbound is the one currently held, so a newer binding is not discarded.
     *
     * @param unauthenticatedSubjectService service instance being unbound
     */
    protected void unsetUnauthenticatedSubjectService(UnauthenticatedSubjectService unauthenticatedSubjectService) {
        boolean isCurrent = this.unauthenticatedSubjectService == unauthenticatedSubjectService;
        if (!isCurrent) {
            return;
        }
        this.unauthenticatedSubjectService = null;
    }

    /**
     * DS bind method for the location admin service.
     *
     * @param serviceReference reference to bind
     */
    protected void setLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        locationAdminRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the location admin service.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        locationAdminRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for the JACC service. Once bound, authorization decisions are delegated
     * to a {@link WebAppJaccAuthorizationHelper} instead of this class.
     *
     * @param serviceReference reference to bind
     */
    protected void setJaccService(ServiceReference<JaccService> serviceReference) {
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (debug) {
            Tr.debug(tc, "enabling JACC service", new Object[0]);
        }
        jaccServiceRef.setReference(serviceReference);
        wasch = new WebAppJaccAuthorizationHelper(jaccServiceRef);
    }

    /**
     * DS unbind method for the JACC service. Authorization decisions revert to this class.
     *
     * @param serviceReference reference to unbind
     */
    protected void unsetJaccService(ServiceReference<JaccService> serviceReference) {
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (debug) {
            Tr.debug(tc, "disabling JACC service", new Object[0]);
        }
        jaccServiceRef.unsetReference(serviceReference);
        wasch = this;
    }

    /**
     * DS activate: starts every service tracker, builds the configuration from the component
     * properties and (re)creates the helpers that depend on it.
     *
     * @param componentContext DS component context
     * @param map              component configuration properties
     */
    public void activate(ComponentContext componentContext, Map<String, Object> map) {
        // Start tracking the injected services before building anything that reads them.
        locationAdminRef.activate(componentContext);
        securityServiceRef.activate(componentContext);
        interceptorServiceRef.activate(componentContext);
        taiServiceRef.activate(componentContext);
        oauthServiceRef.activate(componentContext);
        oidcServerRef.activate(componentContext);
        oidcClientRef.activate(componentContext);
        openidClientRef.activate(componentContext);
        jaccServiceRef.activate(componentContext);
        webAuthenticatorRef.activate(componentContext);
        unprotectedResourceServiceRef.activate(componentContext);

        WebAppSecurityConfig config = new WebAppSecurityConfigImpl(map, locationAdminRef, oidcServerRef, oidcClientRef);
        this.webAppSecConfig = config;
        // Publish for static lookups through WebSecurityHelperImpl.
        WebSecurityHelperImpl.setWebAppSecurityConfig(config);

        SSOCookieHelperImpl cookieHelper = new SSOCookieHelperImpl(config, oidcServerRef);
        this.authenticateApi = new AuthenticateApi(cookieHelper, securityServiceRef, collabUtils, webAuthenticatorRef, unprotectedResourceServiceRef);
        PostParameterHelper postHelper = new PostParameterHelper(config);
        this.postParameterHelper = postHelper;
        WebProviderAuthenticatorProxy providerProxy = new WebProviderAuthenticatorProxy(securityServiceRef, taiServiceRef, interceptorServiceRef, config, oauthServiceRef, openidClientRef, oidcServerRef, oidcClientRef, webAuthenticatorRef);
        this.providerAuthenticatorProxy = providerProxy;
        this.authenticatorProxy = new WebAuthenticatorProxy(config, postHelper, securityServiceRef, providerProxy, oidcServerRef);
    }

    /**
     * DS modified: rebuilds the configuration and every helper derived from it, then audits
     * which properties changed relative to the previous configuration.
     *
     * @param map updated component configuration properties
     */
    public void modified(Map<String, Object> map) {
        WebAppSecurityConfigImpl newConfig = new WebAppSecurityConfigImpl(map, locationAdminRef, oidcServerRef, oidcClientRef);
        // Diff against the configuration that is about to be replaced.
        String changedProperties = newConfig.getChangedProperties(this.webAppSecConfig);
        this.webAppSecConfig = newConfig;
        WebSecurityHelperImpl.setWebAppSecurityConfig(newConfig);

        SSOCookieHelperImpl cookieHelper = new SSOCookieHelperImpl(newConfig, oidcServerRef);
        this.authenticateApi = new AuthenticateApi(cookieHelper, securityServiceRef, collabUtils, webAuthenticatorRef, unprotectedResourceServiceRef);
        PostParameterHelper postHelper = new PostParameterHelper(newConfig);
        this.postParameterHelper = postHelper;
        WebProviderAuthenticatorProxy providerProxy = new WebProviderAuthenticatorProxy(securityServiceRef, taiServiceRef, interceptorServiceRef, newConfig, oauthServiceRef, openidClientRef, oidcServerRef, oidcClientRef, webAuthenticatorRef);
        this.providerAuthenticatorProxy = providerProxy;
        this.authenticatorProxy = new WebAuthenticatorProxy(newConfig, postHelper, securityServiceRef, providerProxy, oidcServerRef);

        Tr.audit(tc, "WEB_APP_SECURITY_CONFIGURATION_UPDATED", changedProperties);
    }

    /**
     * DS deactivate: stops every service tracker and clears the statically published
     * configuration.
     *
     * @param componentContext DS component context
     */
    public void deactivate(ComponentContext componentContext) {
        locationAdminRef.deactivate(componentContext);
        securityServiceRef.deactivate(componentContext);
        taiServiceRef.deactivate(componentContext);
        interceptorServiceRef.deactivate(componentContext);
        oauthServiceRef.deactivate(componentContext);
        oidcServerRef.deactivate(componentContext);
        oidcClientRef.deactivate(componentContext);
        openidClientRef.deactivate(componentContext);
        jaccServiceRef.deactivate(componentContext);
        webAuthenticatorRef.deactivate(componentContext);
        unprotectedResourceServiceRef.deactivate(componentContext);
        // Static lookups must not keep seeing a configuration from a deactivated component.
        WebSecurityHelperImpl.setWebAppSecurityConfig(null);
    }

    /**
     * Creates the form-login extension processor for a servlet context.
     *
     * @param iServletContext the servlet context the processor serves
     * @return the processor, or {@code null} if the user registry could not be obtained
     */
    public ExtensionProcessor getFormLoginExtensionProcessor(IServletContext iServletContext) {
        try {
            SecurityService securityService = securityServiceRef.getService();
            return new FormLoginExtensionProcessor(webAppSecConfig,
                                                   securityService.getAuthenticationService(),
                                                   securityService.getUserRegistryService().getUserRegistry(),
                                                   iServletContext,
                                                   providerAuthenticatorProxy,
                                                   oidcServerRef,
                                                   webAuthenticatorRef);
        } catch (RegistryException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl", "386", this, new Object[]{iServletContext});
            // Registry lookup failure is logged (when debug is on) and reported as "no processor".
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "RegistryException while trying to create FormLoginExtensionProcessor", e);
            }
            return null;
        }
    }

    /**
     * Creates the form-logout extension processor for a servlet context.
     *
     * @param iServletContext the servlet context the processor serves
     * @return a new FormLogoutExtensionProcessor
     */
    public ExtensionProcessor getFormLogoutExtensionProcessor(IServletContext iServletContext) {
        AuthenticateApi api = getAuthenticateApi(webAppSecConfig, oidcServerRef, securityServiceRef, collabUtils);
        return new FormLogoutExtensionProcessor(iServletContext, webAppSecConfig, api);
    }

    /**
     * Returns the caller principal for the current request thread, as resolved by
     * {@code CollaboratorUtils}; the JASPI flag is passed through to the helper.
     *
     * @return the caller principal, or whatever the helper returns when there is none
     */
    public Principal getUserPrincipal() {
        boolean jaspi = isJaspiEnabled;
        return collabUtils.getCallerPrincipal(false, (String) null, true, jaspi);
    }

    /**
     * Writes the reply carried by a {@link WebSecurityCollaboratorException} to the response.
     * A 500 reply is not written directly; it is surfaced to the container as a
     * ServletException carrying the request method and URL.
     *
     * @param httpServletRequest  the request (may be null; the method is then reported as null)
     * @param httpServletResponse the response to write the reply to
     * @param th                  the collaborator exception holding the reply
     * @throws ServletException   for a 500 reply
     * @throws IOException        if writing the reply fails
     * @throws ClassCastException if {@code th} is not a WebSecurityCollaboratorException
     */
    public void handleException(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th) throws ServletException, IOException, ClassCastException {
        WebReply reply = ((WebSecurityCollaboratorException) th).getWebReply();
        if (reply.getStatusCode() == 500) {
            String method = httpServletRequest == null ? null : httpServletRequest.getMethod();
            String message = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "SEC_WEB_INTERNAL_SERVER_ERROR", new Object[]{method, getRequestURL(httpServletRequest)}, "CWWKS9115E: The server encountered an unexpected condition which prevented it from fulfilling the request of method {0} for URL {1}. Review the server logs for more information.");
            throw new ServletException(message, th);
        }
        reply.writeResponse(httpServletResponse);
    }

    /**
     * Role check for the current caller. A null role or an absent caller subject answers
     * {@code false} without consulting the authorization helper.
     *
     * @param str              role name
     * @param iExtendedRequest the current request
     * @return whether the caller subject is in the role
     */
    public boolean isUserInRole(String str, IExtendedRequest iExtendedRequest) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "isUserInRole role = " + str, new Object[0]);
        }
        if (str == null) {
            return false;
        }
        Subject caller = subjectManager.getCallerSubject();
        if (caller == null) {
            return false;
        }
        return wasch.isUserInRole(str, iExtendedRequest, caller);
    }

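    /**
     * Restores the thread's security state after the servlet has run: notifies the JASPI
     * service (when this request used a JASPI auth context), puts the subjects captured by
     * {@link #preInvoke} back on the thread, and releases the OS-thread identity sync token.
     * <p>
     * The subject restore and identity reset now run in a {@code finally}, so a JASPI
     * {@code postInvoke} failure can no longer leave the request's caller/invocation subject
     * and synced OS identity on the thread after the request has ended. If the identity reset
     * itself fails, its ServletException supersedes any JASPI failure.
     *
     * @param obj the {@link WebSecurityContext} returned by preInvoke; ignored when null
     * @throws ServletException if the JASPI service or the thread-identity reset fails
     */
    public void postInvoke(Object obj) throws ServletException {
        if (obj == null) {
            return;
        }
        WebSecurityContext webSecurityContext = (WebSecurityContext) obj;
        try {
            notifyJaspiPostInvoke(webSecurityContext, obj);
        } finally {
            subjectManager.setCallerSubject(webSecurityContext.getReceivedSubject());
            subjectManager.setInvocationSubject(webSecurityContext.getInvokedSubject());
            try {
                resetSyncToOSThread(webSecurityContext);
            } catch (ThreadIdentityException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl", "496", this, new Object[]{obj});
                throw new ServletException(e2);
            }
        }
    }

    /**
     * Calls the JASPI service's postInvoke when the request carried a JASPI auth context and
     * the JASPI authenticator component is currently bound.
     *
     * @param webSecurityContext the request's security context
     * @param obj                the raw context object, for FFDC reporting
     * @throws ServletException wrapping any failure from the JASPI service
     */
    private void notifyJaspiPostInvoke(WebSecurityContext webSecurityContext, Object obj) throws ServletException {
        if (webSecurityContext.getJaspiAuthContext() == null) {
            return;
        }
        WebAuthenticator service = webAuthenticatorRef.getService(JASPI_SERVICE_COMPONENT_NAME);
        if (service == null) {
            return;
        }
        try {
            ((JaspiService) service).postInvoke(webSecurityContext);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl", "483", this, new Object[]{obj});
            throw new ServletException(e);
        }
    }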

    /**
     * Prepares the thread for a servlet invocation. The incoming invocation and caller
     * subjects are captured in the returned {@link WebSecurityContext} so {@link #postInvoke}
     * can restore them. When {@code z} is false no security check, run-as delegation or
     * OS-thread identity sync is performed.
     *
     * @param httpServletRequest  the request (security checks are skipped when null)
     * @param httpServletResponse the response
     * @param str                 servlet name used for run-as delegation
     * @param z                   whether to perform the security processing at all
     * @return the WebSecurityContext to hand back to postInvoke
     * @throws SecurityViolationException if a check denies the request
     * @throws IOException                if writing a reply fails
     */
    public Object preInvoke(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, boolean z) throws SecurityViolationException, IOException {
        Subject invocationSubject = subjectManager.getInvocationSubject();
        Subject callerSubject = subjectManager.getCallerSubject();
        WebSecurityContext context = new WebSecurityContext(invocationSubject, callerSubject);
        setUnauthenticatedSubjectIfNeeded(invocationSubject, callerSubject);
        if (!z) {
            return context;
        }
        if (httpServletRequest != null) {
            performSecurityChecks(httpServletRequest, httpServletResponse, callerSubject, context);
        }
        performDelegation(str);
        syncToOSThread(context);
        return context;
    }

    /**
     * Pushes the invocation subject onto the OS thread identity and stores the resulting token
     * in the context so {@link #resetSyncToOSThread} can undo it.
     *
     * @param webSecurityContext context that receives the sync token
     * @throws SecurityViolationException if the identity cannot be set; reported as an
     *                                    authorization failure so the request does not proceed
     */
    private void syncToOSThread(WebSecurityContext webSecurityContext) throws SecurityViolationException {
        try {
            webSecurityContext.setSyncToOSThreadToken(ThreadIdentityManager.setAppThreadIdentity(subjectManager.getInvocationSubject()));
        } catch (ThreadIdentityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl", "546", this, new Object[]{webSecurityContext});
            WebSecurityCollaboratorException denied = new WebSecurityCollaboratorException(e.getMessage(), DENY_AUTHZ_FAILED, webSecurityContext);
            throw convertWebSecurityException(denied);
        }
    }

    /**
     * Reverts the OS thread identity using the token stored by {@link #syncToOSThread}.
     * No-op when no token was recorded.
     *
     * @param webSecurityContext context holding the sync token
     * @throws ThreadIdentityException if the reset fails
     */
    private void resetSyncToOSThread(WebSecurityContext webSecurityContext) throws ThreadIdentityException {
        Object token = webSecurityContext.getSyncToOSThreadToken();
        if (token == null) {
            return;
        }
        ThreadIdentityManager.resetChecked(token);
    }

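    /**
     * Runs the constraint, authentication and authorization checks for a request and writes
     * the resulting reply. The JASPI path is taken first when a JASPI provider is registered;
     * if it yields no reply, the standard path (precluded-access tests, optional
     * unprotected-resource authentication, then {@link #determineWebReply}) runs.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @param subject             the caller subject at entry
     * @param webSecurityContext  the request's security context
     * @throws SecurityViolationException if any check denies the request
     * @throws IOException                if writing the reply fails
     */
    private void performSecurityChecks(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Subject subject, WebSecurityContext webSecurityContext) throws SecurityViolationException, IOException {
        String servletURI = new URLHandler(webAppSecConfig).getServletURI(httpServletRequest);
        WebRequestImpl webRequest = new WebRequestImpl(httpServletRequest, httpServletResponse, getApplicationName(), webSecurityContext, getSecurityMetadata(), getMatchResponse(httpServletRequest), webAppSecConfig);
        WebReply webReply = null;
        if (isJaspiProviderRegistered()) {
            webReply = handleJaspi(subject, servletURI, webRequest, webSecurityContext);
        }
        if (webReply == null) {
            performPrecludedAccessTests(webRequest, webSecurityContext, servletURI);
            optionallyAuthenticateUnprotectedResource(webRequest);
            webReply = determineWebReply(subject, servletURI, webRequest);
        }
        validateWebReply(webSecurityContext, webReply);
        webReply.writeResponse(httpServletResponse);
    }

    /**
     * True when the JASPI authenticator is bound and reports at least one registered provider.
     * The service lookup is null-guarded: {@code isJaspiEnabled} and the reference map are
     * updated in separate steps by unsetWebAuthenticator, so a request racing an unbind could
     * previously see the flag set and then NPE on the cast of a missing service.
     *
     * @return whether JASPI processing should be attempted for this request
     */
    private boolean isJaspiProviderRegistered() {
        if (!isJaspiEnabled) {
            return false;
        }
        WebAuthenticator jaspi = webAuthenticatorRef.getService(JASPI_SERVICE_COMPONENT_NAME);
        return jaspi != null && ((JaspiService) jaspi).isAnyProviderRegistered();
    }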

    /**
     * JASPI authentication path. Precluded-access tests run first; a special unprotected URI
     * short-circuits with its reply. Otherwise the provider proxy is consulted: a RETURN
     * status ends the request with a ReturnReply built from the status already set on the
     * response, CONTINUE yields {@code null} so the caller falls back to the standard path,
     * and any other status is turned into a reply by {@link #determineWebReply}.
     *
     * @param subject            the caller subject at entry
     * @param str                servlet URI
     * @param webRequest         the web request
     * @param webSecurityContext the request's security context
     * @return the reply, or {@code null} to continue with non-JASPI processing
     * @throws SecurityViolationException on a precluded-access denial or a RETURN result
     * @throws IOException                propagated from the provider proxy
     */
    private WebReply handleJaspi(Subject subject, String str, WebRequest webRequest, WebSecurityContext webSecurityContext) throws SecurityViolationException, IOException {
        performPrecludedAccessTests(webRequest, webSecurityContext, str);
        String method = webRequest.getHttpServletRequest().getMethod();
        WebReply reply = unprotectedSpecialURI(webRequest, str, method);
        if (reply != null) {
            return reply;
        }
        AuthenticationResult result = providerAuthenticatorProxy.handleJaspi(webRequest, null);
        AuthResult status = result.getStatus();
        if (status == AuthResult.RETURN) {
            ReturnReply returnReply = new ReturnReply(webRequest.getHttpServletResponse().getStatus(), result.getReason());
            throw convertWebSecurityException(new WebSecurityCollaboratorException(returnReply.message, returnReply, webSecurityContext));
        }
        if (status == AuthResult.CONTINUE) {
            return null;
        }
        return determineWebReply(subject, str, webRequest, result);
    }

    /**
     * Asks the authorization helper whether access is precluded outright (e.g. by constraint
     * configuration) and rejects the request if the returned reply is not a permit.
     *
     * @param webRequest         the web request
     * @param webSecurityContext the request's security context
     * @param str                servlet URI
     * @throws SecurityViolationException if the helper returns a non-200 reply
     */
    private void performPrecludedAccessTests(WebRequest webRequest, WebSecurityContext webSecurityContext, String str) throws SecurityViolationException {
        WebReply precluded = wasch.checkPrecludedAccess(webRequest, str);
        if (precluded == null) {
            return;
        }
        validateWebReply(webSecurityContext, precluded);
    }

    /**
     * Converts any reply other than HTTP 200 into a SecurityViolationException so the
     * container stops the request.
     *
     * @param webSecurityContext the request's security context
     * @param webReply           reply to validate
     * @throws SecurityViolationException if the reply's status code is not 200
     */
    private void validateWebReply(WebSecurityContext webSecurityContext, WebReply webReply) throws SecurityViolationException {
        boolean permitted = webReply.getStatusCode() == 200;
        if (permitted) {
            return;
        }
        throw convertWebSecurityException(new WebSecurityCollaboratorException(webReply.message, webReply, webSecurityContext));
    }

    /**
     * For an unprotected resource, authenticates the caller anyway when the configuration
     * enables use of authentication data for unprotected resources and the request warrants it
     * (see {@link #needToAuthenticateSubject}). Form-login redirect is disabled first so an
     * unprotected resource never bounces the caller to a login page.
     *
     * @param webRequest the web request
     */
    public void optionallyAuthenticateUnprotectedResource(WebRequest webRequest) {
        if (!webAppSecConfig.isUseAuthenticationDataForUnprotectedResourceEnabled()) {
            return;
        }
        if (unprotectedResource(webRequest) != PERMIT_REPLY) {
            return;
        }
        if (!needToAuthenticateSubject(webRequest)) {
            return;
        }
        webRequest.disableFormLoginRedirect();
        setAuthenticatedSubjectIfNeeded(webRequest);
    }

    /**
     * Decides whether an unprotected resource should still authenticate the caller. For
     * provider-special URIs (OAuth/OIDC) the decision comes from the second, stricter
     * isProviderSpecialProtectedURI check, which also marks the request; otherwise the
     * request's own authentication data or the per-application setting decides.
     *
     * @param webRequest the web request
     * @return whether to authenticate
     */
    private boolean needToAuthenticateSubject(WebRequest webRequest) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        OAuth20Service oauth = oauthServiceRef.getService();
        OidcServer oidc = oidcServerRef.getService();
        boolean providerSpecial = isProviderSpecialProtectedURI(request, oauth, oidc, false);
        if (providerSpecial) {
            boolean strictlySpecial = isProviderSpecialProtectedURI(request, oauth, oidc, true);
            if (strictlySpecial) {
                webRequest.setProviderSpecialUnprotectedURI(true);
            }
            return strictlySpecial;
        }
        return webRequest.hasAuthenticationData() || isUnprotectedResourceAuthenRequired(webRequest);
    }

    /**
     * Classifies the request as unprotected or not. A URI with no required roles, or whose
     * roles are granted to everyone, is marked unprotected and permitted. Without an
     * authorization service the check fails closed with a DenyReply.
     *
     * @param webRequest the web request
     * @return {@link #PERMIT_REPLY} when unprotected, a DenyReply when authorization is
     *         unavailable, or {@code null} when the resource is protected
     */
    private WebReply unprotectedResource(WebRequest webRequest) {
        List<String> requiredRoles = webRequest.getRequiredRoles();
        if (requiredRoles.isEmpty()) {
            webRequest.setUnprotectedURI(true);
            return PERMIT_REPLY;
        }
        AuthorizationService authz = securityServiceRef.getService().getAuthorizationService();
        if (authz == null) {
            return new DenyReply("An internal error occured. Unable to perform authorization check.");
        }
        boolean everyoneGranted = authz.isEveryoneGranted(webRequest.getApplicationName(), requiredRoles);
        if (everyoneGranted) {
            webRequest.setUnprotectedURI(true);
            return PERMIT_REPLY;
        }
        return null;
    }

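    /**
     * Authenticates the request and, on success, installs the resulting subject as the
     * thread's caller subject. Any other outcome leaves the thread untouched.
     * <p>
     * Uses the injected {@code subjectManager}, as every other method in this class does,
     * instead of a throwaway {@code new SubjectManager()}; this keeps the caller-subject
     * update on the same manager the collaborator (and any test double) reads from.
     *
     * @param webRequest the web request
     */
    public void setAuthenticatedSubjectIfNeeded(WebRequest webRequest) {
        AuthenticationResult result = authenticateRequest(webRequest);
        if (result == null || result.getStatus() != AuthResult.SUCCESS) {
            return;
        }
        subjectManager.setCallerSubject(result.getSubject());
    }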

    /**
     * Sets the invocation subject for the servlet about to run.
     * <p>
     * When the security metadata declares a run-as role for the servlet, the
     * authentication service is asked to delegate to that role and the delegated
     * subject becomes the invocation subject. If delegation throws
     * {@link IllegalArgumentException} the exception is recorded (FFDC plus debug
     * trace) and the caller subject is installed instead, i.e. a failed run-as
     * falls back to the caller's own identity rather than failing the request.
     * Without a run-as role the caller subject is used directly. A {@code null}
     * subject is never installed.
     *
     * @param str the servlet name used to look up the run-as role
     */
    private void performDelegation(String str) {
        Subject invocationSubject = this.subjectManager.getCallerSubject();
        SecurityMetadata metadata = getSecurityMetadata();
        String runAsRole = metadata == null ? null : metadata.getRunAsRoleForServlet(str);
        if (runAsRole != null) {
            try {
                invocationSubject = this.securityServiceRef.getService().getAuthenticationService().delegate(runAsRole, getApplicationName());
            } catch (IllegalArgumentException e) {
                // FFDC probe id and class name are kept exactly as originally recorded.
                FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl", "742", this, new Object[]{str});
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception performing delegation.", e);
                }
            }
        }
        if (invocationSubject != null) {
            this.subjectManager.setInvocationSubject(invocationSubject);
        }
    }

    /**
     * Runs the initial checks for the request and, when none of them produced a
     * reply, authenticates the request and derives the reply from the result.
     *
     * @param subject    subject restored as caller subject if authorization fails
     * @param str        the requested URI
     * @param webRequest the request
     * @return the reply from the initial checks when non-null, otherwise the reply
     *         computed from the authentication result
     */
    public WebReply determineWebReply(Subject subject, String str, WebRequest webRequest) {
        WebReply earlyReply = performInitialChecks(webRequest, str);
        if (earlyReply != null) {
            return earlyReply;
        }
        AuthenticationResult result = authenticateRequest(webRequest);
        return determineWebReply(subject, str, webRequest, result);
    }

    /**
     * Turns an authentication result into a reply and sets the thread's subjects.
     * <p>
     * A non-success result yields an authentication-failure reply (the realm comes
     * from the result, falling back to the user registry realm). A success result
     * becomes the caller subject and is authorized; on success it also becomes the
     * invocation subject and a permit is returned. A {@code null} result or a
     * failed authorization restores {@code subject} as caller subject and returns
     * {@link #DENY_AUTHZ_FAILED}.
     *
     * @param subject              subject restored as caller subject on denial
     * @param str                  the requested URI
     * @param webRequest           the request
     * @param authenticationResult the result of authentication; may be {@code null}
     * @return the reply to send
     */
    private WebReply determineWebReply(Subject subject, String str, WebRequest webRequest, AuthenticationResult authenticationResult) {
        boolean authnFailed = authenticationResult != null && authenticationResult.getStatus() != AuthResult.SUCCESS;
        if (authnFailed) {
            String realm = authenticationResult.realm;
            if (realm == null) {
                realm = this.collabUtils.getUserRegistryRealm(this.securityServiceRef);
            }
            return createReplyForAuthnFailure(authenticationResult, realm);
        }
        boolean authorized = false;
        if (authenticationResult != null) {
            this.subjectManager.setCallerSubject(authenticationResult.getSubject());
            authorized = this.wasch.authorize(authenticationResult, webRequest, str);
        }
        if (!authorized) {
            // Null result or authorization failure: put the supplied subject back and deny.
            this.subjectManager.setCallerSubject(subject);
            return DENY_AUTHZ_FAILED;
        }
        this.subjectManager.setInvocationSubject(authenticationResult.getSubject());
        return new PermitReply();
    }

    /**
     * Convenience overload that delegates to the four-argument {@code preInvoke}
     * (defined outside this excerpt) with no request/response and the flag set to
     * {@code true}.
     *
     * @param str the servlet name or URI forwarded to the full overload
     * @return whatever the full overload returns
     * @throws SecurityViolationException propagated from the full overload
     * @throws IOException                propagated from the full overload
     */
    public Object preInvoke(String str) throws SecurityViolationException, IOException {
        final String servletName = str;
        return preInvoke(null, null, servletName, true);
    }

    /**
     * Clears the caller and invocation subjects on the current thread.
     *
     * @return always {@code null}
     * @throws SecurityViolationException declared for interface compatibility; not
     *                                    thrown by this implementation
     */
    public Object preInvoke() throws SecurityViolationException {
        final Object noSecurityContext = null;
        this.subjectManager.clearSubjects();
        return noSecurityContext;
    }

    /**
     * Programmatic authentication of the current request.
     * <p>
     * If the thread's caller subject is already authenticated nothing is done and
     * {@code true} is returned. Otherwise the request is authenticated: on
     * {@code SUCCESS} the authenticate API's post-authenticate hook runs and the
     * permit reply is written; on any other status the failure reply from
     * {@link #createReplyForAuthnFailure} (challenge, redirect or deny) is written
     * and {@code false} is returned. Note that, unlike
     * {@link #setAuthenticatedSubjectIfNeeded}, a {@code null} authentication
     * result is not tolerated here and would surface as a
     * {@link NullPointerException}; the same holds for a {@code null} reply.
     *
     * @param httpServletRequest  the request being authenticated
     * @param httpServletResponse the response the reply is written to
     * @return {@code true} when the caller is (now) authenticated
     * @throws ServletException propagated from the authenticate API
     * @throws IOException      propagated while writing the reply
     */
    public boolean authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        Subject caller = this.subjectManager.getCallerSubject();
        if (!this.subjectHelper.isUnauthenticated(caller)) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The underlying login mechanism has committed", new Object[0]);
            }
            return true;
        }
        WebRequest webRequest = new WebRequestImpl(httpServletRequest, httpServletResponse, getSecurityMetadata(), this.webAppSecConfig);
        AuthenticationResult result = authenticateRequest(webRequest);
        boolean succeeded = result.getStatus() == AuthResult.SUCCESS;
        WebReply reply;
        if (succeeded) {
            this.authenticateApi = getAuthenticateApi(this.webAppSecConfig, this.oidcServerRef, this.securityServiceRef, this.collabUtils);
            this.authenticateApi.postProgrammaticAuthenticate(httpServletRequest, httpServletResponse, result);
            reply = PERMIT_REPLY;
        } else {
            String realm = result.realm;
            if (realm == null) {
                realm = this.collabUtils.getUserRegistryRealm(this.securityServiceRef);
            }
            reply = createReplyForAuthnFailure(result, realm);
        }
        reply.writeResponse(httpServletResponse);
        return succeeded;
    }

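    /**
     * Returns the URL patterns from {@code list} that appear in at least one
     * web-resource-collection of the module's security constraints.
     * <p>
     * A pattern is added once per web-resource-collection that contains it, so the
     * result may contain duplicates; the order follows {@code list}. The parameters
     * {@code str}, {@code str2} and {@code str3} are not used by this method.
     *
     * @param str  unused
     * @param str2 unused
     * @param str3 unused
     * @param list candidate URL patterns
     * @return the matching patterns, or {@code null} when {@code list} is empty,
     *         nothing matched, or the module has no security-constraint collection
     *         (the {@code null} return is preserved for existing callers)
     */
    public List<String> getURIsInSecurityConstraints(String str, String str2, String str3, List<String> list) {
        if (list.isEmpty()) {
            return null;
        }
        // The constraint collection does not depend on the loop variable; fetch it once
        // instead of once per candidate pattern.
        SecurityConstraintCollection constraints = getSecurityMetadata().getSecurityConstraintCollection();
        if (constraints == null) {
            return null;
        }
        List<String> matched = null;
        for (String urlPattern : list) {
            for (SecurityConstraint constraint : constraints.getSecurityConstraints()) {
                for (WebResourceCollection resources : constraint.getWebResourceCollections()) {
                    if (resources.getUrlPatterns().contains(urlPattern)) {
                        if (matched == null) {
                            matched = new ArrayList<String>();
                        }
                        matched.add(urlPattern);
                    }
                }
            }
        }
        return matched;
    }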

    /**
     * Programmatic login with a user name and credential.
     * <p>
     * Fails with a {@link ServletException} carrying message
     * {@code SEC_WEB_NULL_AUTHENTICATOR} (which includes the request URL and the
     * user name) when no basic-auth authenticator is available. Otherwise the
     * authenticate API performs the login and the configured authentication method
     * is recorded on the request under {@link #AUTH_TYPE}.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param str                 the user name
     * @param str2                the credential; annotated {@code @Sensitive} so the
     *                            tracing framework does not dump it
     * @throws ServletException when no authenticator is available, or as propagated
     *                          from the authenticate API
     */
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, @Sensitive String str2) throws ServletException {
        BasicAuthAuthenticator authenticator = getBasicAuthAuthenticator();
        if (authenticator == null) {
            String message = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "SEC_WEB_NULL_AUTHENTICATOR", new Object[]{getRequestURL(httpServletRequest), str}, "CWWKS9116E: Login to the URL {0} failed for user {1} due to an internal error. Review the server logs for more information.");
            throw new ServletException(message);
        }
        AuthenticateApi api = getAuthenticateApi(this.webAppSecConfig, this.oidcServerRef, this.securityServiceRef, this.collabUtils);
        api.login(httpServletRequest, httpServletResponse, str, str2, this.webAppSecConfig, authenticator);
        String authMethod = getSecurityMetadata().getLoginConfiguration().getAuthenticationMethod();
        SRTServletRequestUtils.setPrivateAttribute(httpServletRequest, AUTH_TYPE, authMethod);
    }

    /**
     * Servlet 3.0 programmatic logout, delegated to the authenticate API.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws ServletException propagated from the authenticate API
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        AuthenticateApi api = getAuthenticateApi(this.webAppSecConfig, this.oidcServerRef, this.securityServiceRef, this.collabUtils);
        api.logoutServlet30(httpServletRequest, httpServletResponse, this.webAppSecConfig);
    }

    /**
     * Wraps a collaborator exception in a {@link SecurityViolationException}.
     * <p>
     * The status code is taken from the exception's reply when present, otherwise
     * 403 is used. The original exception is kept as the cause and its web security
     * context is carried over.
     *
     * @param webSecurityCollaboratorException the exception to convert
     * @return the converted exception, ready to be thrown
     */
    private SecurityViolationException convertWebSecurityException(WebSecurityCollaboratorException webSecurityCollaboratorException) {
        WebReply reply = webSecurityCollaboratorException.getWebReply();
        int statusCode = reply == null ? 403 : reply.getStatusCode();
        SecurityViolationException converted = new SecurityViolationException(webSecurityCollaboratorException.getMessage(), statusCode);
        converted.initCause(webSecurityCollaboratorException);
        converted.setWebSecurityContext(webSecurityCollaboratorException.getWebSecurityContext());
        return converted;
    }

    /**
     * Installs the unauthenticated subject as invocation subject when neither
     * supplied subject is present.
     *
     * @param subject  first candidate subject (typically the caller subject)
     * @param subject2 second candidate subject (typically the invocation subject)
     * @return {@code true} when the unauthenticated subject was installed,
     *         {@code false} when at least one subject was already present
     */
    private boolean setUnauthenticatedSubjectIfNeeded(Subject subject, Subject subject2) {
        boolean bothAbsent = subject == null && subject2 == null;
        if (!bothAbsent) {
            return false;
        }
        Subject unauthenticated = this.unauthenticatedSubjectService.getUnauthenticatedSubject();
        new SubjectManager().setInvocationSubject(unauthenticated);
        return true;
    }

    /**
     * Authenticates the request through the configured authenticator proxy.
     *
     * @param webRequest the request to authenticate
     * @return the proxy's result; may be {@code null} depending on the proxy
     */
    public AuthenticationResult authenticateRequest(WebRequest webRequest) {
        WebAuthenticatorProxy proxy = getWebAuthenticatorProxy();
        return proxy.authenticate(webRequest);
    }

    /**
     * Returns the authenticator proxy held by this collaborator; overridable for
     * subclasses and tests.
     *
     * @return the proxy instance
     */
    protected WebAuthenticatorProxy getWebAuthenticatorProxy() {
        final WebAuthenticatorProxy proxy = this.authenticatorProxy;
        return proxy;
    }

    /**
     * Returns the basic-auth authenticator exposed by the authenticator proxy.
     *
     * @return the authenticator, or {@code null} if the proxy has none
     */
    public BasicAuthAuthenticator getBasicAuthAuthenticator() {
        WebAuthenticatorProxy proxy = getWebAuthenticatorProxy();
        return proxy.getBasicAuthAuthenticator();
    }

    /**
     * Maps a non-success authentication result to the reply sent to the client.
     * <ul>
     * <li>{@code FAILURE}, {@code UNKNOWN}, {@code CONTINUE}: {@link #DENY_AUTHN_FAILED}
     *     (the latter two also emit a debug trace with the status and reason)</li>
     * <li>{@code SEND_401}: a {@link ChallengeReply} for the given realm</li>
     * <li>{@code TAI_CHALLENGE}: a {@link TAIChallengeReply} with the TAI's code</li>
     * <li>{@code REDIRECT}: a {@link RedirectReply} with the result's URL and cookies</li>
     * <li>anything else (including {@code SUCCESS}): {@code null}; callers that write
     *     the reply unconditionally will then fail with a {@link NullPointerException}</li>
     * </ul>
     *
     * @param authenticationResult the failed result; must not be {@code null}
     * @param str                  the realm used for a basic-auth challenge
     * @return the reply, or {@code null} for an unmapped status
     */
    public WebReply createReplyForAuthnFailure(AuthenticationResult authenticationResult, String str) {
        AuthResult status = authenticationResult.getStatus();
        switch (status) {
            case UNKNOWN:
            case CONTINUE:
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication failed with status [" + authenticationResult.getStatus() + "] and reason [" + authenticationResult.getReason() + "]", new Object[0]);
                }
                return DENY_AUTHN_FAILED;
            case FAILURE:
                return DENY_AUTHN_FAILED;
            case SEND_401:
                return new ChallengeReply(str);
            case TAI_CHALLENGE:
                return new TAIChallengeReply(authenticationResult.getTAIChallengeCode());
            case REDIRECT:
                return new RedirectReply(authenticationResult.getRedirectURL(), authenticationResult.getCookies());
            default:
                return null;
        }
    }

    /**
     * Authorizes the authenticated subject and updates the thread's subjects.
     * <p>
     * The result's subject becomes the caller subject before the check. On
     * success it also becomes the invocation subject; on failure the supplied
     * {@code subject} is restored as caller subject.
     *
     * @param authenticationResult the successful authentication result
     * @param str                  the application name
     * @param str2                 the requested URI (used for auditing)
     * @param subject              subject restored as caller subject on failure
     * @param list                 the roles required for the resource
     * @return the outcome of the authorization check
     */
    public boolean authorize(AuthenticationResult authenticationResult, String str, String str2, Subject subject, List<String> list) {
        Subject authenticated = authenticationResult.getSubject();
        this.subjectManager.setCallerSubject(authenticated);
        boolean granted = authorize(authenticationResult, str, str2, list);
        if (!granted) {
            this.subjectManager.setCallerSubject(subject);
            return false;
        }
        this.subjectManager.setInvocationSubject(authenticated);
        return true;
    }

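    /**
     * Checks whether the authenticated subject holds one of the required roles.
     * <p>
     * Returns {@code false} (fail closed) when the security service or its
     * authorization service is unavailable; the former is known to happen for
     * requests arriving during server shutdown. A denied check is recorded with
     * the {@code SEC_AUTHZ_FAILED} audit message.
     *
     * @param authenticationResult the successful authentication result
     * @param str                  the application name
     * @param str2                 the requested URI (reported in the audit record)
     * @param list                 the roles required for the resource
     * @return {@code true} only when the authorization service grants access
     */
    private boolean authorize(AuthenticationResult authenticationResult, String str, String str2, List<String> list) {
        SecurityService securityService = this.securityServiceRef.getService();
        if (securityService == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Authorization failed due to null securityService object. Known to occur when a request comes during server shutdown.", new Object[0]);
            }
            return false;
        }
        AuthorizationService authorizationService = securityService.getAuthorizationService();
        if (authorizationService == null) {
            return false;
        }
        boolean authorized = authorizationService.isAuthorized(str, list, authenticationResult.getSubject());
        if (!authorized) {
            Tr.audit(tc, "SEC_AUTHZ_FAILED", auditPrincipalName(authenticationResult), str, str2, list);
        }
        return authorized;
    }

    /**
     * Builds the principal name reported in the {@code SEC_AUTHZ_FAILED} audit:
     * {@code user:realm} when both are known, otherwise the name of the subject's
     * first {@code WSPrincipal}.
     * <p>
     * The previous code called {@code iterator().next()} unconditionally, so a
     * subject without a {@code WSPrincipal} turned an audited denial into a
     * {@link java.util.NoSuchElementException}; such a subject now audits a
     * {@code null} name instead.
     *
     * @param authenticationResult the result whose subject was denied
     * @return the name to audit, or {@code null} when none can be determined
     */
    private static String auditPrincipalName(AuthenticationResult authenticationResult) {
        String userName = authenticationResult.getUserName();
        String realm = authenticationResult.getRealm();
        if (realm != null && userName != null) {
            return userName.concat(":").concat(realm);
        }
        Subject subject = authenticationResult.getSubject();
        if (subject == null) {
            return null;
        }
        Iterator<WSPrincipal> principals = subject.getPrincipals(WSPrincipal.class).iterator();
        return principals.hasNext() ? principals.next().getName() : null;
    }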

    /**
     * Runs the checks that can settle a request before any authentication.
     * <p>
     * In order: an empty or {@code null} URI is denied; a DIGEST login
     * configuration is denied; a request that must be on HTTPS gets the redirect
     * reply; a form-login special URI (login page, error page, or a POST to
     * {@code /j_security_check}) gets whatever {@link #unprotectedSpecialURI}
     * returns; finally an unprotected resource is permitted unless the TAI asks
     * to be invoked for unprotected URIs. Any other outcome of
     * {@link #unprotectedResource} — including a {@link DenyReply} for an
     * unavailable authorization service — is replaced by {@code null}, so the
     * caller continues with authentication and authorization.
     *
     * @param webRequest the request
     * @param str        the requested URI
     * @return the settling reply, or {@code null} when the caller must authenticate
     */
    public WebReply performInitialChecks(WebRequest webRequest, String str) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        String method = request.getMethod();
        boolean missingUri = str == null || str.isEmpty();
        if (missingUri) {
            return new DenyReply("Invalid URI passed to Security Collaborator.");
        }
        if (unsupportedAuthMech()) {
            return new DenyReply("Authentication Failed : DIGEST not supported");
        }
        if (this.wasch.isSSLRequired(webRequest, str)) {
            return this.httpsRedirectHandler.getHTTPSRedirectWebReply(request);
        }
        WebReply specialReply = unprotectedSpecialURI(webRequest, str, method);
        if (specialReply != null) {
            return specialReply;
        }
        WebReply resourceReply = unprotectedResource(webRequest);
        boolean permitNow = resourceReply == PERMIT_REPLY && !shouldWePerformTAIForUnProtectedURI(webRequest);
        return permitNow ? resourceReply : null;
    }

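    /**
     * Reports whether the trust association interceptor service wants to be
     * invoked even for unprotected URIs.
     *
     * @param webRequest the request (not consulted; kept for the caller's signature)
     * @return the TAI service's setting, or {@code false} when no TAI service is bound
     */
    private boolean shouldWePerformTAIForUnProtectedURI(WebRequest webRequest) {
        // Read the service reference once. The original read it twice (null check,
        // then use); the service can be unbound between the two reads, which would
        // throw a NullPointerException instead of returning false.
        TAIService taiService = this.taiServiceRef.getService();
        return taiService != null && taiService.isInvokeForUnprotectedURI();
    }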

    /**
     * Reports whether the module's login configuration asks for an authentication
     * method this collaborator does not support (currently only DIGEST, compared
     * case-insensitively).
     *
     * @return {@code true} when the configured method is DIGEST; {@code false}
     *         otherwise, including when no metadata or login configuration exists
     */
    public boolean unsupportedAuthMech() {
        SecurityMetadata metadata = getSecurityMetadata();
        if (metadata == null) {
            return false;
        }
        LoginConfiguration loginConfig = metadata.getLoginConfiguration();
        if (loginConfig == null) {
            return false;
        }
        return "DIGEST".equalsIgnoreCase(loginConfig.getAuthenticationMethod());
    }

    /**
     * Matches the request's servlet URI and HTTP method against the module's
     * security constraints.
     *
     * @param httpServletRequest the request; {@code null} yields
     *                           {@link MatchResponse#NO_MATCH_RESPONSE}
     * @return the constraint collection's match, or
     *         {@link MatchResponse#NO_MATCH_RESPONSE} when the module has no
     *         constraint collection
     * @throws SecurityViolationException with status 403 and message
     *                                    {@code SEC_WEB_ILLEGAL_REQUEST} when the
     *                                    match is {@code CUSTOM_NO_MATCH_RESPONSE},
     *                                    i.e. the method is not allowed for the URL
     */
    private MatchResponse getMatchResponse(HttpServletRequest httpServletRequest) throws SecurityViolationException {
        if (httpServletRequest == null) {
            return MatchResponse.NO_MATCH_RESPONSE;
        }
        String method = httpServletRequest.getMethod();
        String servletUri = new URLHandler(this.webAppSecConfig).getServletURI(httpServletRequest);
        SecurityConstraintCollection constraints = getSecurityMetadata().getSecurityConstraintCollection();
        MatchResponse match = constraints == null
                ? MatchResponse.NO_MATCH_RESPONSE
                : constraints.getMatchResponse(servletUri, method);
        if (MatchResponse.CUSTOM_NO_MATCH_RESPONSE.equals(match)) {
            throw new SecurityViolationException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "SEC_WEB_ILLEGAL_REQUEST", new Object[]{method, getRequestURL(httpServletRequest)}, "CWWKS9117E: The method {0} is not allowed to process for URL {1}. If this error is unexpected, ensure that the application allows the methods that the client is requesting."), 403);
        }
        return match;
    }

    /**
     * Returns the application name from the module configuration of the component
     * metadata on the current thread. The intermediate types are not visible in this
     * excerpt; every step is assumed non-null.
     *
     * @return the application name
     */
    protected String getApplicationName() {
        return ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData().getModuleMetaData().getConfiguration().getApplicationName();
    }

    /**
     * Returns the module name from the module configuration of the component
     * metadata on the current thread. Every step of the chain is assumed non-null.
     *
     * @return the module name
     */
    protected String getModuleName() {
        return ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData().getModuleMetaData().getConfiguration().getModuleName();
    }

    /**
     * Returns the security metadata attached to the module metadata on the current
     * thread. The value is cast to {@link SecurityMetadata}; callers elsewhere in
     * this class treat a {@code null} result as possible, so callers should check.
     *
     * @return the module's security metadata, possibly {@code null}
     */
    public SecurityMetadata getSecurityMetadata() {
        return (SecurityMetadata) ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData().getModuleMetaData().getSecurityMetaData();
    }

    /**
     * Stores the security metadata on the module metadata of the current thread's
     * component metadata.
     *
     * @param securityMetadata the metadata to attach
     */
    protected void setSecurityMetadata(SecurityMetadata securityMetadata) {
        ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData().getModuleMetaData().setSecurityMetaData(securityMetadata);
    }

    /**
     * Reports whether form-login pages apply for the given authentication method:
     * FORM always, CLIENT_CERT only when fail-over to form login is enabled in the
     * web app security configuration.
     *
     * @param str the configured authentication method
     * @return {@code true} when form-login handling applies
     */
    private boolean isValidAuthMethodForFormLogin(String str) {
        if (LoginConfiguration.FORM.equals(str)) {
            return true;
        }
        if (!LoginConfiguration.CLIENT_CERT.equals(str)) {
            return false;
        }
        return this.webAppSecConfig.getAllowFailOverToFormLogin();
    }

    /**
     * Permits the form-login special URIs without authentication.
     * <p>
     * Requires a login configuration with a form-login configuration and an
     * authentication method. When form login is usable (see
     * {@link #isValidAuthMethodForFormLogin}) and both a login page and an error
     * page are configured, a request for either page, or a {@code POST} to
     * {@code /j_security_check} (exact string comparisons), is permitted. When form
     * login is not usable, only an {@code ERROR} dispatch is permitted. Everything
     * else returns {@code null} so the normal checks continue.
     *
     * @param webRequest the request
     * @param str        the requested URI
     * @param str2       the HTTP method
     * @return {@link #PERMIT_REPLY}, or {@code null} when this method does not apply
     */
    private WebReply unprotectedSpecialURI(WebRequest webRequest, String str, String str2) {
        LoginConfiguration loginConfig = webRequest.getLoginConfig();
        if (loginConfig == null) {
            return null;
        }
        String authMethod = loginConfig.getAuthenticationMethod();
        FormLoginConfiguration formConfig = loginConfig.getFormLoginConfiguration();
        if (formConfig == null || authMethod == null) {
            return null;
        }
        String loginPage = formConfig.getLoginPage();
        String errorPage = formConfig.getErrorPage();
        boolean formLoginUsable = isValidAuthMethodForFormLogin(authMethod) && loginPage != null && errorPage != null;
        if (!formLoginUsable) {
            // Without usable form login only an error-page dispatch is let through.
            DispatcherType dispatcherType = webRequest.getHttpServletRequest().getDispatcherType();
            if (!dispatcherType.equals(DispatcherType.ERROR)) {
                return null;
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "authorize, error page[" + str + "]  requested, permit: ", PERMIT_REPLY);
            }
            return PERMIT_REPLY;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, " We have a custom login or error page request, web app login URL:[" + loginPage + "], errorPage URL:[" + errorPage + "], and the requested URI:[" + str + "]", new Object[0]);
        }
        boolean loginOrErrorPage = loginPage.equals(str) || errorPage.equals(str);
        boolean formCredentialPost = "/j_security_check".equals(str) && "POST".equals(str2);
        if (!loginOrErrorPage && !formCredentialPost) {
            return null;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "authorize, login or error page[" + str + "]  requested, permit: ", PERMIT_REPLY);
        }
        return PERMIT_REPLY;
    }

    /**
     * Reconstructs the request URL, including the raw query string when present.
     * <p>
     * The result is used in error messages and exceptions (see {@code login} and
     * {@code getMatchResponse}), so any query parameters the client sent end up in
     * those messages verbatim.
     *
     * @param httpServletRequest the request, or {@code null}
     * @return the URL with {@code ?query} appended, or {@code null} for a
     *         {@code null} request
     */
    protected String getRequestURL(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return null;
        }
        StringBuffer url = httpServletRequest.getRequestURL();
        String query = httpServletRequest.getQueryString();
        if (query != null && !query.isEmpty()) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Replaces the process-wide web app security configuration. The field is a
     * plain static; no synchronization or visibility guarantee is provided here.
     *
     * @param webAppSecurityConfig the new configuration
     */
    public static void setGlobalWebAppSecurityConfig(WebAppSecurityConfig webAppSecurityConfig) {
        final WebAppSecurityConfig replacement = webAppSecurityConfig;
        globalConfig = replacement;
    }

    /**
     * Returns the process-wide web app security configuration last set via
     * {@link #setGlobalWebAppSecurityConfig}.
     *
     * @return the current configuration, possibly {@code null} if never set
     */
    public static WebAppSecurityConfig getGlobalWebAppSecurityConfig() {
        final WebAppSecurityConfig current = globalConfig;
        return current;
    }

    /**
     * Lazily creates and caches the {@link AuthenticateApi} for this collaborator.
     * <p>
     * The check-then-create is not synchronized: two threads calling this before
     * the field is set may each construct an instance, with the last writer
     * winning. The arguments are only used on first construction.
     *
     * @param webAppSecurityConfig   configuration for the SSO cookie helper
     * @param atomicServiceReference OIDC server reference for the SSO cookie helper
     * @param atomicServiceReference2 security service reference
     * @param collaboratorUtils      collaborator utilities
     * @return the cached or newly created API
     */
    protected AuthenticateApi getAuthenticateApi(WebAppSecurityConfig webAppSecurityConfig, AtomicServiceReference<OidcServer> atomicServiceReference, AtomicServiceReference<SecurityService> atomicServiceReference2, CollaboratorUtils collaboratorUtils) {
        AuthenticateApi api = this.authenticateApi;
        if (api == null) {
            SSOCookieHelperImpl cookieHelper = new SSOCookieHelperImpl(webAppSecurityConfig, atomicServiceReference);
            api = new AuthenticateApi(cookieHelper, atomicServiceReference2, collaboratorUtils, this.webAuthenticatorRef, this.unprotectedResourceServiceRef);
            this.authenticateApi = api;
        }
        return api;
    }

    /**
     * Asks the OIDC server first and then the OAuth 2.0 service whether the request
     * targets one of their special URIs. A {@code null} service is treated as "not
     * mine"; the OAuth service is consulted only when the OIDC server did not claim
     * the URI.
     *
     * @param httpServletRequest the request
     * @param oAuth20Service     OAuth 2.0 service, or {@code null}
     * @param oidcServer         OIDC server, or {@code null}
     * @param z                  flag forwarded unchanged to both providers
     * @return {@code true} when either provider claims the URI
     */
    protected boolean isProviderSpecialProtectedURI(HttpServletRequest httpServletRequest, OAuth20Service oAuth20Service, OidcServer oidcServer, boolean z) {
        boolean oidcClaimsUri = oidcServer != null && oidcServer.isOIDCSpecificURI(httpServletRequest, z);
        if (oidcClaimsUri) {
            return true;
        }
        return oAuth20Service != null && oAuth20Service.isOauthSpecificURI(httpServletRequest, z);
    }

    /**
     * Reports whether the web container runs at Servlet 3.1 level or later.
     *
     * @return {@code true} when the container spec level is at least 31
     */
    private boolean isServletSpec31() {
        int specLevel = WebContainer.getServletContainerSpecLevel();
        return specLevel >= 31;
    }

    /* JADX INFO: Access modifiers changed from: protected */
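    /**
     * Returns the web application configuration of the component on the current
     * thread, when it is a web component.
     * <p>
     * The decompiled form declared the local as {@code WebComponentMetaData} and
     * then tested it with {@code instanceof WebComponentMetaData}, which loses the
     * cast the test exists for (and does not compile if the accessor returns a
     * supertype). The metadata is now held as {@code Object} and cast only after
     * the type check. (A decompiler note indicated the access modifier was
     * originally {@code protected}.)
     *
     * @return the {@link WebAppConfiguration}, or {@code null} when the component
     *         is not a web component or its configuration is of another type
     */
    public WebAppConfig getWebAppConfig() {
        Object componentMetaData = ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData();
        if (!(componentMetaData instanceof WebComponentMetaData)) {
            return null;
        }
        WebAppConfig webAppConfig = ((WebComponentMetaData) componentMetaData).getModuleMetaData().getConfiguration();
        // Only the concrete WebAppConfiguration is handed out; any other implementation is hidden.
        return webAppConfig instanceof WebAppConfiguration ? webAppConfig : null;
    }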

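    /**
     * Servlet {@code isUserInRole} support.
     * <p>
     * When a servlet is active, the role name is first resolved through the
     * servlet's security-role-ref; otherwise it is used as given. A resolved
     * {@code ALL_AUTHENTICATED_ROLE} is replaced by {@code STARSTAR_ROLE}. An
     * unresolvable role is rejected, except that asking for
     * {@code ALL_AUTHENTICATED_ROLE} on a Servlet 3.1+ container checks that role
     * directly. The final decision is delegated to the authorization service; a
     * missing security or authorization service fails closed.
     *
     * @param str              the role name as used by the application
     * @param iExtendedRequest the request, used to find the current servlet
     * @param subject          the subject to check
     * @return {@code true} only when the authorization service grants the role
     */
    @Override // com.ibm.ws.webcontainer.security.WebAppAuthorizationHelper
    public boolean isUserInRole(String str, IExtendedRequest iExtendedRequest, Subject subject) {
        RequestProcessor currentServlet = iExtendedRequest.getWebAppDispatcherContext().getCurrentServletReference();
        String realRole = currentServlet != null
                ? getSecurityMetadata().getSecurityRoleReferenced(currentServlet.getName(), str)
                : str;
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "isUserInRole realRole = " + realRole, new Object[0]);
        }
        if (realRole != null && realRole.equals(ALL_AUTHENTICATED_ROLE)) {
            realRole = STARSTAR_ROLE;
        }
        if (realRole == null) {
            // Null-safe comparison: the original called str.equals(...) here and
            // threw NullPointerException for a null role name.
            boolean allAuthenticatedRequested = str != null && str.equals(ALL_AUTHENTICATED_ROLE);
            if (!allAuthenticatedRequested || !isServletSpec31()) {
                return false;
            }
            realRole = ALL_AUTHENTICATED_ROLE;
        }
        // Guard the service reference as authorize(...) does; it can be null during shutdown.
        SecurityService securityService = this.securityServiceRef.getService();
        AuthorizationService authorizationService = securityService == null ? null : securityService.getAuthorizationService();
        if (authorizationService == null) {
            return false;
        }
        List<String> roles = new ArrayList<String>(1);
        roles.add(realRole);
        return authorizationService.isAuthorized(getApplicationName(), roles, subject);
    }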

    /**
     * Authorizes the result against the request's application name and required
     * roles, without touching the thread's subjects.
     *
     * @param authenticationResult the successful authentication result
     * @param webRequest           supplies the application name and required roles
     * @param str                  the requested URI (for auditing)
     * @return the outcome of the authorization check
     */
    @Override // com.ibm.ws.webcontainer.security.WebAppAuthorizationHelper
    public boolean authorize(AuthenticationResult authenticationResult, WebRequest webRequest, String str) {
        String applicationName = webRequest.getApplicationName();
        List<String> requiredRoles = webRequest.getRequiredRoles();
        return authorize(authenticationResult, applicationName, str, requiredRoles);
    }

    /**
     * Reports whether the request must be redirected to HTTPS, as decided by the
     * HTTPS redirect handler. The URI parameter is not consulted.
     *
     * @param webRequest the request
     * @param str        the requested URI (unused)
     * @return the redirect handler's decision
     */
    @Override // com.ibm.ws.webcontainer.security.WebAppAuthorizationHelper
    public boolean isSSLRequired(WebRequest webRequest, String str) {
        HTTPSRedirectHandler handler = this.httpsRedirectHandler;
        return handler.shouldRedirectToHttps(webRequest);
    }

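    /**
     * Denies requests that must never be served regardless of identity.
     * <p>
     * Denied are: access precluded by constraints with empty role lists; an
     * uncovered HTTP method ({@code DENY_MATCH_RESPONSE}); and a request flagged by
     * the container (attribute
     * {@code com.ibm.ws.webcontainer.security.checkdefaultmethod} equal to
     * {@code "TRACE"}) as reaching the default TRACE implementation of an
     * unprotected resource.
     *
     * @param webRequest the request
     * @param str        the requested URI (unused)
     * @return a {@link DenyReply}, or {@code null} when access is not precluded
     */
    @Override // com.ibm.ws.webcontainer.security.WebAppAuthorizationHelper
    public WebReply checkPrecludedAccess(WebRequest webRequest, String str) {
        if (webRequest.isAccessPrecluded()) {
            return new DenyReply("Access is precluded because security constraints are specified, but the required roles are empty.");
        }
        if (MatchResponse.DENY_MATCH_RESPONSE.equals(webRequest.getMatchResponse())) {
            return new DenyReply("Http uncovered method found, denying reply.");
        }
        // Compare by value. The original used == on the attribute, which only holds
        // when both sides are the same interned String instance; a "TRACE" value
        // built at runtime would silently skip this deny. Holding the attribute as
        // Object also avoids a ClassCastException for a non-String value.
        Object checkDefaultMethod = webRequest.getHttpServletRequest().getAttribute("com.ibm.ws.webcontainer.security.checkdefaultmethod");
        if ("TRACE".equals(checkDefaultMethod) && webRequest.getRequiredRoles().isEmpty()) {
            return new DenyReply("Illegal request. Default implementation of TRACE not allowed.");
        }
        return null;
    }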

    /**
     * Asks every registered unprotected-resource service whether the request
     * nevertheless requires authentication; the first positive answer wins.
     *
     * @param webRequest the request
     * @return {@code true} when any service requires authentication
     */
    boolean isUnprotectedResourceAuthenRequired(WebRequest webRequest) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        for (String serviceKey : this.unprotectedResourceServiceRef.keySet()) {
            if (this.unprotectedResourceServiceRef.getService(serviceKey).isAuthenticationRequired(request)) {
                return true;
            }
        }
        return false;
    }
}
