package com.ibm.ws.security.jaspi;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.JaspiService;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorHelper;
import com.ibm.ws.webcontainer.security.WebRequest;
import com.ibm.ws.webcontainer.security.WebRequestImpl;
import com.ibm.ws.webcontainer.security.WebSecurityContext;
import com.ibm.ws.webcontainer.security.metadata.FormLoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.ws.webcontainer.security.metadata.SecurityMetadata;
import com.ibm.ws.webcontainer.security.util.WebConfigUtils;
import com.ibm.ws.webcontainer.srt.SRTServletRequest;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.jaspi.ProviderService;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.webcontainer.servlet.IExtendedResponse;
import com.ibm.wsspi.webcontainer.webapp.WebAppConfig;
import java.io.File;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {JaspiService.class, WebAuthenticator.class}, name = "com.ibm.ws.security.jaspi", configurationPolicy = ConfigurationPolicy.IGNORE, immediate = true, property = {"service.vendor=IBM", "com.ibm.ws.security.webAuthenticator.type=JASPI"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.jaspic-1.1_1.0.14.jar:com/ibm/ws/security/jaspi/JaspiServiceImpl.class */
public class JaspiServiceImpl implements JaspiService, WebAuthenticator {
    // MessageInfo map key through which a provider may state the auth type to record on the
    // request (read in setRequestAuthType(MessageInfo, JaspiRequest)).
    private static final String AUTH_TYPE = "javax.servlet.http.authType";
    // MessageInfo map key: "true" when the target resource is protected (written in newMessageInfo
    // from JaspiRequest.isProtected(), read in doHashTableLogin).
    private static final String IS_MANDATORY_POLICY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Not referenced in the visible part of this class.
    private static final String JACC_POLICY_CONTEXT = "javax.security.jacc.PolicyContext";
    // Not referenced in the visible part of this class.
    private static final String JASPI_WEB_REQUEST = "com.ibm.websphere.jaspi.request";
    // Security name marking a Subject as unauthenticated; doHashTableLogin skips the Hashtable
    // login for it and uses the unauthenticated Subject instead.
    public static final String UNAUTHENTICATED_ID = "UNAUTHENTICATED";
    // DS reference names; they must match the @Reference(name = ...) declarations below.
    private static final String KEY_UNAUTHENTICATED_SUBJECT_SERVICE = "unauthenticatedSubjectService";
    // Bound/unbound by DS through set/unsetUnauthenticatedSubjectService.
    private UnauthenticatedSubjectService unauthenticatedSubjectService;
    private static final String KEY_JASPI_PROVIDER = "jaspiProvider";
    public static final String KEY_SECURITY_SERVICE = "securityService";
    static final String KEY_LOCATION_SERVICE = "locationService";
    // Not referenced in the visible part of this class; getServerResourceAbsolutePath resolves
    // relative paths with WsLocationConstants.SYMBOL_SERVER_CONFIG_DIR instead.
    static final String SERVER_CONFIG_LOCATION = "${server.config.dir}";
    // NOTE(review): the class is not declared Serializable here; this looks like a build-tooling
    // injected field rather than a real serialization contract.
    static final long serialVersionUID = -6213942282988926384L;
    private static final TraceComponent tc = Tr.register(JaspiServiceImpl.class);
    // Static so that the static getServerResourceAbsolutePath can use it; activated and
    // deactivated together with the component.
    private static final AtomicServiceReference<WsLocationAdmin> locationService = new AtomicServiceReference<>("locationService");
    // Set to true whenever the ProviderService reference is bound or unbound; consumed and
    // cleared by getAuthConfigProvider on the next provider lookup.
    // NOTE(review): plain non-volatile boolean written from DS bind/unbind callbacks and
    // read/written on request threads — cross-thread visibility is not guaranteed; confirm
    // whether a missed update matters here.
    private boolean providerConfigModified = false;
    // Presumably initialised lazily by helpers defined outside the visible part of this class
    // (e.g. getWebProviderAuthenticatorHelper()) — not assigned anywhere visible here.
    private WebProviderAuthenticatorHelper authHelper = null;
    private SubjectManager subjectManager = null;
    // Trackers for the optional JASPI ProviderService and the mandatory SecurityService.
    protected final AtomicServiceReference<ProviderService> jaspiProviderServiceRef = new AtomicServiceReference<>(KEY_JASPI_PROVIDER);
    protected final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>("securityService");

    /**
     * Per-request JASPI state kept on the WebSecurityContext after validateRequest: the
     * ServerAuthContext that handled the request, the MessageInfo it was given, and a flag that
     * tells the post-invoke path whether the provider's secureResponse should still be called
     * (cleared when validateRequest throws).
     *
     * Plain holder; no synchronisation — assumed to be confined to the request that created it.
     */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    public static class PostInvokeJaspiContext implements JaspiService.JaspiAuthContext {
        static final long serialVersionUID = 6123878316387144105L;
        private static final TraceComponent $$$tc$$$ = Tr.register(PostInvokeJaspiContext.class);
        private final ServerAuthContext authContext;
        private final MessageInfo msgInfo;
        // Defaults to false until setRunSecureResponse(true) is called.
        private boolean runSecureResponse;

        /**
         * @param authContext the provider's ServerAuthContext for this request
         * @param msgInfo     the MessageInfo handed to that context
         */
        public PostInvokeJaspiContext(ServerAuthContext authContext, MessageInfo msgInfo) {
            this.authContext = authContext;
            this.msgInfo = msgInfo;
        }

        /** @return the MessageInfo given to the constructor */
        @Override
        public MessageInfo getMessageInfo() {
            return msgInfo;
        }

        /** @return the ServerAuthContext given to the constructor */
        @Override
        public ServerAuthContext getServerAuthContext() {
            return authContext;
        }

        /** @return whether secureResponse should be invoked post-invoke */
        @Override
        public boolean runSecureResponse() {
            return runSecureResponse;
        }

        /** @param z new value of the secureResponse flag */
        @Override
        public void setRunSecureResponse(boolean z) {
            runSecureResponse = z;
        }
    }

    /**
     * DS bind method for the mandatory {@link UnauthenticatedSubjectService}.
     *
     * @param unauthenticatedSubjectService the service instance to use from now on
     */
    @Reference(name = KEY_UNAUTHENTICATED_SUBJECT_SERVICE, service = UnauthenticatedSubjectService.class, cardinality = ReferenceCardinality.MANDATORY, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setUnauthenticatedSubjectService(UnauthenticatedSubjectService unauthenticatedSubjectService) {
        // Dynamic/greedy policy: a newer service may replace the current one at any time.
        this.unauthenticatedSubjectService = unauthenticatedSubjectService;
    }

    /**
     * DS unbind method for the {@link UnauthenticatedSubjectService}.
     * Only clears the field when the unbound instance is the one currently held, so a
     * replacement that was bound first (dynamic policy) is not dropped by the old one's unbind.
     *
     * @param unauthenticatedSubjectService the instance going away
     */
    protected void unsetUnauthenticatedSubjectService(UnauthenticatedSubjectService unauthenticatedSubjectService) {
        boolean isCurrent = this.unauthenticatedSubjectService == unauthenticatedSubjectService;
        if (!isCurrent) {
            return;
        }
        this.unauthenticatedSubjectService = null;
    }

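    /**
     * DS bind method for the optional JASPI {@link ProviderService}.
     * Records the reference, marks the provider configuration as modified so that
     * getAuthConfigProvider pushes the new service into the registry on the next lookup, and
     * logs JASPI_PROVIDER_SERVICE_ACTIVATED.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(name = KEY_JASPI_PROVIDER, service = ProviderService.class, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setJaspiProvider(ServiceReference<ProviderService> serviceReference) {
        this.jaspiProviderServiceRef.setReference(serviceReference);
        this.providerConfigModified = true;
        // getService() may return null (reference bound before activate(), or the service
        // vanishing concurrently); unsetJaspiProvider and mapToAuthenticationResult already guard
        // this, so log the class only when a service is actually available instead of
        // dereferencing unconditionally.
        ProviderService providerService = this.jaspiProviderServiceRef.getService();
        Tr.info(tc, "JASPI_PROVIDER_SERVICE_ACTIVATED", providerService != null ? providerService.getClass() : null);
    }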

    /**
     * DS unbind method for the JASPI {@link ProviderService}.
     * Logs JASPI_PROVIDER_SERVICE_DEACTIVATED (with the provider class when one is still
     * resolvable), releases the reference and flags the configuration as modified so that the
     * registry is updated on the next getAuthConfigProvider call.
     *
     * @param serviceReference the reference being unbound
     */
    protected void unsetJaspiProvider(ServiceReference<ProviderService> serviceReference) {
        ProviderService current = this.jaspiProviderServiceRef.getService();
        Class<?> providerClass = current == null ? null : current.getClass();
        Tr.info(tc, "JASPI_PROVIDER_SERVICE_DEACTIVATED", new Object[] { providerClass });
        this.jaspiProviderServiceRef.unsetReference(serviceReference);
        this.providerConfigModified = true;
    }

    /**
     * DS bind method for the mandatory {@link SecurityService}; stores the reference in the tracker.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(name = "securityService", service = SecurityService.class, cardinality = ReferenceCardinality.MANDATORY, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbind method for the {@link SecurityService}; releases the reference from the tracker.
     *
     * @param serviceReference the reference being unbound
     */
    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS bind method for {@link WsLocationAdmin}; the tracker is static because
     * getServerResourceAbsolutePath is static.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(service = WsLocationAdmin.class, name = "locationService", policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setLocationService(ServiceReference<WsLocationAdmin> serviceReference) {
        JaspiServiceImpl.locationService.setReference(serviceReference);
    }

    /**
     * DS unbind method for {@link WsLocationAdmin}; releases the static tracker's reference.
     *
     * @param serviceReference the reference being unbound
     */
    protected void unsetLocationService(ServiceReference<WsLocationAdmin> serviceReference) {
        JaspiServiceImpl.locationService.unsetReference(serviceReference);
    }

    /**
     * Resolves a server resource path to an absolute path.
     * An already absolute path is returned unchanged; a relative one is resolved by
     * {@link WsLocationAdmin#resolveString} underneath the server configuration directory
     * ({@code WsLocationConstants.SYMBOL_SERVER_CONFIG_DIR}). No normalisation or containment
     * check is done on the result, so this is meant for configuration-sourced values, not for
     * anything derived from a request.
     *
     * @param str the configured path, absolute or relative to the server config directory
     * @return the absolute path, or {@code null} if the location service returned no resolution
     * @throws IllegalStateException from {@code getServiceWithException} when the location
     *         service is not available (only for relative paths)
     */
    public static String getServerResourceAbsolutePath(String str) {
        if (new File(str).isAbsolute()) {
            return str;
        }
        WsLocationAdmin locationAdmin = locationService.getServiceWithException();
        if (locationAdmin == null) {
            return null;
        }
        return locationAdmin.resolveString(WsLocationConstants.SYMBOL_SERVER_CONFIG_DIR + str);
    }

    /**
     * DS activation: activates the three service trackers so that bound references become
     * resolvable, then installs this bundle's AuthConfigFactory implementation via
     * {@link AuthConfigFactoryWrapper#setFactoryImplementation()} (presumably the
     * ProviderRegistry that getAuthConfigProvider checks for).
     *
     * @param componentContext the DS component context
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        JaspiServiceImpl.locationService.activate(componentContext);
        jaspiProviderServiceRef.activate(componentContext);
        securityServiceRef.activate(componentContext);
        AuthConfigFactoryWrapper.setFactoryImplementation();
    }

    /**
     * DS deactivation: deactivates the three service trackers in the same order they were
     * activated. The AuthConfigFactory installed in activate() is not reset here.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        JaspiServiceImpl.locationService.deactivate(componentContext);
        jaspiProviderServiceRef.deactivate(componentContext);
        securityServiceRef.deactivate(componentContext);
    }

    /**
     * Returns the custom-credential Hashtable a JASPI provider stored in the Subject's private
     * credentials (the table read by doHashTableLogin for the security name).
     * If the Subject holds several Hashtables the one the set's iterator yields first is
     * returned; nothing orders them.
     *
     * @param subject the Subject to inspect; {@code null} yields {@code null}
     * @return the first Hashtable among the private credentials, or {@code null} if there is none
     */
    @Override
    public Hashtable<String, Object> getCustomCredentials(final Subject subject) {
        if (subject == null) {
            return null;
        }
        PrivilegedAction<Hashtable<String, Object>> lookup = new PrivilegedAction<Hashtable<String, Object>>() {
            @Override
            public Hashtable<String, Object> run() {
                // Private credentials are permission-checked, hence the doPrivileged wrapper.
                Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
                if (tables == null || tables.isEmpty()) {
                    if (JaspiServiceImpl.tc.isDebugEnabled()) {
                        Tr.debug(JaspiServiceImpl.tc, "Subject has no Hashtable with custom credentials, return null.", new Object[0]);
                    }
                    return null;
                }
                @SuppressWarnings("unchecked")
                Hashtable<String, Object> first = tables.iterator().next();
                return first;
            }
        };
        return AccessController.doPrivileged(lookup);
    }

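    /**
     * Removes the given custom-credential Hashtable from the Subject's private credentials.
     *
     * The match is by identity ({@code ==}), not {@code equals()}, so only the exact table that
     * was handed to the provider is removed. {@code Subject.getPrivateCredentials(Class)} returns a
     * detached copy, so the removal has to go through the live, Subject-backed set returned by
     * {@code getPrivateCredentials()}; removing from the copy would leave the table — and whatever
     * the provider put in it — attached to the Subject.
     *
     * @param subject   the Subject to clean up; {@code null} is a no-op
     * @param hashtable the exact Hashtable instance to remove
     */
    private void removeCustomCredentials(final Subject subject, final Hashtable hashtable) {
        if (subject == null) {
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                // A read-only Subject rejects iterator.remove() with IllegalStateException; the
                // table cannot be removed from it, so say so and leave it alone.
                if (subject.isReadOnly()) {
                    if (JaspiServiceImpl.tc.isDebugEnabled()) {
                        Tr.debug(JaspiServiceImpl.tc, "Subject is read-only, custom credentials cannot be removed.", new Object[0]);
                    }
                    return null;
                }
                Set<Object> privateCredentials = subject.getPrivateCredentials();
                if (privateCredentials.isEmpty()) {
                    if (JaspiServiceImpl.tc.isDebugEnabled()) {
                        Tr.debug(JaspiServiceImpl.tc, "No custom credentials to remove from Subject.", new Object[0]);
                    }
                    return null;
                }
                // Identity match on the live set; Set.remove(Object) would use Hashtable.equals()
                // and could remove a different but equal-content table.
                for (Iterator<Object> it = privateCredentials.iterator(); it.hasNext();) {
                    if (it.next() == hashtable) {
                        it.remove();
                        return null;
                    }
                }
                return null;
            }
        });
    }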

    /**
     * {@link WebAuthenticator} entry point for a {@link WebRequest}.
     * Looks up the JASPI provider for the request's application context; when none is
     * registered the result is CONTINUE so that the next authenticator can run. Otherwise the
     * JASPI auth context is attached to the WebSecurityContext (for the post-invoke path), the
     * JASPI session subject — if one exists — is put on the thread as caller and invocation
     * subject, and the provider validates the request.
     *
     * @param webRequest the request to authenticate
     * @return the provider's result (see mapToAuthenticationResult), FAILURE carrying the
     *         exception message on an AuthenticationException, or CONTINUE when no provider is
     *         registered
     */
    @Override
    @FFDCIgnore({AuthenticationException.class})
    public AuthenticationResult authenticate(WebRequest webRequest) {
        JaspiRequest jaspiRequest = new JaspiRequest(webRequest, null);
        AuthConfigProvider provider = getAuthConfigProvider(jaspiRequest.getAppContext());
        if (provider == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "No JASPIC provider found for request: " + webRequest.getHttpServletRequest().getRequestURI());
        }
        try {
            if (jaspiRequest.getWebSecurityContext() != null) {
                webRequest.getWebSecurityContext().setJaspiAuthContext(getJaspiAuthContext(jaspiRequest, provider));
            }
            Subject sessionSubject = getSessionSubject(jaspiRequest);
            if (sessionSubject != null) {
                SubjectManager manager = new SubjectManager();
                manager.setCallerSubject(sessionSubject);
                manager.setInvocationSubject(sessionSubject);
            }
            return authenticate(new Subject(), getJaspiAuthType(jaspiRequest), jaspiRequest, provider);
        } catch (AuthenticationException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error during JASPI authentication", e);
            }
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /**
     * {@link WebAuthenticator} entry point driven by a servlet request/response pair plus a
     * property map. The map's "webAppConfig" entry (a WebAppConfig) is required — it is
     * dereferenced for the application name; "securityMetadata" and "webAppSecurityConfig" are
     * passed through to the WebRequestImpl. Otherwise this behaves like
     * {@link #authenticate(WebRequest)}, except that no JASPI session subject is put on the thread.
     *
     * @param httpServletRequest  the servlet request
     * @param httpServletResponse the servlet response
     * @param hashMap             request properties, see above
     * @return the provider's result, FAILURE on an AuthenticationException, or CONTINUE when no
     *         provider is registered
     * @throws Exception declared by the interface; this implementation itself only lets runtime
     *         failures (e.g. a missing "webAppConfig" entry) propagate
     */
    @Override
    @FFDCIgnore({AuthenticationException.class})
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> hashMap) throws Exception {
        WebAppConfig webAppConfig = (WebAppConfig) hashMap.get("webAppConfig");
        SecurityMetadata securityMetadata = (SecurityMetadata) hashMap.get("securityMetadata");
        WebAppSecurityConfig webAppSecurityConfig = (WebAppSecurityConfig) hashMap.get("webAppSecurityConfig");
        WebRequestImpl webRequest = new WebRequestImpl(httpServletRequest, httpServletResponse, webAppConfig.getApplicationName(), null, securityMetadata, null, webAppSecurityConfig);
        JaspiRequest jaspiRequest = new JaspiRequest(webRequest, webAppConfig);
        AuthConfigProvider provider = getAuthConfigProvider(jaspiRequest.getAppContext());
        if (provider == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "No JASPI provider found for request: " + httpServletRequest.getRequestURI());
        }
        try {
            if (jaspiRequest.getWebSecurityContext() != null) {
                webRequest.getWebSecurityContext().setJaspiAuthContext(getJaspiAuthContext(jaspiRequest, provider));
            }
            return authenticate(new Subject(), getJaspiAuthType(jaspiRequest), jaspiRequest, provider);
        } catch (AuthenticationException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error during JASPI authentication", e);
            }
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /**
     * Core JASPI flow: obtains the provider's ServerAuthContext, lets it validate the request and
     * maps the outcome to an AuthenticationResult.
     *
     * On SUCCESS/SEND_SUCCESS the MessageInfo is post-processed: a
     * "javax.servlet.http.registerSession" value is copied to the WebRequest properties, any
     * request/response wrapper the provider installed is published as a ServletContext
     * attribute, the Subject is completed by doHashTableLogin and the auth type is recorded on
     * the request. Any other status is mapped without producing a Subject.
     *
     * @param subject            a fresh Subject for the provider to populate
     * @param str                the auth type ("BASIC"/"FORM", from getJaspiAuthType) recorded on
     *                           the request before validation
     * @param jaspiRequest       the request being authenticated
     * @param authConfigProvider the provider registered for the request's application context
     * @return the mapped result, see mapToAuthenticationResult
     * @throws AuthenticationException wrapping an AuthException from the provider, or a
     *         WSLoginFailedException from the Hashtable login that follows a successful validation
     */
    @FFDCIgnore({AuthException.class, WSLoginFailedException.class})
    @ManualTrace
    private AuthenticationResult authenticate(Subject subject, String str, JaspiRequest jaspiRequest, AuthConfigProvider authConfigProvider) throws AuthenticationException {
        AuthenticationResult mapToAuthenticationResult;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate", subject, str, jaspiRequest, authConfigProvider);
        }
        WebSecurityContext webSecurityContext = jaspiRequest.getWebSecurityContext();
        // NOTE(review): this is a ServletContext (application-scope) attribute, not a request
        // attribute, so it is shared by every request of the web application — confirm that is
        // the intended scope.
        jaspiRequest.getHttpServletRequest().getServletContext().setAttribute("com.ibm.ws.security.jaspi.authenticated", Boolean.toString(Boolean.TRUE.booleanValue()));
        try {
            ServerAuthContext serverAuthContext = getServerAuthContext(jaspiRequest, authConfigProvider);
            MessageInfo messageInfo = jaspiRequest.getMessageInfo();
            setRequestAuthType(jaspiRequest.getHttpServletRequest(), str);
            if (webSecurityContext != null) {
                // Assume secureResponse must run post-invoke; cleared again below only if the
                // provider throws an AuthException.
                setRunSecureResponse(true, (JaspiService.JaspiAuthContext) webSecurityContext.getJaspiAuthContext());
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "calling authContext.validateRequest", "authContext=" + serverAuthContext, subject, messageInfo);
            }
            // Third argument is the service subject; none is supplied.
            AuthStatus validateRequest = serverAuthContext.validateRequest(messageInfo, subject, null);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateRequest status: " + validateRequest, new Object[0]);
            }
            if (AuthStatus.SUCCESS == validateRequest || AuthStatus.SEND_SUCCESS == validateRequest) {
                Map map = messageInfo.getMap();
                if (map != null) {
                    // Provider asked for the authenticated session to be registered; the flag is
                    // handed to the WebRequest as a property.
                    String str2 = (String) map.get("javax.servlet.http.registerSession");
                    if (Boolean.valueOf(str2).booleanValue()) {
                        HashMap hashMap = new HashMap();
                        hashMap.put("javax.servlet.http.registerSession", str2);
                        jaspiRequest.getWebRequest().setProperties(hashMap);
                    }
                }
                // The provider may have replaced the request/response with wrappers; they are
                // exposed through ServletContext attributes.
                // NOTE(review): application scope again — concurrent requests overwrite each
                // other's wrapper; confirm the consumer reads it immediately on this thread.
                Object requestMessage = messageInfo.getRequestMessage();
                if (requestMessage != null && requestMessage != jaspiRequest.getHttpServletRequest()) {
                    jaspiRequest.getHttpServletRequest().getServletContext().setAttribute("com.ibm.ws.security.jaspi.servlet.request.wrapper", requestMessage);
                }
                Object responseMessage = messageInfo.getResponseMessage();
                if (responseMessage != null && responseMessage != jaspiRequest.getHttpServletResponse()) {
                    jaspiRequest.getHttpServletRequest().getServletContext().setAttribute("com.ibm.ws.security.jaspi.servlet.response.wrapper", responseMessage);
                }
                // Complete the Subject (Hashtable login, session subject or unauthenticated
                // subject) and let the provider override the recorded auth type via the
                // MessageInfo map.
                mapToAuthenticationResult = mapToAuthenticationResult(validateRequest, jaspiRequest, doHashTableLogin(subject, jaspiRequest));
                setRequestAuthType(messageInfo, jaspiRequest);
            } else {
                // SEND_CONTINUE / SEND_FAILURE / anything else: no Subject.
                mapToAuthenticationResult = mapToAuthenticationResult(validateRequest, jaspiRequest, null);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate", validateRequest);
            }
            return mapToAuthenticationResult;
        } catch (WSLoginFailedException e) {
            // validateRequest succeeded but the Hashtable login did not. runSecureResponse is
            // left as set above; only the AuthException path below clears it.
            AuthenticationException authenticationException = new AuthenticationException("Custom login failure after JASPI authentication completed successfully, exception: " + e);
            authenticationException.initCause(e);
            throw authenticationException;
        } catch (AuthException e2) {
            AuthenticationException authenticationException2 = new AuthenticationException("JASPI authentication failure: " + e2);
            authenticationException2.initCause(e2);
            if (webSecurityContext != null) {
                // Provider failed: do not attempt secureResponse post-invoke.
                setRunSecureResponse(false, (JaspiService.JaspiAuthContext) webSecurityContext.getJaspiAuthContext());
            }
            throw authenticationException2;
        }
    }

    /**
     * Looks up the {@link AuthConfigProvider} registered for the "HttpServlet" layer and the
     * given application context.
     * If the ProviderService reference changed since the last lookup and the factory is this
     * bundle's ProviderRegistry, the current service is pushed into the registry first.
     *
     * @param str the application context identifier
     * @return the registered provider, or {@code null} if there is no factory or no provider
     */
    private AuthConfigProvider getAuthConfigProvider(String str) {
        AuthConfigFactory factory = AuthConfigFactoryWrapper.getFactory();
        if (factory == null) {
            return null;
        }
        boolean registryNeedsUpdate = this.providerConfigModified && factory instanceof ProviderRegistry;
        if (registryNeedsUpdate) {
            ProviderRegistry registry = (ProviderRegistry) factory;
            registry.setProvider(this.jaspiProviderServiceRef.getService());
            this.providerConfigModified = false;
        }
        return factory.getConfigProvider("HttpServlet", str, (RegistrationListener) null);
    }

    /**
     * Builds the {@link PostInvokeJaspiContext} that is stored on the WebSecurityContext:
     * the provider's ServerAuthContext for this request plus the request's MessageInfo.
     *
     * @param jaspiRequest       the request being authenticated
     * @param authConfigProvider the provider registered for the request's application context
     * @return the context, or {@code null} when no ServerAuthContext could be obtained
     * @throws AuthenticationException wrapping any failure while obtaining the ServerAuthContext
     */
    public JaspiService.JaspiAuthContext getJaspiAuthContext(JaspiRequest jaspiRequest, AuthConfigProvider authConfigProvider) throws AuthenticationException {
        try {
            ServerAuthContext serverAuthContext = getServerAuthContext(jaspiRequest, authConfigProvider);
            if (serverAuthContext == null) {
                return null;
            }
            return new PostInvokeJaspiContext(serverAuthContext, jaspiRequest.getMessageInfo());
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiServiceImpl", "476", this, new Object[]{jaspiRequest, authConfigProvider});
            AuthenticationException wrapped = new AuthenticationException("Unable to get JASPI ServerAuthContext.");
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Creates the {@link MessageInfo} handed to the provider for this request.
     * The isMandatory policy entry tells the provider whether the target resource is protected
     * (taken from {@code JaspiRequest.isProtected()}); doHashTableLogin reads it back later.
     *
     * @param jaspiRequest the request being authenticated
     * @return a new JaspiMessageInfo wrapping the request and response
     */
    protected MessageInfo newMessageInfo(JaspiRequest jaspiRequest) {
        HttpServletRequest request = jaspiRequest.getHttpServletRequest();
        HttpServletResponse response = jaspiRequest.getHttpServletResponse();
        JaspiMessageInfo messageInfo = new JaspiMessageInfo(request, response);
        String isMandatory = Boolean.toString(jaspiRequest.isProtected());
        messageInfo.getMap().put(IS_MANDATORY_POLICY, isMandatory);
        return messageInfo;
    }

    /**
     * Asks the provider for a {@link ServerAuthContext}: obtains its ServerAuthConfig for the
     * "HttpServlet" layer and the request's application context (with a JaspiCallbackHandler
     * bound to this service), creates and stores a fresh MessageInfo on the request, and resolves
     * the auth context for that MessageInfo's context id.
     *
     * @param jaspiRequest       the request being authenticated
     * @param authConfigProvider the provider; {@code null} yields {@code null}
     * @return the provider's ServerAuthContext, or {@code null} when no provider was given
     * @throws AuthException     from the provider
     * @throws SecurityException from the provider
     */
    protected ServerAuthContext getAuthContextFromProvider(JaspiRequest jaspiRequest, AuthConfigProvider authConfigProvider) throws AuthException, SecurityException {
        String appContext = jaspiRequest.getAppContext();
        if (authConfigProvider == null) {
            return null;
        }
        ServerAuthConfig serverAuthConfig = authConfigProvider.getServerAuthConfig("HttpServlet", appContext, new JaspiCallbackHandler(this));
        MessageInfo messageInfo = newMessageInfo(jaspiRequest);
        jaspiRequest.setMessageInfo(messageInfo);
        String authContextID = serverAuthConfig.getAuthContextID(messageInfo);
        return serverAuthConfig.getAuthContext(authContextID, null, getAuthContextProps(jaspiRequest));
    }

    /**
     * Returns the {@link ServerAuthContext} for this request, reusing the one already stored in
     * the WebSecurityContext's JaspiAuthContext when present and otherwise asking the provider.
     *
     * @param jaspiRequest       the request being authenticated
     * @param authConfigProvider the provider registered for the request's application context
     * @return the ServerAuthContext ({@code null} only if the provider path returns none)
     * @throws AuthenticationException wrapping any failure from getAuthContextFromProvider
     */
    protected ServerAuthContext getServerAuthContext(JaspiRequest jaspiRequest, AuthConfigProvider authConfigProvider) throws AuthenticationException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getServerAuthContext", jaspiRequest.getWebSecurityContext(), authConfigProvider);
        }
        WebSecurityContext webSecurityContext = jaspiRequest.getWebSecurityContext();
        JaspiService.JaspiAuthContext cached = null;
        if (webSecurityContext != null) {
            cached = (JaspiService.JaspiAuthContext) webSecurityContext.getJaspiAuthContext();
        }
        if (cached != null) {
            return (ServerAuthContext) cached.getServerAuthContext();
        }
        try {
            return getAuthContextFromProvider(jaspiRequest, authConfigProvider);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiServiceImpl", "518", this, new Object[]{jaspiRequest, authConfigProvider});
            AuthenticationException wrapped = new AuthenticationException("Unable to get JASPI ServerAuthContext.");
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Records the auth type on the request after a successful validation.
     * A provider may choose it explicitly through the "javax.servlet.http.authType" entry of the
     * MessageInfo map; otherwise the deployment descriptor's auth-method is used, falling back
     * to "JASPI" when none is configured. The value is set on the provider's (possibly wrapped)
     * request message.
     *
     * @param messageInfo  the MessageInfo returned from validateRequest
     * @param jaspiRequest the request being authenticated
     */
    protected void setRequestAuthType(MessageInfo messageInfo, JaspiRequest jaspiRequest) {
        Map map = messageInfo.getMap();
        String authType;
        if (map.containsKey(AUTH_TYPE)) {
            // Provider-chosen value; cast assumes the provider stored a String.
            authType = (String) map.get(AUTH_TYPE);
        } else {
            String ddAuthMethod = getDDAuthMethod(jaspiRequest);
            authType = ddAuthMethod != null ? ddAuthMethod : "JASPI";
        }
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        setRequestAuthType(request, authType);
    }

    /**
     * Returns the auth-method from the request's login configuration (deployment descriptor).
     *
     * @param jaspiRequest the request; {@code null} yields {@code null}
     * @return the configured authentication method, or {@code null} when the request or its
     *         login configuration is absent
     */
    protected String getDDAuthMethod(JaspiRequest jaspiRequest) {
        if (jaspiRequest == null) {
            return null;
        }
        LoginConfiguration loginConfig = jaspiRequest.getLoginConfig();
        if (loginConfig == null) {
            return null;
        }
        String authMethod = loginConfig.getAuthenticationMethod();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "login configuration", loginConfig, authMethod);
        }
        return authMethod;
    }

    /**
     * Maps the deployment descriptor's auth-method to the auth type recorded on the request
     * before validation: "BASIC" when no method is configured or it is BASIC/CLIENT_CERT,
     * "FORM" for anything else.
     *
     * @param jaspiRequest the request (may be {@code null})
     * @return "BASIC" or "FORM"
     */
    protected String getJaspiAuthType(JaspiRequest jaspiRequest) {
        String ddAuthMethod = getDDAuthMethod(jaspiRequest);
        if (ddAuthMethod == null) {
            return "BASIC";
        }
        switch (ddAuthMethod) {
            case "BASIC":
            case "CLIENT_CERT":
                return "BASIC";
            default:
                return "FORM";
        }
    }

    /**
     * Stores the auth type as the request's private "AUTH_TYPE" attribute.
     *
     * @param httpServletRequest the request to annotate
     * @param str                the auth type; {@code null} leaves the request untouched
     */
    protected void setRequestAuthType(HttpServletRequest httpServletRequest, String str) {
        if (str == null) {
            return;
        }
        setPrivateAttributes(httpServletRequest, "AUTH_TYPE", str);
    }

    /**
     * Reads the status code the provider set on the response.
     * Only an {@link IExtendedResponse} exposes it; any other response (including {@code null})
     * is reported as 500, which mapToAuthenticationResult then treats as "return the response".
     *
     * @param httpServletResponse the response to inspect
     * @return the status code, or 500 when it cannot be read
     */
    protected int getResponseStatus(HttpServletResponse httpServletResponse) {
        boolean exposesStatus = httpServletResponse instanceof IExtendedResponse;
        return exposesStatus ? ((IExtendedResponse) httpServletResponse).getStatusCode() : 500;
    }

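    /**
     * Translates the JASPI {@link AuthStatus} returned by validateRequest into the container's
     * {@link AuthenticationResult}.
     * <ul>
     * <li>SUCCESS / SEND_SUCCESS: {@code AuthResult.SUCCESS} carrying {@code subject}.</li>
     * <li>SEND_CONTINUE: decided by the status code the provider set on the response —
     *     302/303/307 become a REDIRECT to the login URL and the original request URL is saved
     *     in the referrer cookie so the user can be sent back after login; 401 becomes SEND_401;
     *     anything else is RETURN (the provider's response is sent as is).</li>
     * <li>SEND_FAILURE and any other value: {@code AuthResult.FAILURE}.</li>
     * </ul>
     * Every FAILURE is additionally logged as JASPI_PROVIDER_FAILED_AUTHENTICATE with the
     * request URI and the provider class.
     *
     * @param authStatus   status returned by the provider's validateRequest
     * @param jaspiRequest the request being authenticated; its response is inspected for SEND_CONTINUE
     * @param subject      the authenticated Subject for a successful status, otherwise {@code null}
     * @return the mapped result, never {@code null}
     */
    @ManualTrace
    protected AuthenticationResult mapToAuthenticationResult(AuthStatus authStatus, JaspiRequest jaspiRequest, Subject subject) {
        AuthenticationResult authenticationResult;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapToAuthenticationResult", "AuthStatus=" + authStatus);
        }
        // Label for the exit trace only.
        String resultLabel = "FAILURE";
        if (AuthStatus.SUCCESS == authStatus || AuthStatus.SEND_SUCCESS == authStatus) {
            authenticationResult = new AuthenticationResult(AuthResult.SUCCESS, subject);
            resultLabel = "SUCCESS";
        } else if (AuthStatus.SEND_CONTINUE == authStatus) {
            int responseStatus = getResponseStatus(jaspiRequest.getHttpServletResponse());
            HttpServletRequest httpServletRequest = jaspiRequest.getHttpServletRequest();
            switch (responseStatus) {
                case 302:
                case 303:
                case 307:
                    String loginURL = getLoginURL(jaspiRequest, httpServletRequest);
                    // getRequestURL() never includes the query string, so it has to be
                    // re-attached with its '?' separator; appending it bare produced a malformed
                    // referrer URL (".../pathkey=value") whenever the request carried parameters.
                    StringBuffer originalURL = httpServletRequest.getRequestURL();
                    String queryString = httpServletRequest.getQueryString();
                    if (queryString != null) {
                        originalURL.append('?').append(queryString);
                    }
                    authenticationResult = new AuthenticationResult(AuthResult.REDIRECT, loginURL);
                    resultLabel = "REDIRECT";
                    // Remember where the user was going so the post-login redirect can return there.
                    new ReferrerURLCookieHandler(WebConfigUtils.getWebAppSecurityConfig()).setReferrerURLCookie(httpServletRequest, authenticationResult, originalURL.toString());
                    break;
                case 401:
                    authenticationResult = new AuthenticationResult(AuthResult.SEND_401, (String) null);
                    resultLabel = "SEND_401";
                    break;
                default:
                    authenticationResult = new AuthenticationResult(AuthResult.RETURN, "Returning response from JASPIC provider with status: " + responseStatus);
                    resultLabel = "RETURN";
                    break;
            }
        } else if (AuthStatus.SEND_FAILURE == authStatus) {
            String reason = "Authentication failed, JASPI AuthStatus: " + authStatus + ", AuthResult.FAILURE";
            authenticationResult = new AuthenticationResult(AuthResult.FAILURE, reason);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, reason, new Object[0]);
            }
        } else {
            authenticationResult = new AuthenticationResult(AuthResult.FAILURE, "Authentication failed, unexpected JASPI AuthStatus: " + authStatus);
        }
        if (authenticationResult.getStatus().equals(AuthResult.FAILURE)) {
            // The provider may have gone away in the meantime; log null rather than NPE.
            ProviderService providerService = this.jaspiProviderServiceRef.getService();
            Class<?> providerClass = providerService != null ? providerService.getClass() : null;
            Tr.info(tc, "JASPI_PROVIDER_FAILED_AUTHENTICATE", authStatus, jaspiRequest.getHttpServletRequest().getRequestURI(), providerClass);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapToAuthenticationResult", "AuthenticationResult=" + resultLabel);
        }
        return authenticationResult;
    }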

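    /**
     * Turns the Subject handed back by the JASPI provider into the Subject the
     * container will run the request under.
     * <p>
     * The provider communicates the caller identity through a custom-credential
     * Hashtable stored on the Subject (see {@code getCustomCredentials}). The
     * resolution order implemented here is:
     * <ol>
     *   <li>No Hashtable, but a session Subject was registered for this request
     *       (see {@code getSessionSubject}): reuse that session Subject.</li>
     *   <li>No Hashtable, no session Subject, and the MessageInfo map marks the
     *       request as mandatory: fail the login.</li>
     *   <li>No Hashtable on a non-mandatory request, or a Hashtable whose security
     *       name is the unauthenticated id: return the server's unauthenticated Subject.</li>
     *   <li>Otherwise run the hashtable login. When a session Subject exists, the
     *       login runs against a fresh copy of it that also carries the Hashtable,
     *       so the session's existing principals and credentials are kept.</li>
     * </ol>
     *
     * @param subject      Subject returned by the provider's validateRequest
     * @param jaspiRequest wrapper giving access to the MessageInfo and web request
     * @return the Subject to run the request under (never null)
     * @throws WSLoginFailedException if the request is mandatory but no Hashtable was
     *         supplied, or if the hashtable login produced no Subject
     */
    protected Subject doHashTableLogin(Subject subject, JaspiRequest jaspiRequest) throws WSLoginFailedException {
        final Hashtable<String, Object> customCredentials = getCustomCredentials(subject);
        String securityName;
        if (customCredentials == null) {
            Subject sessionSubject = getSessionSubject(jaspiRequest);
            if (sessionSubject != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No HashTable returned by the JASPI provider. Using JASPI session subject.", new Object[0]);
                }
                return sessionSubject;
            }
            // String.valueOf tolerates a provider that stored a Boolean instead of the
            // "true"/"false" String (a plain cast would throw ClassCastException);
            // a missing entry still parses as false.
            Object mandatory = jaspiRequest.getMessageInfo().getMap().get(IS_MANDATORY_POLICY);
            if (Boolean.parseBoolean(String.valueOf(mandatory))) {
                throw new WSLoginFailedException("JASPI HashTable login cannot be performed, JASPI provider did not return a HashTable.");
            }
            securityName = UNAUTHENTICATED_ID;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Web resource is unprotected and Subject does not have a HashTable.", new Object[0]);
            }
        } else {
            securityName = (String) customCredentials.get(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME);
        }

        if (UNAUTHENTICATED_ID.equals(securityName)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JASPI Subject is unauthenticated, HashTable login is not necessary.", new Object[0]);
            }
            return getUnauthenticatedSubject();
        }

        if (securityName == null) {
            // Only used for the failure message below.
            securityName = "";
        }

        Subject loginSubject = subject;
        final Subject sessionSubject = getSessionSubject(jaspiRequest);
        if (sessionSubject != null) {
            // Log in against a copy of the session Subject carrying the new Hashtable
            // rather than mutating the registered session Subject in place.
            // Subject credential/principal sets are security-checked, hence doPrivileged.
            final Subject merged = new Subject();
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    merged.getPrivateCredentials().addAll(sessionSubject.getPrivateCredentials());
                    merged.getPublicCredentials().addAll(sessionSubject.getPublicCredentials());
                    merged.getPrincipals().addAll(sessionSubject.getPrincipals());
                    merged.getPrivateCredentials().add(customCredentials);
                    return null;
                }
            });
            loginSubject = merged;
        }

        HttpServletRequest httpServletRequest = jaspiRequest.getHttpServletRequest();
        HttpServletResponse httpServletResponse = (HttpServletResponse) jaspiRequest.getMessageInfo().getResponseMessage();
        if (tc.isDebugEnabled()) {
            // Trace only the attribute names: the Hashtable is stored as a private
            // credential and may carry secrets alongside the security name, so its
            // values must not be written to the trace log.
            Tr.debug(tc, "JASPI login with HashTable keys: " + customCredentials.keySet(), new Object[0]);
        }
        Subject authenticatedSubject = getWebProviderAuthenticatorHelper().loginWithHashtable(httpServletRequest, httpServletResponse, loginSubject).getSubject();
        if (sessionSubject != null) {
            // NOTE(review): the Hashtable is removed from the registered session Subject,
            // not from the merged copy — presumably because the provider may have placed
            // it there; confirm against getCustomCredentials/removeCustomCredentials.
            removeCustomCredentials(sessionSubject, customCredentials);
        }
        if (authenticatedSubject == null) {
            throw new WSLoginFailedException("JASPI HashTable login failed, user: " + securityName);
        }
        return authenticatedSubject;
    }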

    /**
     * Returns the Subject that was registered for this request under the
     * {@code javax.servlet.http.registerSession.subject} web-request property,
     * or null when the web request has no properties or no such entry.
     *
     * @param jaspiRequest request wrapper whose WebRequest properties are consulted
     * @return the registered session Subject, or null
     */
    private Subject getSessionSubject(JaspiRequest jaspiRequest) {
        Map<String, Object> requestProps = jaspiRequest.getWebRequest().getProperties();
        if (requestProps == null) {
            return null;
        }
        return (Subject) requestProps.get("javax.servlet.http.registerSession.subject");
    }

    /**
     * Lazily creates the helper used for hashtable logins, sharing one instance
     * across callers. The method is synchronized so concurrent first callers
     * do not each build their own helper.
     *
     * @return the shared WebProviderAuthenticatorHelper (never null)
     */
    protected synchronized WebProviderAuthenticatorHelper getWebProviderAuthenticatorHelper() {
        WebProviderAuthenticatorHelper helper = this.authHelper;
        if (helper == null) {
            helper = new WebProviderAuthenticatorHelper(this.securityServiceRef);
            this.authHelper = helper;
        }
        return helper;
    }

    /**
     * Records on the per-request JASPI context whether postInvoke should call
     * the provider's secureResponse. A null context is ignored.
     *
     * @param z                true to run secureResponse after the target is invoked
     * @param jaspiAuthContext per-request context, may be null
     */
    void setRunSecureResponse(boolean z, JaspiService.JaspiAuthContext jaspiAuthContext) {
        if (jaspiAuthContext == null) {
            return;
        }
        jaspiAuthContext.setRunSecureResponse(z);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setRunSecureResponse: " + z, new Object[0]);
        }
    }

    /**
     * Builds the property map handed to the provider's auth context. It carries a
     * single entry, {@code JACC_POLICY_CONTEXT}, whose value is
     * {@code "href:" + applicationName + "/" + moduleName}.
     *
     * @param jaspiRequest source of the application and module names
     * @return a new mutable map holding the policy-context entry
     */
    private Map<String, String> getAuthContextProps(JaspiRequest jaspiRequest) {
        String policyContextId = "href:" + jaspiRequest.getApplicationName() + "/" + jaspiRequest.getModuleName();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JACC Policy Context: " + policyContextId, new Object[0]);
        }
        Map<String, String> props = new HashMap<String, String>();
        props.put(JACC_POLICY_CONTEXT, policyContextId);
        return props;
    }

    /**
     * Returns the server-wide unauthenticated Subject, delegating to the
     * injected UnauthenticatedSubjectService.
     *
     * @return the unauthenticated Subject supplied by the service
     */
    @Override // com.ibm.ws.webcontainer.security.JaspiService
    public Subject getUnauthenticatedSubject() {
        UnauthenticatedSubjectService service = this.unauthenticatedSubjectService;
        return service.getUnauthenticatedSubject();
    }

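    /**
     * Stores a container-private attribute on the underlying SRTServletRequest.
     * <p>
     * The request may arrive wrapped in one or more HttpServletRequestWrappers
     * (application filters commonly do this), so the wrapper chain is unwrapped
     * first. If the innermost request is not an SRTServletRequest — or the chain
     * ends in null or a non-HTTP ServletRequest — nothing is set. The original
     * implementation cast every unwrapped request to HttpServletRequest and would
     * have thrown ClassCastException on a non-HTTP wrappee; this version stops
     * quietly instead.
     *
     * @param httpServletRequest possibly-wrapped request
     * @param str                private attribute name
     * @param obj                private attribute value
     */
    private static void setPrivateAttributes(HttpServletRequest httpServletRequest, String str, Object obj) {
        ServletRequest current = httpServletRequest;
        // instanceof is false for null, so a wrapper returning null ends the loop.
        while (current instanceof HttpServletRequestWrapper) {
            current = ((HttpServletRequestWrapper) current).getRequest();
        }
        if (current instanceof SRTServletRequest) {
            ((SRTServletRequest) current).setPrivateAttribute(str, obj);
        }
    }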

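    /**
     * Computes the absolute URL of the application's form-login page, or null when
     * the request's login configuration has no form-login section.
     * <p>
     * The URL is the request's own URL with its path replaced by
     * {@code contextPath + loginPage} (see {@code normalizeURL}); scheme, host and
     * port are therefore whatever {@code getRequestURL()} reports for this request.
     * NOTE(review): the container typically derives that authority from the
     * client-supplied Host header — if Host is not validated upstream (virtual
     * host config or a trusted proxy), the absolute URL is client-influenced;
     * confirm before relying on it for a redirect.
     *
     * @param jaspiRequest       source of the LoginConfiguration
     * @param httpServletRequest request whose URL and context path are used
     * @return absolute form-login URL, or null if no form-login configuration exists
     */
    private String getLoginURL(JaspiRequest jaspiRequest, HttpServletRequest httpServletRequest) {
        LoginConfiguration loginConfig = jaspiRequest.getLoginConfig();
        if (loginConfig == null) {
            return null;
        }
        FormLoginConfiguration formLoginConfiguration = loginConfig.getFormLoginConfiguration();
        if (formLoginConfiguration == null) {
            return null;
        }
        String loginPage = formLoginConfiguration.getLoginPage();
        StringBuilder url = new StringBuilder(httpServletRequest.getRequestURL());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getFormURL", "formLoginPageURL=" + loginPage, " requestURL=" + ((Object) url));
        }
        String loginPath = normalizeURL(loginPage, httpServletRequest.getContextPath());
        // Locate the first '/' after "scheme://authority"; everything from there on
        // is the path we replace. If "//" is absent the search simply starts at 1.
        int authorityStart = url.indexOf("//") + 2;
        int pathStart = url.indexOf("/", authorityStart);
        if (pathStart < 0) {
            // No path after the authority: append instead of letting
            // StringBuilder.replace throw on a negative start index.
            url.append(loginPath);
        } else {
            url.replace(pathStart, url.length(), loginPath);
        }
        return url.toString();
    }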

    /**
     * Joins a context path and a page path into one absolute path.
     * A root context path of "/" contributes nothing, and the page is given a
     * leading "/" if it lacks one, so the result never contains "//" at the join.
     *
     * @param str  page path (e.g. "login.jsp" or "/login.jsp")
     * @param str2 servlet context path (e.g. "/app" or "/"); must not be null
     * @return the combined path, e.g. "/app/login.jsp"
     */
    private String normalizeURL(String str, String str2) {
        String contextPath = str2.equals("/") ? "" : str2;
        String page = str.startsWith("/") ? str : "/" + str;
        return contextPath + page;
    }

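    /**
     * Runs the JASPI provider's secureResponse after the target resource has been
     * invoked, when the per-request context asked for it (see setRunSecureResponse).
     * <p>
     * SEND_SUCCESS, SEND_FAILURE and SEND_CONTINUE are all accepted as "the provider
     * has dealt with the response"; any other status is reported as an
     * AuthenticationException, as is an AuthException raised by the provider.
     * A null WebSecurityContext, or one without a JASPI context, is a no-op
     * (the original dereferenced the JASPI context unconditionally and would have
     * thrown NullPointerException when it was absent).
     *
     * @param webSecurityContext security context of the request just served; may be null
     * @throws AuthenticationException if secureResponse fails or returns an unexpected status
     */
    @Override // com.ibm.ws.webcontainer.security.JaspiService
    public void postInvoke(WebSecurityContext webSecurityContext) throws AuthenticationException {
        if (webSecurityContext == null) {
            return;
        }
        JaspiService.JaspiAuthContext jaspiAuthContext = (JaspiService.JaspiAuthContext) webSecurityContext.getJaspiAuthContext();
        if (jaspiAuthContext == null || !jaspiAuthContext.runSecureResponse()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "postInvoke", "skip secureResponse.");
            }
            return;
        }
        MessageInfo messageInfo = (MessageInfo) jaspiAuthContext.getMessageInfo();
        ServerAuthContext serverAuthContext = (ServerAuthContext) jaspiAuthContext.getServerAuthContext();
        // NOTE(review): the received (caller) Subject is what gets passed as the
        // serviceSubject argument of secureResponse — confirm this is intended.
        Subject receivedSubject = webSecurityContext.getReceivedSubject();
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "secureResponse with Jaspi", "authContext=" + serverAuthContext, "serviceSubject=" + receivedSubject, messageInfo);
            }
            AuthStatus status = serverAuthContext.secureResponse(messageInfo, receivedSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "secureResponse status: " + status, new Object[0]);
            }
            boolean handled = AuthStatus.SEND_SUCCESS == status
                    || AuthStatus.SEND_FAILURE == status
                    || AuthStatus.SEND_CONTINUE == status;
            if (!handled) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "secureResponse  AuthStatus=" + status, new Object[0]);
                }
                // AuthenticationException is not an AuthException, so this is not
                // re-wrapped by the catch below.
                throw new AuthenticationException("Unexpected AuthStatus received during secureResponse() status=" + status + ", MessageInfo=" + messageInfo + ", ServerAuthContext=" + serverAuthContext);
            }
        } catch (AuthException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiServiceImpl", "879", this, new Object[]{webSecurityContext});
            throw new AuthenticationException("JASPI authentication failed after invoking the requested target service.", e);
        }
    }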

    /**
     * Gives the JASPI provider a chance to clean up on logout by calling its
     * ServerAuthContext.cleanSubject with the current invocation Subject (an
     * empty Subject if none is set). Does nothing when no AuthConfigProvider
     * is registered for the request's application context.
     *
     * @param httpServletRequest   request being logged out
     * @param httpServletResponse  its response
     * @param webAppSecurityConfig web application security configuration
     * @throws AuthenticationException if the provider's cleanSubject raises AuthException
     */
    @Override // com.ibm.ws.webcontainer.security.JaspiService
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) throws AuthenticationException {
        WebRequestImpl webRequest = new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, webAppSecurityConfig);
        JaspiRequest jaspiRequest = new JaspiRequest(webRequest, null);
        AuthConfigProvider provider = getAuthConfigProvider(jaspiRequest.getAppContext());
        if (provider == null) {
            return;
        }
        try {
            ServerAuthContext authContext = getServerAuthContext(jaspiRequest, provider);
            MessageInfo messageInfo = newMessageInfo(jaspiRequest);
            Subject callerSubject = getSubjectManager().getInvocationSubject();
            if (callerSubject == null) {
                callerSubject = new Subject();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "cleanSubject with Jaspi", "authContext=" + authContext, messageInfo);
            }
            authContext.cleanSubject(messageInfo, callerSubject);
        } catch (AuthException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiServiceImpl", "917", this, new Object[]{httpServletRequest, httpServletResponse, webAppSecurityConfig});
            AuthenticationException wrapped = new AuthenticationException("JASPI cleanSubject failure: " + e);
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Lazily creates and caches the SubjectManager used to read the invocation
     * Subject. Synchronized so that only one instance is ever created.
     *
     * @return the shared SubjectManager (never null)
     */
    private synchronized SubjectManager getSubjectManager() {
        SubjectManager manager = this.subjectManager;
        if (manager == null) {
            manager = new SubjectManager();
            this.subjectManager = manager;
        }
        return manager;
    }

    /**
     * Reports whether any JASPI AuthConfigProvider is registered.
     * <p>
     * When the active AuthConfigFactory is our own ProviderRegistry, a pending
     * provider-configuration change is first pushed into it (and the pending flag
     * cleared), then the registry is asked. When the factory is absent or some
     * other implementation, true is returned — the factory cannot be inspected,
     * so a provider is assumed to exist.
     * NOTE(review): providerConfigModified is read and written here without
     * synchronization; confirm callers serialize this or the field is volatile.
     *
     * @return true if a provider is registered or the factory cannot be inspected
     */
    @Override // com.ibm.ws.webcontainer.security.JaspiService
    public boolean isAnyProviderRegistered() {
        AuthConfigFactory factory = AuthConfigFactoryWrapper.getFactory();
        if (!(factory instanceof ProviderRegistry)) {
            return true;
        }
        ProviderRegistry registry = (ProviderRegistry) factory;
        if (this.providerConfigModified) {
            registry.setProvider(this.jaspiProviderServiceRef.getService());
        }
        this.providerConfigModified = false;
        return registry.isAnyProviderRegistered();
    }
}
