package com.ibm.ws.security.authentication.jaas.modules;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.InvalidTokenException;
import com.ibm.websphere.security.auth.TokenExpiredException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule;
import com.ibm.ws.security.jaas.common.callback.AuthenticationHelper;
import com.ibm.ws.security.jaas.common.callback.TokenCallback;
import com.ibm.wsspi.security.ltpa.Token;
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

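/**
 * JAAS login module that authenticates a caller from a serialized token.
 *
 * <p>{@link #login()} obtains the token bytes through a {@link TokenCallback}, asks the token
 * manager to recreate a {@link Token} from them, reads the access id from the token's
 * {@code "u"} attribute and prepares a temporary {@link Subject}. {@link #commit()} only
 * publishes that subject when an access id was recorded by a successful {@code login()}.
 *
 * <p>Security note: {@code commit()} uses {@code accessId != null} as its "my login succeeded"
 * flag, so every failure path in {@code login()} must leave {@code accessId} cleared. JAAS
 * invokes {@code commit()} on every configured module once the overall login succeeds, including
 * modules whose own {@code login()} threw.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authentication.builtin_1.0.14.jar:com/ibm/ws/security/authentication/jaas/modules/TokenLoginModule.class */
public class TokenLoginModule extends ServerCommonLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(TokenLoginModule.class);
    // Access id taken from the recreated token; non-null only after a successful login().
    private String accessId = null;
    // Token rebuilt from the callback bytes; stored as a private credential of the temporary subject.
    private Token recreatedToken;
    static final long serialVersionUID = -4079650138805076390L;

    /**
     * Attempts token-based authentication.
     *
     * @return {@code true} when a token was supplied and the temporary subject was built;
     *         {@code false} when another module already processed the request or no token
     *         bytes were supplied (abstain)
     * @throws LoginException an {@link AuthenticationException} wrapping the cause when the token
     *         is invalid, expired, lacks an access id, or any later step fails
     */
    @Override
    @FFDCIgnore({InvalidTokenException.class, TokenExpiredException.class})
    public boolean login() throws LoginException {
        if (isAlreadyProcessed()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Already processed by other login module, abstaining.", new Object[0]);
            }
            return false;
        }
        try {
            Callback[] callbacks = getRequiredCallbacks(this.callbackHandler);
            byte[] tokenBytes = ((TokenCallback) callbacks[0]).getToken();
            if (tokenBytes == null) {
                // No token supplied: abstain without marking the request as processed.
                return false;
            }
            setAlreadyProcessed();
            this.recreatedToken = getTokenManager().recreateTokenFromBytes(AuthenticationHelper.copyCredToken(tokenBytes));
            String[] accessIds = this.recreatedToken.getAttributes("u");
            if (accessIds == null || accessIds.length == 0 || accessIds[0] == null) {
                // Fail closed with an explicit reason instead of an NPE/index error on [0].
                throw new IllegalStateException("Recreated token does not carry a \"u\" (access id) attribute.");
            }
            this.accessId = accessIds[0];
            if (AccessIdUtil.isServerAccessId(this.accessId)) {
                setUpTemporaryServerSubject();
            } else {
                setUpTemporaryUserSubject();
            }
            updateSharedState();
            return true;
        } catch (InvalidTokenException e) {
            clearTokenState();
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        } catch (TokenExpiredException e2) {
            clearTokenState();
            throw new AuthenticationException(e2.getLocalizedMessage(), e2);
        } catch (Exception e3) {
            // accessId may already be set here (e.g. the registry lookup failed); clear it so a
            // later commit() abstains instead of publishing a half-built subject.
            clearTokenState();
            FFDCFilter.processException(e3, "com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule", "84", this, new Object[0]);
            throw new AuthenticationException(e3.getLocalizedMessage(), e3);
        }
    }

    /**
     * Creates a single {@link TokenCallback}, passes it to the handler and returns it.
     *
     * @param callbackHandler handler asked to populate the callback
     * @return a one-element array holding the {@link TokenCallback} after handling
     * @throws IOException propagated from the handler
     * @throws UnsupportedCallbackException propagated from the handler
     */
    @Override // com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule
    public Callback[] getRequiredCallbacks(CallbackHandler callbackHandler) throws IOException, UnsupportedCallbackException {
        Callback[] callbackArr = {new TokenCallback()};
        callbackHandler.handle(callbackArr);
        return callbackArr;
    }

    /**
     * Builds the temporary subject for a server access id: the recreated token becomes a private
     * credential and the unique id derived from the access id is used as the principal name.
     */
    private void setUpTemporaryServerSubject() throws Exception {
        this.temporarySubject = new Subject();
        this.temporarySubject.getPrivateCredentials().add(this.recreatedToken);
        String uniqueId = AccessIdUtil.getUniqueId(this.accessId);
        setPrincipalAndCredentials(this.temporarySubject, uniqueId, null, this.accessId, "token");
    }

    /**
     * Builds the temporary subject for a user access id. The user security name is resolved
     * through the user registry from the access id's unique id, so this step fails when the
     * registry lookup throws.
     */
    private void setUpTemporaryUserSubject() throws Exception {
        this.temporarySubject = new Subject();
        this.temporarySubject.getPrivateCredentials().add(this.recreatedToken);
        String userSecurityName = getUserRegistry().getUserSecurityName(AccessIdUtil.getUniqueId(this.accessId));
        setPrincipalAndCredentials(this.temporarySubject, getSecurityName(userSecurityName, userSecurityName), null, this.accessId, "token");
    }

    /**
     * Publishes the subject when this module's own login recorded an access id.
     *
     * @return {@code true} after calling the inherited {@code setUpSubject()}; {@code false}
     *         (abstain) when no access id is recorded
     */
    @Override // com.ibm.ws.security.jaas.common.modules.CommonLoginModule
    public boolean commit() throws LoginException {
        if (this.accessId != null) {
            setUpSubject();
            return true;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
            Tr.event(tc, "Authentication did not occur for this login module, abstaining.", new Object[0]);
        }
        return false;
    }

    /**
     * Cleans up the subject and forgets the token state recorded by {@link #login()}.
     *
     * @return always {@code true}
     */
    @Override // com.ibm.ws.security.jaas.common.modules.CommonLoginModule
    public boolean abort() {
        cleanUpSubject();
        clearTokenState();
        return true;
    }

    /**
     * Cleans up the subject and forgets the token state recorded by {@link #login()}.
     *
     * @return always {@code true}
     */
    @Override // com.ibm.ws.security.jaas.common.modules.CommonLoginModule
    public boolean logout() {
        cleanUpSubject();
        clearTokenState();
        return true;
    }

    /**
     * Drops this module's private login state so {@link #commit()} abstains and the token is no
     * longer referenced from this instance. The inherited {@code temporarySubject} is left alone;
     * it is presumably released by {@code cleanUpSubject()} (not visible in this file).
     */
    private void clearTokenState() {
        this.accessId = null;
        this.recreatedToken = null;
    }
}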
