package com.sun.web.security;

import com.sun.enterprise.deployment.Application;
import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.WebComponentDescriptor;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityUtil;
import com.sun.enterprise.security.WebSecurityDeployerProbeProvider;
import com.sun.enterprise.security.auth.digest.api.Constants;
import com.sun.enterprise.security.auth.digest.api.DigestAlgorithmParameter;
import com.sun.enterprise.security.auth.digest.api.DigestParameterGenerator;
import com.sun.enterprise.security.auth.digest.api.Key;
import com.sun.enterprise.security.auth.digest.impl.HttpAlgorithmParameterImpl;
import com.sun.enterprise.security.auth.login.DigestCredentials;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.integration.RealmInitializer;
import com.sun.enterprise.security.jmac.config.HttpServletConstants;
import com.sun.enterprise.security.jmac.config.HttpServletHelper;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.enterprise.security.web.integration.WebSecurityManager;
import com.sun.enterprise.security.web.integration.WebSecurityManagerFactory;
import com.sun.logging.LogDomains;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.internal.api.ServerContext;
import org.jvnet.hk2.annotations.Inject;
import org.jvnet.hk2.annotations.Scoped;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.component.Habitat;
import org.jvnet.hk2.component.PerLookup;
import org.jvnet.hk2.component.PostConstruct;

@Service
@Scoped(PerLookup.class)
/* loaded from: input_file:com/sun/web/security/RealmAdapter.class */
public class RealmAdapter extends RealmBase implements RealmInitializer, PostConstruct {
    // Logger and localized message bundle. Both are assigned outside this view
    // (presumably in a static initializer — confirm).
    private static final Logger _logger;
    private static final ResourceBundle rb;
    public static final String SECURITY_CONTEXT = "SecurityContext";
    // Authentication-method names. invokeWebSecurityManager compares the literal "FORM"
    // against LoginConfig.getAuthMethod().
    public static final String BASIC = "BASIC";
    public static final String FORM = "FORM";
    // Key under which invokePostAuthenticateDelegate looks up the ServerAuthContext in MessageInfo.getMap().
    private static final String SERVER_AUTH_CONTEXT = "__javax.security.auth.message.ServerAuthContext";
    // Request attribute name from which invokePostAuthenticateDelegate reads the MessageInfo.
    private static final String MESSAGE_INFO = "__javax.security.auth.message.MessageInfo";
    private static final WebSecurityDeployerProbeProvider websecurityProbeProvider;
    private static final String SYSTEM_HTTPSERVLET_SECURITY_PROVIDER = "system_httpservlet_security_provider";
    private WebBundleDescriptor webDesc;
    // Servlet name -> run-as principal name; consulted by preSetRunAsIdentity/postSetRunAsIdentity.
    // Null until assigned somewhere outside this view.
    private HashMap<String, String> runAsPrincipals;
    // Realm name handed to LoginContextDriver for password, digest and run-as logins.
    private String _realmName;
    protected static final String name = "J2EE-RI-RealmAdapter";
    // Policy context id passed to WebSecurityManagerFactory.getManager(...).
    private String CONTEXT_ID;
    private Container virtualServer;
    // Lazily resolved by getWebSecurityManager(boolean); volatile because it is read outside the monitor.
    protected volatile WebSecurityManager webSecurityManager;
    protected WebSecurityManagerFactory webSecurityManagerFactory;
    protected boolean isCurrentURIincluded;
    // Guards the one-time evaluation of the login configuration (contextEvaluated, loginPage, errorPage).
    protected final ReadWriteLock rwLock;
    private boolean contextEvaluated;
    // FORM login/error page paths; requests for exactly these paths bypass the resource-permission check.
    private String loginPage;
    private String errorPage;
    // Returned by findSecurityConstraints when security processing must still run.
    private static final SecurityConstraint[] emptyConstraints;
    private static String defaultSystemProviderID;
    // Passed to LoginContextDriver.doX500Login for certificate logins.
    private String moduleID;
    private boolean isSystemApp;
    // JSR-196 configuration helper; null until initConfigHelper() has run.
    private HttpServletHelper helper;

    @Inject
    private ServerContext serverContext;

    @Inject
    private Habitat habitat;
    // Auth type AuthenticatorProxy falls back to when its caller supplies none.
    private static String PROXY_AUTH_TYPE;
    // Compiler-generated flag behind the class's `assert` statements (decompiler artifact).
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$AuthenticatorProxy.class */
    /**
     * Authenticator that registers a principal supplied at construction time instead of
     * checking credentials itself.
     *
     * <p>Security note: {@link #authenticate} performs no verification of any kind and always
     * reports success. It is only safe when the principal passed to the constructor has already
     * been authenticated by the caller (the constructing code is outside this view — confirm).
     */
    public static class AuthenticatorProxy extends AuthenticatorBase {
        private AuthenticatorBase authBase;
        private Principal principal;
        private String authType;

        /**
         * Wraps {@code authenticator}, mirrors its cache flag and container, and starts the proxy.
         *
         * @param authenticator delegate; must be an {@link AuthenticatorBase} or the cast fails
         * @param principal     principal that {@link #authenticate} will register
         * @param str           auth type to register, or {@code null} for
         *                      {@code RealmAdapter.PROXY_AUTH_TYPE}
         * @throws LifecycleException if {@code start()} fails
         */
        AuthenticatorProxy(Authenticator authenticator, Principal principal, String str) throws LifecycleException {
            final AuthenticatorBase delegate = (AuthenticatorBase) authenticator;
            this.authBase = delegate;
            this.principal = principal;
            if (str != null) {
                this.authType = str;
            } else {
                this.authType = RealmAdapter.PROXY_AUTH_TYPE;
            }
            setCache(delegate.getCache());
            setContainer(delegate.getContainer());
            start();
        }

        /** Reports the delegate's cache flag. */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase
        public boolean getCache() {
            final AuthenticatorBase delegate = this.authBase;
            return delegate.getCache();
        }

        /** Reports the delegate's container. */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase, org.apache.catalina.valves.ValveBase, org.apache.catalina.Contained
        public Container getContainer() {
            final AuthenticatorBase delegate = this.authBase;
            return delegate.getContainer();
        }

        /**
         * Registers the pre-supplied principal on the request and returns {@code true}
         * unconditionally; {@code loginConfig} is not consulted and no password is recorded.
         */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase
        public boolean authenticate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig) throws IOException {
            final Principal registered = this.principal;
            final String registeredAuthType = this.authType;
            // Throws NullPointerException if the proxy was built with a null principal.
            final String userName = this.principal.getName();
            register(httpRequest, httpResponse, registered, registeredAuthType, userName, null);
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$HttpMessageInfo.class */
    /**
     * Minimal {@link MessageInfo} holder for a request/response pair plus a property map.
     *
     * <p>{@link #getMap()} hands out the live internal map, so any code holding this object
     * can read or replace entries stored in it.
     */
    public static class HttpMessageInfo implements MessageInfo {
        private Object request;
        private Object response;
        private Map map = new HashMap();

        /** Creates an instance with no request or response and an empty map. */
        HttpMessageInfo() {
            this(null, null);
        }

        /** Creates an instance around the given servlet request/response and an empty map. */
        HttpMessageInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            this.request = httpServletRequest;
            this.response = httpServletResponse;
        }

        /** Returns the live property map (not a copy). */
        @Override // javax.security.auth.message.MessageInfo
        public Map getMap() {
            return this.map;
        }

        /** Returns the current request message, possibly {@code null}. */
        @Override // javax.security.auth.message.MessageInfo
        public Object getRequestMessage() {
            return this.request;
        }

        /** Replaces the request message; no type check is applied. */
        @Override // javax.security.auth.message.MessageInfo
        public void setRequestMessage(Object obj) {
            this.request = obj;
        }

        /** Returns the current response message, possibly {@code null}. */
        @Override // javax.security.auth.message.MessageInfo
        public Object getResponseMessage() {
            return this.response;
        }

        /** Replaces the response message; no type check is applied. */
        @Override // javax.security.auth.message.MessageInfo
        public void setResponseMessage(Object obj) {
            this.response = obj;
        }
    }

    /**
     * Creates an adapter with no realm name or module id; every piece of state starts
     * unset and only the read/write lock is constructed.
     */
    public RealmAdapter() {
        // Lock guarding the one-time login-configuration evaluation.
        this.rwLock = new ReentrantReadWriteLock();

        // Deployment and realm identity: not known yet.
        this.webDesc = null;
        this.runAsPrincipals = null;
        this._realmName = null;
        this.CONTEXT_ID = null;

        // Security manager plumbing is resolved later.
        this.webSecurityManager = null;
        this.webSecurityManagerFactory = null;
        this.helper = null;

        // Per-context login configuration has not been evaluated.
        this.contextEvaluated = false;
        this.isCurrentURIincluded = false;
        this.loginPage = null;
        this.errorPage = null;
    }

    /**
     * Creates an adapter bound to a realm and module.
     *
     * @param str  realm name later passed to {@code LoginContextDriver} logins
     * @param str2 module id later passed to {@code LoginContextDriver.doX500Login}
     */
    public RealmAdapter(String str, String str2) {
        // The no-arg constructor resets every field and builds the lock.
        this();
        this._realmName = str;
        this.moduleID = str2;
    }

    /** Destroys the base realm, then disables the JSR-196 config helper if one was created. */
    @Override // org.apache.catalina.realm.RealmBase
    public void destroy() {
        super.destroy();
        final HttpServletHelper configHelper = this.helper;
        if (configHelper == null) {
            return;
        }
        configHelper.disable();
    }

    /**
     * Records the virtual server this realm belongs to.
     *
     * @param obj must be a {@link Container}; anything else raises {@code ClassCastException}
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void setVirtualServer(Object obj) {
        final Container container = (Container) obj;
        this.virtualServer = container;
    }

    /** Returns the web bundle descriptor held by this adapter, or {@code null} if none is set. */
    public WebBundleDescriptor getWebDescriptor() {
        final WebBundleDescriptor descriptor = this.webDesc;
        return descriptor;
    }

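    /**
     * Returns the web security manager for this context, looking it up from the factory on
     * first use.
     *
     * <p>Callers must treat a {@code null} result as "no policy available" and deny access;
     * the permission checks in this class do so.
     *
     * @param z when {@code true}, log a warning if no manager can be found
     * @return the manager, or {@code null} if the factory has none for {@code CONTEXT_ID}
     */
    public WebSecurityManager getWebSecurityManager(boolean z) {
        // Single volatile read for the fast path.
        WebSecurityManager manager = this.webSecurityManager;
        if (manager == null) {
            synchronized (this) {
                // Re-check under the monitor so a thread that lost the race reuses the
                // manager already published instead of repeating the factory lookup.
                manager = this.webSecurityManager;
                if (manager == null) {
                    manager = this.webSecurityManagerFactory.getManager(this.CONTEXT_ID, null, false);
                    this.webSecurityManager = manager;
                }
            }
            if (manager == null && z) {
                _logger.log(Level.WARNING, "realmAdapter.noWebSecMgr", this.CONTEXT_ID);
            }
        }
        return manager;
    }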

    /**
     * Checks whether {@code principal} holds role {@code str} for the servlet serving the request.
     *
     * @return {@code false} when no web security manager is available (fail closed), otherwise
     *         the manager's role-ref decision
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasRole(HttpRequest httpRequest, HttpResponse httpResponse, Principal principal, String str) {
        final WebSecurityManager manager = getWebSecurityManager(true);
        if (manager != null) {
            final String servletName = getCanonicalName(httpRequest);
            final boolean granted = manager.hasRoleRefPermission(servletName, str, principal);
            if (_logger.isLoggable(Level.FINE)) {
                // FINE output includes the principal and role being tested.
                _logger.fine("Checking if servlet " + servletName + " with principal " + principal + " has role " + str + " isGranted: " + granted);
            }
            return granted;
        }
        return false;
    }

    /**
     * Checks whether {@code principal} holds role {@code str2} for the servlet named {@code str}.
     *
     * @return {@code false} when no web security manager is available (fail closed)
     */
    public boolean hasRole(String str, Principal principal, String str2) {
        final WebSecurityManager manager = getWebSecurityManager(true);
        return manager != null && manager.hasRoleRefPermission(str, str2, principal);
    }

    /**
     * Clears the calling thread's security context, then resets the policy context.
     * The order is kept as written: identity is dropped before the policy context changes.
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void logout() {
        SecurityContext.setCurrent((SecurityContext) null);
        resetPolicyContext();
    }

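    /**
     * Authenticates an HTTP Digest request.
     *
     * <p>Digest parameters are generated from the request, the A1 {@link Key} parameter supplies
     * the user name, and the login is delegated to {@link LoginContextDriver}. Any failure is
     * logged under {@code web.login.failed} and reported as {@code null}, so callers cannot
     * distinguish a bad password from a malformed request.
     *
     * @return a {@link WebPrincipal} bound to the current security context, or {@code null} if
     *         authentication failed
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(HttpServletRequest httpServletRequest) {
        try {
            DigestAlgorithmParameter[] parameters = DigestParameterGenerator.getInstance(DigestParameterGenerator.HTTP_DIGEST).generateParameters(new HttpAlgorithmParameterImpl(httpServletRequest));
            Key key = null;
            for (DigestAlgorithmParameter parameter : parameters) {
                if (Constants.A1.equals(parameter.getName()) && (parameter instanceof Key)) {
                    key = (Key) parameter;
                    break;
                }
            }
            if (key == null) {
                // Reject explicitly instead of relying on a NullPointerException being
                // swallowed by the catch-all below and logged as a misleading cause.
                if (_logger.isLoggable(Level.WARNING)) {
                    _logger.log(Level.WARNING, "web.login.failed", "digest request carries no A1 key parameter");
                }
                return null;
            }
            DigestCredentials digestCredentials = new DigestCredentials(this._realmName, key.getUsername(), parameters);
            LoginContextDriver.login(digestCredentials);
            // No password is available for digest logins, hence the null char[].
            return new WebPrincipal(digestCredentials.getUserName(), (char[]) null, SecurityContext.getCurrent());
        } catch (Exception e) {
            if (_logger.isLoggable(Level.WARNING)) {
                _logger.log(Level.WARNING, "web.login.failed", e.toString());
            }
            return null;
        }
    }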

    /**
     * Authenticates a user name and password against this adapter's realm.
     *
     * <p>The password array is handed on to the returned {@link WebPrincipal}; it is not
     * cleared here. NOTE(review): the user name is written to the FINE log unescaped, so that
     * log level should not be enabled where log integrity matters.
     *
     * @return the authenticated principal, or {@code null} if the login failed
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(String str, char[] cArr) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Tomcat callback for authenticate user/password");
            _logger.fine("usename = " + str);
        }
        if (authenticate(str, cArr, null)) {
            final SecurityContext established = SecurityContext.getCurrent();
            // Decompiled form of `assert established != null`.
            if (!$assertionsDisabled && established == null) {
                throw new AssertionError();
            }
            return new WebPrincipal(str, cArr, established);
        }
        return null;
    }

    /**
     * Authenticates a client certificate chain.
     *
     * @return a certificate-based {@link WebPrincipal}, or {@code null} if the login failed
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        if (authenticate(null, null, x509CertificateArr)) {
            final SecurityContext established = SecurityContext.getCurrent();
            // Decompiled form of `assert established != null`.
            if (!$assertionsDisabled && established == null) {
                throw new AssertionError();
            }
            return new WebPrincipal(x509CertificateArr, established);
        }
        return null;
    }

    /**
     * Re-runs the login for an existing {@link WebPrincipal}, using its certificates when it
     * was certificate-based and its stored name and password otherwise.
     *
     * @return {@code true} if the login succeeded
     */
    public boolean authenticate(WebPrincipal webPrincipal) {
        if (webPrincipal.isUsingCertificate()) {
            return authenticate(null, null, webPrincipal.getCertificates());
        }
        return authenticate(webPrincipal.getName(), webPrincipal.getPassword(), null);
    }

    /**
     * Performs the actual login: an X.500 login when a certificate chain is supplied, a
     * user name/password login against {@code _realmName} otherwise.
     *
     * <p>Every exception, including an empty certificate array, is logged under
     * {@code web.login.failed} and turned into {@code false}, so the method fails closed.
     *
     * @param str                user name (ignored for certificate logins)
     * @param cArr               password (ignored for certificate logins)
     * @param x509CertificateArr client chain, or {@code null} for a password login
     * @return {@code true} only if the login completed without an exception
     */
    protected boolean authenticate(String str, char[] cArr, X509Certificate[] x509CertificateArr) {
        try {
            if (x509CertificateArr == null) {
                LoginContextDriver.login(str, cArr, this._realmName);
            } else {
                final Subject certSubject = new Subject();
                final Set<Object> publicCredentials = certSubject.getPublicCredentials();
                // The first certificate's subject DN names the caller; the whole chain is attached as a list.
                publicCredentials.add(x509CertificateArr[0].getSubjectDN());
                publicCredentials.add(Arrays.asList(x509CertificateArr));
                LoginContextDriver.doX500Login(certSubject, this.moduleID);
            }
        } catch (Exception e) {
            if (_logger.isLoggable(Level.WARNING)) {
                _logger.log(Level.WARNING, "web.login.failed", e.toString());
            }
            return false;
        }
        if (_logger.isLoggable(Level.FINE)) {
            // For certificate logins str is null, so the message reads "... for: null".
            _logger.log(Level.FINE, "Web login succeeded for: " + str);
        }
        return true;
    }

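    /**
     * Switches the calling thread to the servlet's configured run-as identity, if it has one.
     *
     * <p>The caller's security context is saved on the invocation first so that
     * {@code postSetRunAsIdentity} can restore it.
     *
     * @param componentInvocation invocation whose instance is the servlet about to run
     */
    public void preSetRunAsIdentity(ComponentInvocation componentInvocation) {
        final HashMap<String, String> runAsByServlet = this.runAsPrincipals;
        // The map is null until it is assigned outside this constructor; treating null like
        // "no run-as mappings" avoids the NullPointerException the original lookup raised.
        if (runAsByServlet == null || runAsByServlet.isEmpty()) {
            return;
        }
        final String servletName = getServletName(componentInvocation);
        if (servletName == null) {
            return;
        }
        final String runAsPrincipal = runAsByServlet.get(servletName);
        if (runAsPrincipal == null) {
            return;
        }
        // Save before switching: loginForRunAs replaces the thread's current context.
        componentInvocation.setOldSecurityContext(getSecurityContext());
        loginForRunAs(runAsPrincipal);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("run-as principal for " + servletName + " set to: " + runAsPrincipal);
        }
    }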

    /**
     * Returns the servlet name for an invocation, or {@code null} when the invoked instance
     * is not an {@link HttpServlet} or has no servlet config yet.
     */
    private String getServletName(ComponentInvocation componentInvocation) {
        final Object target = componentInvocation.getInstance();
        if (target instanceof HttpServlet) {
            final HttpServlet servlet = (HttpServlet) target;
            // getServletName() needs an initialized config, so check for it first.
            return servlet.getServletConfig() != null ? servlet.getServletName() : null;
        }
        return null;
    }

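    /**
     * Restores the security context saved by {@code preSetRunAsIdentity} for servlets that
     * have a run-as mapping; does nothing for servlets without one.
     *
     * @param componentInvocation invocation carrying the saved context
     */
    public void postSetRunAsIdentity(ComponentInvocation componentInvocation) {
        final HashMap<String, String> runAsByServlet = this.runAsPrincipals;
        // A null map means no run-as identity was ever applied, so there is nothing to
        // restore; the original lookup raised NullPointerException in that state.
        if (runAsByServlet == null || runAsByServlet.isEmpty()) {
            return;
        }
        final String servletName = getServletName(componentInvocation);
        if (servletName == null || runAsByServlet.get(servletName) == null) {
            return;
        }
        setSecurityContext((SecurityContext) componentInvocation.getOldSecurityContext());
    }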

    /**
     * Logs the named principal in against this adapter's realm without any credential.
     * Callers are responsible for only passing names from trusted configuration or state.
     */
    private void loginForRunAs(String str) {
        final String realm = this._realmName;
        LoginContextDriver.loginPrincipal(str, realm);
    }

    /** Returns whatever {@code SecurityContext.getCurrent()} reports for the caller. */
    private SecurityContext getSecurityContext() {
        final SecurityContext current = SecurityContext.getCurrent();
        return current;
    }

    /** Installs {@code securityContext} as the current one; {@code null} is passed through as given. */
    private void setSecurityContext(SecurityContext securityContext) {
        final SecurityContext replacement = securityContext;
        SecurityContext.setCurrent(replacement);
    }

    /**
     * Tells whether {@code set} consists solely of the default (anonymous) caller principal.
     *
     * @return {@code false} for a {@code null} or empty set, when no default caller principal
     *         is defined, or when any other principal is present
     */
    private boolean principalSetContainsOnlyAnonymousPrincipal(Set<Principal> set) {
        final Principal anonymous = SecurityContext.getDefaultCallerPrincipal();
        if (anonymous == null || set == null || !set.contains(anonymous)) {
            return false;
        }
        for (Principal candidate : set) {
            if (!candidate.equals(anonymous)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Not supported: this adapter never exposes stored passwords.
     *
     * @throws IllegalStateException always
     */
    @Override // org.apache.catalina.realm.RealmBase
    protected char[] getPassword(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Not supported: principals are only produced by the {@code authenticate} methods.
     *
     * @throws IllegalStateException always
     */
    @Override // org.apache.catalina.realm.RealmBase
    protected Principal getPrincipal(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Rebuilds an authenticated principal for {@code str} after fail-over.
     *
     * <p>Security note: this is a public method that logs the named user in through
     * {@code loginForRunAs}, i.e. without checking any credential. The name must come from
     * trusted, previously authenticated session state and never directly from a request.
     *
     * @param str user name to re-establish
     * @return a {@link WebPrincipal} with no password, bound to the resulting security context
     */
    public Principal createFailOveredPrincipal(String str) {
        _logger.finest("IN createFailOveredPrincipal (" + str + ")");
        loginForRunAs(str);
        final SecurityContext established = SecurityContext.getCurrent();
        _logger.fine("Security context is " + established);
        // Decompiled form of `assert established != null`.
        if (!$assertionsDisabled && established == null) {
            throw new AssertionError();
        }
        final WebPrincipal restored = new WebPrincipal(str, (char[]) null, established);
        _logger.info("Principal created for FailOvered user " + restored);
        return restored;
    }

    /**
     * Decides whether the request may access the resource.
     *
     * <p>A denial sends 403 and then runs the post-authenticate delegate. Any non-I/O failure
     * during the check is logged at SEVERE, answered with 503 and reported as "not permitted",
     * so an error inside the policy code never grants access.
     *
     * @return {@code true} only when the web security manager granted access
     * @throws IOException if writing the error response (or the delegate) fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasResourcePermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        boolean permitted = false;
        try {
            permitted = invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr);
            if (!permitted) {
                final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
                servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
                httpResponse.setDetailMessage(rb.getString("realmBase.forbidden"));
                invokePostAuthenticateDelegate(httpRequest, httpResponse, context);
            }
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            _logger.log(Level.SEVERE, "web_server.excep_authenticate_realmadapter", th);
            final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
            servletResponse.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            // The detail message reuses the "forbidden" text even though the status is 503.
            httpResponse.setDetailMessage(rb.getString("realmBase.forbidden"));
        }
        return permitted;
    }

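    /**
     * Runs the resource-permission check for a request.
     *
     * <p>On first use the context's login configuration is read once (under the write lock)
     * to learn the FORM login and error pages. When either page is configured, requests whose
     * path equals the login page or the error page, or ends with {@code /j_security_check},
     * are allowed without consulting the web security manager; everything else is decided by
     * {@code WebSecurityManager.hasResourcePermission}.
     *
     * <p>Security note: the bypass is a plain string comparison on the request path, so it is
     * only as strict as the path value returned by {@code getRequestPathMB()} — NOTE(review):
     * confirm that value is already decoded and normalized by the container.
     *
     * @param securityConstraintArr not used by this implementation
     * @return {@code true} if access is allowed; {@code false} if it is denied or no web
     *         security manager is available
     * @throws IOException declared for callers; propagated unchanged if raised by a callee
     */
    private boolean invokeWebSecurityManager(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        // Each lock is released in a finally tied to its own acquisition. The decompiled
        // original unlocked the read lock a second time from a method-wide catch, which
        // replaced any later failure with an IllegalMonitorStateException.
        final boolean evaluated;
        this.rwLock.readLock().lock();
        try {
            evaluated = this.contextEvaluated;
        } finally {
            this.rwLock.readLock().unlock();
        }
        if (!evaluated) {
            this.rwLock.writeLock().lock();
            try {
                // Re-check: another thread may have evaluated the context in between.
                if (!this.contextEvaluated) {
                    LoginConfig loginConfig = ((Context) getContainer()).getLoginConfig();
                    if (loginConfig != null && "FORM".equals(loginConfig.getAuthMethod())) {
                        this.loginPage = loginConfig.getLoginPage();
                        this.errorPage = loginConfig.getErrorPage();
                    }
                    this.contextEvaluated = true;
                }
            } finally {
                this.rwLock.writeLock().unlock();
            }
        }
        if (this.loginPage != null || this.errorPage != null) {
            String requestPath = httpRequest.getRequestPathMB().toString();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security]  requestURI: " + requestPath + " loginPage: " + this.loginPage);
            }
            if (this.loginPage != null && this.loginPage.equals(requestPath)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to login page " + this.loginPage);
                }
                return true;
            }
            if (this.errorPage != null && this.errorPage.equals(requestPath)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to error page " + this.errorPage);
                }
                return true;
            }
            // Any path with this suffix is let through here; the credentials it carries
            // are checked later by the form authenticator, not by this method.
            if (requestPath.endsWith("/j_security_check")) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to username/password submission");
                }
                return true;
            }
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest;
        if (httpServletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("[Web-Security] [ hasResourcePermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
        }
        WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // No policy available: deny.
            return false;
        }
        return manager.hasResourcePermission(httpServletRequest);
    }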

    /**
     * Checks the transport (user-data) constraint for the request as received, i.e. with no
     * URI or method override.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        final String noUriOverride = null;
        final String noMethodOverride = null;
        return hasUserDataPermission(httpRequest, httpResponse, securityConstraintArr, noUriOverride, noMethodOverride);
    }

    /**
     * Checks the transport (user-data) constraint for a request.
     *
     * <p>A request the container already reports as secure passes immediately. Otherwise the
     * web security manager's integer verdict decides: {@code -1} triggers a redirect to the
     * SSL port, {@code 0} is answered with 403, and any other value allows the request. An
     * {@link IllegalArgumentException} from the manager is answered with 400.
     *
     * @param str  forwarded to the manager as its second argument (may be {@code null})
     * @param str2 forwarded to the manager as its third argument (may be {@code null})
     * @return {@code true} if the request may proceed on the current transport
     * @throws IOException if writing the error or redirect response fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, String str, String str2) throws IOException {
        final HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        if (servletRequest.getServletPath() == null) {
            final String requestUri = servletRequest.getRequestURI();
            final String contextPath = servletRequest.getContextPath();
            httpRequest.setServletPath(getResourceName(requestUri, contextPath));
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("[Web-Security][ hasUserDataPermission ] Principal: " + servletRequest.getUserPrincipal() + " ContextPath: " + servletRequest.getContextPath());
        }
        // NOTE(review): isSecure() is taken at face value; behind a TLS-terminating proxy its
        // accuracy depends on how the connector is configured.
        if (httpRequest.getRequest().isSecure()) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security] request.getRequest().isSecure(): " + httpRequest.getRequest().isSecure());
            }
            return true;
        }
        final WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // No policy available: deny.
            return false;
        }
        try {
            final int verdict = manager.hasUserDataPermission(servletRequest, str, str2);
            if (verdict == 0) {
                ((HttpServletResponse) httpResponse.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN, rb.getString("realmBase.forbidden"));
                return false;
            }
            if (verdict != -1) {
                return true;
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security] redirecting using SSL");
            }
            return redirect(httpRequest, httpResponse);
        } catch (IllegalArgumentException e) {
            _logger.log(Level.WARNING, rb.getString("realmAdapter.badRequestWithId"), (Throwable) e);
            ((HttpServletResponse) httpResponse.getResponse()).sendError(HttpServletResponse.SC_BAD_REQUEST, rb.getString("realmAdapter.badRequest"));
            return false;
        }
    }

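    /**
     * Redirects a plain-HTTP request to the same URI on the connector's SSL redirect port.
     *
     * <p>Review notes for maintainers:
     * <ul>
     *   <li>The target host comes from {@code getServerName()}, which is normally derived from
     *       the client's Host header; deployments should pin or validate the host at the
     *       listener/virtual-server level so the redirect cannot point elsewhere.</li>
     *   <li>A session id that arrived in the URL is copied into the redirect URL, so it also
     *       appears in the Location header and downstream logs.</li>
     *   <li>The 403/500 paths pass the raw request URI as the error message; the error page
     *       that renders it must escape it.</li>
     * </ul>
     *
     * @return always {@code false}: the response has been committed with a redirect or error
     * @throws IOException if the response cannot be written
     */
    private boolean redirect(HttpRequest httpRequest, HttpResponse httpResponse) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse httpServletResponse = (HttpServletResponse) httpResponse.getResponse();
        int redirectPort = httpRequest.getConnector().getRedirectPort();
        if (redirectPort <= 0) {
            // Guard now matches the level actually logged (it tested INFO but logged at FINE).
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security]  SSL redirect is disabled");
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, httpServletRequest.getRequestURI());
            return false;
        }
        String serverName = httpServletRequest.getServerName();
        // Local, single-threaded buffer: StringBuilder avoids StringBuffer's locking.
        StringBuilder target = new StringBuilder(httpServletRequest.getRequestURI());
        String requestedSessionId = httpServletRequest.getRequestedSessionId();
        if (requestedSessionId != null && httpServletRequest.isRequestedSessionIdFromURL()) {
            target.append(";jsessionid=").append(requestedSessionId);
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            target.append('?').append(queryString);
        }
        try {
            httpServletResponse.sendRedirect(new URL("https", serverName, redirectPort, target.toString()).toString());
        } catch (MalformedURLException e) {
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, httpServletRequest.getRequestURI());
        }
        return false;
    }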

    /** Returns the name of the servlet whose wrapper is attached to the request. */
    private String getCanonicalName(HttpRequest httpRequest) {
        final String servletName = httpRequest.getWrapper().getServletName();
        return servletName;
    }

    /**
     * Strips a context-path-sized prefix from a request URI.
     *
     * <p>Only the lengths are compared: the method does not verify that {@code str} actually
     * starts with {@code str2}.
     *
     * @param str  request URI
     * @param str2 context path
     * @return the part of {@code str} after {@code str2.length()} characters, or {@code ""}
     *         when {@code str} is not longer than {@code str2}
     */
    private String getResourceName(String str, String str2) {
        final int prefixLength = str2.length();
        if (prefixLength >= str.length()) {
            return "";
        }
        return str.substring(prefixLength);
    }

    /** Returns the fixed implementation name of this realm ({@code name}). */
    @Override // org.apache.catalina.realm.RealmBase
    protected String getName() {
        final String implementationName = name;
        return implementationName;
    }

    /** Returns the realm name this adapter authenticates against, or {@code null} if unset. */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public String getRealmName() {
        final String realm = this._realmName;
        return realm;
    }

    /**
     * Ignores the supplied realm name: the body is empty, so {@code _realmName} is not
     * changed by this call.
     */
    public void setRealmName(String str) {
        // Intentionally empty in this build.
    }

    /**
     * Tells the container whether security processing is needed for this request.
     *
     * <p>{@code null} is returned only when a web security manager exists, it reports no
     * constrained resources, and no JSR-196 security extension is enabled. In every other
     * case, including a missing manager, the shared empty array is returned.
     * NOTE(review): presumably the container skips authentication on {@code null} — confirm
     * against the calling valve.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public SecurityConstraint[] findSecurityConstraints(HttpRequest httpRequest, Context context) {
        if (this.helper == null) {
            initConfigHelper();
        }
        final WebSecurityManager manager = getWebSecurityManager(false);
        final boolean unconstrained = manager != null && manager.hasNoConstrainedResources() && !isSecurityExtensionEnabled();
        if (unconstrained) {
            return null;
        }
        return emptyConstraints;
    }

    /**
     * Variant taking a URI and method; neither is consulted, and the decision is the same as
     * for the request-based overload: {@code null} only when a manager exists, nothing is
     * constrained and no security extension is enabled, otherwise the shared empty array.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public SecurityConstraint[] findSecurityConstraints(String str, String str2, Context context) {
        if (this.helper == null) {
            initConfigHelper();
        }
        final WebSecurityManager manager = getWebSecurityManager(false);
        final boolean unconstrained = manager != null && manager.hasNoConstrainedResources() && !isSecurityExtensionEnabled();
        if (unconstrained) {
            return null;
        }
        return emptyConstraints;
    }

    /**
     * Decides, before any authenticator runs, whether the request needs authentication.
     *
     * <p>Return values as produced here: {@code 1} when authentication should be attempted,
     * {@code 0} when the request may proceed as is, {@code -1} when it has been rejected and an
     * error response was sent. NOTE(review): these presumably correspond to the
     * AUTHENTICATE_NEEDED / AUTHENTICATE_NOT_NEEDED / AUTHENTICATED_NOT_AUTHORIZED constants
     * of org.apache.catalina.Realm — confirm.
     *
     * @param securityConstraintArr forwarded to invokeWebSecurityManager
     * @param z  forwarded to disableProxyCaching as its third argument
     * @param z2 forwarded to disableProxyCaching as its fourth argument
     * @param z3 when true, a session is created for authenticated callers unless the
     *           resource is permit-all
     * @throws IOException if writing an error response fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public int preAuthenticateCheck(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, boolean z, boolean z2, boolean z3) throws IOException {
        try {
            // No caller identity on the request: make sure the thread carries the
            // unauthenticated context rather than one left over from earlier work.
            if (((HttpServletRequest) httpRequest.getRequest()).getUserPrincipal() == null) {
                SecurityContext.setUnauthenticatedContext();
            }
            // A configured JSR-196 ServerAuthConfig always gets to authenticate the request.
            if (this.helper != null && this.helper.getServerAuthConfig() != null) {
                return 1;
            }
            if (!invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr)) {
                // Denied and anonymous: ask for authentication.
                if (((HttpServletRequest) httpRequest).getUserPrincipal() == null) {
                    disableProxyCaching(httpRequest, httpResponse, z, z2);
                    return 1;
                }
                // Denied and already authenticated: forbidden.
                ((HttpServletResponse) httpResponse.getResponse()).sendError(403);
                httpResponse.setDetailMessage(rb.getString("realmBase.forbidden"));
                return -1;
            }
            // Permitted and anonymous: nothing more to do.
            if (((HttpServletRequest) httpRequest).getUserPrincipal() == null) {
                return 0;
            }
            disableProxyCaching(httpRequest, httpResponse, z, z2);
            if (!z3) {
                return 0;
            }
            HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
            // A null manager here raises NullPointerException, which the Throwable handler
            // below turns into a 503 and -1.
            if (getWebSecurityManager(true).permitAll(httpServletRequest)) {
                return 0;
            }
            // Called for its side effect: creates the session if none exists.
            httpServletRequest.getSession(true);
            return 0;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            // Any unexpected failure rejects the request instead of letting it through.
            _logger.log(Level.SEVERE, "web_server.excep_authenticate_realmadapter", th);
            ((HttpServletResponse) httpResponse.getResponse()).sendError(503);
            httpResponse.setDetailMessage(rb.getString("realmBase.forbidden"));
            return -1;
        }
    }

    /**
     * Authenticates the request through JSR-196 {@code validate(...)} when a
     * {@link ServerAuthConfig} is available, and through the container authenticator otherwise.
     *
     * @param z forwarded to {@code validate} unchanged
     * @return the result of whichever authentication path ran
     * @throws IOException wrapping any exception raised by either path; the wrapper carries
     *         no message, only the cause
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean invokeAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context, Authenticator authenticator, boolean z) throws IOException {
        final LoginConfig loginConfig = context.getLoginConfig();
        try {
            final ServerAuthConfig serverAuthConfig = (this.helper == null) ? null : this.helper.getServerAuthConfig();
            if (serverAuthConfig == null) {
                return ((AuthenticatorBase) authenticator).authenticate(httpRequest, httpResponse, loginConfig);
            }
            return validate(httpRequest, httpResponse, loginConfig, authenticator, z);
        } catch (Exception e) {
            final IOException wrapped = new IOException();
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Lets the JSR-196 {@link ServerAuthContext} stored with the request secure the response.
     *
     * <p>The context is taken from the {@link MessageInfo} found under the {@code MESSAGE_INFO}
     * request attribute. Afterwards, if a context was found, the wrapped request/response
     * notes are removed from the request.
     *
     * @return {@code true} only if {@code secureResponse} reported {@link AuthStatus#SUCCESS};
     *         {@code false} when there is no helper, message info or auth context
     * @throws IOException wrapping an {@link AuthException} from {@code secureResponse}
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean invokePostAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context) throws IOException {
        boolean secured = false;
        ServerAuthContext serverAuthContext = null;
        try {
            if (this.helper != null) {
                final HttpServletRequest servletRequest = (HttpServletRequest) httpRequest.getRequest();
                final MessageInfo messageInfo = (MessageInfo) servletRequest.getAttribute(MESSAGE_INFO);
                if (messageInfo != null) {
                    serverAuthContext = (ServerAuthContext) messageInfo.getMap().get(SERVER_AUTH_CONTEXT);
                    if (serverAuthContext != null) {
                        final AuthStatus status = serverAuthContext.secureResponse(messageInfo, null);
                        secured = AuthStatus.SUCCESS.equals(status);
                    }
                }
            }
            return secured;
        } catch (AuthException e) {
            final IOException wrapped = new IOException();
            wrapped.initCause(e);
            throw wrapped;
        } finally {
            if (this.helper != null && serverAuthContext != null) {
                if (httpRequest instanceof HttpRequestWrapper) {
                    httpRequest.removeNote(Globals.WRAPPED_REQUEST);
                }
                // The wrapped-response note is also removed from the request object.
                if (httpResponse instanceof HttpResponseWrapper) {
                    httpRequest.removeNote(Globals.WRAPPED_RESPONSE);
                }
            }
        }
    }

    /**
     * Reports whether a {@code ServerAuthConfig} is available for this web module.
     *
     * <p>The config helper is created on first use through {@link #initConfigHelper()}.
     *
     * @return {@code true} when the helper returns a non-null {@code ServerAuthConfig}
     * @throws RuntimeException wrapping any exception raised while the config is looked up
     */
    public boolean isSecurityExtensionEnabled() {
        if (this.helper == null) {
            initConfigHelper();
        }
        boolean configured;
        try {
            configured = this.helper.getServerAuthConfig() != null;
        } catch (Exception cause) {
            throw new RuntimeException(cause);
        }
        return configured;
    }

    /**
     * Builds a new {@code HttpServletHelper} for this web module.
     *
     * <p>The helper is given the application context id, a property map holding the web
     * bundle descriptor under {@code HttpServletConstants.WEB_BUNDLE}, the realm name, the
     * system-app flag and the default system provider id.
     *
     * @return a freshly constructed helper; nothing is cached here
     */
    private HttpServletHelper getConfigHelper() {
        HashMap properties = new HashMap();
        properties.put(HttpServletConstants.WEB_BUNDLE, this.webDesc);
        String appContextId = getAppContextID();
        return new HttpServletHelper(appContextId, properties, null, this._realmName, this.isSystemApp, defaultSystemProviderID);
    }

    /**
     * Derives the application context id used when the config helper is created.
     *
     * @return the virtual server name and the module's context root, separated by one space
     */
    private String getAppContextID() {
        StringBuilder id = new StringBuilder();
        id.append(this.virtualServer.getName());
        id.append(" ");
        id.append(this.webDesc.getContextRoot());
        return id.toString();
    }

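    /**
     * Validates the request through the configured {@code ServerAuthContext} and, on success,
     * establishes the caller identity on the request.
     *
     * <p>The context lookup, the null check and {@code validateRequest} all run inside one
     * {@code try} block. An {@code AuthException} from any of them sets status 500 and makes
     * the method return {@code false}, so an authentication error never falls through as
     * success. Previously the null check and {@code validateRequest} sat outside the
     * {@code try}: the context variable could be read unassigned, and {@code AuthException}
     * could escape a method that declares only {@code IOException}.
     *
     * @param httpRequest   container request; receives the principal, auth type and wrapper notes
     * @param httpResponse  container response
     * @param loginConfig   login config; its auth method is the fallback auth type, may be null
     * @param authenticator container authenticator, used when the provider asks to register
     *                      the session with it
     * @param z             when {@code true}, the request is marked mandatory for the provider
     *                      even if the security manager would permit it for everyone
     * @return {@code true} when validation succeeded and either a non-anonymous principal was
     *         established or the resource is permitted to all callers; {@code false} otherwise
     * @throws IOException declared by the signature; propagated from the calls made here
     */
    private boolean validate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator, boolean z) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse httpServletResponse = (HttpServletResponse) httpResponse.getResponse();
        Subject subject = new Subject();
        HttpMessageInfo httpMessageInfo = new HttpMessageInfo(httpServletRequest, httpServletResponse);
        boolean validated = false;
        // Stays true if the permitAll lookup itself fails, so the stricter assumption applies.
        boolean mandatory = true;
        try {
            mandatory = !getWebSecurityManager(true).permitAll(httpServletRequest);
            if (mandatory || z) {
                httpMessageInfo.getMap().put(HttpServletConstants.IS_MANDATORY, Boolean.TRUE.toString());
            }
            ServerAuthContext serverAuthContext = this.helper.getServerAuthContext(httpMessageInfo, null);
            if (serverAuthContext == null) {
                throw new AuthException("null ServerAuthContext");
            }
            validated = AuthStatus.SUCCESS.equals(serverAuthContext.validateRequest(httpMessageInfo, subject, null));
            if (validated) {
                // Stored so invokePostAuthenticateDelegate can find the same context again.
                httpMessageInfo.getMap().put(SERVER_AUTH_CONTEXT, serverAuthContext);
                httpServletRequest.setAttribute(MESSAGE_INFO, httpMessageInfo);
            }
        } catch (AuthException e) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "JMAC: http msg authentication fail", (Throwable) e);
            }
            httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            // Fail closed: an authentication error is never reported as success.
            validated = false;
        }
        if (!validated) {
            return false;
        }

        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty() || principalSetContainsOnlyAnonymousPrincipal(principals)) {
            // The provider said SUCCESS but named no real caller: acceptable only for
            // resources the security manager permits to everyone.
            return !mandatory;
        }

        SecurityContext securityContext = new SecurityContext(subject);
        WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
        try {
            String authType = (String) httpMessageInfo.getMap().get(HttpServletHelper.AUTH_TYPE);
            boolean registerWithAuthenticator = httpMessageInfo.getMap().containsKey(HttpServletConstants.REGISTER_WITH_AUTHENTICATOR);
            if (authType == null && loginConfig != null && loginConfig.getAuthMethod() != null) {
                authType = loginConfig.getAuthMethod();
            }
            if (registerWithAuthenticator) {
                new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(httpRequest, httpResponse, loginConfig);
            } else {
                httpRequest.setAuthType(authType == null ? PROXY_AUTH_TYPE : authType);
                httpRequest.setUserPrincipal(webPrincipal);
            }
        } catch (LifecycleException e2) {
            // NOTE(review): the failure is only logged and the method still returns true, so the
            // principal may not have been registered on the request - confirm that callers
            // re-check the user principal before treating the request as authenticated.
            _logger.log(Level.SEVERE, "[Web-Security] unable to register session", (Throwable) e2);
        }

        // If the provider replaced the request or response message, expose the wrappers as notes.
        HttpServletRequest providerRequest = (HttpServletRequest) httpMessageInfo.getRequestMessage();
        if (providerRequest != httpServletRequest) {
            httpRequest.setNote(Globals.WRAPPED_REQUEST, new HttpRequestWrapper(httpRequest, providerRequest));
        }
        HttpServletResponse providerResponse = (HttpServletResponse) httpMessageInfo.getResponseMessage();
        if (providerResponse != httpServletResponse) {
            httpRequest.setNote(Globals.WRAPPED_RESPONSE, new HttpResponseWrapper(httpResponse, providerResponse));
        }
        return true;
    }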

    /**
     * Reads the default system provider id from the system property named by
     * {@code SYSTEM_HTTPSERVLET_SECURITY_PROVIDER}.
     *
     * @return the trimmed property value, or {@code null} when the property is unset or
     *         contains only whitespace
     */
    private static String getDefaultSystemProviderID() {
        String configured = System.getProperty(SYSTEM_HTTPSERVLET_SECURITY_PROVIDER);
        if (configured == null) {
            return null;
        }
        String trimmed = configured.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /**
     * Resets the policy context handler and sets the policy context id to {@code null}, in
     * that order.
     */
    private void resetPolicyContext() {
        PolicyContextHandlerImpl handler = (PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance();
        handler.reset();
        PolicyContext.setContextID(null);
    }

    /**
     * Initializes this realm adapter from a web bundle descriptor.
     *
     * <p>The realm name is taken from the application, then from the login configuration,
     * and finally from {@code str} when the name is still null or empty. The method also
     * records the policy context id, the module id and the run-as principal of every web
     * component that declares one.
     *
     * @param obj descriptor of the web module; cast to {@code WebBundleDescriptor} without a
     *            type check, so any other type raises {@code ClassCastException}
     * @param z   whether the module is a system application
     * @param str fallback realm name, may be {@code null}
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void initializeRealm(Object obj, boolean z, String str) {
        this.isSystemApp = z;
        this.webDesc = (WebBundleDescriptor) obj;
        Application app = this.webDesc.getApplication();
        LoginConfiguration loginConf = this.webDesc.getLoginConfiguration();

        // Realm name precedence: application, then login configuration, then the fallback.
        this._realmName = app.getRealm();
        if (loginConf != null && this._realmName == null) {
            this._realmName = loginConf.getRealmName();
        }
        boolean realmMissing = this._realmName == null || this._realmName.isEmpty();
        if (realmMissing && str != null) {
            this._realmName = str;
        }

        this.CONTEXT_ID = WebSecurityManager.getContextID(this.webDesc);
        this.runAsPrincipals = new HashMap<>();
        for (WebComponentDescriptor component : this.webDesc.getWebComponentDescriptors()) {
            RunAsIdentityDescriptor runAs = component.getRunAsIdentity();
            if (runAs == null) {
                continue;
            }
            String runAsName = runAs.getPrincipal();
            String servletName = component.getCanonicalName();
            if (runAsName != null && servletName != null) {
                this.runAsPrincipals.put(servletName, runAsName);
                _logger.fine("Servlet " + servletName + " will run-as: " + runAsName);
            } else {
                // A run-as entry lacking a principal or a servlet name is skipped with a warning.
                _logger.warning("web.realmadapter.norunas");
            }
        }
        this.moduleID = this.webDesc.getModuleID();
    }

    /**
     * Creates the web security manager for the module and generates its policy file.
     *
     * <p>When {@code z} is true and the context id is {@code "__admingui/__admingui"}, a
     * policy-creation probe event is also emitted.
     *
     * @param webBundleDescriptor descriptor of the web module being configured
     * @param z                   enables the probe event for the admin GUI context
     * @throws RuntimeException wrapping any exception raised during setup, after it has been
     *                          logged at SEVERE
     */
    protected void configureSecurity(WebBundleDescriptor webBundleDescriptor, boolean z) {
        try {
            this.webSecurityManagerFactory.createManager(webBundleDescriptor, true, this.serverContext);
            String policyContextId = WebSecurityManager.getContextID(webBundleDescriptor);
            SecurityUtil.generatePolicyFile(policyContextId);
            if (!z) {
                return;
            }
            if (policyContextId.equals("__admingui/__admingui")) {
                websecurityProbeProvider.policyCreationEvent(policyContextId);
            }
        } catch (Exception failure) {
            _logger.log(Level.SEVERE, "policy.configure", (Throwable) failure);
            throw new RuntimeException(failure);
        }
    }

    /**
     * Resolves the {@code SecurityContext} that belongs to a principal.
     *
     * <p>A {@code WebPrincipal} already carries its context. For any other principal, a new
     * context is built inside a privileged action from a fresh {@code Subject} that holds
     * only that principal.
     *
     * @param principal caller principal, may be {@code null}
     * @return the matching security context, or {@code null} when {@code principal} is null
     */
    private SecurityContext getSecurityContextForPrincipal(final Principal principal) {
        if (principal == null) {
            return null;
        }
        if (principal instanceof WebPrincipal) {
            WebPrincipal webPrincipal = (WebPrincipal) principal;
            return webPrincipal.getSecurityContext();
        }
        PrivilegedAction<SecurityContext> buildContext = new PrivilegedAction<SecurityContext>() {
            @Override // java.security.PrivilegedAction
            public SecurityContext run() {
                Subject holder = new Subject();
                holder.getPrincipals().add(principal);
                return new SecurityContext(principal.getName(), holder);
            }
        };
        return AccessController.doPrivileged(buildContext);
    }

    /**
     * Makes the principal's security context the current one, but only for a
     * {@code WebPrincipal}. Any other principal, including {@code null}, leaves the current
     * context untouched.
     *
     * @param principal candidate principal
     */
    public void setCurrentSecurityContextWithWebPrincipal(Principal principal) {
        if (!(principal instanceof WebPrincipal)) {
            return;
        }
        SecurityContext resolved = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(resolved);
    }

    /**
     * Makes the security context resolved for the principal the current one.
     *
     * <p>Unlike {@link #setCurrentSecurityContextWithWebPrincipal(Principal)}, this always
     * calls {@code SecurityContext.setCurrent}. A {@code null} principal passes {@code null}.
     *
     * @param principal principal whose context becomes current, may be {@code null}
     */
    public void setCurrentSecurityContext(Principal principal) {
        SecurityContext resolved = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(resolved);
    }

    /**
     * Creates the config helper if none has been created yet. The method holds this
     * instance's monitor, so calls made through it build the helper at most once.
     */
    public synchronized void initConfigHelper() {
        if (this.helper == null) {
            this.helper = getConfigHelper();
        }
    }

    /**
     * Looks up the {@code WebSecurityManagerFactory} component in the habitat and stores it
     * for later use.
     */
    @Override // org.jvnet.hk2.component.PostConstruct
    public void postConstruct() {
        WebSecurityManagerFactory factory = (WebSecurityManagerFactory) this.habitat.getComponent(WebSecurityManagerFactory.class);
        this.webSecurityManagerFactory = factory;
    }

    // Class initialization. The order matters: rb is read from _logger, and
    // defaultSystemProviderID is computed by a static helper of this class.
    static {
        // Appears to be the compiler-generated flag backing `assert` statements, as recovered by the decompiler.
        $assertionsDisabled = !RealmAdapter.class.desiredAssertionStatus();
        _logger = LogDomains.getLogger(RealmAdapter.class, LogDomains.WEB_LOGGER);
        // Message bundle attached to the logger; used for localized detail messages.
        rb = _logger.getResourceBundle();
        websecurityProbeProvider = new WebSecurityDeployerProbeProvider();
        emptyConstraints = new SecurityConstraint[0];
        // Resolved once, during class initialization, from a system property.
        defaultSystemProviderID = getDefaultSystemProviderID();
        // Auth type set on the request in validate when neither the provider nor the login config names one.
        PROXY_AUTH_TYPE = "PLUGGABLE_PROVIDER";
    }
}
