package org.nuxeo.ecm.platform.ui.web.auth;

import com.codahale.metrics.Counter;
import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.SharedMetricRegistries;
import com.codahale.metrics.Timer;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.naming.NamingException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.common.utils.URIUtils;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.SimplePrincipal;
import org.nuxeo.ecm.core.api.local.ClientLoginModule;
import org.nuxeo.ecm.core.event.EventProducer;
import org.nuxeo.ecm.core.event.impl.UnboundEventContext;
import org.nuxeo.ecm.directory.DirectoryException;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfoCallbackHandler;
import org.nuxeo.ecm.platform.login.PrincipalImpl;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.LoginResponseHandler;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthPreFilter;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPluginLogoutExtension;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPropagator;
import org.nuxeo.ecm.platform.ui.web.auth.service.AuthenticationPluginDescriptor;
import org.nuxeo.ecm.platform.ui.web.auth.service.NuxeoAuthFilterChain;
import org.nuxeo.ecm.platform.ui.web.auth.service.OpenUrlDescriptor;
import org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.ecm.platform.web.common.session.NuxeoHttpSessionMonitor;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.api.login.LoginConfiguration;
import org.nuxeo.runtime.metrics.MetricsService;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/NuxeoAuthenticationFilter.class */
public class NuxeoAuthenticationFilter implements Filter {
    // Page used as the default redirect target by switchUser() and handleLogout(), and as the
    // always-accepted target in saveRequestedURLBeforeRedirect().
    public static final String DEFAULT_START_PAGE = "nxstartup.faces";
    // Default JAAS security domain; init() can override it per filter instance.
    public static final String LOGIN_DOMAIN = "nuxeo-ecm-web";
    // Value of the X-Requested-With header that marks an AJAX request (compared case-insensitively).
    protected static final String XMLHTTP_REQUEST_TYPE = "XMLHttpRequest";
    // Stored under the "category" key of every authentication event sent by sendAuthenticationEvent().
    protected static final String LOGIN_JMS_CATEGORY = "NuxeoAuthentication";
    // Lazily resolved by isLoginSynchronized(); null until the first successful resolution.
    // The field is not volatile and its first read in isLoginSynchronized() happens outside the class lock.
    protected static Boolean isLoginSynchronized;
    // Cached anonymous user id, filled on first use by getAnonymousId() without any synchronization.
    private static String anonymous;
    // Authentication service, resolved lazily by doInitIfNeeded(); null until the runtime is available.
    protected volatile PluggableAuthenticationService service;
    // URL prefixes that do not require authentication; (re)built by initUnAuthenticatedURLPrefix().
    protected List<String> unAuthenticatedURLPrefix;
    private static final Log log = LogFactory.getLog(NuxeoAuthenticationFilter.class);
    protected static final Principal DIRECTORY_ERROR_PRINCIPAL = new PrincipalImpl("__DIRECTORY_ERROR__������");
    // Constant flag; not read by any of the methods visible in this part of the file.
    protected final boolean avoidReauthenticate = true;
    // NOTE(review): presumably guards unAuthenticatedURLPrefix; its users are outside this part of the file.
    protected ReentrantReadWriteLock unAuthenticatedURLPrefixLock = new ReentrantReadWriteLock();
    // When true (set from the "byPassAuthenticationLog" init parameter), logAuthenticationAttempt() and
    // logLogout() return immediately and no login/logout event is emitted, so enabling it removes the
    // audit trail these events feed.
    protected boolean byPassAuthenticationLog = false;
    // JAAS domain passed to LoginContext in doAuthenticate(); overridable via the "securityDomain" init parameter.
    protected String securityDomain = LOGIN_DOMAIN;
    // Shared metrics registry, keyed by the MetricsService class name.
    protected final MetricRegistry registry = SharedMetricRegistries.getOrCreate(MetricsService.class.getName());
    // Times every request passing through doFilter().
    protected final Timer requestTimer = this.registry.timer(MetricRegistry.name("nuxeo", new String[]{"web", "authentication", "requests", "count"}));
    // Number of requests currently inside doFilter().
    protected final Counter concurrentCount = this.registry.counter(MetricRegistry.name("nuxeo", new String[]{"web", "authentication", "requests", "concurrent", "count"}));
    // Incremented by doFilter() whenever concurrentCount exceeds it (check and increment are not atomic).
    protected final Counter concurrentMaxCount = this.registry.counter(MetricRegistry.name("nuxeo", new String[]{"web", "authentication", "requests", "concurrent", "max"}));
    // Incremented on successful login and decremented on logout by the log* helpers.
    protected final Counter loginCount = this.registry.counter(MetricRegistry.name("nuxeo", new String[]{"web", "authentication", "logged-users"}));

    /**
     * Servlet filter lifecycle hook; this filter holds nothing that needs releasing.
     */
    public void destroy() {
        // intentionally empty
    }

    /**
     * Fires an authentication event through the {@link EventProducer} service.
     * <p>
     * A framework login is opened for the duration of the call and always closed again, whether the
     * event was sent, the login failed, or something else was thrown.
     *
     * @param userIdentificationInfo identity the event is about; supplies the user name and the
     *            authentication / login plugin names stored in the event properties
     * @param str name of the event to fire
     * @param str2 free-text comment stored under the {@code "comment"} property
     * @return {@code true} when the event was fired, {@code false} when the framework login failed
     */
    protected static boolean sendAuthenticationEvent(UserIdentificationInfo userIdentificationInfo, String str, String str2) {
        LoginContext systemLogin = null;
        try {
            systemLogin = Framework.login();
            EventProducer producer = (EventProducer) Framework.getService(EventProducer.class);
            SimplePrincipal actor = new SimplePrincipal(userIdentificationInfo.getUserName());

            Map<String, java.io.Serializable> properties = new HashMap<>();
            properties.put("AuthenticationPlugin", userIdentificationInfo.getAuthPluginName());
            properties.put("LoginPlugin", userIdentificationInfo.getLoginPluginName());
            properties.put("category", LOGIN_JMS_CATEGORY);
            properties.put("comment", str2);

            producer.fireEvent(new UnboundEventContext(actor, properties).newEvent(str));
            return true;
        } catch (LoginException loginFailure) {
            log.error("Unable to log in in order to log Login event" + loginFailure.getMessage());
            return false;
        } finally {
            // Close the framework login on every exit path.
            if (systemLogin != null) {
                try {
                    systemLogin.logout();
                } catch (LoginException logoutFailure) {
                    log.error("Unable to logout: " + logoutFailure.getMessage());
                }
            }
        }
    }

    /**
     * Emits a login-success or login-failure event for an authentication attempt.
     * <p>
     * Does nothing (and reports success) when {@code byPassAuthenticationLog} is set. On success the
     * {@code loginCount} metric is incremented.
     *
     * @param userIdentificationInfo identity that attempted to authenticate
     * @param z {@code true} for a successful login, {@code false} for a failed one
     * @return {@code true} when logging is bypassed or the event was sent
     */
    protected boolean logAuthenticationAttempt(UserIdentificationInfo userIdentificationInfo, boolean z) {
        if (this.byPassAuthenticationLog) {
            return true;
        }
        // The subject text is client-supplied on failed attempts; consumers of the event comment
        // should treat it as untrusted.
        // NOTE(review): when no user name is present the token is written into the comment instead;
        // confirm tokens are not bearer secrets before they reach the audit store.
        String subject = userIdentificationInfo.getUserName();
        if (subject == null || subject.length() == 0) {
            subject = userIdentificationInfo.getToken();
        }
        final String eventName;
        final String comment;
        if (!z) {
            eventName = NXAuthConstants.LOGIN_FAILED;
            comment = subject + " failed to authenticate using " + userIdentificationInfo.getAuthPluginName() + "Authentication";
        } else {
            eventName = "loginSuccess";
            comment = subject + " successfully logged in using " + userIdentificationInfo.getAuthPluginName() + "Authentication";
            this.loginCount.inc();
        }
        return sendAuthenticationEvent(userIdentificationInfo, eventName, comment);
    }

    /**
     * Emits a logout event and decrements the {@code loginCount} metric.
     * <p>
     * Does nothing (and reports success) when {@code byPassAuthenticationLog} is set.
     *
     * @param userIdentificationInfo identity that is logging out
     * @return {@code true} when logging is bypassed or the event was sent
     */
    protected boolean logLogout(UserIdentificationInfo userIdentificationInfo) {
        if (this.byPassAuthenticationLog) {
            return true;
        }
        this.loginCount.dec();
        String subject = userIdentificationInfo.getUserName();
        // Fall back to the token when the identity carries no user name.
        if (subject == null || subject.length() == 0) {
            subject = userIdentificationInfo.getToken();
        }
        final String comment = subject + " logged out";
        return sendAuthenticationEvent(userIdentificationInfo, NXAuthConstants.LOGOUT_PAGE, comment);
    }

    /**
     * Tells whether JAAS logins must be serialized on the filter class.
     * <p>
     * The answer is the negation of the framework property
     * {@code org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.isLoginNotSynchronized}
     * (default {@code "true"}), resolved once and cached in a static field. While the runtime is not
     * available the method answers {@code false} without caching.
     *
     * @return {@code true} when {@code doAuthenticate} should hold the class lock around the login
     */
    protected static boolean isLoginSynchronized() {
        Boolean cached = isLoginSynchronized;
        if (cached != null) {
            return cached.booleanValue();
        }
        if (Framework.getRuntime() == null) {
            return false;
        }
        synchronized (NuxeoAuthenticationFilter.class) {
            // Re-check under the lock: another thread may have resolved the value meanwhile.
            if (isLoginSynchronized == null) {
                boolean notSynchronized = Boolean.parseBoolean(Framework.getProperty("org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.isLoginNotSynchronized", "true"));
                isLoginSynchronized = Boolean.valueOf(!notSynchronized);
            }
            return isLoginSynchronized.booleanValue();
        }
    }

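    /**
     * Runs a JAAS login for the given identity and, on success, binds the result to the request and
     * the HTTP session.
     * <p>
     * On success the principal, the "already authenticated" flag and the login context are stored on
     * {@code cachableUserIdentificationInfo}, a login-success event is logged, and the identity is
     * saved in the session under {@link NXAuthConstants#USERIDENT_KEY} when a session is available.
     * On failure a login-failure event is logged.
     *
     * @param cachableUserIdentificationInfo identity to authenticate; updated in place on success
     * @param httpServletRequest current request
     * @return the authenticated principal, {@code null} when the login was rejected, or
     *         {@link #DIRECTORY_ERROR_PRINCIPAL} when the failure was caused by a
     *         {@link DirectoryException}
     */
    protected Principal doAuthenticate(CachableUserIdentificationInfo cachableUserIdentificationInfo, HttpServletRequest httpServletRequest) {
        try {
            LoginContext loginContext = new LoginContext(this.securityDomain, this.service.getCallbackHandler(cachableUserIdentificationInfo.getUserInfo()));
            if (isLoginSynchronized()) {
                synchronized (NuxeoAuthenticationFilter.class) {
                    loginContext.login();
                }
            } else {
                loginContext.login();
            }
            Principal principal = (Principal) loginContext.getSubject().getPrincipals().toArray()[0];
            cachableUserIdentificationInfo.setPrincipal(principal);
            cachableUserIdentificationInfo.setAlreadyAuthenticated(true);
            // From here on the identity carries the name the login module resolved, not the submitted one.
            cachableUserIdentificationInfo.getUserInfo().setUserName(principal.getName());
            logAuthenticationAttempt(cachableUserIdentificationInfo.getUserInfo(), true);
            httpServletRequest.setAttribute(NXAuthConstants.LOGINCONTEXT_KEY, loginContext);
            cachableUserIdentificationInfo.setLoginContext(loginContext);
            HttpSession session = httpServletRequest.getSession(needSessionSaving(cachableUserIdentificationInfo.getUserInfo()));
            if (session != null) {
                session.setAttribute(NXAuthConstants.USERIDENT_KEY, cachableUserIdentificationInfo);
            }
            this.service.onAuthenticatedSessionCreated(httpServletRequest, session, cachableUserIdentificationInfo);
            return cachableUserIdentificationInfo.getPrincipal();
        } catch (LoginException e) {
            // The user name of a failed attempt is client-supplied: neutralise line breaks so it
            // cannot be used to forge additional log entries.
            String attemptedName = String.valueOf(cachableUserIdentificationInfo.getUserInfo().getUserName()).replaceAll("[\\r\\n]", "_");
            log.info("Login failed for " + attemptedName);
            logAuthenticationAttempt(cachableUserIdentificationInfo.getUserInfo(), false);
            Throwable cause = e.getCause();
            if (!(cause instanceof DirectoryException)) {
                return null;
            }
            // getMessage() may be null; guard before searching it for the LDAP timeout text.
            String causeMessage = cause.getMessage();
            if ((cause.getCause() instanceof NamingException) && causeMessage != null && causeMessage.contains("LDAP response read timed out")) {
                httpServletRequest.setAttribute(NXAuthConstants.LOGIN_STATUS_CODE, 408);
            }
            return DIRECTORY_ERROR_PRINCIPAL;
        }
    }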

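    /**
     * Switches the session to another user, or back to the originating user.
     * <p>
     * The target user is read from the request attribute {@link NXAuthConstants#SWITCH_USER_KEY}.
     * When that attribute is absent, the current principal's originating user is used instead, which
     * switches back. The new identity is authenticated through the {@code "Trusting_LM"} login
     * plugin, that is, without the target user's credentials: whatever sets the request attribute is
     * responsible for authorizing the switch, and that check is not part of this method.
     *
     * @param servletRequest current request
     * @param servletResponse current response, used for the final redirect
     * @param filterChain unused
     * @return {@code true} when a redirect was sent; {@code false} when there is no cached identity
     *         or nothing to switch to, in which case the caller continues normal processing
     * @throws IOException if the redirect cannot be sent
     */
    private boolean switchUser(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String targetUser = (String) httpServletRequest.getAttribute(NXAuthConstants.SWITCH_USER_KEY);
        String targetPage = (String) httpServletRequest.getAttribute(NXAuthConstants.PAGE_AFTER_SWITCH);
        if (targetPage == null) {
            targetPage = DEFAULT_START_PAGE;
        }
        CachableUserIdentificationInfo currentIdentity = retrieveIdentityFromCache(httpServletRequest);
        // retrieveIdentityFromCache() returns null when there is no session or no cached identity,
        // e.g. when the switch-user page is requested without being logged in. Let the caller run
        // the normal authentication flow instead of failing with a NullPointerException.
        if (currentIdentity == null || currentIdentity.getUserInfo() == null) {
            return false;
        }
        String originatingUser = currentIdentity.getUserInfo().getUserName();
        if (targetUser == null) {
            // No explicit target: switch back to the user this session originally belonged to.
            Principal currentPrincipal = currentIdentity.getPrincipal();
            String previousUser = currentPrincipal instanceof NuxeoPrincipal ? ((NuxeoPrincipal) currentPrincipal).getOriginatingUser() : null;
            if (previousUser == null) {
                return false;
            }
            targetUser = previousUser;
            originatingUser = null;
        }
        try {
            currentIdentity.getLoginContext().logout();
        } catch (LoginException e) {
            log.error("Error while logout from main identity", e);
        }
        this.service.reinitSession(httpServletRequest);
        CachableUserIdentificationInfo switchedIdentity = new CachableUserIdentificationInfo(targetUser, targetUser);
        switchedIdentity.getUserInfo().setLoginPluginName("Trusting_LM");
        switchedIdentity.getUserInfo().setAuthPluginName(currentIdentity.getUserInfo().getAuthPluginName());
        Principal switchedPrincipal = doAuthenticate(switchedIdentity, httpServletRequest);
        if (switchedPrincipal != null && switchedPrincipal != DIRECTORY_ERROR_PRINCIPAL) {
            if (originatingUser != null && switchedPrincipal instanceof NuxeoPrincipal) {
                // Remember who initiated the switch so a later call can switch back.
                ((NuxeoPrincipal) switchedPrincipal).setOriginatingUser(originatingUser);
            }
            // NOTE(review): this propagates the previous identity, not the switched one; kept as is,
            // confirm it is intended.
            propagateUserIdentificationInformation(currentIdentity);
        }
        servletRequest.setAttribute(NXAuthConstants.DISABLE_REDIRECT_REQUEST_KEY, Boolean.TRUE);
        ((HttpServletResponse) servletResponse).sendRedirect(this.service.getBaseURL(servletRequest) + targetPage);
        return true;
    }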

    /**
     * Filter entry point: records request metrics, makes sure the authentication service is
     * resolved, then runs either the configured pre-filter chain or {@link #doFilterInternal}.
     * <p>
     * Thread-local login state is cleared, the timer stopped and the concurrency counter decremented
     * on every exit path, including exceptions.
     *
     * @param servletRequest current request
     * @param servletResponse current response
     * @param filterChain remaining servlet filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain or from service initialisation
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final Timer.Context timing = this.requestTimer.time();
        this.concurrentCount.inc();
        // Track the high-water mark of concurrent requests (check and increment are not atomic).
        if (this.concurrentCount.getCount() > this.concurrentMaxCount.getCount()) {
            this.concurrentMaxCount.inc();
        }
        try {
            doInitIfNeeded();
            final List<NuxeoAuthPreFilter> preFilters = this.service.getPreFilters();
            if (preFilters != null) {
                new NuxeoAuthFilterChain(preFilters, filterChain, this).doFilter(servletRequest, servletResponse);
            } else {
                doFilterInternal(servletRequest, servletResponse, filterChain);
            }
        } finally {
            // Presumably so a pooled worker thread does not carry this request's login state into
            // the next request it serves.
            ClientLoginModule.clearThreadLocalLogin();
            LoginConfiguration.INSTANCE.cleanupThisThread();
            timing.stop();
            this.concurrentCount.dec();
        }
    }

    /**
     * Core authentication flow for one request.
     * <p>
     * In order: lets bypassed, already-wrapped and service-bypassable requests through untouched;
     * handles the switch-user page; otherwise resolves a principal from the container, from the
     * identity cached in the session, or from a fresh identity retrieved from the request and
     * authenticated through {@link #doAuthenticate}. An authenticated request is either redirected
     * to the saved requested URL or passed down the chain wrapped in a
     * {@code NuxeoSecuredRequestWrapper}; a request without principal is passed down unwrapped.
     *
     * @param servletRequest current request
     * @param servletResponse current response
     * @param filterChain remaining servlet filter chain
     * @throws IOException propagated from the chain or from a redirect
     * @throws ServletException propagated from the chain or the authentication helpers
     */
    public void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String parameter;
        NuxeoAuthenticationPropagator.CleanupCallback cleanupCallback;
        // bypassAuth() is defined outside this part of the file; when it says yes, no authentication is attempted.
        if (bypassAuth((HttpServletRequest) servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Switch-user page: switchUser() returns true once it has sent its redirect.
        if (getRequestedPage(servletRequest).equals(NXAuthConstants.SWITCH_USER_PAGE) && switchUser(servletRequest, servletResponse, filterChain)) {
            return;
        }
        // The request was already wrapped by this filter: do not authenticate twice.
        if (servletRequest instanceof NuxeoSecuredRequestWrapper) {
            log.debug("ReEntering Nuxeo Authentication Filter ... exiting directly");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (this.service.canBypassRequest(servletRequest)) {
            log.debug("ReEntering Nuxeo Authentication Filter after URL rewrite ... exiting directly");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        log.debug("Entering Nuxeo Authentication Filter");
        // Target of the post-authentication redirect, if any.
        String str = null;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        NuxeoAuthenticationPropagator.CleanupCallback cleanupCallback2 = null;
        if (userPrincipal == null) {
            try {
                log.debug("Principal not found inside Request via getUserPrincipal");
                log.debug("Try getting authentication from cache");
                CachableUserIdentificationInfo retrieveIdentityFromCache = retrieveIdentityFromCache(httpServletRequest);
                // The service asks for a login reset: drop the cached identity and invalidate the session.
                if (retrieveIdentityFromCache != null && retrieveIdentityFromCache.getUserInfo() != null && this.service.needResetLogin(servletRequest)) {
                    HttpSession session = httpServletRequest.getSession(false);
                    if (session != null) {
                        session.removeAttribute(NXAuthConstants.USERIDENT_KEY);
                    }
                    cleanupCallback2 = this.service.propagateUserIdentificationInformation(retrieveIdentityFromCache);
                    try {
                        this.service.invalidateSession(servletRequest);
                        if (cleanupCallback2 != null) {
                            cleanupCallback2.cleanup();
                            cleanupCallback2 = null;
                        }
                        retrieveIdentityFromCache = null;
                    } catch (Throwable th) {
                        if (cleanupCallback2 != null) {
                            cleanupCallback2.cleanup();
                        }
                        throw th;
                    }
                }
                // A cached identity is reused without running the login modules again.
                if (retrieveIdentityFromCache != null && retrieveIdentityFromCache.getUserInfo() != null) {
                    log.debug("userIdent found in cache, get the Principal from it without reloggin");
                    NuxeoHttpSessionMonitor.instance().updateEntry(httpServletRequest);
                    userPrincipal = retrieveIdentityFromCache.getPrincipal();
                    log.debug("Principal = " + userPrincipal.getName());
                    cleanupCallback2 = this.service.propagateUserIdentificationInformation(retrieveIdentityFromCache);
                    if (getRequestedPage(httpServletRequest).equals(NXAuthConstants.LOGOUT_PAGE)) {
                        boolean handleLogout = handleLogout(servletRequest, servletResponse, retrieveIdentityFromCache);
                        // After logout the request is treated as unauthenticated.
                        retrieveIdentityFromCache = null;
                        userPrincipal = null;
                        // Stop here when the logout produced a response, unless a login form was submitted with it.
                        if (handleLogout && httpServletRequest.getParameter(NXAuthConstants.FORM_SUBMITTED_MARKER) == null) {
                            if (cleanupCallback2 != null) {
                                cleanupCallback2.cleanup();
                                return;
                            }
                            return;
                        }
                    } else {
                        str = getSavedRequestedURL(httpServletRequest, httpServletResponse);
                    }
                }
                // No usable cached identity: try to obtain one from the request itself.
                if (retrieveIdentityFromCache == null || retrieveIdentityFromCache.getUserInfo() == null) {
                    UserIdentificationInfo handleRetrieveIdentity = handleRetrieveIdentity(httpServletRequest, httpServletResponse);
                    // An anonymous identity is discarded when the FORCE_ANONYMOUS_LOGIN parameter is "true".
                    if (handleRetrieveIdentity != null && handleRetrieveIdentity.getUserName().equals(getAnonymousId()) && (parameter = httpServletRequest.getParameter(NXAuthConstants.FORCE_ANONYMOUS_LOGIN)) != null && parameter.equals("true")) {
                        handleRetrieveIdentity = null;
                    }
                    if ((handleRetrieveIdentity != null && handleRetrieveIdentity.containsValidIdentity()) || bypassAuth(httpServletRequest)) {
                        str = getSavedRequestedURL(httpServletRequest, httpServletResponse);
                    } else if (handleLoginPrompt(httpServletRequest, httpServletResponse)) {
                        // A login prompt was sent to the client; nothing more to do for this request.
                        if (cleanupCallback2 != null) {
                            cleanupCallback2.cleanup();
                            return;
                        }
                        return;
                    }
                    if (handleRetrieveIdentity != null && handleRetrieveIdentity.containsValidIdentity()) {
                        CachableUserIdentificationInfo cachableUserIdentificationInfo = new CachableUserIdentificationInfo(handleRetrieveIdentity);
                        userPrincipal = doAuthenticate(cachableUserIdentificationInfo, httpServletRequest);
                        // null = credentials rejected, DIRECTORY_ERROR_PRINCIPAL = user directory failure.
                        if (userPrincipal == null || userPrincipal == DIRECTORY_ERROR_PRINCIPAL) {
                            NuxeoAuthenticationPlugin authenticator = getAuthenticator(cachableUserIdentificationInfo);
                            if (!(authenticator instanceof LoginResponseHandler)) {
                                httpServletRequest.setAttribute(NXAuthConstants.LOGIN_ERROR, userPrincipal == DIRECTORY_ERROR_PRINCIPAL ? NXAuthConstants.ERROR_CONNECTION_FAILED : NXAuthConstants.ERROR_AUTHENTICATION_FAILED);
                                if (handleLoginPrompt(httpServletRequest, httpServletResponse)) {
                                    if (cleanupCallback2 != null) {
                                        cleanupCallback2.cleanup();
                                        return;
                                    }
                                    return;
                                }
                            } else if (((LoginResponseHandler) authenticator).onError((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse)) {
                                if (cleanupCallback2 != null) {
                                    cleanupCallback2.cleanup();
                                    return;
                                }
                                return;
                            }
                            // NOTE(review): when neither the prompt nor onError() handled the response,
                            // execution reaches the code after the try block with userPrincipal possibly
                            // still equal to DIRECTORY_ERROR_PRINCIPAL, which is non-null and so takes
                            // the authenticated branch there; confirm against the original source.
                        } else {
                            cleanupCallback2 = this.service.propagateUserIdentificationInformation(cachableUserIdentificationInfo);
                            NuxeoAuthenticationPlugin authenticator2 = getAuthenticator(cachableUserIdentificationInfo);
                            if ((authenticator2 instanceof LoginResponseHandler) && ((LoginResponseHandler) authenticator2).onSuccess((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse)) {
                                if (cleanupCallback2 != null) {
                                    cleanupCallback2.cleanup();
                                    return;
                                }
                                return;
                            }
                        }
                    }
                }
            } finally {
                if (cleanupCallback2 != null) {
                    cleanupCallback2.cleanup();
                }
            }
        }
        if (userPrincipal == null) {
            // Still unauthenticated: pass the request on unwrapped.
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            if (str != null && str.length() > 0) {
                // str comes from getSavedRequestedURL(), which takes it from a request parameter, the
                // session or a cookie and does not check it against isStartPageValid().
                // NOTE(review): the redirect stays on this application only as long as baseURL ends
                // with '/' so the suffix cannot alter the authority; confirm getBaseURL() guarantees it.
                String baseURL = this.service.getBaseURL(servletRequest);
                if (XMLHTTP_REQUEST_TYPE.equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))) {
                    // AJAX requests are never redirected.
                    // NOTE(review): `cleanupCallback` is never assigned in this method as shown, so
                    // this test looks like a decompilation artifact; both branches simply return.
                    if (cleanupCallback != null) {
                        return;
                    } else {
                        return;
                    }
                }
                httpServletResponse.sendRedirect(baseURL + str);
                if (cleanupCallback2 != null) {
                    cleanupCallback2.cleanup();
                    return;
                }
                return;
            }
            // Authenticated and no redirect pending: expose the principal to the rest of the chain.
            filterChain.doFilter(new NuxeoSecuredRequestWrapper(httpServletRequest, userPrincipal), servletResponse);
        }
        // NOTE(review): cleanup() may already have run in the finally block above for the same callback.
        if (cleanupCallback2 != null) {
            cleanupCallback2.cleanup();
        }
        log.debug("Exit Nuxeo Authentication filter");
    }

    /**
     * Looks up the authentication plugin named by the given identity.
     *
     * @param cachableUserIdentificationInfo identity whose user info carries the plugin name
     * @return the plugin registered under that name, or {@code null} when the identity names none
     */
    public NuxeoAuthenticationPlugin getAuthenticator(CachableUserIdentificationInfo cachableUserIdentificationInfo) {
        final String pluginName = cachableUserIdentificationInfo.getUserInfo().getAuthPluginName();
        return pluginName == null ? null : this.service.getPlugin(pluginName);
    }

    /**
     * Reads the identity cached in the HTTP session, without creating a session.
     *
     * @param httpServletRequest current request
     * @return the object stored under {@link NXAuthConstants#USERIDENT_KEY}, or {@code null} when
     *         there is no session or nothing is stored
     */
    protected static CachableUserIdentificationInfo retrieveIdentityFromCache(HttpServletRequest httpServletRequest) {
        final HttpSession existingSession = httpServletRequest.getSession(false);
        if (existingSession == null) {
            return null;
        }
        return (CachableUserIdentificationInfo) existingSession.getAttribute(NXAuthConstants.USERIDENT_KEY);
    }

    /**
     * Returns the anonymous user id, asking the {@link UserManager} on first use and caching the
     * answer in a static field. The cache is filled without synchronization.
     *
     * @return the anonymous user id as reported by the user manager (may be {@code null})
     * @throws ServletException declared for callers; not thrown by the code shown here
     */
    private String getAnonymousId() throws ServletException {
        String cachedId = anonymous;
        if (cachedId == null) {
            cachedId = ((UserManager) Framework.getService(UserManager.class)).getAnonymousUserId();
            anonymous = cachedId;
        }
        return cachedId;
    }

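    /**
     * Resolves the {@link PluggableAuthenticationService} on first use.
     * <p>
     * Does nothing when the service is already set or the runtime is not available yet. The service
     * is published to the {@code service} field only after its pre-filters are initialised, so a
     * concurrent request taking the unsynchronized fast path never sees a service whose pre-filters
     * are missing. If initialisation throws, the field stays {@code null} and the next request
     * retries.
     *
     * @throws ServletException if the runtime does not provide the authentication service
     */
    protected void doInitIfNeeded() throws ServletException {
        if (this.service != null || Framework.getRuntime() == null) {
            return;
        }
        synchronized (this) {
            if (this.service != null) {
                return;
            }
            PluggableAuthenticationService resolved = (PluggableAuthenticationService) Framework.getRuntime().getComponent(PluggableAuthenticationService.NAME);
            // Check before use: a missing component must produce the ServletException below, not a
            // NullPointerException from initPreFilters().
            if (resolved == null) {
                log.error("Unable to get Service org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService");
                throw new ServletException("Can't initialize Nuxeo Pluggable Authentication Service");
            }
            resolved.initPreFilters();
            this.service = resolved;
        }
    }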

    /**
     * Reads the filter's init parameters.
     * <ul>
     * <li>{@code byPassAuthenticationLog}: when it parses as {@code true}, login/logout events are
     * no longer emitted by this filter.</li>
     * <li>{@code securityDomain}: overrides the JAAS domain used for logins.</li>
     * </ul>
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException declared by the {@code Filter} contract; not thrown here
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        // parseBoolean(null) is false, so an absent parameter leaves the flag untouched.
        if (Boolean.parseBoolean(filterConfig.getInitParameter("byPassAuthenticationLog"))) {
            this.byPassAuthenticationLog = true;
        }
        final String configuredDomain = filterConfig.getInitParameter("securityDomain");
        if (configuredDomain != null) {
            this.securityDomain = configuredDomain;
        }
    }

    /**
     * Remembers the URL the client asked for so it can be restored after authentication.
     * <p>
     * The target is the {@link NXAuthConstants#REQUESTED_URL} request parameter when present,
     * otherwise the URL of the current request. A target taken from the current request is stored in
     * the session under {@link NXAuthConstants#START_PAGE_SAVE_KEY}; one taken from the parameter is
     * only validated, not stored. The session-timeout marker is set when the client presented a
     * session id for which no session exists any more, unless the target is the default start page.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response; a new session is created only while it is not committed
     * @return {@code true} when the target is the default start page or matches a configured start
     *         URL prefix; {@code false} when no session or target is available or the target is not allowed
     */
    public boolean saveRequestedURLBeforeRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final boolean clientSentSessionId = !StringUtils.isBlank(httpServletRequest.getRequestedSessionId());
        HttpSession session = httpServletRequest.getSession(false);
        final boolean sessionExpired = session == null && clientSentSessionId;
        if (!httpServletResponse.isCommitted()) {
            session = httpServletRequest.getSession(true);
        }
        if (session == null) {
            return false;
        }

        final String explicitTarget = httpServletRequest.getParameter(NXAuthConstants.REQUESTED_URL);
        final boolean fromParameter = explicitTarget != null;
        final String target = fromParameter ? explicitTarget : getRequestedUrl(httpServletRequest);
        if (target == null) {
            return false;
        }

        if (sessionExpired && !target.equals(DEFAULT_START_PAGE)) {
            session.setAttribute(NXAuthConstants.SESSION_TIMEOUT, Boolean.TRUE);
        } else {
            session.removeAttribute(NXAuthConstants.SESSION_TIMEOUT);
        }

        // The default start page is always accepted and never stored.
        if (target.startsWith(DEFAULT_START_PAGE)) {
            return true;
        }
        // Anything else must match one of the configured start URL prefixes.
        if (!isStartPageValid(target)) {
            return false;
        }
        if (!fromParameter) {
            session.setAttribute(NXAuthConstants.START_PAGE_SAVE_KEY, target);
        }
        return true;
    }

    /**
     * Builds the context-relative URL of the current request, query string included.
     * <p>
     * Every occurrence of {@code conversationId} in the query string is rewritten to
     * {@code old_conversationId}.
     *
     * @param httpServletRequest current request
     * @return the request URI without the context path and its trailing slash, followed by
     *         {@code ?query} when the request has a non-empty query string
     */
    public static String getRequestedUrl(HttpServletRequest httpServletRequest) {
        final String uri = httpServletRequest.getRequestURI();
        final String query = httpServletRequest.getQueryString();
        final int contextPrefixLength = (httpServletRequest.getContextPath() + '/').length();
        final String relativePath = uri.substring(contextPrefixLength);
        if (query == null || query.length() == 0) {
            return relativePath;
        }
        return relativePath + '?' + query.replace("conversationId", "old_conversationId");
    }

    /**
     * Returns the URL to send the client to once authentication has completed.
     * <p>
     * Sources, in order: the {@link NXAuthConstants#REQUESTED_URL} request parameter (URL-decoded);
     * otherwise the value saved in the session under {@link NXAuthConstants#START_PAGE_SAVE_KEY}
     * (removed once read), overridden by the {@link NXAuthConstants#SSO_INITIAL_URL_REQUEST_KEY}
     * cookie when the request carries one (the cookie is then expired on the response). When the
     * request also has a language parameter and the URL does not already carry one, it is appended.
     * <p>
     * The parameter and the cookie are client-controlled and the value is returned without being
     * checked against the configured start URL prefixes; callers that redirect to it rely on
     * whatever prefix they put in front of it.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response, used to expire the SSO cookie
     * @return the saved URL, or {@code null} when none is available
     */
    protected static String getSavedRequestedURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String savedUrl = null;
        final String explicitTarget = httpServletRequest.getParameter(NXAuthConstants.REQUESTED_URL);
        if (explicitTarget == null) {
            final HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                savedUrl = (String) session.getAttribute(NXAuthConstants.START_PAGE_SAVE_KEY);
                if (savedUrl != null) {
                    // One-shot value: consume it.
                    session.removeAttribute(NXAuthConstants.START_PAGE_SAVE_KEY);
                }
            }
            final Cookie[] requestCookies = httpServletRequest.getCookies();
            if (requestCookies != null) {
                for (Cookie candidate : requestCookies) {
                    if (!NXAuthConstants.SSO_INITIAL_URL_REQUEST_KEY.equals(candidate.getName())) {
                        continue;
                    }
                    savedUrl = candidate.getValue();
                    // Expire the cookie on the client now that its value has been used.
                    candidate.setPath("/");
                    candidate.setMaxAge(0);
                    httpServletResponse.addCookie(candidate);
                }
            }
        } else if (!"".equals(explicitTarget)) {
            try {
                // NOTE(review): getParameter() normally returns an already-decoded value, so this
                // decodes a second time; confirm that is intended before relying on upstream URL filtering.
                savedUrl = URLDecoder.decode(explicitTarget, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                log.error("Unable to get the requestedUrl parameter" + e);
            }
        }

        final String language = httpServletRequest.getParameter(NXAuthConstants.LANGUAGE_PARAMETER);
        if (savedUrl == null || "".equals(savedUrl) || language == null) {
            return savedUrl;
        }
        final Map<String, String> extraParameters = new HashMap<>();
        if (!URIUtils.getRequestParameters(savedUrl).containsKey(NXAuthConstants.LANGUAGE_PARAMETER)) {
            extraParameters.put(NXAuthConstants.LANGUAGE_PARAMETER, language);
        }
        return URIUtils.addParametersToURIQuery(savedUrl, extraParameters);
    }

    /**
     * Checks a candidate start page against the start URL patterns configured on the service.
     * <p>
     * The check is a plain prefix match: the candidate is accepted as soon as it starts with one of
     * the patterns.
     *
     * @param str candidate URL, may be {@code null}
     * @return {@code true} when the candidate starts with a configured pattern; {@code false} for
     *         {@code null}, for no match, or when the service cannot be initialised
     */
    protected boolean isStartPageValid(String str) {
        if (str == null) {
            return false;
        }
        try {
            doInitIfNeeded();
        } catch (ServletException e) {
            // Without the service there is no allow-list to match against: reject.
            return false;
        }
        for (String allowedPrefix : this.service.getStartURLPatterns()) {
            if (str.startsWith(allowedPrefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs the user out: emits the logout event, invalidates the session, expires the
     * {@code JSESSIONID} cookie, gives the authentication plugin a chance to handle the logout, and
     * otherwise redirects to the default start page. The JAAS login context is closed last.
     * <p>
     * The {@code SECURITY_ERROR} and {@code REQUESTED_URL} request parameters are copied onto the
     * redirect URL as given by the client.
     *
     * @param servletRequest current request
     * @param servletResponse current response
     * @param cachableUserIdentificationInfo identity being logged out
     * @return {@code true} when the plugin handled the logout or a redirect was sent
     * @throws ServletException propagated from the anonymous-id lookup
     */
    protected boolean handleLogout(ServletRequest servletRequest, ServletResponse servletResponse, CachableUserIdentificationInfo cachableUserIdentificationInfo) throws ServletException {
        logLogout(cachableUserIdentificationInfo.getUserInfo());
        this.service.invalidateSession(servletRequest);
        servletRequest.setAttribute(NXAuthConstants.DISABLE_REDIRECT_REQUEST_KEY, Boolean.TRUE);

        // Parameters carried over to the post-logout redirect.
        final Map<String, String> redirectParameters = new HashMap<>();
        final String securityError = servletRequest.getParameter(NXAuthConstants.SECURITY_ERROR);
        if (securityError != null) {
            redirectParameters.put(NXAuthConstants.SECURITY_ERROR, securityError);
        }
        if (cachableUserIdentificationInfo.getPrincipal().getName().equals(getAnonymousId())) {
            redirectParameters.put(NXAuthConstants.FORCE_ANONYMOUS_LOGIN, "true");
        }
        final String requestedUrl = servletRequest.getParameter(NXAuthConstants.REQUESTED_URL);
        if (requestedUrl != null) {
            redirectParameters.put(NXAuthConstants.REQUESTED_URL, requestedUrl);
        }

        // Ask the browser to drop its session cookie.
        final Cookie expiredSessionCookie = new Cookie("JSESSIONID", (String) null);
        expiredSessionCookie.setMaxAge(0);
        expiredSessionCookie.setPath("/");
        ((HttpServletResponse) servletResponse).addCookie(expiredSessionCookie);

        final NuxeoAuthenticationPlugin plugin = this.service.getPlugin(cachableUserIdentificationInfo.getUserInfo().getAuthPluginName());
        boolean responseHandled = false;
        if (plugin instanceof NuxeoAuthenticationPluginLogoutExtension) {
            final NuxeoAuthenticationPluginLogoutExtension logoutExtension = (NuxeoAuthenticationPluginLogoutExtension) plugin;
            responseHandled = Boolean.TRUE.equals(logoutExtension.handleLogout((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse));
        }

        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        final boolean ajaxRequest = XMLHTTP_REQUEST_TYPE.equalsIgnoreCase(httpRequest.getHeader("X-Requested-With"));
        if (!responseHandled && !ajaxRequest) {
            try {
                ((HttpServletResponse) servletResponse).sendRedirect(URIUtils.addParametersToURIQuery(this.service.getBaseURL(servletRequest) + DEFAULT_START_PAGE, redirectParameters));
                responseHandled = true;
            } catch (IOException e) {
                log.error("Unable to redirect to default start page after logout : " + e.getMessage());
            }
        }

        try {
            cachableUserIdentificationInfo.getLoginContext().logout();
        } catch (LoginException e) {
            log.error("Unable to logout " + e.getMessage());
        }
        return responseHandled;
    }

    /**
     * Hands the cached identity to the authentication service for propagation.
     *
     * <p>This method only delegates; what propagation does is decided by the service.
     *
     * @param cachableUserIdentificationInfo the identity to propagate
     */
    protected void propagateUserIdentificationInformation(CachableUserIdentificationInfo cachableUserIdentificationInfo) {
        service.propagateUserIdentificationInformation(cachableUserIdentificationInfo);
    }

    /**
     * Rebuilds the list of URL prefixes that may be requested without authentication by
     * collecting the prefixes declared by every plugin of the service's auth chain.
     *
     * <p>The field is replaced by a fresh list first and then filled in chain order. Plugins
     * that declare no prefix ({@code null} or empty list) contribute nothing.
     */
    protected void initUnAuthenticatedURLPrefix() {
        this.unAuthenticatedURLPrefix = new ArrayList<String>();
        for (String pluginName : this.service.getAuthChain()) {
            List<String> declaredPrefixes = this.service.getPlugin(pluginName).getUnAuthenticatedURLPrefix();
            if (declaredPrefixes == null || declaredPrefixes.isEmpty()) {
                continue;
            }
            this.unAuthenticatedURLPrefix.addAll(declaredPrefixes);
        }
    }

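    /**
     * Decides whether the request may skip authentication, either because the requested page
     * starts with a prefix declared by an auth plugin or because an open-URL descriptor
     * accepts the request.
     *
     * <p>The prefix list is built lazily under the write lock and read under the read lock.
     * The read lock is released exactly once, in the {@code finally} block. The previous
     * shape released it a second time on the no-match path, which makes
     * {@code ReentrantReadWriteLock} throw {@link IllegalMonitorStateException}.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the request may proceed without authentication
     */
    protected boolean bypassAuth(HttpServletRequest httpServletRequest) {
        if (this.unAuthenticatedURLPrefix == null) {
            // Acquire before the try so a failed lock() is never followed by unlock().
            this.unAuthenticatedURLPrefixLock.writeLock().lock();
            try {
                initUnAuthenticatedURLPrefix();
            } finally {
                this.unAuthenticatedURLPrefixLock.writeLock().unlock();
            }
        }

        this.unAuthenticatedURLPrefixLock.readLock().lock();
        try {
            // NOTE(review): this is a plain prefix test on the page derived from the request
            // URI; confirm upstream that the path is normalised before it reaches this check,
            // because a match here disables authentication for the request.
            String requestedPage = getRequestedPage(httpServletRequest);
            for (String openPrefix : this.unAuthenticatedURLPrefix) {
                if (requestedPage.startsWith(openPrefix)) {
                    return true;
                }
            }
        } finally {
            this.unAuthenticatedURLPrefixLock.readLock().unlock();
        }

        // Open URLs are owned by the service and are checked outside the prefix lock.
        for (OpenUrlDescriptor openUrl : this.service.getOpenUrls()) {
            if (openUrl.allowByPassAuth(httpServletRequest)) {
                return true;
            }
        }
        return false;
    }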

    /**
     * Returns the requested page (request URI relative to the context path) for HTTP
     * requests.
     *
     * @param servletRequest any servlet request
     * @return the requested page, or {@code null} when the request is not an
     *         {@link HttpServletRequest}
     */
    public static String getRequestedPage(ServletRequest servletRequest) {
        return servletRequest instanceof HttpServletRequest
                ? getRequestedPage((HttpServletRequest) servletRequest)
                : null;
    }

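    /**
     * Returns the part of the request URI that follows the context path and its trailing
     * slash.
     *
     * <p>{@code getRequestURI()} is returned by the container without decoding, so the value
     * handed to prefix checks is the path as the client sent it. When the URI is shorter than
     * the context path plus {@code '/'} (for example a request for the bare context path),
     * an empty string is returned instead of letting {@code substring} throw
     * {@link StringIndexOutOfBoundsException}.
     *
     * @param httpServletRequest the HTTP request
     * @return the context-relative page, possibly empty, never {@code null}
     */
    protected static String getRequestedPage(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        int contextPrefixLength = (httpServletRequest.getContextPath() + '/').length();
        if (requestUri.length() < contextPrefixLength) {
            // Nothing follows the context path; an empty page matches no non-empty prefix.
            return "";
        }
        return requestUri.substring(contextPrefixLength);
    }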

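    /**
     * Asks the first plugin of the auth chain that wants a login prompt to produce it.
     *
     * <p>When the selected plugin's descriptor requires it, the requested URL is saved before
     * the prompt is issued. A chain entry whose plugin cannot be resolved is logged and
     * skipped instead of failing with a {@link NullPointerException}, consistent with
     * {@code handleRetrieveIdentity}.
     *
     * @param httpServletRequest the request that needs authentication
     * @param httpServletResponse the response the prompt is written to
     * @return {@code true} if a plugin reported that it handled the prompt; {@code false} if
     *         it did not or if no plugin wanted to prompt
     */
    protected boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String baseURL = this.service.getBaseURL(httpServletRequest);
        for (String pluginName : this.service.getAuthChain(httpServletRequest)) {
            NuxeoAuthenticationPlugin plugin = this.service.getPlugin(pluginName);
            if (plugin == null) {
                // A misconfigured chain entry must not abort the whole login prompt.
                log.error("Auth plugin " + pluginName + " can not be retrieved from service");
                continue;
            }
            AuthenticationPluginDescriptor descriptor = this.service.getDescriptor(pluginName);
            if (!Boolean.TRUE.equals(plugin.needLoginPrompt(httpServletRequest))) {
                continue;
            }
            if (descriptor.getNeedStartingURLSaving()) {
                saveRequestedURLBeforeRedirect(httpServletRequest, httpServletResponse);
            }
            // Only the first plugin that asks for a prompt is consulted.
            return Boolean.TRUE.equals(plugin.handleLoginPrompt(httpServletRequest, httpServletResponse, baseURL));
        }
        log.warn("No auth plugin can be found to do the Login Prompt");
        return false;
    }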

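    /**
     * Tries each plugin of the auth chain in order until one extracts a valid identity from
     * the request, then falls back to the identity cached for the session.
     *
     * <p>Changes from the previous shape:
     * <ul>
     * <li>the chain walk stops at the first plugin that returns a valid identity, so a later
     * plugin can no longer overwrite or discard it;</li>
     * <li>the cached password is no longer written to the debug log;</li>
     * <li>plugin-supplied login parameters are merged into a fresh map instead of being
     * written into the map obtained from the plugin descriptor.</li>
     * </ul>
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, passed through to the plugins
     * @return the identity found by a plugin or in the cache; may be {@code null} or an
     *         identity for which {@code containsValidIdentity()} is {@code false}
     */
    protected UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UserIdentificationInfo userIdentificationInfo = null;
        for (String pluginName : this.service.getAuthChain(httpServletRequest)) {
            NuxeoAuthenticationPlugin plugin = this.service.getPlugin(pluginName);
            if (plugin == null) {
                log.error("Auth plugin " + pluginName + " can not be retrieved from service");
                continue;
            }
            log.debug("Trying to retrieve userIdentification using plugin " + pluginName);
            userIdentificationInfo = plugin.handleRetrieveIdentity(httpServletRequest, httpServletResponse);
            if (userIdentificationInfo == null || !userIdentificationInfo.containsValidIdentity()) {
                continue;
            }
            // Record which plugin produced the identity and which login module must verify it.
            userIdentificationInfo.setAuthPluginName(pluginName);
            userIdentificationInfo.setLoginPluginName(this.service.getDescriptor(pluginName).getLoginModulePlugin());
            Map<String, String> parameters = this.service.getDescriptor(pluginName).getParameters();
            Map<String, String> pluginSupplied = userIdentificationInfo.getLoginParameters();
            if (pluginSupplied != null) {
                // Merge into a new map: whether getParameters() returns a live map is not
                // visible here, and per-request values must not end up in shared plugin
                // configuration. Plugin-supplied values override descriptor values.
                Map<String, String> merged = new HashMap<String, String>();
                if (parameters != null) {
                    merged.putAll(parameters);
                }
                merged.putAll(pluginSupplied);
                parameters = merged;
            }
            userIdentificationInfo.setLoginParameters(parameters);
            // First valid identity wins; later plugins in the chain are not consulted.
            break;
        }

        if (userIdentificationInfo != null && userIdentificationInfo.containsValidIdentity()) {
            log.debug("User/Password found as parameter of the request");
            return userIdentificationInfo;
        }

        log.debug("user/password not found in request, try into identity cache");
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null && httpServletRequest.isRequestedSessionIdValid()) {
            session = httpServletRequest.getSession(true);
        }
        if (session != null) {
            CachableUserIdentificationInfo cachedIdentity = retrieveIdentityFromCache(httpServletRequest);
            if (cachedIdentity != null) {
                // Log the user name only: credentials must never reach log files.
                log.debug("Found User identity in cache :" + cachedIdentity.getUserInfo().getUserName());
                userIdentificationInfo = new UserIdentificationInfo(cachedIdentity.getUserInfo());
                cachedIdentity.setPrincipal(null);
            }
        }
        return userIdentificationInfo;
    }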

    /**
     * Tells whether the identity must be kept in the session, based on the descriptor of the
     * plugin that produced it.
     *
     * @param userIdentificationInfo identity whose auth plugin name selects the descriptor
     * @return {@code true} if the descriptor is stateful or needs the starting URL saved
     */
    protected boolean needSessionSaving(UserIdentificationInfo userIdentificationInfo) {
        String pluginName = userIdentificationInfo.getAuthPluginName();
        AuthenticationPluginDescriptor pluginDescriptor = this.service.getDescriptor(pluginName);
        // Short-circuit keeps the original evaluation order: stateful flag first.
        return pluginDescriptor.getStateful() || pluginDescriptor.getNeedStartingURLSaving();
    }

    /**
     * Opens a JAAS login context for the given user name, using an empty password and the
     * login plugin named {@code "Trusting_LM"}.
     *
     * <p>The callback handler comes from the {@link PluggableAuthenticationService} component
     * when it is available, otherwise a {@link UserIdentificationInfoCallbackHandler} is used.
     * When {@code isLoginSynchronized()} is true, the login call is serialised on this class.
     *
     * <p>NOTE(review): no credential is supplied here and the plugin name suggests that none
     * is verified. Callers should pass only user names that are already trusted, never a
     * value taken directly from a request. Confirm against the Trusting_LM login module.
     *
     * @param str the user name to log in as
     * @return the login context after a successful {@code login()}
     * @throws LoginException if the login context cannot be created or the login fails
     */
    public static LoginContext loginAs(String str) throws LoginException {
        UserIdentificationInfo trustedIdentity = new UserIdentificationInfo(str, "");
        trustedIdentity.setLoginPluginName("Trusting_LM");

        PluggableAuthenticationService authService = (PluggableAuthenticationService) Framework.getRuntime().getComponent(PluggableAuthenticationService.NAME);
        LoginContext loginContext = new LoginContext(
                LOGIN_DOMAIN,
                authService != null
                        ? authService.getCallbackHandler(trustedIdentity)
                        : new UserIdentificationInfoCallbackHandler(trustedIdentity));

        if (!isLoginSynchronized()) {
            loginContext.login();
            return loginContext;
        }
        synchronized (NuxeoAuthenticationFilter.class) {
            loginContext.login();
        }
        return loginContext;
    }
}
