package com.sun.web.security;

import com.sun.enterprise.config.ConfigException;
import com.sun.enterprise.config.serverbeans.ServerBeansFactory;
import com.sun.enterprise.deployment.Group;
import com.sun.enterprise.deployment.PrincipalImpl;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.interfaces.SecurityRoleMapperFactory;
import com.sun.enterprise.deployment.interfaces.SecurityRoleMapperFactoryMgr;
import com.sun.enterprise.deployment.runtime.common.SecurityRoleMapping;
import com.sun.enterprise.deployment.runtime.web.SunWebApp;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.PermissionCache;
import com.sun.enterprise.security.PermissionCacheFactory;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.audit.AuditManager;
import com.sun.enterprise.security.audit.AuditManagerFactory;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.server.ApplicationServer;
import com.sun.enterprise.web.WebContainer;
import com.sun.jdo.spi.persistence.utility.generator.JavaClassWriterHelper;
import com.sun.logging.LogDomains;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:119166-15/SUNWascmn/reloc/appserver/lib/appserv-rt.jar:com/sun/web/security/WebSecurityManager.class */
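/**
 * JACC ({@code javax.security.jacc}) authorization front-end for one web module.
 * <p>
 * One instance is created per {@link WebBundleDescriptor}. The constructor derives the
 * policy context id (see {@link #getContextID}), registers it with the
 * {@link SecurityRoleMapperFactory}, builds a {@code file:///} {@link CodeSource} for the
 * module and, unless the module's {@link PolicyConfiguration} is already in service,
 * generates the web permissions into it. The {@code has*Permission} methods then answer
 * resource, role-reference and user-data (transport) checks against the installed
 * {@link Policy}.
 * <p>
 * {@link #getAdminPrincipal} and {@link #getAdminGroup} read static tables that are
 * populated only when a module is deployed to the admin virtual server
 * ({@code WebContainer.ADMIN_VS}); those tables are shared by every instance.
 * <p>
 * Thread-safety: the protection-domain cache and the admin tables are synchronized maps;
 * the remaining instance fields are written only by the constructor and {@link #destroy()}.
 * Every permission check fails closed: an exception during the check yields "denied".
 */
public class WebSecurityManager {
    /** Event names reported to the {@link AuditManager}. */
    private static final String RESOURCE = "hasResourcePermission";
    private static final String USERDATA = "hasUserDataPermission";
    private static final String ROLEREF = "hasRoleRefPermission";
    private static final String DEFAULT_PATTERN = "/";
    private static final String EMPTY_STRING = "";
    /** Transport guarantee tried as a fallback in {@link #hasUserDataPermission}. */
    private static final String CONFIDENTIAL = "CONFIDENTIAL";

    /** JACC policy context id of this module; see {@link #getContextID}. */
    private String CONTEXT_ID;
    /** {@link #CONTEXT_ID} with spaces replaced by '_'; used as the path of the codebase URL. */
    private String CODEBASE = null;
    protected Policy policy = Policy.getPolicy();
    protected PolicyConfiguration policyConfiguration = null;
    protected PolicyConfigurationFactory policyConfigurationFactory = null;
    /** {@code file:///<CODEBASE>} code source the module's permissions are granted to. */
    protected CodeSource codesource = null;
    /**
     * Principal set -> ProtectionDomain, so that a domain is built once per distinct
     * principal set. Weak keys: entries go away with the principal sets they belong to.
     */
    private final Map<Set, ProtectionDomain> protectionDomainCache =
            Collections.synchronizedMap(new WeakHashMap<Set, ProtectionDomain>());
    /** Permission cache consulted before the full Policy check; created by initialise(). */
    private PermissionCache uncheckedPermissionCache = null;
    private WebBundleDescriptor wbd;

    private static final Logger logger = Logger.getLogger(LogDomains.SECURITY_LOGGER);
    private static final AuditManager auditManager = AuditManagerFactory.getAuditManagerInstance();
    private static final PolicyContextHandlerImpl pcHandlerImpl =
            (PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance();
    /**
     * realmName + principalName -> principal, filled by instances deployed to the admin
     * virtual server and read by the static getters, hence synchronized.
     */
    private static final Map<String, Principal> ADMIN_PRINCIPAL =
            Collections.synchronizedMap(new HashMap<String, Principal>());
    /** realmName + groupName -> group; same lifecycle as {@link #ADMIN_PRINCIPAL}. */
    private static final Map<String, Principal> ADMIN_GROUP =
            Collections.synchronizedMap(new HashMap<String, Principal>());
    /** Principal set used for user-data (transport) checks, which are not principal based. */
    private static final Set defaultPrincipalSet =
            SecurityContext.getDefaultSecurityContext().getPrincipalSet();
    private static final SecurityRoleMapperFactory factory = SecurityRoleMapperFactoryMgr.getFactory();

    /**
     * Creates the manager for one web module and initialises its JACC state.
     *
     * @param webBundleDescriptor descriptor of the web module (must not be null)
     * @throws PolicyContextException if the JACC policy configuration cannot be obtained
     * @throws RuntimeException if the permissions or the codebase URL cannot be created
     */
    public WebSecurityManager(WebBundleDescriptor webBundleDescriptor) throws PolicyContextException {
        this.wbd = webBundleDescriptor;
        this.CONTEXT_ID = getContextID(webBundleDescriptor);
        factory.setAppNameForContext(getAppId(), this.CONTEXT_ID);
        initialise();
    }

    /** Replaces every blank with '_' so the value can be used as a URL path segment. */
    private String removeSpaces(String str) {
        return str.replace(' ', '_');
    }

    /**
     * Derives the JACC policy context id for a web module.
     * <p>
     * The id is the application's registration name; when the module has a non-empty
     * context root it is appended as {@code "_" + contextRoot}, with any {@code "./"}
     * removed and every {@code '/'} replaced by {@code '_'}.
     *
     * @param webBundleDescriptor the module, may be null
     * @return the context id, or null when {@code webBundleDescriptor} is null
     */
    public static String getContextID(WebBundleDescriptor webBundleDescriptor) {
        if (webBundleDescriptor == null) {
            return null;
        }
        String contextRoot = webBundleDescriptor.getModuleDescriptor().getContextRoot();
        String registrationName = webBundleDescriptor.getApplication().getRegistrationName();
        if (contextRoot == null) {
            return registrationName;
        }
        if (contextRoot.length() != 0 && contextRoot.indexOf('/') >= 0) {
            if (contextRoot.indexOf("./") >= 0) {
                contextRoot = contextRoot.replaceAll("\\.\\/", "");
            }
            contextRoot = contextRoot.replaceAll("\\/", "_");
        }
        if (contextRoot.length() == 0) {
            return registrationName;
        }
        return registrationName + "_" + contextRoot;
    }

    /**
     * Completes construction: builds the codebase and {@link CodeSource}, records the admin
     * role mappings when the module is deployed to the admin virtual server, generates the
     * module's permissions if its policy configuration is not yet in service, and resets or
     * creates the unchecked-permission cache.
     *
     * @throws PolicyContextException from the JACC policy configuration factory
     * @throws RuntimeException if the codebase is not a valid URI/URL
     */
    private void initialise() throws PolicyContextException {
        String registrationName = this.wbd.getApplication().getRegistrationName();
        this.CODEBASE = removeSpaces(this.CONTEXT_ID);
        if (WebContainer.ADMIN_VS.equals(getVirtualServers(registrationName))) {
            LoginConfiguration loginConfiguration = this.wbd.getLoginConfiguration();
            if (loginConfiguration != null) {
                String realmName = loginConfiguration.getRealmName();
                SunWebApp sunDescriptor = this.wbd.getSunDescriptor();
                if (sunDescriptor != null) {
                    registerAdminMappings(realmName, sunDescriptor.getSecurityRoleMapping());
                }
            }
        }
        try {
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "[Web-Security] Creating a Codebase URI with = " + this.CODEBASE);
            }
            URI uri = new URI("file:///" + this.CODEBASE);
            this.codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
            if (logger.isLoggable(Level.FINE)) {
                logger.fine("[Web-Security] Context id (id under which  WEB component in application will be created) = " + this.CONTEXT_ID);
                logger.fine("[Web-Security] Codebase (module id for web component) " + this.CODEBASE);
            }
            if (!getFactory().inService(this.CONTEXT_ID)) {
                this.policyConfiguration = getFactory().getPolicyConfiguration(this.CONTEXT_ID, false);
                generatePermissions();
            }
            if (this.uncheckedPermissionCache != null) {
                this.uncheckedPermissionCache.reset();
            } else {
                this.uncheckedPermissionCache = PermissionCacheFactory.createPermissionCache(
                        this.CONTEXT_ID, this.codesource,
                        new Class[] { WebResourcePermission.class, WebUserDataPermission.class }, null);
            }
        } catch (URISyntaxException e) {
            logger.log(Level.FINE, "[Web-Security] Error Creating URI ", e);
            throw new RuntimeException(e);
        } catch (MalformedURLException e) {
            logger.log(Level.SEVERE, "ejbsm.codesourceerror", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Records the principals and groups of the given role mappings in the static admin
     * tables, keyed by {@code realmName + name}.
     *
     * @param realmName realm of the module's login configuration (may be null)
     * @param mappings role mappings from the sun-web descriptor, may be null
     */
    private static void registerAdminMappings(String realmName, SecurityRoleMapping[] mappings) {
        if (mappings == null) {
            return;
        }
        for (int i = 0; i < mappings.length; i++) {
            String[] principalNames = mappings[i].getPrincipalName();
            if (principalNames != null) {
                for (int j = 0; j < principalNames.length; j++) {
                    ADMIN_PRINCIPAL.put(realmName + principalNames[j], new PrincipalImpl(principalNames[j]));
                }
            }
            String[] groupNames = mappings[i].getGroupName();
            if (groupNames != null) {
                for (int j = 0; j < groupNames.length; j++) {
                    ADMIN_GROUP.put(realmName + groupNames[j], new Group(groupNames[j]));
                }
            }
        }
    }

    /** Registration name of the application this module belongs to. */
    private String getAppId() {
        return this.wbd.getApplication().getRegistrationName();
    }

    /**
     * Decides whether {@code permission} is granted to the given principal set under this
     * module's policy context.
     * <p>
     * The unchecked-permission cache is consulted first; on a miss the installed
     * {@link Policy} is asked with a {@link ProtectionDomain} built from the module's code
     * source and the principals. Fails closed: any exception during the check is logged and
     * reported as denied.
     *
     * @param permission the JACC permission to check
     * @param set the caller's principals; null or empty means "no principals"
     * @return true if the permission is granted, false if denied or the check failed
     */
    protected boolean checkPermission(Permission permission, Set set) {
        try {
            setPolicyContext(this.CONTEXT_ID);
            boolean granted = this.uncheckedPermissionCache != null
                    && this.uncheckedPermissionCache.checkPermission(permission);
            if (!granted) {
                ProtectionDomain protectionDomain = getProtectionDomain(set);
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "[Web-Security] Codesource with Web URL: " + this.codesource.getLocation().toString());
                    logger.log(Level.FINE, "[Web-Security] Checking Web Permission with Principals : " + principalSetToString(set));
                    logger.log(Level.FINE, "[Web-Security] Web Permission = " + permission.toString());
                }
                granted = this.policy.implies(protectionDomain, permission);
            }
            return granted;
        } catch (Throwable th) {
            // Fail closed; logged at FINE only, so enable that level when diagnosing
            // unexpected denials.
            logger.log(Level.FINE, "[Web-Security] Web Permission Access Denied.", th);
            return false;
        }
    }

    /**
     * Returns the cached {@link ProtectionDomain} for a principal set, creating and caching
     * it on first use. A null set yields a domain without principals.
     */
    private ProtectionDomain getProtectionDomain(Set set) {
        ProtectionDomain protectionDomain = this.protectionDomainCache.get(set);
        if (protectionDomain == null) {
            Principal[] principals = set == null ? null : (Principal[]) set.toArray(new Principal[0]);
            if (logger.isLoggable(Level.FINE)) {
                logger.log(Level.FINE, "[Web-Security] Generating a protection domain for Permission check.");
                // principals is null for a null set; iterating it would throw and deny the request.
                if (principals != null) {
                    for (int i = 0; i < principals.length; i++) {
                        logger.log(Level.FINE, "[Web-Security] Checking with Principal : " + principals[i].toString());
                    }
                }
            }
            protectionDomain = new ProtectionDomain(this.codesource, null, null, principals);
            this.protectionDomainCache.put(set, protectionDomain);
        }
        return protectionDomain;
    }

    /**
     * Lazily obtains the JACC {@link PolicyConfigurationFactory}.
     *
     * @throws PolicyContextException if the configured factory class cannot be found
     */
    protected PolicyConfigurationFactory getFactory() throws PolicyContextException {
        if (this.policyConfigurationFactory == null) {
            try {
                this.policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
            } catch (ClassNotFoundException e) {
                throw new PolicyContextException(e);
            }
        }
        return this.policyConfigurationFactory;
    }

    /**
     * Checks the {@link WebResourcePermission} for the request against the caller's
     * principals, makes the caller's {@link SecurityContext} current and audits the outcome.
     *
     * @param httpServletRequest the incoming request
     * @return true if access to the requested resource is granted
     */
    public boolean hasResourcePermission(HttpServletRequest httpServletRequest) {
        SecurityContext securityContext = getSecurityContext(httpServletRequest.getUserPrincipal());
        WebResourcePermission webResourcePermission = new WebResourcePermission(httpServletRequest);
        setSecurityInfo(httpServletRequest);
        boolean granted = checkPermission(webResourcePermission, securityContext.getPrincipalSet());
        SecurityContext.setCurrent(securityContext);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasResource isGranted: " + granted);
            logger.log(Level.FINE, "[Web-Security] hasResource perm: " + webResourcePermission);
        }
        audit(httpServletRequest, RESOURCE, granted);
        return granted;
    }

    /**
     * Checks a {@link WebRoleRefPermission} (servlet-scoped role reference) for a principal.
     *
     * @param servletName name of the servlet the role reference is declared for
     * @param role the role reference
     * @param principal the caller, may be null (default security context is used)
     * @return true if the principal is in the referenced role
     */
    public boolean hasRoleRefPermission(String servletName, String role, Principal principal) {
        Set principalSet = getSecurityContext(principal).getPrincipalSet();
        WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission(servletName, role);
        boolean granted = checkPermission(webRoleRefPermission, principalSet);
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasRoleRef perm: " + webRoleRefPermission);
            logger.log(Level.FINE, "[Web-Security] hasRoleRef isGranted: " + granted);
        }
        return granted;
    }

    /**
     * Checks the {@link WebUserDataPermission} (transport guarantee) for the request.
     *
     * @param httpServletRequest the incoming request
     * @return 1 if the request is permitted as is; -1 if it is not, but would be permitted
     *         with the {@code CONFIDENTIAL} transport guarantee; 0 if it is denied either way
     */
    public int hasUserDataPermission(HttpServletRequest httpServletRequest) {
        setSecurityInfo(httpServletRequest);
        WebUserDataPermission webUserDataPermission = new WebUserDataPermission(httpServletRequest);
        boolean granted = checkPermission(webUserDataPermission, defaultPrincipalSet);
        int result = granted ? 1 : 0;
        if (logger.isLoggable(Level.FINE)) {
            logger.log(Level.FINE, "[Web-Security] hasUserDataPermission perm: " + webUserDataPermission);
            logger.log(Level.FINE, "[Web-Security] hasUserDataPermission isGranted: " + granted);
        }
        audit(httpServletRequest, USERDATA, granted);
        if (!granted) {
            // The method array must be per call: a shared buffer lets concurrent requests
            // overwrite each other's HTTP method before the permission is constructed, so
            // the CONFIDENTIAL check could be evaluated for the wrong method.
            String[] methods = new String[] { httpServletRequest.getMethod() };
            if (checkPermission(new WebUserDataPermission(webUserDataPermission.getName(), methods, CONFIDENTIAL), defaultPrincipalSet)) {
                result = -1;
            }
        }
        return result;
    }

    /** Reports a web invocation to the audit manager when auditing is switched on. */
    private static void audit(HttpServletRequest request, String type, boolean granted) {
        if (auditManager.isAuditOn()) {
            Principal userPrincipal = request.getUserPrincipal();
            auditManager.webInvocation(userPrincipal != null ? userPrincipal.getName() : null, request, type, granted);
        }
    }

    /**
     * Translates the module's security constraints and role references into JACC
     * permissions in {@link #policyConfiguration}.
     *
     * @throws RuntimeException wrapping the {@link PolicyContextException}; permission
     *         generation failure is fatal for the module
     */
    private void generatePermissions() {
        try {
            WebPermissionUtil.processConstraints(this.wbd, this.policyConfiguration);
            WebPermissionUtil.createWebRoleRefPermission(this.wbd, this.policyConfiguration);
        } catch (PolicyContextException e) {
            logger.log(Level.FINE, "[Web-Security] FATAL Permission Generation: " + e.getMessage());
            throw new RuntimeException("Fatal error creating web permissions", e);
        }
    }

    /**
     * Releases the module's JACC state: refreshes the policy and drops the permission cache
     * when the configuration was in service, and unregisters the context id.
     *
     * @throws PolicyContextException from the JACC policy configuration factory
     */
    public void destroy() throws PolicyContextException {
        boolean inService = getFactory().inService(this.CONTEXT_ID);
        if (this.policyConfiguration == null) {
            // NOTE(review): looked up but not used further here; retained from the original
            // flow, presumably for the factory's own bookkeeping -- confirm before removing.
            this.policyConfiguration = getFactory().getPolicyConfiguration(this.CONTEXT_ID, false);
        }
        if (inService) {
            this.policy.refresh();
            PermissionCacheFactory.removePermissionCache(this.uncheckedPermissionCache);
            this.uncheckedPermissionCache = null;
        }
        factory.removeAppNameForContext(this.CONTEXT_ID);
    }

    /**
     * Makes {@code ctxID} the current JACC policy context id (a privileged operation) unless
     * it already is.
     *
     * @param ctxID the id to install, may be null
     * @return the id that was current before the call
     * @throws Exception the exception raised inside the privileged action, e.g. an
     *         {@link AccessControlException} when the setPolicy SecurityPermission is missing
     */
    private static String setPolicyContext(final String ctxID) throws Exception {
        String contextID = PolicyContext.getContextID();
        boolean unchanged = contextID == ctxID || (contextID != null && contextID.equals(ctxID));
        if (unchanged) {
            if (logger.isLoggable(Level.FINE)) {
                logger.fine("[Web-Security] Policy Context ID was: " + contextID);
            }
            return contextID;
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("[Web-Security] Setting Policy Context ID: old = " + contextID + " ctxID = " + ctxID);
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    PolicyContext.setContextID(ctxID);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof AccessControlException) {
                logger.log(Level.SEVERE, "[Web-Security] setPolicy SecurityPermission required to call PolicyContext.setContextID", cause);
            } else {
                logger.log(Level.SEVERE, "[Web-Security] Unexpected Exception while setting policy context", cause);
            }
            throw cause;
        }
        return contextID;
    }

    /**
     * Resolves the {@link SecurityContext} for a principal: the one carried by a
     * {@link WebPrincipal}, a new context for any other principal, and the default context
     * when the principal is null or carries none.
     */
    private SecurityContext getSecurityContext(Principal principal) {
        SecurityContext securityContext = null;
        if (principal instanceof WebPrincipal) {
            securityContext = ((WebPrincipal) principal).getSecurityContext();
        } else if (principal != null) {
            securityContext = new SecurityContext(principal.getName(), null);
        }
        if (securityContext == null) {
            securityContext = SecurityContext.getDefaultSecurityContext();
        }
        return securityContext;
    }

    /** Exposes the request to the JACC policy context handler for the duration of the check. */
    private void setSecurityInfo(HttpServletRequest httpServletRequest) {
        if (httpServletRequest != null) {
            pcHandlerImpl.getHandlerData().setHttpServletRequest(httpServletRequest);
        }
    }

    /**
     * Joins the principals of a set for logging.
     *
     * @return the joined names, or null for a null or empty set
     */
    private String principalSetToString(Set set) {
        if (set == null || set.isEmpty()) {
            return null;
        }
        Principal[] principals = (Principal[]) set.toArray(new Principal[0]);
        StringBuilder joined = new StringBuilder(principals[0].toString());
        for (int i = 1; i < principals.length; i++) {
            joined.append(JavaClassWriterHelper.paramSeparator_).append(principals[i].toString());
        }
        return joined.toString();
    }

    /**
     * Looks up the virtual servers the application is deployed to.
     *
     * @return the configured value, or null if the configuration cannot be read
     */
    private String getVirtualServers(String appName) {
        try {
            return ServerBeansFactory.getVirtualServersByAppName(ApplicationServer.getServerContext().getConfigContext(), appName);
        } catch (ConfigException e) {
            logger.log(Level.FINE, "Cannot get virtual server for " + appName, e);
            return null;
        }
    }

    /**
     * Admin-realm principal registered under {@code realmName + principalName}, or null.
     * Only populated by modules deployed to the admin virtual server.
     */
    public static Principal getAdminPrincipal(String principalName, String realmName) {
        return ADMIN_PRINCIPAL.get(realmName + principalName);
    }

    /**
     * Admin-realm group registered under {@code realmName + groupName}, or null.
     * Only populated by modules deployed to the admin virtual server.
     */
    public static Principal getAdminGroup(String groupName, String realmName) {
        return ADMIN_GROUP.get(realmName + groupName);
    }
}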
