package com.sun.web.security;

import com.sun.enterprise.ComponentInvocation;
import com.sun.enterprise.deployment.Application;
import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.WebComponentDescriptor;
import com.sun.enterprise.deployment.interfaces.SecurityRoleMapper;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.LoginContextDriver;
import com.sun.logging.LogDomains;
import com.sun.messaging.jmq.transport.httptunnel.HttpTunnelDefaults;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.Constants;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.util.StringManager;

/* loaded from: input_file:119167-13/SUNWascmn/reloc/appserver/lib/appserv-rt.jar:com/sun/web/security/RealmAdapter.class */
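/**
 * Catalina {@link RealmBase} that delegates authentication and authorization
 * for one web module to the application server's security subsystem
 * ({@link LoginContextDriver}, {@link SecurityContext} and the
 * {@link WebSecurityManager} registered for this module's context id).
 *
 * <p>The realm is configured from a {@link WebBundleDescriptor}: the realm
 * name, the role mapper and the per-servlet run-as principals are read from
 * it once, in the constructor.
 *
 * <p>State: {@code currentRequest} and {@code webSecurityManager} are written
 * on every call to {@link #hasResourcePermission} / {@link #hasUserDataPermission}
 * and read later by {@link #hasRole}. NOTE(review): if one realm instance
 * serves concurrent requests, {@code hasRole} may observe another thread's
 * request URI -- confirm against the container's realm lifecycle before
 * relying on it.
 */
public class RealmAdapter extends RealmBase {
    /** Sentinel returned by {@link #getCanonicalName()} when no servlet maps the request. */
    private static final String UNCONSTRAINED = "unconstrained";
    static Logger _logger;
    public static final String SECURITY_CONTEXT = "SecurityContext";
    public static final String BASIC = "BASIC";
    public static final String FORM = "FORM";
    // Initialized in the static block; not read anywhere in this class.
    private static int MAX_COUNT;
    private static int SLEEP_TIME;
    private SecurityRoleMapper mapper;
    private WebBundleDescriptor webDesc;
    // servlet canonical name -> run-as principal name
    private HashMap runAsPrincipals;
    private String _realmName;
    protected static final String name = "J2EE-RI-RealmAdapter";
    // Context id used to look up this module's WebSecurityManager.
    private String CONTEXT_ID;
    protected static StringManager sm;
    protected WebSecurityManager webSecurityManager;
    protected WebSecurityManagerFactory webSecurityManagerFactory;
    protected boolean isCurrentURIincluded;
    // Request currently being authorized; see the class comment on sharing.
    private HttpServletRequest currentRequest;
    private ArrayList roles;
    static final boolean $assertionsDisabled;
    static Class class$com$sun$web$security$RealmAdapter;
    static Class class$sun$security$x509$X500Name;

    /**
     * Creates an unconfigured adapter. The descriptor-based constructor is
     * the normal entry point; this one only initializes fields.
     */
    public RealmAdapter() {
        this.mapper = null;
        this.webDesc = null;
        this.runAsPrincipals = null;
        this._realmName = null;
        this.CONTEXT_ID = null;
        this.webSecurityManagerFactory = WebSecurityManagerFactory.getInstance();
        this.isCurrentURIincluded = false;
        this.currentRequest = null;
        this.roles = null;
    }

    /**
     * Creates an adapter configured from a deployed web module.
     *
     * @param webBundleDescriptor descriptor of the module this realm serves;
     *     supplies the role mapper, realm name, context id and run-as identities
     */
    public RealmAdapter(WebBundleDescriptor webBundleDescriptor) {
        this();
        this.webDesc = webBundleDescriptor;
        Application application = webBundleDescriptor.getApplication();
        this.mapper = application.getRoleMapper();
        LoginConfiguration loginConfiguration = webBundleDescriptor.getLoginConfiguration();
        // The application-level realm wins; fall back to the module's login-config realm.
        this._realmName = application.getRealm();
        if (this._realmName == null && loginConfiguration != null) {
            this._realmName = loginConfiguration.getRealmName();
        }
        this.CONTEXT_ID = WebSecurityManager.getContextID(webBundleDescriptor);
        this.runAsPrincipals = new HashMap();
        for (WebComponentDescriptor webComponentDescriptor : this.webDesc.getWebComponentDescriptorsSet()) {
            registerRunAs(webComponentDescriptor);
        }
    }

    /**
     * Records the run-as principal declared for one servlet, if any.
     * A run-as element without both a principal and a servlet name is
     * logged and skipped.
     */
    private void registerRunAs(WebComponentDescriptor webComponentDescriptor) {
        RunAsIdentityDescriptor runAsIdentity = webComponentDescriptor.getRunAsIdentity();
        if (runAsIdentity == null) {
            return;
        }
        String principal = runAsIdentity.getPrincipal();
        String canonicalName = webComponentDescriptor.getCanonicalName();
        if (principal == null || canonicalName == null) {
            _logger.warning("web.realmadapter.norunas");
            return;
        }
        this.runAsPrincipals.put(canonicalName, principal);
        _logger.fine("Servlet " + canonicalName + " will run-as: " + principal);
    }

    /** @return the descriptor this realm was configured from, or {@code null} */
    public WebBundleDescriptor getWebDescriptor() {
        return this.webDesc;
    }

    /**
     * Checks whether {@code principal} holds role {@code str} for the servlet
     * handling the current request. The role-ref check is first attempted with
     * the request path relative to the context; if that is not granted it is
     * retried with the servlet's canonical name, or with an empty name when no
     * servlet mapping matches the request.
     *
     * <p>Requires {@code currentRequest} to have been set by a preceding
     * {@link #hasResourcePermission} / {@link #hasUserDataPermission} call.
     *
     * @param principal the authenticated principal
     * @param str the role name as referenced by the servlet
     * @return {@code true} when the role-ref permission is granted
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasRole(Principal principal, String str) {
        this.webSecurityManager = this.webSecurityManagerFactory.getWebSecurityManager(this.CONTEXT_ID);
        String resourceName = getResourceName(this.currentRequest.getRequestURI(), this.currentRequest.getContextPath());
        boolean granted = this.webSecurityManager.hasRoleRefPermission(resourceName, str, principal);
        if (!granted) {
            resourceName = getCanonicalName();
            if (resourceName.equalsIgnoreCase(UNCONSTRAINED)) {
                if (_logger.isLoggable(Level.INFO)) {
                    _logger.log(Level.INFO, "Unable to find a <servlet-name> element which map: " + this.currentRequest.getRequestURI());
                }
                // No servlet maps the URI: check the role-ref without a servlet scope.
                granted = this.webSecurityManager.hasRoleRefPermission("", str, principal);
            } else {
                granted = this.webSecurityManager.hasRoleRefPermission(resourceName, str, principal);
            }
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Checking if servlet " + resourceName + " with principal " + principal + " has role " + str + " isGranted: " + granted);
        }
        return granted;
    }

    /** Clears the security context of the calling thread. */
    public void logout() {
        setSecurityContext(null);
    }

    /**
     * Authenticates with a byte-array credential.
     *
     * @param str user name
     * @param bArr password bytes
     * @return the principal, or {@code null} on failure
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(String str, byte[] bArr) {
        // NOTE(review): the bytes are decoded with the platform default charset;
        // non-ASCII passwords depend on the JVM's file.encoding. Left unchanged
        // to preserve compatibility with existing deployments.
        return authenticate(str, new String(bArr));
    }

    /**
     * Authenticates a user name / password pair against this realm.
     *
     * @param str user name
     * @param str2 clear-text password
     * @return a {@link WebPrincipal} bound to the resulting security context,
     *     or {@code null} when the login fails
     * @throws AssertionError when assertions are enabled and the login left no
     *     security context on the thread
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(String str, String str2) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Tomcat callback for authenticate user/password");
            _logger.fine("usename = " + str);
        }
        if (!authenticate(str, str2, null)) {
            return null;
        }
        SecurityContext current = SecurityContext.getCurrent();
        if ($assertionsDisabled || current != null) {
            // The principal retains the password so the login can be replayed later.
            return new WebPrincipal(str, str2, current);
        }
        throw new AssertionError();
    }

    /**
     * Authenticates a client certificate chain.
     *
     * @param x509CertificateArr the chain; only the first certificate is used
     * @return a {@link WebPrincipal} bound to the resulting security context,
     *     or {@code null} when the login fails
     * @throws AssertionError when assertions are enabled and the login left no
     *     security context on the thread
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        if (!authenticate(null, null, x509CertificateArr)) {
            return null;
        }
        SecurityContext current = SecurityContext.getCurrent();
        if ($assertionsDisabled || current != null) {
            return new WebPrincipal(x509CertificateArr, current);
        }
        throw new AssertionError();
    }

    /**
     * Re-authenticates a previously created principal using whichever
     * credential it carries (certificate chain or name/password).
     *
     * @param webPrincipal principal to re-authenticate
     * @return {@code true} on success
     */
    public boolean authenticate(WebPrincipal webPrincipal) {
        if (webPrincipal.isUsingCertificate()) {
            return authenticate(null, null, webPrincipal.getCertificates());
        }
        return authenticate(webPrincipal.getName(), webPrincipal.getPassword(), null);
    }

    /**
     * Performs the login through {@link LoginContextDriver}. The thread's
     * security context is cleared first so a failed login never leaves a
     * stale identity behind.
     *
     * @param str user name (ignored when a certificate chain is given)
     * @param str2 password (ignored when a certificate chain is given)
     * @param x509CertificateArr client certificate chain, or {@code null} for
     *     password login; only element 0 is used
     * @return {@code true} when the login succeeded
     */
    protected boolean authenticate(String str, String str2, X509Certificate[] x509CertificateArr) {
        boolean succeeded;
        Class cls;
        SecurityContext.setCurrent(null);
        try {
            if (x509CertificateArr != null) {
                Subject subject = new Subject();
                subject.getPublicCredentials().add(x509CertificateArr[0].getSubjectDN());
                // Lazily resolved class literal (decompiled form of X500Name.class).
                if (class$sun$security$x509$X500Name == null) {
                    cls = class$("sun.security.x509.X500Name");
                    class$sun$security$x509$X500Name = cls;
                } else {
                    cls = class$sun$security$x509$X500Name;
                }
                LoginContextDriver.login(subject, cls);
            } else {
                LoginContextDriver.login(str, str2, this._realmName);
            }
            succeeded = true;
        } catch (Exception e) {
            // Any failure (including an empty certificate array) is a failed login;
            // only the message is logged, not the credential.
            succeeded = false;
            if (_logger.isLoggable(Level.WARNING)) {
                _logger.warning("Web login failed: " + e.getMessage());
            }
        }
        if (succeeded && _logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Web login succeeded for: " + str);
        }
        return succeeded;
    }

    /**
     * Switches the thread to the run-as principal configured for the servlet
     * being invoked, saving the previous security context on the invocation
     * so {@link #postSetRunAsIdentity} can restore it. No-op for components
     * without a run-as identity.
     *
     * @param componentInvocation the current invocation
     */
    public void preSetRunAsIdentity(ComponentInvocation componentInvocation) {
        String servletName = getServletName(componentInvocation);
        if (servletName == null) {
            return;
        }
        String runAsPrincipal = (String) this.runAsPrincipals.get(servletName);
        if (runAsPrincipal == null) {
            return;
        }
        componentInvocation.setOldSecurityContext(getSecurityContext());
        loginForRunAs(runAsPrincipal);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("run-as principal for " + servletName + " set to: " + runAsPrincipal);
        }
    }

    /**
     * @return the servlet name of the invoked component, or {@code null} when
     *     the instance is not an initialized {@link HttpServlet}
     */
    private String getServletName(ComponentInvocation componentInvocation) {
        Object instance = componentInvocation.getInstance();
        if (!(instance instanceof HttpServlet)) {
            return null;
        }
        HttpServlet httpServlet = (HttpServlet) instance;
        // getServletName() needs a ServletConfig; an uninitialized servlet has none.
        return httpServlet.getServletConfig() != null ? httpServlet.getServletName() : null;
    }

    /**
     * Restores the security context saved by {@link #preSetRunAsIdentity}.
     * No-op for components without a run-as identity.
     *
     * @param componentInvocation the current invocation
     */
    public void postSetRunAsIdentity(ComponentInvocation componentInvocation) {
        String servletName = getServletName(componentInvocation);
        if (servletName == null || ((String) this.runAsPrincipals.get(servletName)) == null) {
            return;
        }
        setSecurityContext(componentInvocation.getOldSecurityContext());
    }

    /** Logs in {@code str} as a principal (no credential) on this realm. */
    private void loginForRunAs(String str) {
        LoginContextDriver.loginPrincipal(str, this._realmName);
    }

    /** @return the calling thread's current security context */
    private SecurityContext getSecurityContext() {
        return SecurityContext.getCurrent();
    }

    /** Installs {@code securityContext} on the calling thread. */
    private void setSecurityContext(SecurityContext securityContext) {
        SecurityContext.setCurrent(securityContext);
    }

    /**
     * Not supported: passwords are never exposed to Catalina; all
     * authentication goes through {@link LoginContextDriver}.
     *
     * @throws IllegalStateException always
     */
    @Override // org.apache.catalina.realm.RealmBase
    protected String getPassword(String str) {
        throw new IllegalStateException("Should not reach here");
    }

    /**
     * Not supported: principals are created only by the {@code authenticate}
     * methods of this class.
     *
     * @throws IllegalStateException always
     */
    @Override // org.apache.catalina.realm.RealmBase
    protected Principal getPrincipal(String str) {
        throw new IllegalStateException("Should not reach here");
    }

    /**
     * Re-creates a principal for a user whose session was failed over from
     * another instance, by logging the user in by name only (no credential).
     *
     * @param str user name
     * @return a {@link WebPrincipal} without a password
     * @throws AssertionError when assertions are enabled and the login left no
     *     security context on the thread
     */
    public Principal createFailOveredPrincipal(String str) {
        _logger.log(Level.FINEST, "IN createFailOveredPrincipal (" + str + ")");
        loginForRunAs(str);
        SecurityContext current = SecurityContext.getCurrent();
        _logger.log(Level.FINE, "Security context is " + current);
        if (!$assertionsDisabled && current == null) {
            throw new AssertionError();
        }
        WebPrincipal webPrincipal = new WebPrincipal(str, null, current);
        _logger.log(Level.INFO, "Principal created for FailOvered user " + webPrincipal);
        return webPrincipal;
    }

    /** @return {@code true} when at least one constraint carries an auth-constraint */
    private static boolean hasAuthConstraint(SecurityConstraint[] securityConstraintArr) {
        for (int i = 0; i < securityConstraintArr.length; i++) {
            if (securityConstraintArr[i].getAuthConstraint()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether the request may access the constrained resource.
     * Unconstrained requests pass. For FORM login the login page, the error
     * page and any URI ending in {@code /j_security_check} are allowed through
     * so the authenticator can handle them. Otherwise an unauthenticated
     * request gets 403, and an authenticated one is checked against the
     * module's {@link WebSecurityManager} (403 when denied).
     *
     * @param httpRequest the request (must be an {@link HttpServletRequest})
     * @param httpResponse the response used to send a 403
     * @param securityConstraintArr constraints matching the request, or {@code null}
     * @param context the web application context
     * @return {@code true} when access is granted
     * @throws IOException if sending the error response fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasResourcePermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        if (securityConstraintArr == null) {
            return true;
        }
        if (!hasAuthConstraint(securityConstraintArr)) {
            return true;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest;
        if (httpServletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("[Web-Security] [ hasResourcePermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
        }
        this.currentRequest = httpServletRequest;
        // Resolve the manager here as well rather than relying on a preceding
        // hasUserDataPermission() call having done it.
        this.webSecurityManager = this.webSecurityManagerFactory.getWebSecurityManager(this.CONTEXT_ID);
        LoginConfig loginConfig = context.getLoginConfig();
        if (loginConfig != null && FORM.equals(loginConfig.getAuthMethod())) {
            String decodedRequestURI = httpRequest.getDecodedRequestURI();
            String loginPage = context.getPath() + loginConfig.getLoginPage();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security]  requestURI: " + decodedRequestURI + " loginPage: " + loginPage);
            }
            if (loginPage.equals(decodedRequestURI)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to login page " + loginPage);
                }
                return true;
            }
            String errorPage = context.getPath() + loginConfig.getErrorPage();
            if (errorPage.equals(decodedRequestURI)) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to error page " + errorPage);
                }
                return true;
            }
            // Suffix match: the form authenticator owns this action URI.
            if (decodedRequestURI.endsWith("/j_security_check")) {
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine(" Allow access to username/password submission");
                }
                return true;
            }
        }
        if (httpServletRequest.getUserPrincipal() == null) {
            ((HttpServletResponse) httpResponse.getResponse()).sendError(403, sm.getString("realmBase.notAuthenticated"));
            return false;
        }
        boolean permitted = this.webSecurityManager.hasResourcePermission(httpServletRequest);
        if (!permitted) {
            ((HttpServletResponse) httpResponse.getResponse()).sendError(403, sm.getString("realmBase.forbidden"));
        }
        return permitted;
    }

    /**
     * Enforces the transport guarantee. Secure (SSL) requests always pass;
     * otherwise the {@link WebSecurityManager} decides: {@code -1} means
     * redirect to the SSL port, {@code 0} means deny with 403, anything else
     * grants access.
     *
     * @param httpRequest the request (must be an {@link HttpServletRequest})
     * @param httpResponse the response used for the redirect or 403
     * @param securityConstraintArr constraints matching the request, or {@code null}
     * @return {@code true} when access is granted; {@code false} after a
     *     redirect or error has been sent
     * @throws IOException if writing the response fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        if (securityConstraintArr == null) {
            return true;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest;
        this.currentRequest = httpServletRequest;
        if (httpServletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("[Web-Security][ hasUserDataPermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
        }
        this.webSecurityManager = this.webSecurityManagerFactory.getWebSecurityManager(this.CONTEXT_ID);
        if (httpRequest.getRequest().isSecure()) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security] request.getRequest().isSecure(): " + httpRequest.getRequest().isSecure());
            }
            return true;
        }
        int decision = this.webSecurityManager.hasUserDataPermission(httpServletRequest);
        if (decision == -1) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security] redirecting using SSL");
            }
            return redirect(httpRequest, httpResponse);
        }
        if (decision != 0) {
            return true;
        }
        ((HttpServletResponse) httpResponse.getResponse()).sendError(403, sm.getString("realmBase.forbidden"));
        return false;
    }

    /**
     * Redirects the request to the connector's SSL redirect port, preserving
     * the URI, a URL-carried session id and the query string. Sends 403 when
     * no redirect port is configured and 500 when the target URL cannot be
     * built.
     *
     * @return always {@code false}; a response has been committed
     * @throws IOException if writing the response fails
     */
    private boolean redirect(HttpRequest httpRequest, HttpResponse httpResponse) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse httpServletResponse = (HttpServletResponse) httpResponse.getResponse();
        int redirectPort = httpRequest.getConnector().getRedirectPort();
        if (redirectPort <= 0) {
            // Guard level matches the level actually logged at.
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("[Web-Security]  SSL redirect is disabled");
            }
            httpServletResponse.sendError(403, httpServletRequest.getRequestURI());
            return false;
        }
        String serverName = httpServletRequest.getServerName();
        StringBuffer file = new StringBuffer(httpServletRequest.getRequestURI());
        String requestedSessionId = httpServletRequest.getRequestedSessionId();
        // Only a session id that arrived in the URL is carried over; cookies follow on their own.
        if (requestedSessionId != null && httpServletRequest.isRequestedSessionIdFromURL()) {
            file.append(";jsessionid=").append(requestedSessionId);
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            file.append('?').append(queryString);
        }
        try {
            httpServletResponse.sendRedirect(new URL("https", serverName, redirectPort, file.toString()).toString());
            return false;
        } catch (MalformedURLException e) {
            httpServletResponse.sendError(500, httpServletRequest.getRequestURI());
            return false;
        }
    }

    /**
     * Finds the servlet that handles the current request, by exact match on
     * the implementation name, exact match on a url-pattern, or an
     * extension pattern ({@code *.ext}) whose extension equals the request's.
     *
     * @return the servlet's canonical name, or {@link #UNCONSTRAINED}
     */
    private String getCanonicalName() {
        // Loop-invariant: the request does not change while iterating descriptors.
        String resourceName = getResourceName(this.currentRequest.getRequestURI(), this.currentRequest.getContextPath());
        String extension = getExtension(resourceName);
        for (WebComponentDescriptor webComponentDescriptor : this.webDesc.getWebComponentDescriptorsSet()) {
            String implementation = webComponentDescriptor.getWebComponentImplementation();
            if (resourceName.equalsIgnoreCase(implementation) || matchesUrlPattern(webComponentDescriptor, resourceName, extension)) {
                return webComponentDescriptor.getCanonicalName();
            }
        }
        return UNCONSTRAINED;
    }

    /** @return {@code true} when one of the descriptor's url-patterns matches the resource */
    private static boolean matchesUrlPattern(WebComponentDescriptor webComponentDescriptor, String resourceName, String extension) {
        for (Iterator it = webComponentDescriptor.getUrlPatternsSet().iterator(); it.hasNext();) {
            String pattern = it.next().toString();
            if (pattern.equalsIgnoreCase(resourceName)) {
                return true;
            }
            String patternExtension = getExtension(pattern);
            if (patternExtension.equalsIgnoreCase(extension) && pattern.equalsIgnoreCase("*" + patternExtension)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips the context path prefix from a request URI.
     *
     * @param str request URI
     * @param str2 context path
     * @return the remainder, or {@code ""} when either is {@code null} or the
     *     URI is shorter than the context path
     */
    private static String getResourceName(String str, String str2) {
        if (str == null || str2 == null || str2.length() > str.length()) {
            return "";
        }
        return str.substring(str2.length());
    }

    /**
     * @return the extension of {@code str} including the leading dot, or
     *     {@code ""} when there is no dot or {@code str} is {@code null}
     */
    private static String getExtension(String str) {
        if (str == null) {
            return "";
        }
        int dot = str.lastIndexOf('.');
        return dot < 0 ? "" : str.substring(dot);
    }

    /** @return the fixed implementation name of this realm */
    @Override // org.apache.catalina.realm.RealmBase
    protected String getName() {
        return name;
    }

    /** @return the realm name taken from the application or login-config, possibly {@code null} */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public String getRealmName() {
        return this._realmName;
    }

    /** Deliberate no-op: the realm name is fixed by the deployment descriptor. */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public void setRealmName(String str) {
    }

    /** Decompiled class-literal helper: loads {@code str}, rethrowing as a linkage error. */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$com$sun$web$security$RealmAdapter == null) {
            cls = class$("com.sun.web.security.RealmAdapter");
            class$com$sun$web$security$RealmAdapter = cls;
        } else {
            cls = class$com$sun$web$security$RealmAdapter;
        }
        $assertionsDisabled = !cls.desiredAssertionStatus();
        _logger = LogDomains.getLogger(LogDomains.WEB_LOGGER);
        MAX_COUNT = 5;
        SLEEP_TIME = HttpTunnelDefaults.CONNECTION_RETRY_INTERVAL;
        sm = StringManager.getManager(Constants.Package);
    }
}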
