package weblogic.servlet.security.internal;

import java.io.IOException;
import java.util.Collection;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.diagnostics.descriptor.WLDFRESTNotificationBean;
import weblogic.servlet.spi.SubjectHandle;
import weblogic.utils.StringUtils;
import weblogic.utils.encoders.BASE64Decoder;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic/servlet/security/internal/BasicSecurityModule.class */
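/**
 * {@link SecurityModule} for HTTP BASIC authentication.
 *
 * <p>Reads the {@code Authorization} header, authenticates the supplied user/password through
 * {@code checkAuthenticate}, re-checks the resource permission for the authenticated subject and
 * additionally requires the WLS auth cookie before the subject is logged in. Failures are answered
 * either with a forbidden response or with the module's normal failure handling (optionally routed
 * through configured auth filters).
 */
public class BasicSecurityModule extends SecurityModule {
    /**
     * ServletContext attribute name. When the attribute holds a {@link Collection} of servlet
     * names, BASIC authentication is bypassed for requests routed to those servlets (see
     * {@link #disableBasicAuthCheck(ServletConfig)}). Any code able to write this attribute can
     * therefore switch the credential check off for a servlet, so writes to it are
     * security-relevant.
     */
    private static final String DISABLE_BASIC_AUTH = "weblogic.servlet.security.disableBasicAuth";

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a BASIC-auth module; all state lives in {@link SecurityModule}.
     *
     * @param servletSecurityContext security context of the web application
     * @param webAppSecurity facade used for permission checks and auth-filter handling
     * @param z forwarded unchanged to the superclass constructor (its meaning is not visible here)
     */
    public BasicSecurityModule(ServletSecurityContext servletSecurityContext, WebAppSecurity webAppSecurity, boolean z) {
        super(servletSecurityContext, webAppSecurity, z);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Post-access hook: flushes the response buffer and always reports success.
     *
     * @param httpServletResponse response to flush
     * @return always {@code true}
     * @throws IOException if flushing the response fails
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean postCheckAccess(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.flushBuffer();
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Decides whether the request may proceed, validating or challenging for BASIC credentials.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>If the current subject already has permission: deny (and arm the auth cookie for
     *       re-authentication) when the WLS auth cookie is missing; otherwise allow proxy-servlet
     *       requests, allow when neither credential enforcement nor re-authentication applies,
     *       and allow when BASIC auth is disabled for the target servlet. Any other permitted
     *       request falls through to the credential check.</li>
     *   <li>Without BASIC credentials in the {@code Authorization} header: allow if already
     *       permitted, otherwise reject (forbidden response or failure handling).</li>
     *   <li>With credentials: authenticate them, re-check permission for the resulting subject,
     *       require the WLS auth cookie, then log the subject in.</li>
     * </ol>
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response; a rejection writes to it
     * @param sessionSecurityData per-session security state used for the auth-cookie checks
     * @param resourceConstraint constraint of the requested resource (may be {@code null})
     * @param subjectHandle subject currently associated with the request (may be {@code null})
     * @param z passed to {@link #handleFailure}; when {@code true} and auth filters are configured,
     *     failures go through the auth filter chain instead of {@code sendError}
     * @return {@code true} if the request may proceed, {@code false} if a rejection was written
     * @throws IOException if writing the response fails or the credential token cannot be decoded
     * @throws ServletException propagated from failure handling / auth filters
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionSecurityData sessionSecurityData, ResourceConstraint resourceConstraint, SubjectHandle subjectHandle, boolean z) throws IOException, ServletException {
        boolean hasPermission = this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, subjectHandle, resourceConstraint);
        if (hasPermission) {
            if (wlsAuthCookieMissing(httpServletRequest, sessionSecurityData)) {
                // Authorized subject without the WLS auth cookie: reject and arm the cookie for re-auth.
                return denyForMissingAuthCookie(httpServletRequest, httpServletResponse, sessionSecurityData);
            }
            if (getRequestFacade().isRequestForProxyServlet(httpServletRequest)) {
                return true;
            }
            boolean credentialsAcceptable = !enforceValidBasicAuthCredentials() || (subjectHandle != null && !subjectHandle.isAnonymous());
            if (credentialsAcceptable && !isReAuthenticateRequired(getSecurityContext(), sessionSecurityData)) {
                return true;
            }
            ServletConfig servletConfig = getSecurityContext().getServletConfig(httpServletRequest);
            if (disableBasicAuthCheck(servletConfig)) {
                if (DEBUG_SEC.isDebugEnabled()) {
                    DEBUG_SEC.debug("BASIC authentication is bypassed for request sent to servlet " + servletConfig.getServletName());
                    DEBUG_SEC.debug("The detailed request information is " + httpServletRequest);
                }
                return true;
            }
            // Permitted, but anonymous credentials are being enforced or re-authentication is
            // required: fall through and insist on BASIC credentials.
        }
        // Under full security delegation a forbidden constraint gets a forbidden response instead
        // of a challenge.
        boolean mustForbid = this.webAppSecurity.isFullSecurityDelegationRequired() && resourceConstraint != null && resourceConstraint.isForbidden();
        String[] credentials = splitAuthHeader(httpServletRequest);
        if (credentials == null) {
            if (hasPermission) {
                // NOTE(review): a permitted request that fell through above (re-auth required or
                // anonymous subject under enforcement) is still accepted when it carries no
                // Authorization header; confirm this is the intended behaviour.
                return true;
            }
            reject(httpServletRequest, httpServletResponse, mustForbid || (subjectHandle != null && !isReloginEnabled()), z);
            return false;
        }
        SubjectHandle authenticated = checkAuthenticate(getSecurityContext(), httpServletRequest, httpServletResponse, credentials[0], credentials[1], false);
        if (authenticated == null) {
            reject(httpServletRequest, httpServletResponse, mustForbid || (subjectHandle != null && !isReloginEnabled()), z);
            return false;
        }
        if (!this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, authenticated, resourceConstraint)) {
            reject(httpServletRequest, httpServletResponse, mustForbid || !isReloginEnabled(), z);
            return false;
        }
        if (wlsAuthCookieMissing(httpServletRequest, sessionSecurityData)) {
            return denyForMissingAuthCookie(httpServletRequest, httpServletResponse, sessionSecurityData);
        }
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug(getSecurityContext().getLogContext() + ": user: " + getUsername(authenticated) + " has permissions to access " + httpServletRequest);
        }
        login(httpServletRequest, authenticated, sessionSecurityData);
        return true;
    }

    /**
     * Rejects a request whose subject is permitted but lacks the WLS auth cookie: runs the normal
     * failure handling (never through auth filters) and arms the cookie for re-authentication.
     *
     * @return always {@code false}, so callers can {@code return} the result directly
     */
    private boolean denyForMissingAuthCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionSecurityData sessionSecurityData) throws IOException, ServletException {
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug("AuthCookie not found - permission denied for " + httpServletRequest);
        }
        handleFailure(httpServletRequest, httpServletResponse, false);
        setAuthCookieForReAuth(getSecurityContext(), sessionSecurityData, this);
        return false;
    }

    /**
     * Writes the rejection for a failed BASIC check.
     *
     * @param forbidden {@code true} to send the forbidden response, {@code false} for the module's
     *     normal failure handling (see {@link #handleFailure})
     * @param z forwarded to {@link #handleFailure}
     */
    private void reject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean forbidden, boolean z) throws IOException, ServletException {
        if (forbidden) {
            sendForbiddenResponse(httpServletRequest, httpServletResponse);
        } else {
            handleFailure(httpServletRequest, httpServletResponse, z);
        }
    }

    /**
     * Reports whether BASIC authentication is disabled for the servlet named by {@code servletConfig}.
     *
     * <p>The decision is driven entirely by the ServletContext attribute {@link #DISABLE_BASIC_AUTH},
     * expected to hold a {@link Collection} of servlet names. A missing config, context or attribute
     * means "not disabled".
     *
     * @param servletConfig configuration of the target servlet (may be {@code null})
     * @return {@code true} if the servlet's name is listed in the attribute
     */
    protected boolean disableBasicAuthCheck(ServletConfig servletConfig) {
        if (servletConfig == null) {
            return false;
        }
        ServletContext servletContext = getSecurityContext().getServletContext();
        if (servletContext == null) {
            return false;
        }
        Collection<?> disabledServlets = (Collection<?>) servletContext.getAttribute(DISABLE_BASIC_AUTH);
        return disabledServlets != null && disabledServlets.contains(servletConfig.getServletName());
    }

    /**
     * Reads the provider-wide switch that forces an already-permitted but anonymous subject to
     * present BASIC credentials.
     *
     * @return the provider's "enforce valid BASIC auth credentials" setting
     */
    protected boolean enforceValidBasicAuthCredentials() {
        return WebAppSecurity.getProvider().getEnforceValidBasicAuthCredentials();
    }

    /**
     * Normal failure path: routes through the auth filter chain when requested and configured,
     * otherwise sends the module's error response.
     *
     * @param z {@code true} to prefer the auth filter chain (used only if auth filters exist)
     */
    private void handleFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException, ServletException {
        if (z && this.webAppSecurity.hasAuthFilters()) {
            this.webAppSecurity.invokeAuthFilterChain(httpServletRequest, httpServletResponse);
        } else {
            sendError(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Extracts user name and password from a BASIC {@code Authorization} header.
     *
     * <p>Returns {@code null} whenever no usable BASIC credentials are present: header absent,
     * scheme other than BASIC, no token after the scheme, or decoded credentials without a
     * {@code ':'} separator. Callers treat {@code null} as "no credentials supplied", so a malformed
     * header is answered with the normal rejection instead of an unhandled
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param httpServletRequest request whose {@code Authorization} header is inspected
     * @return {@code {user, password}}, or {@code null} if no BASIC credentials were found
     * @throws IOException if the decoder reports a malformed base64 token
     */
    private static String[] splitAuthHeader(HttpServletRequest httpServletRequest) throws IOException {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        String[] schemeAndToken = StringUtils.split(header, ' ');
        // A bare scheme ("Basic" with no token) must not be indexed as [1].
        if (schemeAndToken.length < 2 || !schemeAndToken[0].equalsIgnoreCase(WLDFRESTNotificationBean.BASIC_HTTP_AUTH)) {
            return null;
        }
        // Decoded with the platform default charset, as in the original implementation.
        // NOTE(review): RFC 7617 allows a UTF-8 charset parameter that this module does not read.
        String credentials = new String(new BASE64Decoder().decodeBuffer(schemeAndToken[1]));
        // RFC 7617: the user-id cannot contain ':' but the password may, so split at the first one
        // only; splitting at every colon would truncate such passwords.
        int separator = credentials.indexOf(':');
        if (separator < 0) {
            return null;
        }
        return new String[]{credentials.substring(0, separator), credentials.substring(separator + 1)};
    }
}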
