package weblogic.servlet.security.internal;

import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.InvocationTargetException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tools.ant.types.selectors.SelectorUtils;
import weblogic.apache.org.apache.velocity.servlet.VelocityServlet;
import weblogic.application.ApplicationContextInternal;
import weblogic.application.SecurityRole;
import weblogic.descriptor.BeanUpdateEvent;
import weblogic.descriptor.BeanUpdateListener;
import weblogic.descriptor.BeanUpdateRejectedException;
import weblogic.descriptor.DescriptorBean;
import weblogic.diagnostics.instrumentation.DelegatingMonitor;
import weblogic.diagnostics.instrumentation.DiagnosticMonitor;
import weblogic.diagnostics.instrumentation.InstrumentationSupport;
import weblogic.diagnostics.instrumentation.JoinPoint;
import weblogic.diagnostics.instrumentation.LocalHolder;
import weblogic.diagnostics.instrumentation.PointcutHandlingInfo;
import weblogic.diagnostics.instrumentation.ValueHandlingInfo;
import weblogic.diagnostics.instrumentation.engine.base.InstrumentationEngineConstants;
import weblogic.j2ee.J2EEUtils;
import weblogic.j2ee.descriptor.LoginConfigBean;
import weblogic.j2ee.descriptor.SecurityConstraintBean;
import weblogic.j2ee.descriptor.SecurityRoleBean;
import weblogic.j2ee.descriptor.SecurityRoleRefBean;
import weblogic.j2ee.descriptor.WebAppBean;
import weblogic.j2ee.descriptor.wl.JASPICProviderBean;
import weblogic.j2ee.descriptor.wl.RunAsRoleAssignmentBean;
import weblogic.j2ee.descriptor.wl.SecurityRoleAssignmentBean;
import weblogic.j2ee.descriptor.wl.WeblogicWebAppBean;
import weblogic.logging.Loggable;
import weblogic.management.DeploymentException;
import weblogic.management.configuration.AppDeploymentMBean;
import weblogic.management.configuration.AuthConfigProviderMBean;
import weblogic.management.configuration.AuthModuleMBean;
import weblogic.management.configuration.CustomAuthConfigProviderMBean;
import weblogic.management.configuration.JASPICMBean;
import weblogic.management.configuration.WLSAuthConfigProviderMBean;
import weblogic.protocol.ServerChannel;
import weblogic.protocol.ServerChannelManager;
import weblogic.security.debug.SecurityDebugLogger;
import weblogic.security.debug.SecurityLogger;
import weblogic.security.jaspic.SecurityServices;
import weblogic.security.jaspic.SecurityServicesImpl;
import weblogic.security.jaspic.SimpleAuthConfigProvider;
import weblogic.security.jaspic.servlet.JaspicSecurityModule;
import weblogic.server.GlobalServiceLocator;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ProtocolHandlerHTTPS;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.ServletStubImpl;
import weblogic.servlet.internal.WebAppPartitionManagerInterceptor;
import weblogic.servlet.internal.WebComponentBeanUpdateListener;
import weblogic.servlet.internal.dd.LoginDescriptor;
import weblogic.servlet.security.internal.ResourceConstraint;
import weblogic.servlet.spi.ApplicationSecurity;
import weblogic.servlet.spi.SecurityProvider;
import weblogic.servlet.spi.SubjectHandle;
import weblogic.servlet.spi.WebServerRegistry;
import weblogic.utils.http.HttpParsing;

/* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurity.class */
public abstract class WebAppSecurity {
    // Per-web-app security context; supplies the servlet context, log context and role lookups.
    protected ServletSecurityContext securityContext;
    // Module that authn/authz calls are delegated to; rebuilt by createDelegateModule().
    protected SecurityModule delegateModule;
    // Role names from web.xml plus the any-authenticated-user role added in registerSecurityRoles().
    protected final HashSet<String> roleNames;
    // role-name -> principal names from security-role-assignment; a single-element {null}
    // array marks a role flagged as externally defined (see setRoleMapping()).
    protected final HashMap<String, String[]> roleMapping;
    // role-name -> run-as principal from run-as-role-assignment.
    protected final HashMap<String, String> runAsMapping;
    // True once web.xml itself declares the any-authenticated-user role.
    protected boolean isAnyAuthUserRoleDefinedInDD;
    private String loginPage;   // form-login page, normalised to start with '/' in setLoginConfig()
    private String errorPage;   // form-login error page, normalised the same way
    private String authMethod;  // auth-method as normalised by initAuthMethod()
    private String cachedAuthType;
    private boolean formAuth;   // authMethod contains "FORM"
    protected static final String NONE = "NONE";
    protected static final String INTEGRAL = "INTEGRAL";
    protected static final String CONFIDENTIAL = "CONFIDENTIAL";
    // JASPIC message layer under which this application's AuthConfigProvider is registered.
    private static final String LAYER_NAME = "HttpServlet";
    private final Filter[] authFilters;        // servlet authentication filters supplied by appSecurity
    private final boolean authFiltersPresent;  // authFilters is non-null and non-empty
    private String authFilter;
    private RequestDispatcher authFilterRD;
    protected final ApplicationSecurity appSecurity;
    private final ExternalRoleChecker externalRoleChecker;
    // Lazily resolved; see isChangeSessionIdOnReauthentication() for the precedence rules.
    private Boolean changeSessionIdOnReauthentication;
    // AuthConfigFactory registration id; null until instantiateAndRegister() succeeds.
    private String registrationId;
    private boolean jaspicEnabled;
    // Rebuilds delegateModule whenever the provider registration for this app changes.
    private RegistrationListener jaspicListener;
    private SecurityServices securityServices;
    private SecurityDebugLogger athnLogger;
    private BeanUpdateListener beanUpdateListener;
    protected boolean isDenyUncoveredMethodsSet;
    // --- compiler-synthesised / WLDF instrumentation members as emitted by the decompiler ---
    static final /* synthetic */ boolean $assertionsDisabled;
    static final long serialVersionUID = 1329739590084021943L;
    static final String _WLDF$INST_VERSION = "9.0.0";
    static /* synthetic */ Class _WLDF$INST_FLD_class = Class.forName("weblogic.servlet.security.internal.WebAppSecurity");
    static final DelegatingMonitor _WLDF$INST_FLD_Servlet_Check_Access_Around_Medium = (DelegatingMonitor) InstrumentationSupport.getMonitor(_WLDF$INST_FLD_class, "Servlet_Check_Access_Around_Medium");
    static final JoinPoint _WLDF$INST_JPFLD_0 = InstrumentationSupport.createJoinPoint(_WLDF$INST_FLD_class, "WebAppSecurity.java", "weblogic.servlet.security.internal.WebAppSecurity", "checkAccess", "(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;ZZ)Z", 545, "", "", "", InstrumentationSupport.makeMap(new String[]{"Servlet_Check_Access_Around_Medium"}, new PointcutHandlingInfo[]{InstrumentationSupport.createPointcutHandlingInfo(null, InstrumentationSupport.createValueHandlingInfo(InstrumentationEngineConstants.WLDF_LOCALHOLDER_RETURN_FIELDNAME, null, false, true), new ValueHandlingInfo[]{InstrumentationSupport.createValueHandlingInfo(VelocityServlet.REQUEST, "weblogic.diagnostics.instrumentation.gathering.ServletRequestRenderer", false, true), null, null, null})}), false);
    static final DiagnosticMonitor[] _WLDF$INST_JPFLD_JPMONS_0 = {_WLDF$INST_FLD_Servlet_Check_Access_Around_Medium};

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurity$AuthFilterAction.class */
    public static class AuthFilterAction implements PrivilegedAction {
        /** Request handed to the auth-filter include. */
        private final HttpServletRequest request;
        /** Response handed to the auth-filter include. */
        private final HttpServletResponse response;
        /** Dispatcher for the configured auth-filter resource. */
        private final RequestDispatcher dispatcher;

        AuthFilterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RequestDispatcher requestDispatcher) {
            request = httpServletRequest;
            response = httpServletResponse;
            dispatcher = requestDispatcher;
        }

        /**
         * Includes the auth-filter resource into the current response.
         * <p>
         * Nothing is thrown from here: any {@link Throwable} raised by the include
         * (errors included) is handed back as the return value, so the caller must
         * inspect the result rather than rely on an exception.
         *
         * @return {@code null} on success, otherwise the throwable raised by the include
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            Throwable failure = null;
            try {
                dispatcher.include(request, response);
            } catch (Throwable th) {
                failure = th;
            }
            return failure;
        }
    }

    /* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurity$HttpServletRegistrationListener.class */
    /**
     * JASPIC registration listener for this web application.
     * <p>
     * Attached to the {@code AuthConfigFactory} for the servlet layer and this app's
     * context id; whenever the factory reports a registration change the delegate
     * security module is rebuilt so the new provider (or its absence) takes effect.
     */
    class HttpServletRegistrationListener implements RegistrationListener {
        HttpServletRegistrationListener() {
        }

        /**
         * Rebuilds the enclosing object's delegate module. The layer and app-context
         * arguments are ignored: the listener is only ever attached for one pair.
         */
        @Override // javax.security.auth.message.config.RegistrationListener
        public void notify(String str, String str2) {
            createDelegateModule();
        }
    }

    /* loaded from: input_file:weblogic/servlet/security/internal/WebAppSecurity$ServletAuthenticationFilterAction.class */
    /**
     * Runs a servlet authentication filter chain as a privileged action.
     * Failures are returned, not thrown; see {@link #run()}.
     */
    private static class ServletAuthenticationFilterAction implements PrivilegedAction {
        private final HttpServletRequest request;
        private final HttpServletResponse response;
        private final FilterChain chain;

        ServletAuthenticationFilterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
            request = httpServletRequest;
            response = httpServletResponse;
            chain = filterChain;
        }

        /**
         * Invokes the filter chain with the captured request and response.
         *
         * @return {@code null} when the chain completes, otherwise the {@link Throwable}
         *         it raised (errors included) for the caller to inspect
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            Throwable failure = null;
            try {
                chain.doFilter(request, response);
            } catch (Throwable th) {
                failure = th;
            }
            return failure;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the security object using the server-wide JASPIC
     * {@link SecurityServices} obtained from the global service locator.
     *
     * @throws DeploymentException propagated from the four-argument constructor
     */
    public WebAppSecurity(ServletSecurityContext servletSecurityContext, ApplicationSecurity applicationSecurity, ExternalRoleChecker externalRoleChecker) throws DeploymentException {
        this(servletSecurityContext, applicationSecurity, externalRoleChecker, lookupDefaultSecurityServices());
    }

    /** Resolves the default {@link SecurityServices} implementation from the service locator. */
    private static SecurityServices lookupDefaultSecurityServices() {
        return (SecurityServices) GlobalServiceLocator.getServiceLocator().getService(SecurityServicesImpl.class, new Annotation[0]);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Wires the security object to its context, provider and role checker.
     * <p>
     * Role/policy state starts empty; login configuration is supplied later via
     * {@link #setLoginConfig}. The servlet authentication filters are fetched once
     * from {@code applicationSecurity} and kept for the lifetime of the object.
     * NOTE(review): {@code createBeanUpdateListener()} (defined outside this view) is
     * invoked from the constructor, so an override would run before the subclass
     * is initialised — confirm it touches no subclass state.
     *
     * @throws DeploymentException declared for subclasses; nothing here throws it
     */
    public WebAppSecurity(ServletSecurityContext servletSecurityContext, ApplicationSecurity applicationSecurity, ExternalRoleChecker externalRoleChecker, SecurityServices securityServices) throws DeploymentException {
        roleNames = new HashSet<>();
        roleMapping = new HashMap<>();
        runAsMapping = new HashMap<>();
        isAnyAuthUserRoleDefinedInDD = false;
        loginPage = null;
        errorPage = null;
        authMethod = null;
        cachedAuthType = null;
        formAuth = false;
        jaspicListener = new HttpServletRegistrationListener();
        athnLogger = new SecurityDebugLogger(SecurityLogger.AUTHN);
        appSecurity = applicationSecurity;
        securityContext = servletSecurityContext;
        Filter[] filters = applicationSecurity.getServletAuthenticationFilters(servletSecurityContext.getServletContext());
        authFilters = filters;
        authFiltersPresent = filters != null && filters.length > 0;
        this.externalRoleChecker = externalRoleChecker;
        this.securityServices = securityServices;
        beanUpdateListener = createBeanUpdateListener();
    }

    /**
     * Factory choosing between the JACC- and WLS-backed implementations.
     * <p>
     * JACC is used only when the server reports it enabled and the context opts in
     * for the given argument; otherwise the WebLogic realm-based implementation is built.
     *
     * @param applicationContextInternal application context, may be {@code null}
     * @param servletSecurityContext     per-web-app security context
     * @param str                        passed through to the backing security object (meaning not visible here)
     * @param str2                       passed through to the backing security object (meaning not visible here)
     * @param str3                       also used for the JACC opt-in check
     * @param externalRoleCheckerManager role checker handed to the created object
     * @return a fully constructed {@link WebAppSecurity}
     * @throws DeploymentException from the chosen constructor
     */
    public static WebAppSecurity createWebAppSecurity(ApplicationContextInternal applicationContextInternal, ServletSecurityContext servletSecurityContext, String str, String str2, String str3, ExternalRoleCheckerManager externalRoleCheckerManager) throws DeploymentException {
        ServletSecurityServices services = getSecurityServices();
        AppDeploymentMBean deployment = null;
        if (applicationContextInternal != null) {
            deployment = applicationContextInternal.getAppDeploymentMBean();
        }
        boolean useJacc = services != null && services.isJACCEnabled() && servletSecurityContext.useJACC(str3);
        if (useJacc) {
            JACCSecurity jaccSecurity = new JACCSecurity(getSecurityServices(), deployment, str2, str, applicationContextInternal, servletSecurityContext.getServerName(), str3);
            return new WebAppSecurityJacc(servletSecurityContext, jaccSecurity, externalRoleCheckerManager);
        }
        ServletSecurityServices wlsServices = getSecurityServices();
        String realmName = null;
        if (applicationContextInternal != null) {
            realmName = applicationContextInternal.getApplicationSecurityRealmName();
        }
        WLSSecurity wlsSecurity = new WLSSecurity(wlsServices, deployment, str2, str, realmName);
        return new WebAppSecurityWLS(servletSecurityContext, wlsSecurity, externalRoleCheckerManager);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Whether the session id must be rotated when a user authenticates
     * (the container's session-fixation protection).
     * <p>
     * Resolved once and cached: the {@code changeSessionIdOnAuthentication} system
     * property wins when set, otherwise the domain's WebAppContainer setting is used.
     * {@link Boolean#valueOf(String)} treats any value other than a case-insensitive
     * "true" as {@code false}, so a mistyped property silently disables the rotation.
     *
     * @return {@code true} when the session id should change on authentication
     */
    public boolean isChangeSessionIdOnReauthentication() {
        Boolean resolved = changeSessionIdOnReauthentication;
        if (resolved == null) {
            String override = System.getProperty("changeSessionIdOnAuthentication");
            if (override == null) {
                boolean domainSetting = WebServerRegistry.getInstance().getManagementProvider().getDomainMBean().getWebAppContainer().isChangeSessionIDOnAuthentication();
                resolved = Boolean.valueOf(domainSetting);
            } else {
                resolved = Boolean.valueOf(override);
            }
            changeSessionIdOnReauthentication = resolved;
        }
        return resolved.booleanValue();
    }

    /** Returns the container-wide {@link SecurityProvider} held by the web server registry. */
    public static SecurityProvider getProvider() {
        WebServerRegistry registry = WebServerRegistry.getInstance();
        return registry.getSecurityProvider();
    }

    /** Returns the container-wide {@link ServletSecurityServices} held by the web server registry. */
    public static ServletSecurityServices getSecurityServices() {
        WebServerRegistry registry = WebServerRegistry.getInstance();
        return registry.getSecurityServices();
    }

    /** Returns the per-application security provider this object delegates to. */
    public ApplicationSecurity getAppSecurityProvider() {
        return appSecurity;
    }

    /** Form-login page (leading slash ensured by {@link #setLoginConfig}), or {@code null} if none. */
    public final String getLoginPage() {
        return loginPage;
    }

    /** Form-login error page (leading slash ensured by {@link #setLoginConfig}), or {@code null} if none. */
    public final String getErrorPage() {
        return errorPage;
    }

    /** Configured auth-method as last set via {@link #setLoginConfig} or {@link #setAuthMethod}. */
    public final String getAuthMethod() {
        return authMethod;
    }

    /** {@code true} when the normalised auth-method contains "FORM" (see {@link #setLoginConfig}). */
    public final boolean isFormAuth() {
        return formAuth;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Whether every access decision must be delegated to the provider rather than
     * short-circuited locally (see {@link #hasPermission} and {@link #checkAccess}).
     */
    public boolean isFullSecurityDelegationRequired() {
        ApplicationSecurity provider = appSecurity;
        return provider.isFullSecurityDelegationRequired();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * {@code true} only when the delegate is a {@link ChainedSecurityModule} and
     * {@code securityModule} is not its last link; a non-chained delegate yields {@code false}.
     */
    public boolean isNotLastChainedSecurityModule(SecurityModule securityModule) {
        if (!(delegateModule instanceof ChainedSecurityModule)) {
            return false;
        }
        ChainedSecurityModule chain = (ChainedSecurityModule) delegateModule;
        return !chain.isLastChainedSecurityModule(securityModule);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * {@code true} when {@code securityModule} is the last link of a chained delegate,
     * or unconditionally when the delegate is not chained.
     */
    public boolean isLastSecurityModule(SecurityModule securityModule) {
        SecurityModule module = delegateModule;
        return !(module instanceof ChainedSecurityModule)
                || ((ChainedSecurityModule) module).isLastChainedSecurityModule(securityModule);
    }

    /** Opens the role/policy deployment transaction on the provider. */
    public final void startDeployment() throws DeploymentException {
        ApplicationSecurity provider = appSecurity;
        provider.startRoleAndPolicyDeployments();
    }

    /** Closes the deployment transaction, handing the provider the accumulated role-to-principal mapping. */
    public final void endDeployment() throws DeploymentException {
        ApplicationSecurity provider = appSecurity;
        provider.endRoleAndPolicyDeployments(roleMapping);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** {@code true} when at least one servlet authentication filter was supplied at construction. */
    public boolean hasAuthFilters() {
        return authFiltersPresent;
    }

    /** Pushes the collected roles to the backing security store. */
    protected abstract void deployRoles() throws DeploymentException;

    /** Merges the web.xml security constraints into this object's policy view. */
    protected abstract void mergePolicies(WebAppBean webAppBean, SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException;

    /** Pushes the merged policies to the backing security store. */
    protected abstract void deployPolicies() throws DeploymentException;

    /** Returns the constraint matching the request, or {@code null} when none applies. */
    public abstract ResourceConstraint getConstraint(HttpServletRequest httpServletRequest);

    /**
     * Decides whether {@code subjectHandle} may access the resource described by
     * {@code resourceConstraint}.
     * <p>
     * Evaluation order matters: the admin-mode shortcuts run before any constraint is
     * consulted; the local unrestricted / forbidden / login-required answers apply only
     * when the provider does not demand full delegation; everything else is handed to
     * {@link ApplicationSecurity#hasPermission}, with the anonymous subject standing in
     * for a missing one.
     *
     * @param httpServletRequest  current request; only its relative URI reaches the provider
     * @param httpServletResponse current response, passed through to the provider
     * @param subjectHandle       authenticated subject, or {@code null} when none
     * @param resourceConstraint  constraint matched for the request, or {@code null}
     * @return {@code true} when access is granted
     */
    public boolean hasPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SubjectHandle subjectHandle, ResourceConstraint resourceConstraint) {
        // Admin mode + internal app + request signed by the container: granted outright,
        // without looking at the constraint or the subject.
        if (getSecurityContext().isAdminMode() && getSecurityContext().isInternalApp() && this.appSecurity.isRequestSigned(httpServletRequest)) {
            return true;
        }
        // Admin mode for a user application: checkAdminMode() (defined outside this view)
        // decides, unless the partition is shutting down or suspending.
        if (getSecurityContext().isAdminMode() && !getSecurityContext().isInternalApp() && !WebAppPartitionManagerInterceptor.isPartitionShutdown() && !WebAppPartitionManagerInterceptor.isPartitionSuspending()) {
            return checkAdminMode(subjectHandle);
        }
        if (this.appSecurity.isFullSecurityDelegationRequired()) {
            // Provider makes the decision; only "login required but nobody logged in" is
            // rejected here. A null subject otherwise falls through to the anonymous case.
            if (resourceConstraint != null && resourceConstraint.isLoginRequired() && subjectHandle == null) {
                return false;
            }
        } else {
            // Local answers for the non-role cases; a role-based constraint with a
            // subject falls through to the provider.
            if (resourceConstraint == null || resourceConstraint.isUnrestricted()) {
                return true;
            }
            if (resourceConstraint.isForbidden()) {
                return false;
            }
            if (resourceConstraint.isLoginRequired()) {
                return subjectHandle != null;
            }
            if (subjectHandle == null) {
                return false;
            }
        }
        // Only the full-delegation path can arrive here with a null subject; the provider
        // then evaluates the anonymous subject instead of this method denying outright.
        if (subjectHandle == null) {
            subjectHandle = getProvider().getAnonymousSubject();
        }
        return this.appSecurity.hasPermission(subjectHandle, httpServletRequest, httpServletResponse, getRelativeURI(httpServletRequest));
    }

    /** Role membership check for {@code str}, evaluated against the servlet's role-ref scope. */
    public abstract boolean isSubjectInRole(SubjectHandle subjectHandle, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletConfig servletConfig);

    /** Registers the servlet's security-role-ref links with the backing store. */
    public abstract void registerRoleRefs(ServletConfig servletConfig) throws DeploymentException;

    /** Deploys one role-ref link ({@code str} -> {@code str2}) for the given servlet. */
    protected abstract void deployRoleLink(ServletConfig servletConfig, String str, String str2) throws DeploymentException;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Enforces the constraint's transport guarantee on the request; returns {@code false}
     * when the request was rejected or redirected and must not proceed.
     */
    public abstract boolean checkTransport(ResourceConstraint resourceConstraint, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException;

    /** Whether the given URI / method pair requires a confidential transport. */
    public abstract boolean isSSLRequired(String str, String str2);

    /** Hook run before access checks for a request; no-op here, overridden by subclasses that need per-request context. */
    public void initContextHandler(HttpServletRequest httpServletRequest) {
    }

    /** Counterpart of {@link #initContextHandler}; no-op here. */
    public void resetContextHandler() {
    }

    /** Converts a container {@link SubjectHandle} to a JAAS {@link Subject} via the security services. */
    public Subject toSubject(SubjectHandle subjectHandle) {
        ServletSecurityServices services = getSecurityServices();
        return services.toSubject(subjectHandle);
    }

    /** Converts a JAAS {@link Subject} to a container {@link SubjectHandle} via the security services. */
    public SubjectHandle toSubjectHandle(Subject subject) {
        ServletSecurityServices services = getSecurityServices();
        return services.toSubjectHandle(subject);
    }

    /**
     * Resolves the principal a servlet runs as for role {@code str2}.
     * <p>
     * Precedence: an explicit principal ({@code str}), then the run-as-role-assignment,
     * then the first principal of the security-role-assignment (logged as an implicit
     * mapping), then — outside compatibility mode — the first principal of a non-external
     * context role. If nothing matches, application security mode is a deployment error;
     * otherwise the role name itself is used and that is logged as well.
     *
     * @param str  explicit run-as principal, may be {@code null}
     * @param str2 run-as role name
     * @return the principal name to run as
     * @throws DeploymentException when the role cannot be resolved in application security mode
     */
    public String getRunAsPrincipalName(String str, String str2) throws DeploymentException {
        if (str != null) {
            return str;
        }
        String assigned = getRunAsIdentity(str2);
        if (assigned != null) {
            return assigned;
        }
        String mapped = getFirstPrincipal(str2);
        if (mapped != null) {
            HTTPLogger.logImplicitMappingForRunAsRole(getSecurityContext().getLogContext(), "run-as", str2, J2EEUtils.WEB_DD_NAME, mapped);
            return mapped;
        }
        if (!appSecurity.isCompatibilitySecMode()) {
            String fromContextRole = firstPrincipalOfContextRole(str2);
            if (fromContextRole != null) {
                return fromContextRole;
            }
            if (appSecurity.isApplicationSecMode()) {
                throw new DeploymentException("Cannot resolve role-Name " + str2);
            }
        }
        HTTPLogger.logImplicitMappingForRunAsRoleToSelf(getSecurityContext().getLogContext(), "run-as", str2, J2EEUtils.WEB_DD_NAME);
        return str2;
    }

    /**
     * First principal of the context's security role, or {@code null} when the role is
     * unknown, externally defined, or has no principals.
     */
    private String firstPrincipalOfContextRole(String roleName) {
        SecurityRole securityRole = getSecurityContext().getSecurityRole(roleName);
        if (securityRole == null) {
            return null;
        }
        String[] principalNames = securityRole.getPrincipalNames();
        boolean usable = !securityRole.isExternallyDefined() && principalNames != null && principalNames.length > 0;
        return usable ? principalNames[0] : null;
    }

    /** Destroys the servlet authentication filters created for this application. */
    public void unregisterRolesAndPolicies() {
        ApplicationSecurity provider = appSecurity;
        provider.destroyServletAuthenticationFilters(authFilters);
    }

    /** Tears down filters first, then the JASPIC registration and listener. */
    public void undeploy() {
        unregisterRolesAndPolicies();
        unregisterJaspicProvider();
    }

    /**
     * Detaches this app's registration listener from the {@link AuthConfigFactory} and
     * removes the AuthConfigProvider registration made by {@link #registerJaspicProvider}.
     * <p>
     * No-op when no factory is installed. {@code registrationId} is left untouched, so a
     * second call repeats the removal (and the debug line) for the same id.
     */
    public void unregisterJaspicProvider() {
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        if (factory == null) {
            return;
        }
        String appContextId = SecurityModule.getAppContextId(securityContext);
        factory.detachListener(jaspicListener, LAYER_NAME, appContextId);
        String id = registrationId;
        if (id == null) {
            return;
        }
        factory.removeRegistration(id);
        athnLogger.debug("Removing AuthConfigProvider registration: " + id);
    }

    /** Whether {@code str} is a role defined outside the deployment descriptors, per the external role checker. */
    protected boolean isExternalRole(String str) {
        ExternalRoleChecker checker = externalRoleChecker;
        return checker.isExternalRole(str);
    }

    /** Deploys policies before roles; the order is fixed by this method. */
    public final void deployPolicyAndRole() throws DeploymentException {
        deployPolicies();
        deployRoles();
    }

    /** Entry point for web.xml security constraints; delegates to the subclass's {@link #mergePolicies}. */
    public final void registerSecurityConstraints(WebAppBean webAppBean, SecurityConstraintBean[] securityConstraintBeanArr) throws DeploymentException {
        mergePolicies(webAppBean, securityConstraintBeanArr);
    }

    /**
     * Collects the roles declared in web.xml and the role / run-as assignments from weblogic.xml.
     * <p>
     * The name compared against {@code SelectorUtils.DEEP_TREE_MATCH} is the
     * any-authenticated-user role; the decompiler resolved the literal to an Ant constant
     * of equal value. That role is always added to {@code roleNames}, and
     * {@code isAnyAuthUserRoleDefinedInDD} records whether web.xml declared it itself.
     * A run-as assignment naming a role that is neither declared nor external is a
     * deployment error.
     *
     * @param webAppBean         parsed web.xml
     * @param weblogicWebAppBean parsed weblogic.xml, may be {@code null}
     * @throws DeploymentException for an undefined role in a role or run-as assignment
     */
    public void registerSecurityRoles(WebAppBean webAppBean, WeblogicWebAppBean weblogicWebAppBean) throws DeploymentException {
        SecurityRoleBean[] declaredRoles = webAppBean.getSecurityRoles();
        if (declaredRoles != null) {
            for (SecurityRoleBean role : declaredRoles) {
                String roleName = role.getRoleName();
                roleNames.add(roleName);
                if (SelectorUtils.DEEP_TREE_MATCH.equals(roleName)) {
                    isAnyAuthUserRoleDefinedInDD = true;
                }
            }
        }
        roleNames.add(SelectorUtils.DEEP_TREE_MATCH);
        if (weblogicWebAppBean == null) {
            return;
        }
        setRoleMapping(weblogicWebAppBean.getSecurityRoleAssignments());
        RunAsRoleAssignmentBean[] runAsAssignments = weblogicWebAppBean.getRunAsRoleAssignments();
        if (runAsAssignments == null) {
            return;
        }
        for (RunAsRoleAssignmentBean assignment : runAsAssignments) {
            String roleName = assignment.getRoleName();
            if (roleNames.contains(roleName)) {
                runAsMapping.put(roleName, assignment.getRunAsPrincipalName());
            } else if (!isExternalRole(roleName)) {
                Loggable loggable = HTTPLogger.logUndefinedSecurityRoleLoggable(roleName, "run-as-role-assignment");
                loggable.log();
                throw new DeploymentException(loggable.getMessage());
            }
        }
    }

    /**
     * Whether {@code str} is a declared role. For the any-authenticated-user role
     * (always present in {@code roleNames}) the answer additionally requires that
     * web.xml declared it explicitly.
     */
    public boolean isRoleNameDeclared(String str) {
        boolean declared = roleNames.contains(str);
        if (SelectorUtils.DEEP_TREE_MATCH.equals(str)) {
            return declared && isAnyAuthUserRoleDefinedInDD();
        }
        return declared;
    }

    /**
     * Records the weblogic.xml security-role-assignments in {@code roleMapping}.
     * <p>
     * A role that is not declared and not external is a deployment error. A role
     * flagged externally-defined is stored as a single {@code null} principal, which
     * makes {@link #getFirstPrincipal} return {@code null} for it; an assignment with
     * no principals is skipped entirely.
     *
     * @param securityRoleAssignmentBeanArr assignments, may be {@code null}
     * @throws DeploymentException for an undeclared, non-external role
     */
    private final void setRoleMapping(SecurityRoleAssignmentBean[] securityRoleAssignmentBeanArr) throws DeploymentException {
        if (securityRoleAssignmentBeanArr == null) {
            return;
        }
        for (SecurityRoleAssignmentBean assignment : securityRoleAssignmentBeanArr) {
            String roleName = assignment.getRoleName();
            if (!roleNames.contains(roleName)) {
                if (isExternalRole(roleName)) {
                    continue;
                }
                Loggable loggable = HTTPLogger.logBadSecurityRoleInSRALoggable(roleName);
                loggable.log();
                throw new DeploymentException(loggable.getMessage());
            }
            if (assignment.getExternallyDefined() != null) {
                roleMapping.put(roleName, new String[]{null});
                continue;
            }
            String[] principals = assignment.getPrincipalNames();
            if (principals != null && principals.length > 0) {
                roleMapping.put(roleName, principals);
            }
        }
    }

    /** Run-as principal assigned to role {@code str} in weblogic.xml, or {@code null}. */
    public final String getRunAsIdentity(String str) {
        return runAsMapping.get(str);
    }

    /**
     * First principal mapped to role {@code str}, or {@code null} when the role is
     * unmapped, has no principals, or was stored as externally defined ({@code {null}}).
     */
    public final String getFirstPrincipal(String str) {
        String[] principals = roleMapping.get(str);
        boolean present = principals != null && principals.length > 0;
        return present ? principals[0] : null;
    }

    /**
     * Normalises the descriptor's auth-method to the container's canonical spelling.
     * <p>
     * {@code null} and BASIC map to "BASIC"; FORM, DIGEST and the descriptor's
     * client-cert spelling map to their upper-case canonical names. A composite value
     * that merely contains the client-cert token is upper-cased and has that token
     * rewritten; anything else is returned unchanged. The rewrite uses
     * {@code replaceAll}, so the token is interpreted as a regular expression — fine
     * as long as the constant holds no metacharacters. Upper-casing uses the default
     * locale, as in the original.
     *
     * @param str auth-method from the login-config, may be {@code null}
     * @return canonical auth-method name
     */
    private String initAuthMethod(String str) {
        if (str == null || str.equalsIgnoreCase("BASIC")) {
            return "BASIC";
        }
        if (str.equalsIgnoreCase("FORM")) {
            return "FORM";
        }
        if (str.equalsIgnoreCase(LoginDescriptor.AM_CLIENT_CERT)) {
            return "CLIENT_CERT";
        }
        if (str.equalsIgnoreCase("DIGEST")) {
            return "DIGEST";
        }
        String upper = str.toUpperCase();
        if (upper.contains(LoginDescriptor.AM_CLIENT_CERT)) {
            return upper.replaceAll(LoginDescriptor.AM_CLIENT_CERT, "CLIENT_CERT");
        }
        return str;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v14 */
    /* JADX WARN: Type inference failed for: r0v15 */
    /* JADX WARN: Type inference failed for: r0v2 */
    /* JADX WARN: Type inference failed for: r0v3, types: [java.lang.Throwable] */
    /* JADX WARN: Type inference failed for: r0v5, types: [boolean] */
    /**
     * Four-argument entry point: a WLDF instrumentation wrapper around
     * {@link #checkAccess(HttpServletRequest, HttpServletResponse, boolean, boolean, boolean)}
     * with the first boolean of that overload fixed to {@code false}.
     * <p>
     * As decompiled this is not valid Java ({@code ?? r0} is the decompiler's rendering
     * of a reused local slot); the intent is: capture arguments when the
     * "Servlet_Check_Access_Around_Medium" monitor asks for them, run the real check,
     * record its result, and post-process. The empty {@code finally} is an artifact.
     *
     * @param z  forwarded as the overload's fourth argument
     * @param z2 forwarded as the overload's fifth argument
     * @return the access decision of the five-argument overload
     */
    public boolean checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z, boolean z2) throws IOException, ServletException {
        LocalHolder localHolder = LocalHolder.getInstance(_WLDF$INST_JPFLD_0, _WLDF$INST_JPFLD_JPMONS_0);
        ?? r0 = localHolder;
        if (localHolder != null) {
            // Monitor is active: snapshot this, request, response and both flags for the joinpoint.
            if (localHolder.argsCapture) {
                localHolder.args = new Object[5];
                Object[] objArr = localHolder.args;
                objArr[0] = this;
                objArr[1] = httpServletRequest;
                objArr[2] = httpServletResponse;
                objArr[3] = InstrumentationSupport.convertToObject(z);
                objArr[4] = InstrumentationSupport.convertToObject(z2);
            }
            InstrumentationSupport.createDynamicJoinPoint(localHolder);
            InstrumentationSupport.preProcess(localHolder);
            LocalHolder localHolder2 = localHolder;
            localHolder2.resetPostBegin();
            r0 = localHolder2;
        }
        try {
            // The actual decision; the leading false selects the per-request constraint.
            r0 = checkAccess(httpServletRequest, httpServletResponse, false, z, z2);
            if (localHolder != null) {
                localHolder.ret = InstrumentationSupport.convertToObject((boolean) r0);
                InstrumentationSupport.createDynamicJoinPoint(localHolder);
                InstrumentationSupport.postProcess(localHolder);
            }
            return r0;
        } finally {
        }
    }

    /**
     * Performs the access check for a request and reports whether it may proceed.
     * <p>
     * Pre-auth filters run first; every exit path — including the exception path —
     * runs the post-auth filters (when pre-auth returned a dispatcher) and clears
     * {@code SecurityModule.REQUEST_AUTH_RESULT} from the request. A forbidden
     * constraint is answered with a 403 here, except that under form authentication
     * the login and error pages themselves are always let through; all other cases are
     * decided by the delegate module.
     * NOTE(review): on the exception path the post-auth filters are invoked with
     * {@code true} as the authorised flag, unlike the 403 path; confirm that is intended.
     *
     * @param z  when {@code true}, evaluate against {@code ResourceConstraint.Holder.ALL_CONSTRAINT}
     *           instead of the constraint matched for the request
     * @param z2 forwarded to the delegate module's {@code isAuthorized}; meaning not visible here
     * @param z3 when {@code true} and the delegate is a {@link JaspicSecurityModule}, a fresh
     *           module from {@link #createDelegateModule(boolean)} performs the check
     * @return {@code true} when the request is authorised to proceed
     * @throws IOException      from {@code sendError} or the delegate
     * @throws ServletException from the filters or the delegate
     */
    public boolean checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z, boolean z2, boolean z3) throws IOException, ServletException {
        RequestDispatcher invokePreAuthFilters = invokePreAuthFilters(httpServletRequest, httpServletResponse);
        try {
            ResourceConstraint constraint = z ? ResourceConstraint.Holder.ALL_CONSTRAINT : getConstraint(httpServletRequest);
            // Anything that is not an outright forbidden constraint (or everything, under
            // full delegation) is decided by the delegate module.
            if (isFullSecurityDelegationRequired() || constraint == null || !constraint.isForbidden()) {
                boolean isAuthorized = ((this.delegateModule instanceof JaspicSecurityModule) && z3) ? createDelegateModule(z3).isAuthorized(httpServletRequest, httpServletResponse, constraint, z2) : this.delegateModule.isAuthorized(httpServletRequest, httpServletResponse, constraint, z2);
                if (invokePreAuthFilters != null) {
                    invokePostAuthFilters(httpServletRequest, httpServletResponse, invokePreAuthFilters, isAuthorized);
                }
                httpServletRequest.removeAttribute(SecurityModule.REQUEST_AUTH_RESULT);
                return isAuthorized;
            }
            // Forbidden constraint: the form-login page and error page are exempt so the
            // login flow itself can still render.
            if (isFormAuth()) {
                String relativeURI = getRelativeURI(httpServletRequest);
                if (relativeURI.equals(getLoginPage()) || relativeURI.equals(getErrorPage())) {
                    if (invokePreAuthFilters != null) {
                        invokePostAuthFilters(httpServletRequest, httpServletResponse, invokePreAuthFilters, true);
                    }
                    httpServletRequest.removeAttribute(SecurityModule.REQUEST_AUTH_RESULT);
                    return true;
                }
            }
            httpServletResponse.sendError(403);
            if (invokePreAuthFilters != null) {
                invokePostAuthFilters(httpServletRequest, httpServletResponse, invokePreAuthFilters, false);
            }
            httpServletRequest.removeAttribute(SecurityModule.REQUEST_AUTH_RESULT);
            return false;
        } catch (Throwable th) {
            // Same cleanup as the normal paths, then rethrow unchanged.
            if (invokePreAuthFilters != null) {
                invokePostAuthFilters(httpServletRequest, httpServletResponse, invokePreAuthFilters, true);
            }
            httpServletRequest.removeAttribute(SecurityModule.REQUEST_AUTH_RESULT);
            throw th;
        }
    }

    /** Delegate module hook run after the access check; result semantics are the module's. */
    public boolean postCheckAccess(HttpServletResponse httpServletResponse) throws IOException {
        SecurityModule module = delegateModule;
        return module.postCheckAccess(httpServletResponse);
    }

    /** Delegate module hook run after the servlet invocation; result semantics are the module's. */
    public boolean postInvoke(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SubjectHandle subjectHandle) throws ServletException {
        SecurityModule module = delegateModule;
        return module.postInvoke(httpServletRequest, httpServletResponse, subjectHandle);
    }

    /** Lets the delegate module wrap the request before it reaches the servlet. */
    public HttpServletRequest getWrappedRequest(HttpServletRequest httpServletRequest) throws ServletException {
        SecurityModule module = delegateModule;
        return module.getWrappedRequest(httpServletRequest);
    }

    /** Lets the delegate module wrap the response before it reaches the servlet. */
    public HttpServletResponse getWrappedResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        SecurityModule module = delegateModule;
        return module.getWrappedResponse(httpServletRequest, httpServletResponse);
    }

    /**
     * Applies the web.xml login-config: form pages (normalised to a leading slash),
     * the canonical auth-method, the cached auth type and the {@code formAuth} flag,
     * then rebuilds the delegate module so the new method takes effect.
     * <p>
     * {@code formAuth} is a substring test, so a composite method containing "FORM"
     * counts as form authentication.
     *
     * @param loginConfigBean parsed login-config; must not be {@code null}
     */
    public void setLoginConfig(LoginConfigBean loginConfigBean) {
        if (loginConfigBean.getFormLoginConfig() != null) {
            String formLoginPage = loginConfigBean.getFormLoginConfig().getFormLoginPage();
            if (formLoginPage != null) {
                loginPage = HttpParsing.ensureStartingSlash(formLoginPage);
            }
            String formErrorPage = loginConfigBean.getFormLoginConfig().getFormErrorPage();
            if (formErrorPage != null) {
                errorPage = HttpParsing.ensureStartingSlash(formErrorPage);
            }
        }
        String method = initAuthMethod(loginConfigBean.getAuthMethod());
        authMethod = method;
        setCachedAuthType(method);
        formAuth = method.toUpperCase().contains("FORM");
        createDelegateModule();
    }

    /**
     * Overrides the auth-method verbatim. Unlike {@link #setLoginConfig} this neither
     * normalises the value nor refreshes {@code formAuth}, the cached auth type or the
     * delegate module.
     */
    public void setAuthMethod(String str) {
        authMethod = str;
    }

    /** Stores the auth type reported by {@link #getCachedAuthType}. */
    public void setCachedAuthType(String str) {
        cachedAuthType = str;
    }

    /** Auth type last stored via {@link #setCachedAuthType}, or {@code null}. */
    public String getCachedAuthType() {
        return cachedAuthType;
    }

    /** Replaces the delegate module with a freshly created one for this context. */
    public void createDelegateModule() {
        SecurityModule module = SecurityModule.createModule(securityContext, this, false);
        delegateModule = module;
    }

    /**
     * Creates a security module for this context without installing it as the delegate.
     *
     * @param z forwarded to {@code SecurityModule.createModule}; meaning not visible here
     */
    public SecurityModule createDelegateModule(boolean z) {
        SecurityModule module = SecurityModule.createModule(securityContext, this, z);
        return module;
    }

    /**
     * Registers the application's JASPIC AuthConfigProvider, if one is configured and enabled.
     * <p>
     * {@code jaspicEnabled} starts from the domain-level flag and is only cleared when the
     * application's provider element is present but disabled. When the element is absent,
     * or no {@code AuthConfigFactory} is installed, the domain value is kept although
     * nothing is registered. The "Registered" debug line is emitted whenever
     * {@link #instantiateAndRegister} returns normally, including its silent early
     * returns for a missing or unknown provider name.
     *
     * @param jASPICMBean         domain JASPIC configuration
     * @param jASPICProviderBean  application provider element, may be {@code null}
     * @throws DeploymentException from provider instantiation
     */
    public void registerJaspicProvider(JASPICMBean jASPICMBean, JASPICProviderBean jASPICProviderBean) throws DeploymentException {
        jaspicEnabled = jASPICMBean.isEnabled();
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        if (jASPICProviderBean == null) {
            return;
        }
        if (factory == null) {
            athnLogger.debug("AuthConfigFactory.getFactory returned NULL - JASPIC is not functional");
            return;
        }
        if (!jASPICProviderBean.isEnabled()) {
            jaspicEnabled = false;
            athnLogger.debug("JASPIC is disabled for this application");
            return;
        }
        instantiateAndRegister(factory, jASPICMBean, jASPICProviderBean);
        athnLogger.debug("Registered JASPIC AuthConfigProvider for application.");
    }

    /** Effective JASPIC flag as computed by {@link #registerJaspicProvider}. */
    public boolean isJaspicEnabled() {
        return jaspicEnabled;
    }

    /** The registration listener this object attaches to the {@code AuthConfigFactory}. */
    public RegistrationListener getJaspicListener() {
        return jaspicListener;
    }

    /**
     * Looks up the configured AuthConfigProvider MBean, builds the provider and registers
     * it with the factory for the servlet layer and this application's context id.
     * <p>
     * Returns silently when the provider name is unset or {@link #toProvider} yields
     * {@code null} (unknown MBean type); only a successful registration sets
     * {@code registrationId}.
     *
     * @param authConfigFactory  factory to register with; asserted non-null
     * @param jASPICMBean        domain JASPIC configuration used for the provider lookup
     * @param jASPICProviderBean application provider element naming the provider
     * @throws DeploymentException from provider construction
     */
    private void instantiateAndRegister(AuthConfigFactory authConfigFactory, JASPICMBean jASPICMBean, JASPICProviderBean jASPICProviderBean) throws DeploymentException {
        if (!$assertionsDisabled && authConfigFactory == null) {
            throw new AssertionError();
        }
        String providerName = jASPICProviderBean.getAuthConfigProviderName();
        if (providerName == null) {
            return;
        }
        AuthConfigProviderMBean providerMBean = jASPICMBean.lookupAuthConfigProvider(providerName);
        String appContextId = SecurityModule.getAppContextId(securityContext);
        AuthConfigProvider provider = toProvider(providerMBean, appContextId);
        if (provider == null) {
            return;
        }
        registrationId = authConfigFactory.registerConfigProvider(provider, LAYER_NAME, appContextId, null);
        athnLogger.debug("registrationId: " + registrationId + " has been used to bind an ACP to application.");
    }

    /**
     * Dispatches on the concrete MBean type to build the matching {@link AuthConfigProvider}.
     *
     * @param authConfigProviderMBean the configured provider MBean; may be {@code null}
     * @param str the application context id (only used by the WLS provider path)
     * @return the provider, or {@code null} if the MBean is neither a WLS nor a custom provider
     * @throws DeploymentException if the selected provider cannot be created
     */
    private AuthConfigProvider toProvider(AuthConfigProviderMBean authConfigProviderMBean, String str) throws DeploymentException {
        if (authConfigProviderMBean instanceof WLSAuthConfigProviderMBean) {
            return createWLSAuthConfigProvider(authConfigProviderMBean, str);
        }
        if (authConfigProviderMBean instanceof CustomAuthConfigProviderMBean) {
            final AuthConfigProvider custom = createCustomAuthConfigProvider(authConfigProviderMBean, null);
            athnLogger.debug(custom.getClass().getName() + " is being registered as a Custom AuthConfigProvider.");
            return custom;
        }
        return null;
    }

    /**
     * Reflectively instantiates an administrator-configured custom {@link AuthConfigProvider}.
     *
     * <p>The class name and property map come from the {@code CustomAuthConfigProviderMBean}
     * (server configuration, not request data). The class is loaded with {@code Class.forName}
     * and constructed via its {@code (Map, AuthConfigFactory)} constructor with a {@code null}
     * factory. A {@code ClassCastException} from a class that is not an
     * {@code AuthConfigProvider} is not translated and propagates as-is.
     *
     * @param authConfigProviderMBean must be a {@code CustomAuthConfigProviderMBean}
     * @param authConfigProvider unused; callers pass {@code null}
     * @return the newly constructed provider
     * @throws DeploymentException wrapping any reflection, access or argument failure
     */
    private AuthConfigProvider createCustomAuthConfigProvider(AuthConfigProviderMBean authConfigProviderMBean, AuthConfigProvider authConfigProvider) throws DeploymentException {
        final CustomAuthConfigProviderMBean customMBean = (CustomAuthConfigProviderMBean) authConfigProviderMBean;
        try {
            final Class<?> providerClass = Class.forName(customMBean.getClassName());
            final Object instance = providerClass
                    .getConstructor(Map.class, AuthConfigFactory.class)
                    .newInstance(customMBean.getProperties(), null);
            return (AuthConfigProvider) instance;
        } catch (ReflectiveOperationException | IllegalArgumentException | SecurityException e) {
            // Same handling for every reflection failure: log at debug with the cause, then wrap.
            athnLogger.debug("Exception caught during Custom ACP creation.", e);
            throw new DeploymentException("Unable to create AuthConfigProvider", e);
        }
    }

    /**
     * Builds a {@code SimpleAuthConfigProvider} wired with the single server auth module that the
     * WLS provider MBean names.
     *
     * @param authConfigProviderMBean must be a {@code WLSAuthConfigProviderMBean}
     * @param str the application context id the configuration is created for
     * @return the configured provider
     * @throws DeploymentException if the MBean has no auth module
     */
    private AuthConfigProvider createWLSAuthConfigProvider(AuthConfigProviderMBean authConfigProviderMBean, String str) throws DeploymentException {
        final SimpleAuthConfigProvider provider = new SimpleAuthConfigProvider(new Properties(), null);
        athnLogger.debug(provider.getClass().getName() + " is being registered for applicationId: " + str);
        final AuthModuleMBean module = ((WLSAuthConfigProviderMBean) authConfigProviderMBean).getAuthModule();
        if (module == null) {
            athnLogger.debug("No modules are configured for use in a registration for applicationId: " + str);
            throw new DeploymentException("Unable to create AuthConfigProvider for " + str + " - no modules specified");
        }
        final String moduleClassName = module.getClassName();
        // The module is registered by class name only; request/response policies are left null.
        provider.createConfiguration(LAYER_NAME, str)
                .addServerAuthModule(moduleClassName, null, null, module.getProperties());
        athnLogger.debug(moduleClassName + " is configured for use in a registration for applicationId: " + str);
        return provider;
    }

    /**
     * Forwards the realm banner to the delegate module; requires {@code delegateModule} to be set.
     *
     * @param str the realm name shown in auth challenges
     */
    public void setAuthRealmName(String str) {
        delegateModule.setAuthRealmBanner(str);
    }

    /**
     * Tells whether the subject holds one of the administrative roles {@code Admin} or
     * {@code AppTester}.
     *
     * @param subjectHandle the subject to check; {@code null} is treated as not admin
     * @return {@code true} only for a non-null subject in one of those roles
     */
    protected boolean checkAdminMode(SubjectHandle subjectHandle) {
        return subjectHandle != null
                && subjectHandle.isInAdminRoles(new String[]{"Admin", "AppTester"});
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the {@code https://} URL a request should be sent to for a confidential resource.
     *
     * <p>The host comes from {@link HttpServletRequest#getServerName()}, i.e. from the incoming
     * request rather than from server configuration; the port is the configured front-end HTTPS
     * port, or the public port of the local HTTPS channel when none is configured. Port 443 is
     * omitted from the URL. The path is run through the original response's proxy-path header
     * processing and the query string is re-attached only when it is longer than one character.
     *
     * @param httpServletRequest  the current request (host and query string)
     * @param httpServletResponse the current response (used to resolve proxy path headers)
     * @param str                 the path to secure
     * @return the absolute HTTPS URL, or {@code null} if no HTTPS port can be determined
     */
    public final String getSecuredURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        final String host = httpServletRequest.getServerName();
        int httpsPort = getSecurityContext().getFrontEndHTTPSPort();
        if (httpsPort == 0) {
            final ServerChannel httpsChannel = ServerChannelManager.findLocalServerChannel(ProtocolHandlerHTTPS.PROTOCOL_HTTPS);
            if (httpsChannel == null) {
                return null;
            }
            httpsPort = httpsChannel.getPublicPort();
        }
        final String path = ServletResponseImpl.getOriginalResponse(httpServletResponse).processProxyPathHeaders(str);
        final String query = httpServletRequest.getQueryString();
        final StringBuilder url = new StringBuilder("https://").append(host);
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(path);
        // NOTE(review): a one-character query string is dropped (> 1, not > 0) — confirm intended.
        if (query != null && query.length() > 1) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Resolves the context-relative URI used for security-constraint matching.
     *
     * <p>Precedence: a server-set {@code SecurityModule.WEBFLOW_RESOURCE} request attribute wins;
     * otherwise a {@code ServletRequestImpl} answers directly; otherwise the resolved URI has the
     * resolved context path stripped when it is a non-empty prefix.
     *
     * @param httpServletRequest the request to resolve
     * @return the relative URI (never strips a context path that is {@code null} or empty)
     */
    public static final String getRelativeURI(HttpServletRequest httpServletRequest) {
        final String webflowResource = (String) httpServletRequest.getAttribute(SecurityModule.WEBFLOW_RESOURCE);
        if (webflowResource != null) {
            return webflowResource;
        }
        if (httpServletRequest instanceof ServletRequestImpl) {
            return ((ServletRequestImpl) httpServletRequest).getRelativeUri();
        }
        final String uri = ServletRequestImpl.getResolvedURI(httpServletRequest);
        final String contextPath = ServletRequestImpl.getResolvedContextPath(httpServletRequest);
        final boolean hasContextPrefix = contextPath != null
                && contextPath.length() > 0
                && uri.startsWith(contextPath);
        return hasContextPrefix ? uri.substring(contextPath.length()) : uri;
    }

    /**
     * Normalises a url-pattern from the deployment descriptor.
     *
     * @param str the raw pattern; must not be {@code null}
     * @return {@code "/"} for a default pattern, the pattern unchanged when it is an extension
     *         mapping ({@code *.ext}), otherwise the pattern with a leading slash guaranteed
     */
    public static String fixupURLPattern(String str) {
        if (isDefaultUrlPattern(str)) {
            return "/";
        }
        if (str.startsWith("*.")) {
            return str;
        }
        return HttpParsing.ensureStartingSlash(str);
    }

    /**
     * Decides whether a url-pattern denotes the default mapping.
     *
     * <p>Patterns longer than two characters are rejected before the provider is consulted. In
     * strict mode only {@code "/"} qualifies; otherwise a bare {@code "*"} is accepted as well.
     *
     * @param str the pattern; must not be {@code null}
     * @return {@code true} if the pattern is the default mapping
     */
    private static boolean isDefaultUrlPattern(String str) {
        if (str.length() > 2) {
            return false;
        }
        final boolean isSlash = str.equals("/");
        if (getProvider().getEnforceStrictURLPattern()) {
            return isSlash;
        }
        return isSlash || str.equals("*");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Recognises the descriptor encoding for "defined externally": exactly one element that is
     * {@code null} or empty.
     *
     * @param strArr the role/principal list; {@code null} is not externally defined
     * @return {@code true} only for a single-element array whose element is null or empty
     */
    public boolean isExternallyDefined(String[] strArr) {
        if (strArr == null || strArr.length != 1) {
            return false;
        }
        final String only = strArr[0];
        return only == null || only.isEmpty();
    }

    /**
     * Returns the web app's context name, substituting {@code "Default WebApplication"} when the
     * security context reports none.
     *
     * @return a non-null display name for this web app
     */
    final String getContextName() {
        final String name = getSecurityContext().getContextName();
        return name != null ? name : "Default WebApplication";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Exposes the {@link ServletSecurityContext} this instance was built around.
     *
     * @return the security context
     */
    public final ServletSecurityContext getSecurityContext() {
        return securityContext;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Convenience accessor for the security context's request facade.
     *
     * @return the facade obtained from {@code securityContext}
     */
    public final ServletObjectsFacade getRequestFacade() {
        return securityContext.getRequestFacade();
    }

    /**
     * Deploys each complete {@code security-role-ref} (role-name plus role-link) for a servlet.
     *
     * <p>Entries missing either the name or the link are skipped silently.
     *
     * @param servletStubImpl        the servlet the references belong to
     * @param securityRoleRefBeanArr the descriptor entries; {@code null} means nothing to do
     * @throws DeploymentException propagated from {@code deployRoleLink}
     */
    public final void registerSecurityRoleRef(ServletStubImpl servletStubImpl, SecurityRoleRefBean[] securityRoleRefBeanArr) throws DeploymentException {
        if (securityRoleRefBeanArr == null) {
            return;
        }
        for (final SecurityRoleRefBean ref : securityRoleRefBeanArr) {
            final String roleName = ref.getRoleName();
            final String roleLink = ref.getRoleLink();
            if (roleName == null || roleLink == null) {
                continue;
            }
            deployRoleLink(servletStubImpl, roleName, roleLink);
        }
    }

    /**
     * Creates a fresh {@link FilterChain} over the configured authentication filters.
     *
     * @return a new chain on every call; never cached
     */
    public FilterChain getAuthFilterChain() {
        final FilterChain chain = new AuthFilterChain(authFilters, securityContext);
        return chain;
    }

    /**
     * Returns the dispatcher created by {@link #setAuthFilter(String)}.
     *
     * @return the auth-filter dispatcher, or {@code null} if no auth filter is configured
     */
    private RequestDispatcher getAuthFilterRD() {
        return authFilterRD;
    }

    /**
     * Returns the configured auth filter name.
     *
     * @return the value last passed to {@link #setAuthFilter(String)}, or {@code null}
     */
    public final String getAuthFilter() {
        return authFilter;
    }

    /**
     * Configures the auth filter and eagerly creates its {@link RequestDispatcher} through the
     * security context, so pre/post-auth invocations have a dispatcher ready.
     *
     * @param str the auth filter name/path; passed unchanged to the security context
     */
    public final void setAuthFilter(String str) {
        authFilter = str;
        authFilterRD = getSecurityContext().createAuthFilterRequestDispatcher(str);
    }

    /**
     * Runs the configured auth filter before authentication, as the anonymous subject.
     *
     * <p>{@code SecurityModule.REQUEST_AUTH_RESULT} is set to {@code -1} for the duration of the
     * call and removed afterwards. A throwable coming back from the filter is only logged; it
     * does not abort the request.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @return the dispatcher that was invoked, or {@code null} when no auth filter is configured
     */
    private RequestDispatcher invokePreAuthFilters(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final RequestDispatcher dispatcher = getAuthFilterRD();
        if (dispatcher == null) {
            return null;
        }
        httpServletRequest.setAttribute(SecurityModule.REQUEST_AUTH_RESULT, Integer.valueOf(-1));
        final AuthFilterAction action = new AuthFilterAction(httpServletRequest, httpServletResponse, dispatcher);
        final Throwable failure = (Throwable) getProvider().getAnonymousSubject().run(action);
        if (failure != null) {
            HTTPLogger.logAuthFilterInvocationFailed(getAuthFilter(), "pre-auth", httpServletRequest.getRequestURI(), failure);
        }
        httpServletRequest.removeAttribute(SecurityModule.REQUEST_AUTH_RESULT);
        return dispatcher;
    }

    /**
     * Runs the auth filter after the authentication attempt and lets it veto the result.
     *
     * <p>If {@code REQUEST_AUTH_RESULT} is not already set it is initialised to {@code 0} when
     * {@code z} is true (and the filter runs as the current user) or {@code 1} otherwise (filter
     * runs as the anonymous subject). After the filter returns, a value of {@code 1} combined with
     * {@code z == true} triggers {@code delegateModule.sendError}. Filter failures are logged only.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param requestDispatcher   the auth-filter dispatcher to invoke
     * @param z                   appears to mean "authentication succeeded" — confirm at callers
     * @throws IOException propagated from {@code sendError}
     */
    private final void invokePostAuthFilters(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RequestDispatcher requestDispatcher, boolean z) throws IOException {
        SubjectHandle runAs = null;
        if (httpServletRequest.getAttribute(SecurityModule.REQUEST_AUTH_RESULT) == null) {
            final int initialResult;
            if (z) {
                runAs = SecurityModule.getCurrentUser(getSecurityContext(), httpServletRequest);
                initialResult = 0;
            } else {
                initialResult = 1;
            }
            httpServletRequest.setAttribute(SecurityModule.REQUEST_AUTH_RESULT, Integer.valueOf(initialResult));
        }
        if (runAs == null) {
            runAs = getProvider().getAnonymousSubject();
        }
        final Throwable failure = (Throwable) runAs.run(new AuthFilterAction(httpServletRequest, httpServletResponse, requestDispatcher));
        if (failure != null) {
            HTTPLogger.logAuthFilterInvocationFailed(getAuthFilter(), "post-auth", httpServletRequest.getRequestURI(), failure);
        }
        // The filter may have rewritten the attribute; re-read it rather than trusting the initial value.
        final Integer outcome = (Integer) httpServletRequest.getAttribute(SecurityModule.REQUEST_AUTH_RESULT);
        if (z && outcome != null && outcome.intValue() == 1) {
            delegateModule.sendError(httpServletRequest, httpServletResponse);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Runs the servlet-authentication filter chain under the kernel subject.
     *
     * <p>The kernel subject is fetched in a privileged block and the chain is executed with that
     * identity; unlike the pre/post auth filters, a throwable from the chain aborts the request
     * by being rethrown as a {@link ServletException}. Nothing happens when no auth filters are
     * configured.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws ServletException wrapping any throwable the chain produced
     */
    public void invokeAuthFilterChain(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        if (!hasAuthFilters()) {
            return;
        }
        final SubjectHandle kernel = AccessController.doPrivileged(new PrivilegedAction<SubjectHandle>() {
            @Override
            public SubjectHandle run() {
                return WebAppSecurity.getProvider().getKernelSubject();
            }
        });
        final ServletAuthenticationFilterAction action =
                new ServletAuthenticationFilterAction(httpServletRequest, httpServletResponse, getAuthFilterChain());
        final Throwable failure = (Throwable) kernel.run(action);
        if (failure != null) {
            throw new ServletException(failure);
        }
    }

    /**
     * Programmatic username/password login (servlet {@code login} semantics).
     *
     * <p>Rejected outright when the auth-method is {@code CLIENT_CERT}. Otherwise the credentials
     * are handed to {@code SecurityModule.checkAuthenticate}; a {@code null} result or a
     * {@link LoginException} becomes a {@link ServletException}. On success the delegate module
     * records the login against the existing session (none is created) and the subject is pushed
     * onto the current thread.
     *
     * @param str                 the username
     * @param str2                the password; forwarded only, never logged here
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @throws ServletException on unsupported auth-method, failed authentication, or a login error
     */
    public void login(String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        if ("CLIENT_CERT".equals(getAuthMethod())) {
            throw new ServletException("client-cert can't support login type for user and password");
        }
        try {
            final SubjectHandle authenticated =
                    SecurityModule.checkAuthenticate(getSecurityContext(), httpServletRequest, httpServletResponse, str, str2);
            if (authenticated == null) {
                throw new ServletException("Failed to login");
            }
            final SessionSecurityData session = SecurityModule.getUserSession(httpServletRequest, false);
            delegateModule.login(httpServletRequest, authenticated, session);
            pushSubject(authenticated);
        } catch (LoginException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Programmatic logout: logs the session's security data out, detaches the authenticated user
     * from the session (if one exists) and swaps the thread's subject back to anonymous.
     *
     * @param httpServletRequest the current request; no session is created if none exists
     */
    public void logout(HttpServletRequest httpServletRequest) {
        final SessionSecurityData session = SecurityModule.getUserSession(httpServletRequest, false);
        SecurityModule.logout(getSecurityContext(), session);
        if (session != null) {
            getSecurityContext().removeAuthUserFromSession(httpServletRequest, session.getIdWithServerInfo());
        }
        popCurrentSubject();
    }

    /**
     * In a privileged block, replaces a non-anonymous current subject with the anonymous subject.
     * Does nothing when there is no current subject or it is already anonymous.
     */
    private void popCurrentSubject() {
        final PrivilegedAction<Void> swapToAnonymous = new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                final SubjectHandle current = WebAppSecurity.getProvider().getCurrentSubject();
                final boolean nothingToPop = current == null || current.isAnonymous();
                if (!nothingToPop) {
                    WebAppSecurity.getProvider().popSubject();
                    WebAppSecurity.getProvider().pushSubject(WebAppSecurity.getProvider().getAnonymousSubject());
                }
                return null;
            }
        };
        AccessController.doPrivileged(swapToAnonymous);
    }

    /**
     * Pushes the given subject onto the provider's current-subject stack inside a privileged block.
     *
     * @param subjectHandle the subject to make current
     */
    private void pushSubject(final SubjectHandle subjectHandle) {
        final PrivilegedAction<Void> push = new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                WebAppSecurity.getProvider().pushSubject(subjectHandle);
                return null;
            }
        };
        AccessController.doPrivileged(push);
    }

    /**
     * Adds the given role names to this web app's declared roles (servlet {@code declareRoles}).
     *
     * @param strArr role names; a {@code null} array raises {@link NullPointerException}
     */
    public void declareRoles(String... strArr) {
        for (final String role : strArr) {
            roleNames.add(role);
        }
    }

    /**
     * Returns the {@code SecurityServices} handed to JASPIC modules for this web app.
     *
     * @return the security services instance held by this object
     */
    public SecurityServices getJaspicSecurityServices() {
        return securityServices;
    }

    /**
     * Returns the listener that reacts to descriptor-bean updates for this web app.
     *
     * @return the stored {@link BeanUpdateListener}
     */
    public BeanUpdateListener getBeanUpdateListener() {
        return beanUpdateListener;
    }

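    /**
     * Builds the listener that re-binds the JASPIC provider when its descriptor bean changes.
     *
     * <p>Only property changes are acted on: the existing registration is dropped, the provider
     * is re-registered from the updated {@code JASPICProviderBean} using the domain's JASPIC
     * settings, and the delegate module is rebuilt. Add/remove events are ignored.
     *
     * @return a new listener bound to this {@code WebAppSecurity}
     */
    private BeanUpdateListener createBeanUpdateListener() {
        return new WebComponentBeanUpdateListener() {
            @Override
            protected void handlePropertyChange(BeanUpdateEvent.PropertyUpdate propertyUpdate, DescriptorBean descriptorBean) {
                rebindJaspicProvider(descriptorBean);
            }

            /** Unregisters, re-registers from the updated bean, then rebuilds the delegate module. */
            private void rebindJaspicProvider(DescriptorBean descriptorBean) {
                WebAppSecurity.this.unregisterJaspicProvider();
                try {
                    final JASPICMBean domainJaspic = WebServerRegistry.getInstance()
                            .getManagementProvider()
                            .getDomainMBean()
                            .getSecurityConfiguration()
                            .getJASPIC();
                    WebAppSecurity.this.registerJaspicProvider(domainJaspic, (JASPICProviderBean) descriptorBean);
                } catch (DeploymentException e) {
                    // Keep the cause in the log: a silent re-registration failure otherwise leaves
                    // the app with no provider bound and no diagnosable reason.
                    WebAppSecurity.this.athnLogger.debug(
                            "Unable to register JASPIC provider for: " + WebAppSecurity.this.registrationId, e);
                }
                // NOTE(review): the delegate is rebuilt even when re-registration failed — confirm
                // that isJaspicEnabled() reflects the failed state before relying on it.
                WebAppSecurity.this.createDelegateModule();
            }

            @Override
            protected void handlePropertyRemove(BeanUpdateEvent.PropertyUpdate propertyUpdate) {
                // Not handled for JASPIC configuration.
            }

            @Override
            protected void prepareBeanAdd(BeanUpdateEvent.PropertyUpdate propertyUpdate, DescriptorBean descriptorBean) throws BeanUpdateRejectedException {
                // Not handled for JASPIC configuration.
            }

            @Override
            protected void handleBeanAdd(BeanUpdateEvent.PropertyUpdate propertyUpdate, DescriptorBean descriptorBean) {
                // Not handled for JASPIC configuration.
            }

            @Override
            protected void handleBeanRemove(BeanUpdateEvent.PropertyUpdate propertyUpdate) {
                // Not handled for JASPIC configuration.
            }
        };
    }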

    /**
     * Reports whether {@code deny-uncovered-http-methods} was set for this web app.
     *
     * @return the flag last stored via {@link #setDenyUncoveredMethodsSet(boolean)}
     */
    public boolean isDenyUncoveredMethodsSet() {
        return isDenyUncoveredMethodsSet;
    }

    /**
     * Records whether {@code deny-uncovered-http-methods} applies to this web app.
     *
     * @param z {@code true} to deny HTTP methods not covered by a security constraint
     */
    public void setDenyUncoveredMethodsSet(boolean z) {
        isDenyUncoveredMethodsSet = z;
    }

    /**
     * Reports whether the deployment descriptor declares the any-authenticated-user role.
     *
     * @return the flag computed at initialisation
     */
    public boolean isAnyAuthUserRoleDefinedInDD() {
        return isAnyAuthUserRoleDefinedInDD;
    }

    static {
        // Compiler artifact backing `assert` statements in this class: true when assertions are
        // disabled for WebAppSecurity at class-load time.
        $assertionsDisabled = !WebAppSecurity.class.desiredAssertionStatus();
    }
}
