package com.sun.web.security;

import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.WebComponentDescriptor;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.AppCNonceCacheMap;
import com.sun.enterprise.security.CNonceCacheFactory;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.WebSecurityDeployerProbeProvider;
import com.sun.enterprise.security.auth.digest.api.DigestAlgorithmParameter;
import com.sun.enterprise.security.auth.digest.api.Key;
import com.sun.enterprise.security.auth.digest.impl.DigestParameterGenerator;
import com.sun.enterprise.security.auth.digest.impl.HttpAlgorithmParameterImpl;
import com.sun.enterprise.security.auth.digest.impl.NestedDigestAlgoParamImpl;
import com.sun.enterprise.security.auth.login.DigestCredentials;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.integration.RealmInitializer;
import com.sun.enterprise.security.jmac.config.HttpServletHelper;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.enterprise.security.web.integration.WebSecurityManager;
import com.sun.enterprise.security.web.integration.WebSecurityManagerFactory;
import com.sun.enterprise.util.Utility;
import com.sun.enterprise.util.net.NetUtils;
import com.sun.logging.LogDomains;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.inject.Provider;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.security.jacc.PolicyContext;
import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.grizzly.config.dom.NetworkConfig;
import org.glassfish.grizzly.config.dom.NetworkListener;
import org.glassfish.grizzly.config.dom.NetworkListeners;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.CNonceCache;
import org.glassfish.security.common.NonceInfo;
import org.jvnet.hk2.annotations.Service;

@Service
@PerLookup
/* loaded from: input_file:com/sun/web/security/RealmAdapter.class */
public class RealmAdapter extends RealmBase implements RealmInitializer, PostConstruct {
    public static final String SECURITY_CONTEXT = "SecurityContext";
    public static final String BASIC = "BASIC";
    // Compared with LoginConfig.getAuthMethod() to detect form-based login.
    public static final String FORM = "FORM";
    // Key under which the ServerAuthContext is looked up in MessageInfo.getMap().
    private static final String SERVER_AUTH_CONTEXT = "__jakarta.security.auth.message.ServerAuthContext";
    // Request attribute name under which the per-request MessageInfo is looked up.
    private static final String MESSAGE_INFO = "__jakarta.security.auth.message.MessageInfo";
    private static final String SYSTEM_HTTPSERVLET_SECURITY_PROVIDER = "system_httpservlet_security_provider";
    private WebBundleDescriptor webBundleDescriptor;
    // Servlet name -> run-as principal name; consulted by preSetRunAsIdentity/postSetRunAsIdentity.
    private HashMap<String, String> runAsPrincipals;
    private String realmName;
    protected static final String name = "J2EE-RI-RealmAdapter";
    private String contextId;
    private Container virtualServer;
    // Lazily fetched from webSecurityManagerFactory by getWebSecurityManager(); may stay null.
    protected volatile WebSecurityManager webSecurityManager;
    protected boolean isCurrentURIincluded = false;
    // Guards contextEvaluated in invokeWebSecurityManager().
    protected final ReadWriteLock rwLock = new ReentrantReadWriteLock();
    private boolean contextEvaluated = false;
    // Captured from the LoginConfig when the auth method is FORM; requests for these exact
    // paths are allowed through without a resource-permission check.
    // NOTE(review): written under rwLock's write lock but read without any lock and not volatile.
    private String loginPage;
    private String errorPage;
    private String moduleID;
    private boolean isSystemApp;
    // Null-checked before every use in the visible methods; set up by initConfigHelper().
    private HttpServletHelper helper;

    @Inject
    private ServerContext serverContext;

    @Inject
    private Provider<AppCNonceCacheMap> appCNonceCacheMapProvider;

    @Inject
    private Provider<CNonceCacheFactory> cNonceCacheFactoryProvider;

    @Inject
    @Named("default-instance-name")
    private NetworkConfig networkConfig;

    @Inject
    protected WebSecurityManagerFactory webSecurityManagerFactory;
    private CNonceCacheFactory cNonceCacheFactory;
    private CNonceCache cnonces;
    private AppCNonceCacheMap haCNonceCacheMap;
    private NetworkListeners networkListeners;
    private static final Logger _logger = LogDomains.getLogger(RealmAdapter.class, "jakarta.enterprise.system.container.web");
    private static final ResourceBundle resourceBundle = _logger.getResourceBundle();
    private static final WebSecurityDeployerProbeProvider websecurityProbeProvider = new WebSecurityDeployerProbeProvider();
    private static final SecurityConstraint[] emptyConstraints = new SecurityConstraint[0];
    // NOTE(review): static but not final, so it can be reassigned after class initialisation.
    private static String defaultSystemProviderID = getDefaultSystemProviderID();
    // Per-thread one-byte flag; logout(HttpRequest) sets it to 1 while it runs to detect re-entry.
    private static ThreadLocal<byte[]> reentrancyStatus = ThreadLocal.withInitial(() -> {
        return new byte[]{0};
    });
    // Auth type AuthenticatorProxy falls back to when none is supplied.
    // NOTE(review): static but not final; consider making it a constant.
    private static String PROXY_AUTH_TYPE = "PLUGGABLE_PROVIDER";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$AuthenticatorProxy.class */
    /**
     * Authenticator that wraps an existing {@link AuthenticatorBase} and registers a principal
     * that was established elsewhere.
     *
     * <p>Security note: {@link #authenticate} performs no credential check of its own. It registers
     * the principal handed to the constructor and reports success, so an instance must only be
     * built after the caller has already authenticated that principal. {@code authenticate} also
     * dereferences the principal, so a proxy built with a {@code null} principal (as the logout
     * path does) must not be asked to authenticate.
     */
    public static class AuthenticatorProxy extends AuthenticatorBase {
        private AuthenticatorBase authBase;
        private Principal principal;
        private String authType;

        /**
         * Wraps {@code authenticator}, copies its cache and container settings, and starts this
         * proxy.
         *
         * @param authenticator the wrapped authenticator; must be an {@link AuthenticatorBase}
         * @param principal the already-established principal to register, may be {@code null}
         * @param str the auth type to report, or {@code null} for the default proxy auth type
         * @throws LifecycleException declared by this constructor, which calls {@code start()}
         */
        AuthenticatorProxy(Authenticator authenticator, Principal principal, String str) throws LifecycleException {
            this.authBase = (AuthenticatorBase) authenticator;
            this.principal = principal;
            if (str == null) {
                this.authType = RealmAdapter.PROXY_AUTH_TYPE;
            } else {
                this.authType = str;
            }
            setCache(authBase.getCache());
            setContainer(authBase.getContainer());
            start();
        }

        /** Returns the cache setting of the wrapped authenticator. */
        public boolean getCache() {
            return authBase.getCache();
        }

        /** Returns the container of the wrapped authenticator. */
        public Container getContainer() {
            return authBase.getContainer();
        }

        /**
         * Registers the stored principal on the request and always returns {@code true}; when
         * caching is on, a session is requested first.
         */
        public boolean authenticate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig) throws IOException {
            if (cache) {
                getSession(httpRequest, true);
            }
            String userName = principal.getName();
            register(httpRequest, httpResponse, principal, authType, userName, null);
            return true;
        }

        /** Returns the auth type chosen at construction time. */
        public String getAuthMethod() {
            return authType;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$HttpMessageInfo.class */
    /**
     * Minimal {@link MessageInfo} holder for one HTTP request/response pair plus a property map.
     */
    public static class HttpMessageInfo implements MessageInfo {
        private Object request = null;
        private Object response = null;
        private Map map = new HashMap();

        /** Creates an empty holder with no messages and an empty map. */
        HttpMessageInfo() {
        }

        /** Creates a holder bound to the given request and response. */
        HttpMessageInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            request = httpServletRequest;
            response = httpServletResponse;
        }

        /** Returns the current request message, possibly {@code null}. */
        public Object getRequestMessage() {
            return request;
        }

        /** Returns the current response message, possibly {@code null}. */
        public Object getResponseMessage() {
            return response;
        }

        /** Replaces the request message. */
        public void setRequestMessage(Object obj) {
            request = obj;
        }

        /** Replaces the response message. */
        public void setResponseMessage(Object obj) {
            response = obj;
        }

        /** Returns the live, mutable property map (not a copy). */
        public Map getMap() {
            return map;
        }
    }

    /**
     * Creates an adapter with no realm or module set; {@link #initializeRealm} supplies them later.
     */
    public RealmAdapter() {
        super();
    }

    /**
     * Creates an adapter bound to a realm and module without a deployment descriptor.
     *
     * @param str the realm name
     * @param str2 the module id
     */
    public RealmAdapter(String str, String str2) {
        realmName = str;
        moduleID = str2;
    }

    /**
     * Binds this adapter to a web module's descriptor and derives realm name, context id,
     * module id and the run-as principal table from it.
     *
     * @param obj the module descriptor; must be a {@link WebBundleDescriptor}
     * @param z whether the module is a system application
     * @param str value handed to {@code findRealmName} to resolve the realm name
     */
    public void initializeRealm(Object obj, boolean z, String str) {
        isSystemApp = z;
        webBundleDescriptor = (WebBundleDescriptor) obj;
        realmName = findRealmName(str);
        contextId = WebSecurityManager.getContextID(webBundleDescriptor);
        moduleID = webBundleDescriptor.getModuleID();
        collectRunAsPrincipals();
    }

    /**
     * Reports whether a server auth config is available for this context, initialising the
     * config helper on first use.
     *
     * @param servletContext context handed to {@code initConfigHelper} when no helper exists yet
     * @return {@code true} when the helper yields a non-null server auth config
     * @throws RuntimeException wrapping any exception raised while querying the helper
     */
    public boolean isSecurityExtensionEnabled(ServletContext servletContext) {
        if (helper == null) {
            initConfigHelper(servletContext);
        }
        try {
            boolean configured = helper.getServerAuthConfig() != null;
            return configured;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Delegates to the context-only overload; the request itself is not consulted here.
     */
    public SecurityConstraint[] findSecurityConstraints(HttpRequest httpRequest, Context context) {
        SecurityConstraint[] constraints = findSecurityConstraints(context);
        return constraints;
    }

    /**
     * Delegates to the context-only overload; the two string arguments are not consulted here.
     */
    public SecurityConstraint[] findSecurityConstraints(String str, String str2, Context context) {
        SecurityConstraint[] constraints = findSecurityConstraints(context);
        return constraints;
    }

    /**
     * Convenience overload: runs the user-data (transport) check with the two optional string
     * arguments left {@code null}.
     */
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        boolean permitted = hasUserDataPermission(httpRequest, httpResponse, securityConstraintArr, null, null);
        return permitted;
    }

    /**
     * Checks the transport guarantee for a request.
     *
     * <p>A request that is already secure is accepted immediately. Otherwise the
     * WebSecurityManager decides: a result of {@code -1} leads to an SSL redirect, {@code 0} to a
     * 403 response, anything else to acceptance. A missing manager denies the request.
     *
     * @param str passed through to the manager's user-data check; may be {@code null}
     * @param str2 passed through to the manager's user-data check; may be {@code null}
     * @return {@code true} when processing may continue, or the result of {@code redirect}
     * @throws IOException if sending the error response or the redirect fails
     */
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, String str, String str2) throws IOException {
        final HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        if (servletRequest.getServletPath() == null) {
            // Derive the servlet path from the URI when the container has not set one yet.
            String resourceName = getResourceName(servletRequest.getRequestURI(), servletRequest.getContextPath());
            httpRequest.setServletPath(resourceName);
        }
        _logger.fine(() -> "[Web-Security][ hasUserDataPermission ] Principal: " + servletRequest.getUserPrincipal() + " ContextPath: " + servletRequest.getContextPath());

        if (httpRequest.getRequest().isSecure()) {
            _logger.fine(() -> "[Web-Security] request.getRequest().isSecure(): " + httpRequest.getRequest().isSecure());
            return true;
        }

        WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // No policy available: deny rather than guess.
            return false;
        }

        try {
            int outcome = manager.hasUserDataPermission(servletRequest, str, str2);
            if (outcome == -1) {
                _logger.fine(() -> "[Web-Security] redirecting using SSL");
                return redirect(httpRequest, httpResponse);
            }
            if (outcome == 0) {
                httpResponse.getResponse().sendError(403, resourceBundle.getString("realmBase.forbidden"));
                return false;
            }
            return true;
        } catch (IllegalArgumentException e) {
            _logger.log(Level.WARNING, e, () -> resourceBundle.getString("realmAdapter.badRequestWithId"));
            httpResponse.getResponse().sendError(400, resourceBundle.getString("realmAdapter.badRequest"));
            return false;
        }
    }

    /**
     * Decides, before any authenticator runs, whether the request still needs authentication.
     *
     * <p>Values returned by this method: {@code 1} when authentication must be performed,
     * {@code 0} when the request may proceed without it, and {@code -1} after an error response
     * (403 or 503) has been sent.
     * NOTE(review): these presumably mirror the container's realm AUTHENTICATE_* constants -
     * confirm against the Realm interface.
     *
     * @param z passed to {@code disableProxyCaching}
     * @param z2 passed to {@code disableProxyCaching}
     * @param z3 when true, a session is created for authenticated requests to resources that
     *     are not permit-all
     * @throws IOException if sending an error response fails
     */
    public int preAuthenticateCheck(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, boolean z, boolean z2, boolean z3) throws IOException {
        try {
            // Make sure no identity from an earlier use of this thread leaks into an
            // unauthenticated request.
            if (!isRequestAuthenticated(httpRequest)) {
                SecurityContext.setUnauthenticatedContext();
            }
            // With Jakarta Authentication active the decision is left to the auth module.
            if (isJakartaAuthenticationEnabled()) {
                return 1;
            }
            if (!invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr)) {
                // Access denied: an anonymous caller gets a chance to log in, an
                // authenticated one is refused outright.
                if (!isRequestAuthenticated(httpRequest)) {
                    disableProxyCaching(httpRequest, httpResponse, z, z2);
                    return 1;
                }
                httpResponse.getResponse().sendError(403);
                httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
                return -1;
            }
            if (!isRequestAuthenticated(httpRequest)) {
                return 0;
            }
            disableProxyCaching(httpRequest, httpResponse, z, z2);
            if (!z3) {
                return 0;
            }
            HttpServletRequest request = httpRequest.getRequest();
            // NOTE(review): getWebSecurityManager(true) can return null; the resulting
            // NullPointerException is handled by the Throwable branch below (503).
            if (getWebSecurityManager(true).permitAll(request)) {
                return 0;
            }
            request.getSession(true);
            return 0;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            // Fail closed: any unexpected failure ends the request with 503 and -1.
            // NOTE(review): the detail message reuses the "realmBase.forbidden" text although
            // the status sent is 503.
            _logger.log(Level.SEVERE, th, () -> {
                return "web_server.excep_authenticate_realmadapter";
            });
            httpResponse.getResponse().sendError(503);
            httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
            return -1;
        }
    }

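    /**
     * Authenticates the request, either through the container authenticator or, when Jakarta
     * Authentication is enabled, through {@code validate}.
     *
     * <p>On the Jakarta Authentication path the request's principal is exposed as the session
     * principal of the current {@link SecurityContext} for the duration of the call. It is
     * cleared, and the "afterAuthentication" event fired, in a {@code finally} block so that the
     * cleanup runs exactly once on both the normal and the exceptional path.
     *
     * @param authenticator the container authenticator; must be an {@link AuthenticatorBase}
     *     when Jakarta Authentication is disabled
     * @param z passed through to {@code validate}
     * @return the authentication outcome
     * @throws IOException if the underlying authenticator or validation fails with one
     */
    public boolean invokeAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context, Authenticator authenticator, boolean z) throws IOException {
        LoginConfig loginConfig = context.getLoginConfig();
        if (!isJakartaAuthenticationEnabled()) {
            return ((AuthenticatorBase) authenticator).authenticate(httpRequest, httpResponse, loginConfig);
        }
        try {
            context.fireContainerEvent("beforeAuthentication", (Object) null);
            SecurityContext.getCurrent().setSessionPrincipal(httpRequest.getRequest().getRequestPrincipal());
            return validate(httpRequest, httpResponse, loginConfig, authenticator, z);
        } finally {
            // Never leave the session principal on the thread-bound security context.
            SecurityContext.getCurrent().setSessionPrincipal((Principal) null);
            context.fireContainerEvent("afterAuthentication", (Object) null);
        }
    }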

    /** Returns the fixed descriptive name of this realm implementation. */
    protected String getName() {
        return RealmAdapter.name;
    }

    /** Returns the name of the realm this adapter authenticates against; may be {@code null}. */
    public String getRealmName() {
        return realmName;
    }

    /**
     * Records the virtual server hosting this context.
     *
     * @param obj the virtual server; must be a {@link Container}
     */
    public void setVirtualServer(Object obj) {
        virtualServer = (Container) obj;
    }

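    /**
     * Replaces the current WebSecurityManager with a freshly created one.
     *
     * <p>The existing manager is released and destroyed first. A failure while doing so is
     * logged through the class logger (rather than printed to standard error) and does not
     * prevent the replacement. Nothing happens when no manager can be obtained.
     */
    public void updateWebSecurityManager() {
        if (this.webSecurityManager == null) {
            this.webSecurityManager = getWebSecurityManager(true);
        }
        if (this.webSecurityManager != null) {
            try {
                this.webSecurityManager.release();
                this.webSecurityManager.destroy();
            } catch (Exception e) {
                // Best effort: keep going so that a new manager is still installed, but make
                // the failure visible in the server log.
                _logger.log(Level.WARNING, e, () -> "Failed to release WebSecurityManager for " + this.contextId);
            }
            this.webSecurityManager = this.webSecurityManagerFactory.createManager(this.webBundleDescriptor, true, this.serverContext);
            _logger.fine(() -> "WebSecurityManager for " + this.contextId + " has been updated");
        }
    }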

    /**
     * Authenticates a user name and password against the configured realm.
     *
     * <p>NOTE(review): the caller-supplied user name is written to the log at FINE without
     * sanitising, and the returned principal is constructed with the password array.
     *
     * @param str the user name
     * @param cArr the password
     * @return a {@link WebPrincipal} on success, {@code null} when the login fails
     */
    public Principal authenticate(String str, char[] cArr) {
        _logger.fine(() -> "Tomcat callback for authenticate user/password");
        _logger.fine(() -> "usename = " + str);
        boolean loggedIn = authenticate(str, cArr, null, null);
        if (!loggedIn) {
            return null;
        }
        return new WebPrincipal(str, cArr, SecurityContext.getCurrent());
    }

    /**
     * Authenticates a request carrying digest credentials.
     *
     * @return a {@link WebPrincipal} named after the digest user on success; {@code null} when
     *     no digest credentials can be generated from the request or the login fails
     */
    public Principal authenticate(HttpServletRequest httpServletRequest) {
        DigestCredentials credentials = generateDigestCredentials(httpServletRequest);
        if (credentials != null && authenticate(null, null, credentials, null)) {
            return new WebPrincipal(credentials.getUserName(), (char[]) null, SecurityContext.getCurrent());
        }
        return null;
    }

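    /**
     * Authenticates a client certificate chain.
     *
     * <p>A {@code null} chain is rejected up front. Without this guard the shared login helper
     * would see no certificates and no digest credentials and fall through to its
     * user-name/password branch with {@code null} values, which is not what a certificate login
     * should ever attempt.
     *
     * @param x509CertificateArr the certificate chain presented by the client
     * @return a {@link WebPrincipal} on success, {@code null} when the chain is missing or the
     *     login fails
     */
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            return null;
        }
        if (authenticate(null, null, null, x509CertificateArr)) {
            return new WebPrincipal(x509CertificateArr, SecurityContext.getCurrent());
        }
        return null;
    }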

    /**
     * Checks whether the caller may access the requested resource.
     *
     * <p>On denial a 403 is sent and the post-authentication delegate is invoked. Any failure
     * other than an {@link IOException} is logged and answered with 503; the method then returns
     * whatever decision had been reached so far.
     *
     * @return {@code true} when access is granted
     * @throws IOException if the permission check or sending a response fails with one
     */
    public boolean hasResourcePermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        boolean granted = false;
        try {
            granted = invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr);
            if (!granted) {
                httpResponse.getResponse().sendError(403);
                httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
                invokePostAuthenticateDelegate(httpRequest, httpResponse, context);
            }
            return granted;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            _logger.log(Level.SEVERE, th, () -> "web_server.excep_authenticate_realmadapter");
            httpResponse.getResponse().sendError(503);
            httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
            return granted;
        }
    }

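    /**
     * Gives the Jakarta Authentication module the chance to secure the response.
     *
     * <p>The {@code MessageInfo} stored on the request is looked up and, when it carries a
     * {@code ServerAuthContext}, that context's {@code secureResponse} is called between the
     * "beforePostAuthentication" and "afterPostAuthentication" container events.
     *
     * <p>The wrapped request/response notes are removed in a {@code finally} block. The earlier
     * form guarded the exceptional path with a condition that could never be true, so the notes
     * were left on the request whenever {@code secureResponse} failed.
     *
     * @return {@code true} only when {@code secureResponse} reported {@code AuthStatus.SUCCESS}
     * @throws IOException wrapping an {@link AuthException} raised by the auth context
     */
    public boolean invokePostAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context) throws IOException {
        boolean result = false;
        ServerAuthContext serverAuthContext = null;
        try {
            if (this.helper != null) {
                MessageInfo messageInfo = (MessageInfo) httpRequest.getRequest().getAttribute(MESSAGE_INFO);
                if (messageInfo != null) {
                    serverAuthContext = (ServerAuthContext) messageInfo.getMap().get(SERVER_AUTH_CONTEXT);
                    if (serverAuthContext != null) {
                        try {
                            context.fireContainerEvent("beforePostAuthentication", (Object) null);
                            result = AuthStatus.SUCCESS.equals(serverAuthContext.secureResponse(messageInfo, (Subject) null));
                        } finally {
                            context.fireContainerEvent("afterPostAuthentication", (Object) null);
                        }
                    }
                }
            }
            return result;
        } catch (AuthException e) {
            throw new IOException((Throwable) e);
        } finally {
            // Runs on success and on failure alike once an auth context was found.
            if (this.helper != null && serverAuthContext != null) {
                if (httpRequest instanceof HttpRequestWrapper) {
                    httpRequest.removeNote("__jakarta.security.auth.message.request");
                }
                if (httpResponse instanceof HttpResponseWrapper) {
                    // Both notes live on the request object.
                    httpRequest.removeNote("__jakarta.security.auth.message.response");
                }
            }
        }
    }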

    /**
     * Checks whether {@code principal} holds role {@code str} for the servlet serving the request.
     *
     * @return the manager's role-reference decision; {@code false} when no manager is available
     */
    public boolean hasRole(HttpRequest httpRequest, HttpResponse httpResponse, Principal principal, String str) {
        WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // No policy available: deny.
            return false;
        }
        final String servletName = getCanonicalName(httpRequest);
        final boolean granted = manager.hasRoleRefPermission(servletName, str, principal);
        _logger.fine(() -> "Checking if servlet " + servletName + " with principal " + principal + " has role " + str + " isGranted: " + granted);
        return granted;
    }

    /** Destroys the realm and, when a config helper exists, disables it. */
    public void destroy() {
        super.destroy();
        if (helper == null) {
            return;
        }
        helper.disable();
    }

    /** Returns the web module descriptor set by {@link #initializeRealm}; may be {@code null}. */
    public WebBundleDescriptor getWebDescriptor() {
        return webBundleDescriptor;
    }

    /**
     * Returns the WebSecurityManager for this context, fetching it from the factory on first use.
     *
     * <p>Callers in this class treat a {@code null} result as "deny".
     *
     * @param z when true, a WARNING is logged if the factory has no manager for the context id
     * @return the cached or freshly looked-up manager; may be {@code null}
     */
    public WebSecurityManager getWebSecurityManager(boolean z) {
        if (this.webSecurityManager == null) {
            // NOTE(review): the null test is not repeated inside the synchronized block, so two
            // threads may both perform the lookup; the field is volatile, so each sees the
            // other's write afterwards.
            synchronized (this) {
                this.webSecurityManager = this.webSecurityManagerFactory.getManager(this.contextId);
            }
            if (this.webSecurityManager == null && z) {
                _logger.log(Level.WARNING, "realmAdapter.noWebSecMgr", this.contextId);
            }
        }
        return this.webSecurityManager;
    }

    /**
     * Checks whether {@code principal} holds role {@code str2} for the servlet named {@code str}.
     *
     * @return the manager's role-reference decision; {@code false} when no manager is available
     */
    public boolean hasRole(String str, Principal principal, String str2) {
        WebSecurityManager manager = getWebSecurityManager(true);
        return manager != null && manager.hasRoleRefPermission(str, str2, principal);
    }

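    /**
     * Logs the caller out, giving the Jakarta Authentication module the chance to clean the
     * subject first.
     *
     * <p>A per-thread flag guards against re-entry: when the auth module's {@code cleanSubject}
     * calls back into this method, the nested call only performs the container logout.
     *
     * <p>The flag is reset in an outer {@code finally}. Previously it was reset only after
     * {@code doLogout} returned normally, so an exception from {@code doLogout} left the flag set
     * on the worker thread and every later logout on that thread skipped {@code cleanSubject}.
     *
     * @throws RuntimeException wrapping an {@link AuthException} from the auth module, or raised
     *     by {@code doLogout}
     */
    public void logout(HttpRequest httpRequest) {
        boolean extensionEnabled = isSecurityExtensionEnabled(httpRequest.getRequest().getServletContext());
        byte[] reentrancy = reentrancyStatus.get();
        if (!extensionEnabled || this.helper == null || reentrancy[0] != 0) {
            doLogout(httpRequest, reentrancy[0] == 1);
            return;
        }
        reentrancy[0] = 1;
        try {
            MessageInfo messageInfo = (MessageInfo) httpRequest.getRequest().getAttribute(MESSAGE_INFO);
            if (messageInfo == null) {
                messageInfo = new HttpMessageInfo(httpRequest.getRequest(), httpRequest.getResponse().getResponse());
            }
            messageInfo.getMap().put("jakarta.security.auth.message.MessagePolicy.isMandatory", Boolean.TRUE.toString());
            try {
                ServerAuthContext serverAuthContext = this.helper.getServerAuthContext(messageInfo, (Subject) null);
                if (serverAuthContext != null) {
                    SecurityContext current = SecurityContext.getCurrent();
                    // Credentials generated by the server are not handed to the module;
                    // it gets an empty subject instead.
                    Subject subject = current.didServerGenerateCredentials() ? new Subject() : current.getSubject();
                    if (subject == null) {
                        subject = new Subject();
                    }
                    if (subject.isReadOnly()) {
                        _logger.log(Level.WARNING, "Read-only subject found during logout processing");
                    }
                    try {
                        httpRequest.getContext().fireContainerEvent("beforePostAuthentication", (Object) null);
                        serverAuthContext.cleanSubject(messageInfo, subject);
                    } finally {
                        httpRequest.getContext().fireContainerEvent("afterPostAuthentication", (Object) null);
                    }
                }
            } finally {
                // The container logout happens even when the auth module fails.
                doLogout(httpRequest, true);
            }
        } catch (AuthException e) {
            throw new RuntimeException((Throwable) e);
        } finally {
            // Always clear the re-entry flag so the thread is clean for the next request.
            reentrancy[0] = 0;
        }
    }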

    /**
     * Performs the container-side logout and then clears the security and policy context.
     *
     * @param z when true, the logout is routed through an {@link AuthenticatorProxy} wrapping
     *     the context's authenticator; otherwise the authenticator is called directly
     * @throws RuntimeException when the request has no context or authenticator, or wrapping
     *     any exception raised during logout
     */
    private void doLogout(HttpRequest httpRequest, boolean z) {
        Context context = httpRequest.getContext();
        Authenticator authenticator = context == null ? null : context.getAuthenticator();
        if (authenticator == null) {
            throw new RuntimeException("Context or Authenticator is null");
        }
        try {
            if (!z) {
                authenticator.logout(httpRequest);
            } else {
                // The proxy is built without a principal; only its logout is used here.
                new AuthenticatorProxy(authenticator, null, null).logout(httpRequest);
            }
            logout();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Clears the thread's current security context and resets the policy context inside a
     * privileged action.
     */
    public void logout() {
        setSecurityContext(null);
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            resetPolicyContext();
            return null;
        });
    }

    /**
     * Re-authenticates an existing principal with whatever credential it carries: its
     * certificates when it was certificate-based, otherwise its name and password.
     *
     * @return {@code true} when the login succeeds
     */
    public boolean authenticate(WebPrincipal webPrincipal) {
        if (webPrincipal.isUsingCertificate()) {
            return authenticate(null, null, null, webPrincipal.getCertificates());
        }
        return authenticate(webPrincipal.getName(), webPrincipal.getPassword(), null, null);
    }

    /**
     * Shared login routine behind the public {@code authenticate} overloads.
     *
     * <p>The credential kind is chosen by the first non-null argument in this order: certificate
     * chain, digest credentials, and otherwise user name and password. Callers must therefore
     * make sure the credential they intend to use is actually non-null, or the password branch
     * is taken.
     *
     * @return {@code true} when the login driver completes without an exception; any exception
     *     is logged at WARNING and reported as {@code false}
     */
    private boolean authenticate(String str, char[] cArr, DigestCredentials digestCredentials, X509Certificate[] x509CertificateArr) {
        try {
            if (x509CertificateArr != null) {
                // Certificate login is keyed by module, not by realm.
                LoginContextDriver.doX500Login(generateX500Subject(x509CertificateArr), this.moduleID);
            } else if (digestCredentials != null) {
                LoginContextDriver.login(digestCredentials);
            } else {
                LoginContextDriver.login(str, cArr, this.realmName);
            }
            _logger.log(Level.FINE, () -> "Web login succeeded for: " + SecurityContext.getCurrent().getCallerPrincipal());
            return true;
        } catch (Exception loginFailure) {
            _logger.log(Level.WARNING, "WEB9102: Web Login Failed", (Throwable) loginFailure);
            return false;
        }
    }

    /**
     * Switches the thread to the servlet's run-as identity, if one is configured.
     *
     * <p>The security context in effect before the switch is stored on the invocation so that
     * {@link #postSetRunAsIdentity} can restore it.
     */
    public void preSetRunAsIdentity(ComponentInvocation componentInvocation) {
        // Cheap exit before resolving the servlet name.
        if (Utility.isEmpty(this.runAsPrincipals)) {
            return;
        }
        final String servletName = getServletName(componentInvocation);
        if (servletName == null) {
            return;
        }
        final String runAsPrincipal = this.runAsPrincipals.get(servletName);
        if (runAsPrincipal == null) {
            return;
        }
        componentInvocation.setOldSecurityContext(getSecurityContext());
        loginForRunAs(runAsPrincipal);
        _logger.log(Level.FINE, () -> "run-as principal for " + servletName + " set to: " + runAsPrincipal);
    }

    /**
     * Resolves the servlet name for an invocation.
     *
     * @return the invocation's instance name when set; otherwise the name of the invoked
     *     {@link HttpServlet} if it has a servlet config; otherwise {@code null}
     */
    private String getServletName(ComponentInvocation componentInvocation) {
        String instanceName = componentInvocation.getInstanceName();
        if (instanceName != null) {
            return instanceName;
        }
        Object target = componentInvocation.getInstance();
        if (target instanceof HttpServlet) {
            HttpServlet servlet = (HttpServlet) target;
            // Without a config the servlet has not been initialised and has no name yet.
            return servlet.getServletConfig() != null ? servlet.getServletName() : null;
        }
        return null;
    }

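    /**
     * Restores the security context that was in effect before {@link #preSetRunAsIdentity}
     * switched to a run-as identity.
     *
     * <p>Nothing is restored when no run-as principals are configured or the invoked servlet has
     * none. A {@code null} principal table is treated like an empty one, matching
     * {@code preSetRunAsIdentity}; before, a {@code null} table led to a
     * {@link NullPointerException} on the lookup.
     */
    public void postSetRunAsIdentity(ComponentInvocation componentInvocation) {
        // Cheap exit before resolving the servlet name.
        if (this.runAsPrincipals == null || this.runAsPrincipals.isEmpty()) {
            return;
        }
        String servletName = getServletName(componentInvocation);
        if (servletName == null || this.runAsPrincipals.get(servletName) == null) {
            return;
        }
        setSecurityContext((SecurityContext) componentInvocation.getOldSecurityContext());
    }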

    /**
     * Establishes the identity {@code str} in this adapter's realm.
     *
     * <p>Only a principal name is passed to the login driver; no credential is involved, so the
     * name must come from trusted configuration or state.
     */
    private void loginForRunAs(String str) {
        LoginContextDriver.loginPrincipal(str, realmName);
    }

    /** Returns the security context currently bound via {@link SecurityContext#getCurrent()}. */
    private SecurityContext getSecurityContext() {
        SecurityContext current = SecurityContext.getCurrent();
        return current;
    }

    /**
     * Makes {@code securityContext} the current security context.
     *
     * @param securityContext the context to install; {@code null} is passed on logout
     */
    private void setSecurityContext(final SecurityContext securityContext) {
        SecurityContext.setCurrent(securityContext);
    }

    /**
     * Tells whether {@code set} contains the default caller principal and nothing else.
     *
     * @return {@code false} when there is no default caller principal, when {@code set} is
     *     {@code null}, when it lacks the default principal, or when it holds any other entry
     */
    private boolean principalSetContainsOnlyAnonymousPrincipal(Set<Principal> set) {
        Principal anonymous = SecurityContext.getDefaultCallerPrincipal();
        if (anonymous == null || set == null || !set.contains(anonymous)) {
            return false;
        }
        for (Principal candidate : set) {
            if (!candidate.equals(anonymous)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Not supported by this adapter.
     *
     * @throws IllegalStateException always
     */
    protected char[] getPassword(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Not supported by this adapter.
     *
     * @throws IllegalStateException always
     */
    protected Principal getPrincipal(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Re-creates a principal for a user by name, as used after a fail-over.
     *
     * <p>NOTE(review): the identity is established from the name alone through
     * {@code loginForRunAs}; no credential is checked in this method, so callers must only pass
     * a name that comes from trusted state. The resulting principal is logged at INFO.
     *
     * @param str the user name
     * @return a {@link WebPrincipal} bound to the security context produced by the login
     */
    public Principal createFailOveredPrincipal(String str) {
        _logger.log(Level.FINEST, () -> "IN createFailOveredPrincipal (" + str + ")");
        loginForRunAs(str);
        final SecurityContext securityContext = SecurityContext.getCurrent();
        _logger.log(Level.FINE, () -> "Security context is " + securityContext);
        final WebPrincipal failedOver = new WebPrincipal(str, (char[]) null, securityContext);
        _logger.log(Level.INFO, () -> "Principal created for FailOvered user " + failedOver);
        return failedOver;
    }

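    /**
     * Asks the WebSecurityManager whether the current caller may access the requested resource.
     *
     * <p>On first use the login and error pages of a FORM login configuration are captured.
     * Requests for exactly those pages, and for any path ending in {@code /j_security_check},
     * are then allowed without consulting the manager. A missing manager denies the request.
     *
     * <p>The read lock is now released in a {@code finally} that covers only the locked read.
     * The earlier form released it again from a catch-all around the whole method, so any
     * exception raised after the first release triggered an unlock of a lock the thread no
     * longer held, which hides the original failure behind an
     * {@link IllegalMonitorStateException}.
     *
     * @return {@code true} when access is granted
     * @throws IOException if the permission check fails with one
     */
    private boolean invokeWebSecurityManager(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        boolean evaluated;
        this.rwLock.readLock().lock();
        try {
            evaluated = this.contextEvaluated;
        } finally {
            this.rwLock.readLock().unlock();
        }
        if (!evaluated) {
            this.rwLock.writeLock().lock();
            try {
                // Re-check under the write lock; another thread may have finished first.
                if (!this.contextEvaluated) {
                    LoginConfig loginConfig = getContainer().getLoginConfig();
                    if (loginConfig != null && FORM.equals(loginConfig.getAuthMethod())) {
                        this.loginPage = loginConfig.getLoginPage();
                        this.errorPage = loginConfig.getErrorPage();
                    }
                    this.contextEvaluated = true;
                }
            } finally {
                this.rwLock.writeLock().unlock();
            }
        }
        if (this.loginPage != null || this.errorPage != null) {
            String requestPath = httpRequest.getRequestPathMB().toString();
            _logger.log(Level.FINE, () -> "[Web-Security]  requestURI: " + requestPath + " loginPage: " + this.loginPage);
            if (this.loginPage != null && this.loginPage.equals(requestPath)) {
                _logger.log(Level.FINE, () -> " Allow access to login page " + this.loginPage);
                return true;
            }
            if (this.errorPage != null && this.errorPage.equals(requestPath)) {
                _logger.log(Level.FINE, () -> " Allow access to error page " + this.errorPage);
                return true;
            }
            // NOTE(review): this is a suffix match, so every path ending in /j_security_check
            // skips the resource-permission check; confirm that no application resource can be
            // mapped under such a path.
            if (requestPath.endsWith("/j_security_check")) {
                _logger.fine(" Allow access to username/password submission");
                return true;
            }
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest;
        if (httpServletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("[Web-Security] [ hasResourcePermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
        }
        WebSecurityManager webSecurityManager = getWebSecurityManager(true);
        if (webSecurityManager == null) {
            // No policy available: deny.
            return false;
        }
        return webSecurityManager.hasResourcePermission(httpServletRequest);
    }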

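    /**
     * Chooses the host name and port used to build the HTTPS redirect target.
     *
     * <p>By default the request's server name and the connector's redirect port are returned. The
     * client-supplied {@code Host} header is used instead when it carries no port, or when its host
     * resolves to this machine but its port differs from the matching wildcard-bound listener.
     *
     * <p>Security-relevant points for reviewers:
     * <ul>
     *   <li>The returned host can come straight from the {@code Host} header, so the redirect target
     *       is partly client-controlled. Deployments should restrict accepted host names at the
     *       front end or virtual-server level.</li>
     *   <li>{@code InetAddress.getByName} is called on the header's host part, i.e. a name lookup is
     *       performed on untrusted input.</li>
     *   <li>The header port is now validated: a non-numeric or out-of-range port raises a
     *       {@code ProtocolException} instead of an unchecked {@code NumberFormatException}.</li>
     *   <li>NOTE(review): the header is split on {@code ':'}, so a bracketed IPv6 literal is not
     *       parsed correctly. Left unchanged here.</li>
     * </ul>
     *
     * @param httpRequest the current request
     * @return a two-element list: host name, then port as a decimal string ({@code "-1"} when the
     *         header carried no port and the header host is used)
     * @throws IOException if the {@code Host} header is missing or carries an invalid port, or if
     *         resolving the header host fails
     */
    private List<String> getHostAndPort(HttpRequest httpRequest) throws IOException {
        String[] hostPort = null;
        Enumeration<String> headerNames = httpRequest.getRequest().getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            if (headerName.equalsIgnoreCase("Host")) {
                hostPort = httpRequest.getRequest().getHeader(headerName).split(":");
            }
        }
        if (hostPort == null) {
            throw new ProtocolException(resourceBundle.getString("missing_http_header.host"));
        }

        boolean portMissing = hostPort.length <= 1 || hostPort[1] == null || hostPort[1].trim().isEmpty();

        // True when the redirect should be built from the Host header rather than from the
        // container's own server name and redirect port.
        boolean useHostHeader = false;
        if (portMissing) {
            useHostHeader = true;
        } else {
            boolean listenerMatched = false;
            for (NetworkListener networkListener : this.networkListeners.getNetworkListener()) {
                String address = networkListener.getAddress();
                // Only listeners bound to the wildcard address (or with no address) are compared.
                if (address == null || address.equals("0.0.0.0")) {
                    if (NetUtils.getCanonicalHostName().equals(hostPort[0])) {
                        if (networkListener.getPort().equals(hostPort[1])) {
                            useHostHeader = false;
                            listenerMatched = true;
                        } else {
                            useHostHeader = true;
                        }
                    } else {
                        // Name did not match textually: fall back to comparing resolved addresses.
                        InetAddress[] localAddresses = NetUtils.getHostAddresses();
                        InetAddress headerAddress = InetAddress.getByName(hostPort[0]);
                        for (InetAddress localAddress : localAddresses) {
                            if (localAddress.equals(headerAddress)) {
                                if (networkListener.getPort().equals(hostPort[1])) {
                                    useHostHeader = false;
                                    listenerMatched = true;
                                    break;
                                }
                                useHostHeader = true;
                            }
                        }
                    }
                }
                if (listenerMatched) {
                    break;
                }
            }
        }

        String serverName = httpRequest.getRequest().getServerName();
        int redirectPort = httpRequest.getConnector().getRedirectPort();
        if (useHostHeader) {
            serverName = hostPort[0];
            if (portMissing) {
                redirectPort = -1;
            } else {
                try {
                    redirectPort = Integer.parseInt(hostPort[1]);
                } catch (NumberFormatException e) {
                    ProtocolException invalidPort = new ProtocolException("Invalid port in Host header");
                    invalidPort.initCause(e);
                    throw invalidPort;
                }
                if (redirectPort < 1 || redirectPort > 65535) {
                    throw new ProtocolException("Invalid port in Host header");
                }
            }
        }

        List<String> result = new ArrayList<>();
        result.add(serverName);
        result.add(String.valueOf(redirectPort));
        return result;
    }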

    /**
     * Redirects the request to the same URI over HTTPS, or rejects it when no redirect port is set.
     *
     * <p>When the connector's redirect port is not positive a 403 is sent. Otherwise the target is
     * built from the request URI, the session id (only when it arrived in the URL), the query
     * string, and the host and port chosen by {@code getHostAndPort}. Note that the host chosen
     * there may originate from the client's {@code Host} header, and that a URL-borne session id is
     * carried into the {@code Location} value.
     *
     * @param httpRequest the current request
     * @param httpResponse the current response
     * @return always {@code false}; the response has been committed with a redirect or an error
     * @throws IOException if writing the response fails or {@code getHostAndPort} rejects the request
     */
    private boolean redirect(HttpRequest httpRequest, HttpResponse httpResponse) throws IOException {
        HttpServletRequest servletRequest = httpRequest.getRequest();
        HttpServletResponse servletResponse = httpResponse.getResponse();

        boolean redirectEnabled = httpRequest.getConnector().getRedirectPort() > 0;
        if (!redirectEnabled) {
            // fine() performs its own level check; a separate isLoggable guard adds nothing.
            _logger.fine("[Web-Security]  SSL redirect is disabled");
            servletResponse.sendError(403, URLEncoder.encode(servletRequest.getRequestURI(), "UTF-8"));
            return false;
        }

        StringBuilder target = new StringBuilder(servletRequest.getRequestURI());

        String sessionId = servletRequest.getRequestedSessionId();
        if (sessionId != null && servletRequest.isRequestedSessionIdFromURL()) {
            target.append(";jsessionid=").append(sessionId);
        }

        String query = servletRequest.getQueryString();
        if (query != null) {
            target.append('?').append(query);
        }

        List<String> hostAndPort = getHostAndPort(httpRequest);
        String host = hostAndPort.get(0);
        int port = Integer.parseInt(hostAndPort.get(1));
        try {
            URL httpsUrl = new URL("https", host, port, target.toString());
            servletResponse.sendRedirect(httpsUrl.toString());
        } catch (MalformedURLException e) {
            servletResponse.sendError(500, URLEncoder.encode(servletRequest.getRequestURI(), "UTF-8"));
        }
        return false;
    }

    /**
     * Returns the servlet name reported by the wrapper that the request is mapped to.
     *
     * @param httpRequest the current request
     * @return the wrapper's servlet name
     */
    private String getCanonicalName(HttpRequest httpRequest) {
        String servletName = httpRequest.getWrapper().getServletName();
        return servletName;
    }

    /**
     * Returns what remains of {@code str} after skipping as many characters as {@code str2} is long.
     *
     * <p>Only the lengths are compared; the method does not check that {@code str} actually starts
     * with {@code str2}. The visible caller passes the request URI and the context path.
     *
     * @param str the full string (request URI at the visible call site)
     * @param str2 the prefix whose length is skipped (context path at the visible call site)
     * @return the remainder of {@code str}, or the empty string when {@code str} is not longer than
     *         {@code str2}
     */
    private String getResourceName(String str, String str2) {
        int prefixLength = str2.length();
        if (prefixLength >= str.length()) {
            return "";
        }
        return str.substring(prefixLength);
    }

    /**
     * Accepts a realm name and does nothing with it: the body is empty, so the argument is ignored.
     *
     * @param str the realm name; not used
     */
    public void setRealmName(String str) {
    }

    /**
     * Builds the {@link HttpServletHelper} for this web module.
     *
     * <p>The helper receives the application context id derived from the servlet context, a
     * properties map holding the bundle descriptor under {@code "WEB_BUNDLE"}, no callback handler,
     * the realm name, the system-app flag and the default system provider id.
     *
     * @param servletContext the servlet context used to derive the application context id
     * @return a new helper instance
     */
    private HttpServletHelper getConfigHelper(ServletContext servletContext) {
        HashMap properties = new HashMap();
        properties.put("WEB_BUNDLE", this.webBundleDescriptor);

        String appContextId = getAppContextID(servletContext);
        return new HttpServletHelper(appContextId, properties, (CallbackHandler) null, this.realmName, this.isSystemApp, defaultSystemProviderID);
    }

    /**
     * Returns the application context id: virtual server name, a space, then the context path.
     *
     * <p>Both parts are taken from the servlet context. A warning is logged when either differs
     * from the value held by this adapter (virtual server name, bundle context root); the servlet
     * context's values are used regardless.
     *
     * @param servletContext the servlet context of the web module
     * @return {@code "<virtual server name> <context path>"}
     */
    private String getAppContextID(ServletContext servletContext) {
        String contextServerName = servletContext.getVirtualServerName();
        String configuredServerName = this.virtualServer.getName();
        if (!contextServerName.equals(configuredServerName)) {
            _logger.log(Level.WARNING, "Virtual server name from ServletContext: {0} differs from name from virtual.getName(): {1}", new Object[]{contextServerName, configuredServerName});
        }

        String contextPath = servletContext.getContextPath();
        String bundleContextRoot = this.webBundleDescriptor.getContextRoot();
        if (!contextPath.equals(bundleContextRoot)) {
            _logger.log(Level.WARNING, "Context path from ServletContext: {0} differs from path from bundle: {1}", new Object[]{contextPath, bundleContextRoot});
        }

        return contextServerName + " " + contextPath;
    }

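    /**
     * Runs Jakarta Authentication {@code validateRequest} for the request and, on success, installs
     * the authenticated caller on the request.
     *
     * <p>The lookup of the {@link ServerAuthContext}, the null check and the
     * {@code validateRequest} call are kept inside one {@code try}, so that an {@code AuthException}
     * or a runtime failure anywhere in that sequence sets a 500 status and the method returns
     * {@code false}. In the previous shape those steps sat after the {@code catch} handlers, where
     * {@code serverAuthContext} could be unassigned and the checked {@code AuthException} was
     * neither caught nor declared.
     *
     * <p>A successful status with no principal (or only the anonymous principal) clears any
     * principal already on the request and counts as failure when authentication is mandatory.
     *
     * @param httpRequest the current request
     * @param httpResponse the current response
     * @param loginConfig login configuration; its auth method is the fallback auth type
     * @param authenticator authenticator used when the session should be registered
     * @param z when {@code true} the message policy is marked mandatory even if the resource is
     *          permitted to all
     * @return {@code true} only if validation succeeded and the outcome satisfies the policy
     * @throws IOException if sending the error response fails
     */
    private boolean validate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator, boolean z) throws IOException {
        HttpServletRequest request = httpRequest.getRequest();
        HttpServletResponse response = httpResponse.getResponse();
        Subject subject = new Subject();
        HttpMessageInfo httpMessageInfo = new HttpMessageInfo(request, response);
        boolean validated = false;
        boolean mandatory = true;
        try {
            // A null WebSecurityManager surfaces here as a RuntimeException and is handled below,
            // i.e. the request is rejected rather than treated as unprotected.
            mandatory = !getWebSecurityManager(true).permitAll(request);
            if (mandatory || z) {
                httpMessageInfo.getMap().put("jakarta.security.auth.message.MessagePolicy.isMandatory", Boolean.TRUE.toString());
            }
            ServerAuthContext serverAuthContext = this.helper.getServerAuthContext(httpMessageInfo, (Subject) null);
            if (serverAuthContext == null) {
                throw new AuthException("null ServerAuthContext");
            }
            validated = AuthStatus.SUCCESS.equals(serverAuthContext.validateRequest(httpMessageInfo, subject, (Subject) null));
            if (validated) {
                httpMessageInfo.getMap().put(SERVER_AUTH_CONTEXT, serverAuthContext);
                request.setAttribute(MESSAGE_INFO, httpMessageInfo);
            }
        } catch (AuthException e) {
            _logger.log(Level.FINE, "Jakarta Authentication: http msg authentication fail", e);
            response.setStatus(500);
        } catch (RuntimeException e2) {
            _logger.log(Level.SEVERE, "Jakarta Authentication: Exception during validateRequest", (Throwable) e2);
            response.sendError(500);
        }

        if (!validated) {
            return false;
        }

        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty() || principalSetContainsOnlyAnonymousPrincipal(principals)) {
            // No real caller was established: drop whatever principal the request still carries.
            if (((HttpServletRequest) httpMessageInfo.getRequestMessage()).getUserPrincipal() != null) {
                httpRequest.setUserPrincipal((Principal) null);
                httpRequest.setAuthType((String) null);
            }
            if (mandatory) {
                validated = false;
            }
        } else {
            SecurityContext securityContext = new SecurityContext(subject);
            SecurityContext.setCurrent(securityContext);
            WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
            try {
                String authType = (String) httpMessageInfo.getMap().get("jakarta.servlet.http.authType");
                if (authType == null && loginConfig != null && loginConfig.getAuthMethod() != null) {
                    authType = loginConfig.getAuthMethod();
                }
                if (shouldRegister(httpMessageInfo.getMap())) {
                    new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(httpRequest, httpResponse, loginConfig);
                } else {
                    httpRequest.setAuthType(authType == null ? PROXY_AUTH_TYPE : authType);
                    httpRequest.setUserPrincipal(webPrincipal);
                }
            } catch (LifecycleException e3) {
                // NOTE(review): the failure is only logged and the method still reports success;
                // confirm the request carries the expected principal on this path.
                _logger.log(Level.SEVERE, "[Web-Security] unable to register session", e3);
            }
        }

        if (validated) {
            // The auth module may have replaced the request or response; keep the wrappers as notes.
            HttpServletRequest wrappedRequest = (HttpServletRequest) httpMessageInfo.getRequestMessage();
            if (wrappedRequest != request) {
                httpRequest.setNote("__jakarta.security.auth.message.request", new HttpRequestWrapper(httpRequest, wrappedRequest));
            }
            HttpServletResponse wrappedResponse = (HttpServletResponse) httpMessageInfo.getResponseMessage();
            if (wrappedResponse != response) {
                httpRequest.setNote("__jakarta.security.auth.message.response", new HttpResponseWrapper(httpResponse, wrappedResponse));
            }
        }
        return validated;
    }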

    /**
     * Tells whether the message-info map asks for the authenticated session to be registered.
     *
     * <p>The mere presence of the key {@code com.sun.web.RealmAdapter.register} is enough, whatever
     * its value; otherwise {@code jakarta.servlet.http.registerSession} must map to a string that
     * parses as {@code true}.
     *
     * @param map the message-info map
     * @return {@code true} if registration is requested
     */
    private boolean shouldRegister(Map map) {
        if (map.containsKey("com.sun.web.RealmAdapter.register")) {
            return true;
        }
        return mapEntryToBoolean("jakarta.servlet.http.registerSession", map);
    }

    /**
     * Reads a map entry as a boolean.
     *
     * @param str the key to look up
     * @param map the map to read from
     * @return {@code true} only when the key is present, its value is a {@code String}, and that
     *         string equals {@code "true"} ignoring case; {@code false} in every other case
     */
    private boolean mapEntryToBoolean(String str, Map map) {
        if (!map.containsKey(str)) {
            return false;
        }
        Object value = map.get(str);
        // instanceof is false for null, so a null value falls through to false as well.
        if (!(value instanceof String)) {
            return false;
        }
        return Boolean.parseBoolean((String) value);
    }

    /**
     * Reads the default system provider id from the system property named by
     * {@code SYSTEM_HTTPSERVLET_SECURITY_PROVIDER}.
     *
     * @return the trimmed property value, or {@code null} when the property is unset or blank
     *         after trimming
     */
    private static String getDefaultSystemProviderID() {
        String configured = System.getProperty(SYSTEM_HTTPSERVLET_SECURITY_PROVIDER);
        if (configured == null) {
            return null;
        }
        String trimmed = configured.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /**
     * Clears the policy context state: resets the shared {@link PolicyContextHandlerImpl} and sets
     * the current policy context id to {@code null}.
     */
    private void resetPolicyContext() {
        // Handler first, then the context id, as before.
        PolicyContextHandlerImpl.getInstance().reset();
        PolicyContext.setContextID(null);
    }

    /**
     * Creates the web security manager for the bundle and commits its policy.
     *
     * <p>When {@code z} is set and the bundle's context id equals {@code __admingui/__admingui}, a
     * policy-creation probe event is fired afterwards.
     *
     * @param webBundleDescriptor the web module being configured
     * @param z enables the probe event for the admin GUI context
     * @throws RuntimeException wrapping any exception raised while creating the manager or
     *         committing the policy; the failure is logged at SEVERE first
     */
    protected void configureSecurity(WebBundleDescriptor webBundleDescriptor, boolean z) {
        try {
            this.webSecurityManagerFactory
                    .createManager(webBundleDescriptor, true, this.serverContext)
                    .commitPolicy();

            String contextId = WebSecurityManager.getContextID(webBundleDescriptor);
            boolean isAdminGui = contextId.equals("__admingui/__admingui");
            if (z && isAdminGui) {
                websecurityProbeProvider.policyCreationEvent(contextId);
            }
        } catch (Exception failure) {
            _logger.log(Level.SEVERE, "policy.configure", (Throwable) failure);
            throw new RuntimeException(failure);
        }
    }

    /**
     * Returns the security context that belongs to a principal.
     *
     * <p>A {@link WebPrincipal} supplies its own context. For any other principal a new context is
     * built inside a privileged action from the principal's name and a fresh subject holding only
     * that principal. This method performs no authentication of its own, so callers are expected to
     * pass a principal they already trust.
     *
     * @param principal the principal, may be {@code null}
     * @return the matching security context, or {@code null} for a {@code null} principal
     */
    private SecurityContext getSecurityContextForPrincipal(final Principal principal) {
        if (principal == null) {
            return null;
        }
        if (principal instanceof WebPrincipal) {
            return ((WebPrincipal) principal).getSecurityContext();
        }
        PrivilegedAction<SecurityContext> buildContext = () -> {
            Subject subject = new Subject();
            subject.getPrincipals().add(principal);
            return new SecurityContext(principal.getName(), subject);
        };
        return AccessController.doPrivileged(buildContext);
    }

    /**
     * Makes the principal's security context current, but only for a {@link WebPrincipal}.
     *
     * <p>Any other principal, including {@code null}, leaves the current context untouched.
     *
     * @param principal the principal whose context should become current
     */
    public void setCurrentSecurityContextWithWebPrincipal(Principal principal) {
        if (!(principal instanceof WebPrincipal)) {
            return;
        }
        SecurityContext context = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(context);
    }

    /**
     * Makes the security context of the given principal the current one.
     *
     * <p>For a {@code null} principal the resolved context is {@code null}, and that value is what
     * gets passed to {@code SecurityContext.setCurrent}.
     *
     * @param principal the principal whose context should become current, may be {@code null}
     */
    public void setCurrentSecurityContext(Principal principal) {
        SecurityContext context = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(context);
    }

    /**
     * Creates the configuration helper once; later calls are no-ops.
     *
     * <p>The method is {@code synchronized}, so concurrent first calls create a single helper.
     *
     * @param servletContext the servlet context used to build the helper
     */
    public synchronized void initConfigHelper(ServletContext servletContext) {
        if (this.helper == null) {
            this.helper = getConfigHelper(servletContext);
        }
    }

    /**
     * Caches the network listeners of the network configuration; {@code getHostAndPort} reads them.
     */
    public void postConstruct() {
        networkListeners = networkConfig.getNetworkListeners();
    }

    /**
     * Resolves the realm name for this web module.
     *
     * <p>Order of precedence: the application's realm; if that is {@code null}, the realm name of
     * the bundle's login configuration; if the result is still empty and a default was supplied,
     * the default.
     *
     * @param str the default realm name, may be {@code null}
     * @return the resolved realm name, possibly {@code null} or empty when nothing is configured
     *         and no default was given
     */
    private String findRealmName(String str) {
        String resolved = this.webBundleDescriptor.getApplication().getRealm();
        LoginConfiguration loginConfiguration = this.webBundleDescriptor.getLoginConfiguration();
        if (resolved == null && loginConfiguration != null) {
            resolved = loginConfiguration.getRealmName();
        }
        boolean useDefault = str != null && Utility.isEmpty(resolved);
        return useDefault ? str : resolved;
    }

    /**
     * Rebuilds the map from servlet canonical name to run-as principal name.
     *
     * <p>Components without a run-as identity are skipped. A run-as element whose principal or
     * servlet name is null is ignored with a warning.
     */
    private void collectRunAsPrincipals() {
        this.runAsPrincipals = new HashMap<>();
        for (WebComponentDescriptor component : this.webBundleDescriptor.getWebComponentDescriptors()) {
            RunAsIdentityDescriptor runAs = component.getRunAsIdentity();
            if (runAs == null) {
                continue;
            }
            String principal = runAs.getPrincipal();
            String servletName = component.getCanonicalName();
            if (Utility.isAnyNull(new Object[]{principal, servletName})) {
                _logger.warning("WEB8080: Null run-as principal or servlet, ignoring run-as element.");
                continue;
            }
            this.runAsPrincipals.put(servletName, principal);
            _logger.fine(() -> "Servlet " + servletName + " will run-as: " + principal);
        }
    }

    /**
     * Returns the constraint array the container should use for this context.
     *
     * <p>The shared {@code emptyConstraints} array is returned when no web security manager is
     * available, when the manager reports constrained resources, or when the security extension is
     * enabled for the context. {@code null} is returned only when a manager exists, it reports no
     * constrained resources, and the extension is not enabled.
     *
     * @param context the web context; its servlet context also initializes the helper on demand
     * @return {@code emptyConstraints} or {@code null} as described above
     */
    private SecurityConstraint[] findSecurityConstraints(Context context) {
        if (this.helper == null) {
            initConfigHelper(context.getServletContext());
        }
        WebSecurityManager manager = getWebSecurityManager(false);
        if (manager == null) {
            return emptyConstraints;
        }
        if (!manager.hasNoConstrainedResources()) {
            return emptyConstraints;
        }
        if (isSecurityExtensionEnabled(context.getServletContext())) {
            return emptyConstraints;
        }
        return null;
    }

    /**
     * Tells whether the request already carries a user principal.
     *
     * @param httpRequest the current request; it is cast to {@code HttpServletRequest}
     * @return {@code true} if {@code getUserPrincipal()} is not {@code null}
     */
    private boolean isRequestAuthenticated(HttpRequest httpRequest) {
        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        return servletRequest.getUserPrincipal() != null;
    }

    /**
     * Tells whether a Jakarta Authentication server configuration is available.
     *
     * @return {@code true} if the helper exists and returns a non-null server auth config
     * @throws IOException wrapping any exception raised while asking the helper
     */
    private boolean isJakartaAuthenticationEnabled() throws IOException {
        try {
            return this.helper != null && this.helper.getServerAuthConfig() != null;
        } catch (Exception cause) {
            throw new IOException(cause);
        }
    }

    /**
     * Builds a subject for a client certificate chain.
     *
     * <p>Two public credentials are added: the subject X.500 principal of the first certificate,
     * and the whole chain as a list. The chain is not validated here, and an empty array fails on
     * the index access, so callers are expected to pass a non-empty chain.
     *
     * @param x509CertificateArr the certificate chain; element 0 is read
     * @return the populated subject
     */
    private Subject generateX500Subject(X509Certificate[] x509CertificateArr) {
        Subject subject = new Subject();
        Set<Object> publicCredentials = subject.getPublicCredentials();
        publicCredentials.add(x509CertificateArr[0].getSubjectX500Principal());
        publicCredentials.add(Arrays.asList(x509CertificateArr));
        return subject;
    }

    /**
     * Builds digest credentials from the request's digest parameters.
     *
     * <p>The parameters are generated, checked by {@code validateDigestParameters} (which includes
     * the nonce-count replay check), and combined with the realm name and the user name of the
     * {@code A1} key. Any exception along the way, including a replay rejection, is logged at
     * WARNING and turned into a {@code null} result, so callers must treat {@code null} as a failed
     * login.
     *
     * @param httpServletRequest the request carrying the digest authorization data
     * @return the credentials, or {@code null} if they could not be built or were rejected
     */
    private DigestCredentials generateDigestCredentials(HttpServletRequest httpServletRequest) {
        try {
            DigestAlgorithmParameter[] parameters = generateDigestParameters(httpServletRequest);
            validateDigestParameters(parameters);
            Key digestKey = findDigestKey(parameters);
            return new DigestCredentials(this.realmName, digestKey.getUsername(), parameters);
        } catch (Exception failure) {
            _logger.log(Level.WARNING, "WEB9102: Web Login Failed", (Throwable) failure);
            return null;
        }
    }

    /**
     * Extracts the digest algorithm parameters from the request using the {@code HttpDigest}
     * parameter generator.
     *
     * @param httpServletRequest the request carrying the digest authorization data
     * @return the generated parameters
     * @throws InvalidAlgorithmParameterException if the generator rejects the request data
     */
    private DigestAlgorithmParameter[] generateDigestParameters(HttpServletRequest httpServletRequest) throws InvalidAlgorithmParameterException {
        DigestParameterGenerator generator = DigestParameterGenerator.getInstance("HttpDigest");
        HttpAlgorithmParameterImpl requestParameters = new HttpAlgorithmParameterImpl(httpServletRequest);
        return generator.generateParameters(requestParameters);
    }

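    /**
     * Applies nonce-count replay protection to a set of digest parameters.
     *
     * <p>The client nonce ({@code cnonce}) and nonce count ({@code nc}) are read from the
     * parameters, including nested ones. The request is rejected when the count is not strictly
     * greater than the count last recorded for that client nonce; otherwise the new count and a
     * timestamp are recorded.
     *
     * <p>Changes from the previous shape:
     * <ul>
     *   <li>The lookup, the comparison and the update now happen inside one {@code synchronized}
     *       block. Before, they ran under two separate blocks, so two concurrent requests with the
     *       same {@code cnonce} and {@code nc} could both pass the check.</li>
     *   <li>A missing {@code cnonce} or {@code nc} is rejected up front instead of reaching the
     *       cache with a {@code null} key.</li>
     * </ul>
     *
     * @param digestAlgorithmParameterArr the digest parameters of the current request
     * @throws RuntimeException if {@code cnonce} or {@code nc} is missing, if {@code nc} is not
     *         hexadecimal, or if the nonce count indicates a replay
     */
    private void validateDigestParameters(DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        // NOTE(review): this unsynchronized null check is only safe if the cnonces field is
        // volatile; its declaration is outside this view.
        if (this.cnonces == null) {
            String appName = this.webBundleDescriptor.getApplication().getAppName();
            synchronized (this) {
                if (this.haCNonceCacheMap == null) {
                    this.haCNonceCacheMap = (AppCNonceCacheMap) this.appCNonceCacheMapProvider.get();
                }
                if (this.haCNonceCacheMap != null) {
                    this.cnonces = (CNonceCache) this.haCNonceCacheMap.get(appName);
                }
                if (this.cnonces == null) {
                    if (this.cNonceCacheFactory == null) {
                        this.cNonceCacheFactory = (CNonceCacheFactory) this.cNonceCacheFactoryProvider.get();
                    }
                    this.cnonces = this.cNonceCacheFactory.createCNonceCache(this.webBundleDescriptor.getApplication().getAppName(), (String) null, (String) null, (String) null);
                }
            }
        }

        String cnonce = null;
        String nonceCount = null;
        // NOTE(review): new String(byte[]) decodes with the platform charset; an explicit charset
        // would be more predictable but needs an import that is outside this view.
        for (DigestAlgorithmParameter parameter : digestAlgorithmParameterArr) {
            if (parameter instanceof NestedDigestAlgoParamImpl) {
                for (DigestAlgorithmParameter nested : ((NestedDigestAlgoParamImpl) parameter).getNestedParams()) {
                    if ("cnonce".equals(nested.getName())) {
                        cnonce = new String(nested.getValue());
                    } else if ("nc".equals(nested.getName())) {
                        nonceCount = new String(nested.getValue());
                    }
                    if (cnonce != null && nonceCount != null) {
                        break;
                    }
                }
                if (cnonce != null && nonceCount != null) {
                    break;
                }
            }
            if ("cnonce".equals(parameter.getName())) {
                cnonce = new String(parameter.getValue());
            } else if ("nc".equals(parameter.getName())) {
                nonceCount = new String(parameter.getValue());
            }
        }

        // Fail closed: without both values the replay check cannot be performed.
        if (cnonce == null || nonceCount == null) {
            throw new RuntimeException("Invalid Request : cnonce or nc missing from digest parameters");
        }

        long currentTimeMillis = System.currentTimeMillis();
        long count = getCount(nonceCount);

        // Check and update must be one atomic step with respect to other requests.
        synchronized (this.cnonces) {
            NonceInfo nonceInfo = (NonceInfo) this.cnonces.get(cnonce);
            if (nonceInfo == null) {
                nonceInfo = new NonceInfo();
            } else if (count <= nonceInfo.getCount()) {
                throw new RuntimeException("Invalid Request : Possible Replay Attack detected ?");
            }
            nonceInfo.setCount(count);
            nonceInfo.setTimestamp(currentTimeMillis);
            this.cnonces.put(cnonce, nonceInfo);
        }
    }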

    /**
     * Parses a nonce count given as a hexadecimal string.
     *
     * @param str the hexadecimal nonce count from the digest parameters
     * @return the parsed value
     * @throws RuntimeException wrapping the {@code NumberFormatException} when the input is
     *         {@code null} or not valid hexadecimal
     */
    private long getCount(String str) {
        final long parsed;
        try {
            parsed = Long.parseLong(str, 16);
        } catch (NumberFormatException invalidHex) {
            throw new RuntimeException(invalidHex);
        }
        return parsed;
    }

    /**
     * Finds the digest key among the parameters: the first one named {@code A1} that is also a
     * {@link Key}.
     *
     * @param digestAlgorithmParameterArr the digest parameters of the current request
     * @return the matching key
     * @throws RuntimeException if no parameter matches
     */
    private Key findDigestKey(DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        for (DigestAlgorithmParameter candidate : digestAlgorithmParameterArr) {
            boolean namedA1 = "A1".equals(candidate.getName());
            if (!namedA1 || !(candidate instanceof Key)) {
                continue;
            }
            return (Key) candidate;
        }
        throw new RuntimeException("No key found in parameters");
    }
}
