package com.ibm.ws.ejbcontainer.security.internal;

import com.ibm.ejs.container.BeanMetaData;
import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.audit.AuditAuthResult;
import com.ibm.websphere.security.audit.AuditAuthenticationResult;
import com.ibm.websphere.security.audit.context.AuditManager;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.container.service.metadata.ComponentMetaDataListener;
import com.ibm.ws.container.service.metadata.MetaDataEvent;
import com.ibm.ws.ejbcontainer.EJBComponentMetaData;
import com.ibm.ws.ejbcontainer.EJBMethodInterface;
import com.ibm.ws.ejbcontainer.EJBMethodMetaData;
import com.ibm.ws.ejbcontainer.EJBRequestData;
import com.ibm.ws.ejbcontainer.EJBSecurityCollaborator;
import com.ibm.ws.ejbcontainer.security.internal.jacc.EJBJaccAuthorizationHelper;
import com.ibm.ws.ejbcontainer.security.internal.jacc.JaccUtil;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.runtime.metadata.ComponentMetaData;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.audit.Audit;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authentication.principals.WSIdentity;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authorization.AuthorizationService;
import com.ibm.ws.security.authorization.jacc.JaccService;
import com.ibm.ws.security.collaborator.CollaboratorUtils;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.credentials.CredentialsService;
import com.ibm.ws.security.ready.SecurityReadyService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.AccessController;
import java.security.Identity;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Reference;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/ejbcontainer/security/internal/EJBSecurityCollaboratorImpl.class */
public class EJBSecurityCollaboratorImpl implements EJBSecurityCollaborator<SecurityCookieImpl>, EJBAuthorizationHelper, ComponentMetaDataListener {
    // Names passed to the AtomicServiceReference holders created in the constructor.
    protected static final String KEY_SECURITY_SERVICE = "securityService";
    protected static final String KEY_CREDENTIAL_SERVICE = "credentialsService";
    protected static final String KEY_UNAUTHENTICATED_SUBJECT_SERVICE = "unauthenticatedSubjectService";
    protected static final String KEY_JACC_SERVICE = "jaccService";
    // Not referenced anywhere else in this class as listed.
    protected static final String KEY_SECURITY_READY_SERVICE = "securityReadyService";
    // Assigned by setSecurityReadyService(); consulted by waitForSecurity() before authorization and delegation.
    private SecurityReadyService securityReadyService;
    // Source of the AuthorizationService / AuthenticationService used for role checks and run-as delegation.
    protected final AtomicServiceReference<SecurityService> securityServiceRef;
    // Used to test whether a Subject's credentials are still valid (isSubjectValid).
    private final AtomicServiceReference<CredentialsService> credServiceRef;
    // Supplies the Subject installed when no invocation/caller Subject is present or credentials are invalid.
    private final AtomicServiceReference<UnauthenticatedSubjectService> unauthenticatedSubjectServiceRef;
    // While bound, authorization is routed through EJBJaccAuthorizationHelper (see setJaccService).
    private final AtomicServiceReference<JaccService> jaccService;
    protected SubjectManager subjectManager;
    protected CollaboratorUtils collabUtils;
    // Only the no-arg constructor assigns this; it stays null when the SubjectManager constructor is used directly,
    // which is why the audit code null-checks it.
    protected AuditManager auditManager;
    // Replaced wholesale by activate() and modified(); volatile so request threads see the new configuration.
    protected volatile EJBSecurityConfig ejbSecConfig;
    // Active authorization strategy: this instance by default, a JACC helper while a JaccService is bound.
    // NOTE(review): not volatile although it is swapped by bind/unbind callbacks and read during requests — confirm visibility is guaranteed elsewhere.
    private EJBAuthorizationHelper eah;
    // Set to true once waitForSecurity() has run to completion, whether or not security actually became ready.
    // NOTE(review): plain boolean accessed without synchronization — presumably a benign race, confirm.
    private boolean waitedForSecurity;
    // System property giving the number of seconds to wait for the security service.
    private static final String securityWaitTimeProperty = "io.openliberty.ejb.security.startWaitTime";
    static final long serialVersionUID = -9067604978231086760L;
    private static final TraceComponent tc = Tr.register(EJBSecurityCollaboratorImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    // Seconds to wait for the security service, read once at class initialization from the
    // system property named by securityWaitTimeProperty (default 0). The read happens inside
    // doPrivileged so it runs with this class's own permissions.
    // NOTE(review): the value is not range-checked here; whatever integer the property holds is later
    // passed unchanged to awaitSecurityReady().
    private static final int securityWaitTime = ((Integer) AccessController.doPrivileged(new PrivilegedAction<Integer>() { // from class: com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl.1
        static final long serialVersionUID = -4503072851769399037L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl$1", AnonymousClass1.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

        /* JADX WARN: Can't rename method to resolve collision */
        /** Returns the configured wait time in seconds, tracing the value when debug trace is enabled. */
        @Override // java.security.PrivilegedAction
        public Integer run() {
            // Integer.getInteger falls back to the supplied default (0) when the property is unset or not a number.
            int intValue = Integer.getInteger(EJBSecurityCollaboratorImpl.securityWaitTimeProperty, 0).intValue();
            if (TraceComponent.isAnyTracingEnabled() && EJBSecurityCollaboratorImpl.tc.isDebugEnabled()) {
                Tr.debug(EJBSecurityCollaboratorImpl.tc, "EJBSecurityCollaborator securityWaitTime set to " + intValue + " seconds", new Object[0]);
            }
            return Integer.valueOf(intValue);
        }
    })).intValue();

    /**
     * Creates a collaborator backed by a fresh {@link SubjectManager} and a fresh
     * {@link AuditManager}. This is the only constructor that assigns {@code auditManager}.
     */
    public EJBSecurityCollaboratorImpl() {
        this(new SubjectManager());
        auditManager = new AuditManager();
    }

    /**
     * Creates a collaborator that uses the supplied {@link SubjectManager}.
     * The instance starts with no configuration, itself as the authorization helper,
     * and {@code auditManager} left unassigned (null).
     *
     * @param subjectManager manager used to read and set the invocation and caller subjects
     */
    public EJBSecurityCollaboratorImpl(SubjectManager subjectManager) {
        // Subject handling.
        this.subjectManager = subjectManager;
        collabUtils = new CollaboratorUtils(subjectManager);

        // Service reference holders, keyed by the reference names declared on this class.
        securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
        credServiceRef = new AtomicServiceReference<>(KEY_CREDENTIAL_SERVICE);
        unauthenticatedSubjectServiceRef = new AtomicServiceReference<>(KEY_UNAUTHENTICATED_SUBJECT_SERVICE);
        jaccService = new AtomicServiceReference<>(KEY_JACC_SERVICE);

        // Initial state: no config yet, built-in authorization, security wait not yet performed.
        ejbSecConfig = null;
        eah = this;
        waitedForSecurity = false;
    }

    /**
     * Records the bound {@link CredentialsService} reference.
     *
     * @param serviceReference reference handed in by the service framework
     */
    protected void setCredentialService(ServiceReference<CredentialsService> serviceReference) {
        credServiceRef.setReference(serviceReference);
    }

    /**
     * Releases the {@link CredentialsService} reference.
     * Once released, the credential-validity checks in this class find no service and are skipped.
     *
     * @param serviceReference reference being withdrawn
     */
    protected void unsetCredentialService(ServiceReference<CredentialsService> serviceReference) {
        credServiceRef.unsetReference(serviceReference);
    }

    /**
     * Records the bound {@link SecurityService} reference.
     *
     * @param serviceReference reference handed in by the service framework
     */
    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.setReference(serviceReference);
    }

    /**
     * Releases the {@link SecurityService} reference.
     *
     * @param serviceReference reference being withdrawn
     */
    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * Stores the {@link SecurityReadyService} that {@code waitForSecurity()} polls and waits on.
     *
     * @param securityReadyService the service instance injected through the {@code @Reference} binding
     */
    @Reference
    protected void setSecurityReadyService(SecurityReadyService securityReadyService) {
        this.securityReadyService = securityReadyService;
    }

    /**
     * Unbind callback for {@link SecurityReadyService}; it has no body.
     *
     * @param securityReadyService the service instance being withdrawn
     */
    protected void unsetSecurityReadyService(SecurityReadyService securityReadyService) {
        // NOTE(review): the securityReadyService field is not cleared here, so the last bound
        // instance stays referenced after unbind — confirm that is intended.
    }

    /**
     * Records the bound {@link UnauthenticatedSubjectService} reference.
     *
     * @param serviceReference reference handed in by the service framework
     */
    protected void setUnauthenticatedSubjectService(ServiceReference<UnauthenticatedSubjectService> serviceReference) {
        unauthenticatedSubjectServiceRef.setReference(serviceReference);
    }

    /**
     * Releases the {@link UnauthenticatedSubjectService} reference.
     *
     * @param serviceReference reference being withdrawn
     */
    protected void unsetUnauthenticatedSubjectService(ServiceReference<UnauthenticatedSubjectService> serviceReference) {
        unauthenticatedSubjectServiceRef.unsetReference(serviceReference);
    }

    /**
     * Records the bound {@link JaccService} reference and switches authorization over to a
     * new {@link EJBJaccAuthorizationHelper} built on that reference.
     * From this point on, {@code authorizeEJB} and {@code isCallerInRole} decisions are made by the JACC helper
     * rather than by this class.
     *
     * @param serviceReference reference handed in by the service framework
     */
    protected void setJaccService(ServiceReference<JaccService> serviceReference) {
        jaccService.setReference(serviceReference);
        eah = new EJBJaccAuthorizationHelper(jaccService);
    }

    /**
     * Releases the {@link JaccService} reference and reverts authorization to this class's own
     * role-based implementation.
     *
     * @param serviceReference reference being withdrawn
     */
    protected void unsetJaccService(ServiceReference<JaccService> serviceReference) {
        jaccService.unsetReference(serviceReference);
        eah = this;
    }

    /**
     * Activates every service reference holder against the component context and builds the
     * initial EJB security configuration from the supplied properties.
     *
     * @param componentContext context used to resolve the service references
     * @param map              configuration properties for {@link EJBSecurityConfigImpl}
     */
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        securityServiceRef.activate(componentContext);
        credServiceRef.activate(componentContext);
        unauthenticatedSubjectServiceRef.activate(componentContext);
        jaccService.activate(componentContext);

        ejbSecConfig = new EJBSecurityConfigImpl(map);
    }

    /**
     * Replaces the EJB security configuration with one built from the new properties and
     * emits an audit-level message listing what changed relative to the previous configuration.
     *
     * @param map updated configuration properties
     */
    protected void modified(Map<String, Object> map) {
        EJBSecurityConfigImpl updatedConfig = new EJBSecurityConfigImpl(map);
        // Compute the delta against the outgoing configuration before it is swapped out.
        String delta = updatedConfig.getChangedProperties(ejbSecConfig);
        ejbSecConfig = updatedConfig;
        Tr.audit(tc, "EJB_SECURITY_CONFIGURATION_UPDATED", new Object[]{delta});
    }

    /**
     * Deactivates every service reference holder against the component context.
     *
     * @param componentContext context the references were activated with
     */
    protected void deactivate(ComponentContext componentContext) {
        securityServiceRef.deactivate(componentContext);
        credServiceRef.deactivate(componentContext);
        unauthenticatedSubjectServiceRef.deactivate(componentContext);
        jaccService.deactivate(componentContext);
    }

    /* renamed from: preInvoke, reason: merged with bridge method [inline-methods] */
    /**
     * Security pre-invocation step for an EJB method: picks the effective Subject, authorizes the
     * call, applies run-as delegation and returns a cookie holding the Subjects involved.
     *
     * <p>Order matters here: expired-credential handling and the unauthenticated fallback run before
     * authorization, and delegation runs only after authorization has passed.
     *
     * @param eJBRequestData the request being dispatched; supplies the method metadata
     * @return a cookie built from the pre-adjustment subjects, the invocation subject in effect
     *         after delegation, and the subject that was authorized
     * @throws EJBAccessDeniedException when the authorization helper or the delegation step rejects the call
     */
    public SecurityCookieImpl m2preInvoke(EJBRequestData eJBRequestData) throws EJBAccessDeniedException {
        Subject invocationSubject = this.subjectManager.getInvocationSubject();
        Subject callerSubject = this.subjectManager.getCallerSubject();
        EJBMethodMetaData eJBMethodMetaData = eJBRequestData.getEJBMethodMetaData();
        // When configured, a Subject whose credentials fail the validity check is treated as absent (null).
        if (this.ejbSecConfig.getUseUnauthenticatedForExpiredCredentials()) {
            invocationSubject = setNullSubjectWhenExpired(invocationSubject);
            callerSubject = setNullSubjectWhenExpired(callerSubject);
        }
        // Snapshot taken before the unauthenticated fallback and before delegation; these go into the cookie.
        Subject subject = invocationSubject;
        Subject subject2 = callerSubject;
        // If neither Subject is available, the unauthenticated Subject is installed as the invocation
        // Subject and both values are re-read from the SubjectManager.
        if (setUnauthenticatedSubjectIfNeeded(invocationSubject, callerSubject)) {
            invocationSubject = this.subjectManager.getInvocationSubject();
            callerSubject = this.subjectManager.getCallerSubject();
        }
        // The invocation Subject takes precedence; the caller Subject is used only when it is absent.
        Subject subject3 = invocationSubject == null ? callerSubject : invocationSubject;
        // Lifecycle-interceptor and timer method interfaces bypass the authorization check entirely.
        if (!isInternalUnprotectedMethod(eJBMethodMetaData)) {
            this.eah.authorizeEJB(eJBRequestData, subject3);
        }
        // May replace the invocation Subject with a run-as Subject; throws for an unsupported run-as mode.
        performDelegation(eJBMethodMetaData, subject3);
        this.subjectManager.setCallerSubject(subject3);
        return new SecurityCookieImpl(subject, subject2, this.subjectManager.getInvocationSubject(), subject3);
    }

    /**
     * Security post-invocation step: clears JACC policy-context handler data and, when the thread's
     * Subjects are still the ones recorded in the cookie, puts back the Subjects that were in effect
     * before the call.
     *
     * <p>If either current Subject is non-null and differs from the adjusted Subject in the cookie,
     * nothing is restored and the current Subjects stay on the thread; that case is visible only in
     * debug trace.
     *
     * @param eJBRequestData     the request that was dispatched (not used here)
     * @param securityCookieImpl cookie returned by the pre-invocation step; {@code null} makes this a no-op
     * @throws EJBAccessDeniedException declared by the interface; not thrown by this body
     */
    public void postInvoke(EJBRequestData eJBRequestData, SecurityCookieImpl securityCookieImpl) throws EJBAccessDeniedException {
        if (securityCookieImpl == null) {
            return;
        }

        JaccService jacc = (JaccService) this.jaccService.getService();
        if (jacc != null) {
            jacc.resetPolicyContextHandlerInfo();
        }

        Subject currentInvocation = subjectManager.getInvocationSubject();
        Subject currentCaller = subjectManager.getCallerSubject();

        boolean invocationReplaced = currentInvocation != null
                && !currentInvocation.equals(securityCookieImpl.getAdjustedInvokedSubject());
        if (invocationReplaced
                || (currentCaller != null && !currentCaller.equals(securityCookieImpl.getAdjustedReceivedSubject()))) {
            // Something swapped a Subject during the call: leave the thread state as it is now.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Subjects have been changed, preserving the current Subjects.", new Object[0]);
            }
            return;
        }

        // Unchanged since pre-invocation: restore the Subjects captured before the call.
        Subject originalInvocation = securityCookieImpl.getInvokedSubject();
        subjectManager.setCallerSubject(securityCookieImpl.getReceivedSubject());
        subjectManager.setInvocationSubject(originalInvocation);
    }

    /**
     * Callback for updated method arguments; this implementation does nothing.
     *
     * @param eJBRequestData     the request whose arguments changed
     * @param securityCookieImpl cookie returned by the pre-invocation step
     * @throws Exception declared by the signature; not thrown by this empty body
     */
    public void argumentsUpdated(EJBRequestData eJBRequestData, SecurityCookieImpl securityCookieImpl) throws Exception {
    }

    /**
     * Returns the caller as a {@link java.security.Identity}, built from the name of the caller principal.
     *
     * @param eJBComponentMetaData component metadata, forwarded to {@code getCallerPrincipal}
     * @param eJBRequestData       request data, forwarded to {@code getCallerPrincipal}
     * @param securityCookieImpl   security cookie, forwarded to {@code getCallerPrincipal}
     * @return a {@link WSIdentity} carrying the caller principal's name, or {@code null} when there is no caller principal
     */
    public Identity getCallerIdentity(EJBComponentMetaData eJBComponentMetaData, EJBRequestData eJBRequestData, SecurityCookieImpl securityCookieImpl) {
        Principal caller = getCallerPrincipal(eJBComponentMetaData, eJBRequestData, securityCookieImpl);
        return caller == null ? null : new WSIdentity(caller.getName());
    }

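    /**
     * Returns the caller principal, realm-qualified when the configuration asks for it.
     *
     * <p>The realm-qualification flag is read once, so the realm lookup and the flag passed to
     * {@code CollaboratorUtils} always agree even if the configuration is replaced while this
     * method runs.
     *
     * @param eJBComponentMetaData component metadata (not used here)
     * @param eJBRequestData       request data (not used here)
     * @param securityCookieImpl   security cookie (not used here)
     * @return whatever {@code CollaboratorUtils.getCallerPrincipal} returns for the current caller
     */
    public Principal getCallerPrincipal(EJBComponentMetaData eJBComponentMetaData, EJBRequestData eJBRequestData, SecurityCookieImpl securityCookieImpl) {
        // ejbSecConfig is volatile and can be swapped by modified(); take a single snapshot of the flag.
        boolean realmQualified = this.ejbSecConfig.getUseRealmQualifiedUserNames();
        // The registry realm is only looked up when realm-qualified names are requested.
        String realm = realmQualified ? this.collabUtils.getUserRegistryRealm(this.securityServiceRef) : null;
        return this.collabUtils.getCallerPrincipal(realmQualified, realm, false, false);
    }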

    /**
     * Container-facing role check: resolves the Subject to test and hands the decision to the active
     * authorization helper.
     *
     * <p>When the configuration enables the unauthenticated fallback for expired credentials and the
     * caller Subject fails the validity check, the unauthenticated Subject is tested instead.
     *
     * @param eJBComponentMetaData component metadata, forwarded to the helper
     * @param eJBRequestData       request data; {@code null} yields {@code false}
     * @param securityCookieImpl   security cookie (not used here)
     * @param str                  role name, forwarded to the helper
     * @param str2                 second role argument, forwarded to the helper
     * @return {@code false} when there is no request data, otherwise the helper's answer
     */
    public boolean isCallerInRole(EJBComponentMetaData eJBComponentMetaData, EJBRequestData eJBRequestData, SecurityCookieImpl securityCookieImpl, String str, String str2) {
        if (eJBRequestData == null) {
            return false;
        }

        Subject subjectToCheck = subjectManager.getCallerSubject();
        if (ejbSecConfig.getUseUnauthenticatedForExpiredCredentials()) {
            CredentialsService credentials = (CredentialsService) credServiceRef.getService();
            if (credentials != null && !credentials.isSubjectValid(subjectToCheck)) {
                // NOTE(review): the unauthenticated-subject service is dereferenced without a null check.
                subjectToCheck = ((UnauthenticatedSubjectService) unauthenticatedSubjectServiceRef.getService()).getUnauthenticatedSubject();
            }
        }
        return eah.isCallerInRole(eJBComponentMetaData, eJBRequestData, str, str2, subjectToCheck);
    }

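    /**
     * Built-in (non-JACC) role check: asks the {@link AuthorizationService} whether the Subject holds
     * the given role for the application that owns the EJB method.
     *
     * <p>If no authorization service is available the answer is {@code false} and an error is logged.
     * The user name for that log entry is looked up defensively, so a Subject that is null or carries
     * no {@link WSPrincipal} still produces the deny result instead of an exception from the logging path.
     *
     * @param eJBComponentMetaData component metadata (not used here)
     * @param eJBRequestData       request data; supplies the method metadata used to find the application name
     * @param str                  role name used when {@code str2} is {@code null}
     * @param str2                 role name that takes precedence over {@code str} when non-null
     * @param subject              the Subject to test
     * @return {@code true} only when the authorization service reports the Subject as authorized for the role
     */
    @Override // com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper
    public boolean isCallerInRole(EJBComponentMetaData eJBComponentMetaData, EJBRequestData eJBRequestData, String str, String str2, Subject subject) {
        String roleName = str2 == null ? str : str2;
        String applicationName = getApplicationName(eJBRequestData.getEJBMethodMetaData());
        waitForSecurity();
        // NOTE(review): the SecurityService itself is dereferenced without a null check — confirm it is always bound here.
        AuthorizationService authorizationService = ((SecurityService) this.securityServiceRef.getService()).getAuthorizationService();
        if (authorizationService == null) {
            // Fail closed. Resolve the name for the message without assuming a WSPrincipal is present.
            String userName = null;
            if (subject != null) {
                Iterator<WSPrincipal> principals = subject.getPrincipals(WSPrincipal.class).iterator();
                if (principals.hasNext()) {
                    userName = principals.next().getName();
                }
            }
            Tr.error(tc, "EJB_AUTHZ_SERVICE_NOTFOUND", new Object[]{userName, "isCallerInRole", applicationName});
            return false;
        }
        ArrayList<String> roles = new ArrayList<>();
        roles.add(roleName);
        return authorizationService.isAuthorized(applicationName, roles, subject);
    }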

    /**
     * Maps a Subject that fails the credential-validity check to {@code null}.
     *
     * @param subject the Subject to examine; may be {@code null}
     * @return {@code null} when a {@link CredentialsService} is available and reports the Subject as
     *         not valid; otherwise the Subject unchanged (including when no service is available)
     */
    private Subject setNullSubjectWhenExpired(Subject subject) {
        if (subject == null) {
            return null;
        }
        CredentialsService credentials = (CredentialsService) this.credServiceRef.getService();
        if (credentials == null) {
            // No service to ask: the Subject is passed through without a validity check.
            return subject;
        }
        return credentials.isSubjectValid(subject) ? subject : null;
    }

    /**
     * Tells whether the method belongs to an interface type that the pre-invocation step does not authorize.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return {@code true} for the LIFECYCLE_INTERCEPTOR and TIMER method interfaces, {@code false} otherwise
     */
    private boolean isInternalUnprotectedMethod(EJBMethodMetaData eJBMethodMetaData) {
        EJBMethodInterface methodInterface = eJBMethodMetaData.getEJBMethodInterface();
        if (EJBMethodInterface.LIFECYCLE_INTERCEPTOR.value() == methodInterface.value()) {
            return true;
        }
        return EJBMethodInterface.TIMER.value() == methodInterface.value();
    }

    /**
     * Copies the identifying details of an EJB request into the map attached to authorization audit events.
     *
     * <p>NOTE(review): the raw method argument array is stored under {@code "methodParameters"}. If the
     * audited method takes secrets (passwords, tokens) as arguments they reach the audit pipeline as-is
     * unless something downstream masks them — confirm how the audit handler treats this entry.
     *
     * @param eJBRequestData request supplying the method metadata and arguments
     * @param map            destination map; the seven keys written here overwrite existing entries
     */
    public void populateAuditEJBHashMap(EJBRequestData eJBRequestData, Map<String, Object> map) {
        EJBMethodMetaData methodMetaData = eJBRequestData.getEJBMethodMetaData();
        Object[] arguments = eJBRequestData.getMethodArguments();

        // Gather every value first so the map is only touched once all lookups have succeeded.
        String appName = methodMetaData.getEJBComponentMetaData().getJ2EEName().getApplication();
        String moduleName = methodMetaData.getEJBComponentMetaData().getJ2EEName().getModule();
        String invokedMethod = methodMetaData.getMethodName();
        String interfaceName = methodMetaData.getEJBMethodInterface().specName();
        String signature = methodMetaData.getMethodSignature();
        String beanName = methodMetaData.getEJBComponentMetaData().getJ2EEName().getComponent();

        map.put("applicationName", appName);
        map.put("moduleName", moduleName);
        map.put("methodName", invokedMethod);
        map.put("methodInterface", interfaceName);
        map.put("methodSignature", signature);
        map.put("beanName", beanName);
        map.put("methodParameters", arguments);
    }

    /**
     * Built-in (non-JACC) authorization of an EJB method call, with one SECURITY_AUTHZ_04 audit
     * event emitted on every outcome.
     *
     * <p>Decision order: deny-all is rejected first, permit-all is accepted next, a method with no
     * required roles is accepted, and only then is the {@link AuthorizationService} asked whether the
     * Subject holds one of the required roles. A missing authorization service is treated as a denial.
     *
     * @param eJBRequestData request supplying the method metadata and the data recorded in the audit event
     * @param subject        the Subject being authorized
     * @throws EJBAccessDeniedException when the method is deny-all, when no authorization service is
     *                                  available, or when the Subject is not in any required role
     */
    @Override // com.ibm.ws.ejbcontainer.security.internal.EJBAuthorizationHelper
    public void authorizeEJB(EJBRequestData eJBRequestData, Subject subject) throws EJBAccessDeniedException {
        EJBMethodMetaData eJBMethodMetaData = eJBRequestData.getEJBMethodMetaData();
        // No guard here: a null Subject raises NullPointerException and a Subject without a WSPrincipal
        // raises NoSuchElementException. Either one stops the call, but not as an EJBAccessDeniedException
        // and without an audit event.
        String name = ((WSPrincipal) subject.getPrincipals(WSPrincipal.class).iterator().next()).getName();
        String applicationName = getApplicationName(eJBMethodMetaData);
        String methodName = eJBMethodMetaData.getMethodName();
        // auditManager is null unless the no-arg constructor was used, hence the three null checks.
        Object httpServletRequest = this.auditManager != null ? this.auditManager.getHttpServletRequest() : null;
        Object webRequest = this.auditManager != null ? this.auditManager.getWebRequest() : null;
        String realm = this.auditManager != null ? this.auditManager.getRealm() : null;
        HashMap hashMap = new HashMap();
        populateAuditEJBHashMap(eJBRequestData, hashMap);
        Collection<String> requiredRoles = getRequiredRoles(eJBMethodMetaData);
        // NOTE(review): every AuditAuthenticationResult below is built with the literal "BASIC" —
        // presumably the authentication type; confirm it is meant to be constant regardless of how the caller logged in.
        if (eJBMethodMetaData.isDenyAll()) {
            hashMap.put("reason.reasonType", "EJB Deny All");
            Tr.audit(tc, "EJB_AUTHZ_EXCLUDED", new Object[]{name, methodName, applicationName});
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.FAILURE, name, "BASIC", (String) null, "failure"), hashMap, httpServletRequest, webRequest, realm, subject, requiredRoles, Integer.valueOf("403")});
            throw new EJBAccessDeniedException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "EJB_AUTHZ_EXCLUDED", new Object[]{name, methodName, applicationName}, "CWWKS9402A: Authorization failed for user {0} while invoking {1} on {2} because the method is explicitly excluded."));
        }
        if (eJBMethodMetaData.isPermitAll()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Authorization granted for " + methodName + " on " + applicationName + " because permitAll is set.", new Object[0]);
            }
            hashMap.put("reason.reasonType", "EJB Permit All");
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.SUCCESS, name, "BASIC", (String) null, "success"), hashMap, httpServletRequest, webRequest, realm, subject, requiredRoles, Integer.valueOf("200")});
            return;
        }
        // A method with no role list is open to every caller, including the unauthenticated Subject.
        if (requiredRoles == null || requiredRoles.isEmpty()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Authorization granted for " + methodName + " on " + applicationName + " because no roles are required.", new Object[0]);
            }
            // NOTE(review): this reason type is spelled "EBJ", unlike the "EJB ..." values used by the other
            // branches; audit queries that filter on an "EJB" prefix will not match it. Left unchanged here
            // because downstream consumers may already key on the existing value.
            hashMap.put("reason.reasonType", "EBJ No Roles");
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.SUCCESS, name, "BASIC", (String) null, "success"), hashMap, httpServletRequest, webRequest, realm, subject, null, Integer.valueOf("200")});
            return;
        }
        waitForSecurity();
        // NOTE(review): the SecurityService is dereferenced without a null check; only the
        // AuthorizationService it returns is checked.
        AuthorizationService authorizationService = ((SecurityService) this.securityServiceRef.getService()).getAuthorizationService();
        if (authorizationService == null) {
            // Fail closed: without an authorization service the call is denied.
            hashMap.put("reason.reasonType", "EJB No Authorization Service Found");
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.FAILURE, name, "BASIC", (String) null, "failure"), hashMap, httpServletRequest, webRequest, realm, subject, requiredRoles, Integer.valueOf("403")});
            Tr.error(tc, "EJB_AUTHZ_SERVICE_NOTFOUND", new Object[]{name, methodName, applicationName});
            throw new EJBAccessDeniedException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "EJB_AUTHZ_SERVICE_NOTFOUND", new Object[]{name, methodName, applicationName}, "CWWKS9403E: The authorization service could not be found. As a result, the user is not authorized."));
        }
        if (authorizationService.isAuthorized(applicationName, requiredRoles, subject)) {
            hashMap.put("reason.reasonType", "EJB");
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.SUCCESS, name, "BASIC", (String) null, "success"), hashMap, httpServletRequest, webRequest, realm, subject, requiredRoles, Integer.valueOf("200")});
        } else {
            hashMap.put("reason.reasonType", "EJB");
            Audit.audit(Audit.EventID.SECURITY_AUTHZ_04, new Object[]{new AuditAuthenticationResult(AuditAuthResult.FAILURE, name, "BASIC", (String) null, "failure"), hashMap, httpServletRequest, webRequest, realm, subject, requiredRoles, Integer.valueOf("403")});
            Tr.audit(tc, "EJB_AUTHZ_FAILED", new Object[]{name, methodName, applicationName, requiredRoles});
            throw new EJBAccessDeniedException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "EJB_AUTHZ_FAILED", new Object[]{name, methodName, applicationName, requiredRoles}, "CWWKS9400A: Authorization failed. The user is not granted access to any of the required roles."));
        }
    }

    /**
     * Returns the roles allowed to call the method, as recorded in its metadata.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return the metadata's allowed-roles collection, passed through unchanged
     */
    protected Collection<String> getRequiredRoles(EJBMethodMetaData eJBMethodMetaData) {
        Collection<String> rolesAllowed = eJBMethodMetaData.getRolesAllowed();
        return rolesAllowed;
    }

    /**
     * Returns the application part of the J2EE name of the component that owns the method.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return the application name
     */
    protected String getApplicationName(EJBMethodMetaData eJBMethodMetaData) {
        EJBComponentMetaData componentMetaData = eJBMethodMetaData.getEJBComponentMetaData();
        return componentMetaData.getJ2EEName().getApplication();
    }

    /**
     * Returns the module part of the J2EE name of the component that owns the method.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return the module name
     */
    protected String getModuleName(EJBMethodMetaData eJBMethodMetaData) {
        EJBComponentMetaData componentMetaData = eJBMethodMetaData.getEJBComponentMetaData();
        return componentMetaData.getJ2EEName().getModule();
    }

    /**
     * Returns the component part of the J2EE name of the component that owns the method.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return the component name
     */
    protected String getComponentName(EJBMethodMetaData eJBMethodMetaData) {
        EJBComponentMetaData componentMetaData = eJBMethodMetaData.getEJBComponentMetaData();
        return componentMetaData.getJ2EEName().getComponent();
    }

    /**
     * Emits a SECURITY_AUTHN_DELEGATION_01 audit event describing a run-as delegation attempt.
     *
     * <p>Nothing is emitted when the audit manager holds no HTTP servlet request (or there is no audit
     * manager) or when the audit service does not require this event for the outcome. Delegation on
     * calls that carry no HTTP request is therefore not recorded by this method.
     *
     * @param subject               Subject whose first WSCredential supplies the realm and the "user:" entry; may be null
     * @param str                   run-as role name, or {@code null} for the unsupported system-identity case
     * @param subject2              Subject produced by delegation, or {@code null} when delegation yielded none
     * @param z                     {@code true} when delegation succeeded
     * @param authenticationService service asked for the invalid-delegation user name when {@code subject2} is null
     */
    private void performDelegationAudit(Subject subject, String str, Subject subject2, boolean z, AuthenticationService authenticationService) {
        int indexOf;
        String substring;
        int indexOf2;
        Iterator it;
        Object httpServletRequest = this.auditManager == null ? null : this.auditManager.getHttpServletRequest();
        String str2 = z ? "success" : "failure";
        // Early exit: no HTTP request available, or this event/outcome is not configured for auditing.
        if (httpServletRequest == null || !Audit.isAuditRequired(Audit.EventID.SECURITY_AUTHN_DELEGATION_01, str2)) {
            return;
        }
        HashMap hashMap = new HashMap();
        hashMap.put("HTTP_SERVLET_REQUEST", httpServletRequest);
        hashMap.put("REASON_TYPE", "EJB");
        ArrayList arrayList = new ArrayList();
        Set publicCredentials = subject == null ? null : subject.getPublicCredentials(WSCredential.class);
        if (publicCredentials != null && (it = publicCredentials.iterator()) != null && it.hasNext()) {
            // Only the first WSCredential is consulted.
            WSCredential wSCredential = (WSCredential) it.next();
            // Expired or destroyed credentials are reported to FFDC and the corresponding field is simply omitted.
            // NOTE(review): the FFDC calls pass the Subject objects as context — check what FFDC writes out for them.
            try {
                hashMap.put("REALM", wSCredential.getRealmName());
            } catch (CredentialExpiredException e) {
                FFDCFilter.processException(e, "com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl", "601", this, new Object[]{subject, str, subject2, Boolean.valueOf(z), authenticationService});
            } catch (CredentialDestroyedException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl", "602", this, new Object[]{subject, str, subject2, Boolean.valueOf(z), authenticationService});
            }
            try {
                arrayList.add("user:" + wSCredential.getRealmSecurityName());
            } catch (CredentialDestroyedException e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl", "608", this, new Object[]{subject, str, subject2, Boolean.valueOf(z), authenticationService});
            } catch (CredentialExpiredException e4) {
                FFDCFilter.processException(e4, "com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl", "606", this, new Object[]{subject, str, subject2, Boolean.valueOf(z), authenticationService});
            }
        }
        if (str == null) {
            // No role name: the caller is reporting the rejected system-identity run-as mode.
            arrayList.add("EJB_RUNAS_SYSTEM");
        } else {
            hashMap.put("RUN_AS_ROLE", str);
            if (subject2 != null) {
                // The delegated user is recovered by searching the Subject's toString() output for "accessId"
                // and taking the text up to the next comma.
                // NOTE(review): this depends on the textual layout of Subject.toString(); if the marker or the
                // trailing comma is missing, no delegated user is added and the event is still emitted.
                String subject3 = subject2.toString();
                if (subject3 != null && (indexOf = subject3.indexOf("accessId")) != -1 && (indexOf2 = (substring = subject3.substring(indexOf + 9)).indexOf(",")) != -1) {
                    arrayList.add(substring.substring(0, indexOf2));
                }
            } else {
                arrayList.add(authenticationService.getInvalidDelegationUser());
            }
        }
        hashMap.put("DELEGATION_USERS_LIST", arrayList);
        Audit.EventID eventID = Audit.EventID.SECURITY_AUTHN_DELEGATION_01;
        Object[] objArr = new Object[3];
        objArr[0] = hashMap;
        objArr[1] = str2;
        // Status code recorded with the event: 200 on success, 401 on failure.
        objArr[2] = z ? 200 : 401;
        Audit.audit(eventID, objArr);
    }

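    /**
     * Applies the method's run-as setting after authorization has passed.
     *
     * <ul>
     * <li>System-identity run-as is rejected with an {@link EJBAccessDeniedException}.</li>
     * <li>Caller-identity run-as returns without touching the invocation Subject.</li>
     * <li>A run-as role is resolved through {@code AuthenticationService.delegate}; the outcome is
     * audited and a non-null result becomes the invocation Subject.</li>
     * <li>With no run-as role, the Subject passed in becomes the invocation Subject when non-null.</li>
     * </ul>
     *
     * <p>The default text of the system-identity error now has a space between "EJB method" and the
     * method name; the previous text ran the two together.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @param subject           the Subject that was authorized for the call
     * @throws EJBAccessDeniedException when the method is configured to run as the system identity
     */
    private void performDelegation(EJBMethodMetaData eJBMethodMetaData, Subject subject) {
        boolean z;
        String applicationName = getApplicationName(eJBMethodMetaData);
        String methodName = eJBMethodMetaData.getMethodName();
        if (eJBMethodMetaData.isUseSystemPrincipal()) {
            Tr.error(tc, "EJB_RUNAS_SYSTEM_NOT_SUPPORTED", new Object[]{methodName, applicationName});
            performDelegationAudit(subject, null, null, false, null);
            throw new EJBAccessDeniedException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "EJB_RUNAS_SYSTEM_NOT_SUPPORTED", new Object[]{methodName, applicationName}, "CWWKS9405E: Authorization failed for EJB method " + methodName + " in the application " + applicationName + ". The run-as-mode of SYSTEM_IDENTITY specified in the ibm-ejb-jar-ext.xml is not supported and must be removed or replaced."));
        }
        if (eJBMethodMetaData.isUseCallerPrincipal()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Returning without delegating because run-as-mode in ibm-ejb-jar-ext for " + methodName + " in " + applicationName + " is set to CALLER_IDENTITY.", new Object[0]);
            }
            return;
        }
        String runAsRole = getRunAsRole(eJBMethodMetaData);
        if (runAsRole != null) {
            waitForSecurity();
            // NOTE(review): neither the SecurityService nor the AuthenticationService is null-checked before use.
            AuthenticationService authenticationService = ((SecurityService) this.securityServiceRef.getService()).getAuthenticationService();
            try {
                subject = authenticationService.delegate(runAsRole, getApplicationName(eJBMethodMetaData));
                z = subject != null;
            } catch (IllegalArgumentException e) {
                FFDCFilter.processException(e, "com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl", "684", this, new Object[]{eJBMethodMetaData, subject});
                // delegate() threw before the assignment, so `subject` is still the authorized caller here and
                // is installed as the invocation Subject below: the call proceeds under the caller's identity.
                // NOTE(review): confirm that continuing as the caller is the intended outcome of a failed run-as.
                z = false;
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception performing delegation.", new Object[]{e});
                }
            }
            // NOTE(review): `subject` was reassigned by delegate() above, so on the success path the audit helper
            // receives the delegated Subject for both its first and third arguments and the "user:" entry names
            // the run-as identity — confirm the original caller is not expected there.
            performDelegationAudit(subject, runAsRole, subject, z, authenticationService);
        }
        // A null result from delegate() leaves the current invocation Subject in place.
        if (subject != null) {
            this.subjectManager.setInvocationSubject(subject);
        }
    }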

    /**
     * Returns the run-as role recorded in the method metadata.
     *
     * @param eJBMethodMetaData metadata of the method being invoked
     * @return the metadata's run-as value, passed through unchanged
     */
    protected String getRunAsRole(EJBMethodMetaData eJBMethodMetaData) {
        String runAs = eJBMethodMetaData.getRunAs();
        return runAs;
    }

    /**
     * Installs the unauthenticated Subject as the invocation Subject when neither Subject is present.
     *
     * @param subject  current invocation Subject, possibly {@code null}
     * @param subject2 current caller Subject, possibly {@code null}
     * @return {@code true} when both arguments were {@code null} and the unauthenticated Subject was installed
     */
    private boolean setUnauthenticatedSubjectIfNeeded(Subject subject, Subject subject2) {
        boolean bothAbsent = subject == null && subject2 == null;
        if (bothAbsent) {
            UnauthenticatedSubjectService unauthenticated = (UnauthenticatedSubjectService) this.unauthenticatedSubjectServiceRef.getService();
            subjectManager.setInvocationSubject(unauthenticated.getUnauthenticatedSubject());
        }
        return bothAbsent;
    }

    /**
     * Reports whether the bound JACC service needs the method arguments of each request.
     *
     * @return the JACC service's answer, or {@code false} when no JACC service is bound
     */
    public boolean areRequestMethodArgumentsRequired() {
        JaccService jacc = (JaccService) this.jaccService.getService();
        return jacc != null && jacc.areRequestMethodArgumentsRequired();
    }

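    /**
     * Pushes a newly created bean's role information to the JACC service.
     *
     * <p>Only events whose metadata is a {@link BeanMetaData} are handled, and only while a JACC
     * service is bound. The metadata is held as {@link ComponentMetaData} until the
     * {@code instanceof} test has passed and is then cast explicitly.
     *
     * @param metaDataEvent event carrying the component metadata that was created
     */
    public void componentMetaDataCreated(MetaDataEvent<ComponentMetaData> metaDataEvent) {
        JaccService jacc = (JaccService) this.jaccService.getService();
        if (jacc == null) {
            return;
        }
        ComponentMetaData metaData = metaDataEvent.getMetaData();
        if (metaData instanceof BeanMetaData) {
            BeanMetaData beanMetaData = (BeanMetaData) metaData;
            jacc.propagateEJBRoles(beanMetaData.j2eeName.getApplication(), beanMetaData.j2eeName.getModule(), beanMetaData.enterpriseBeanName, beanMetaData.ivRoleLinkMap, JaccUtil.convertMethodInfoList(JaccUtil.mergeMethodInfos(beanMetaData)));
        }
    }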

    /**
     * Callback for destroyed component metadata; this implementation does nothing.
     *
     * @param metaDataEvent event carrying the component metadata that was destroyed
     */
    public void componentMetaDataDestroyed(MetaDataEvent<ComponentMetaData> metaDataEvent) {
    }

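    /**
     * Gives the security service up to {@code securityWaitTime} seconds to become ready before the
     * first authorization or delegation that needs it.
     *
     * <p>The wait happens at most once per instance: after the first pass the flag is set whether
     * security became ready, the wait timed out, or the thread was interrupted. A timeout is only
     * visible in debug trace; callers continue and must cope with services that are still absent.
     *
     * <p>The timed wait sits inside the {@code try} so that the {@link InterruptedException} handler
     * actually covers it.
     */
    @FFDCIgnore({InterruptedException.class})
    private void waitForSecurity() {
        if (this.waitedForSecurity || this.securityReadyService.isSecurityReady()) {
            this.waitedForSecurity = true;
            return;
        }
        try {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Waiting " + securityWaitTime + " seconds for Security Service to be ready", new Object[0]);
            }
            if (!this.securityReadyService.awaitSecurityReady(securityWaitTime, TimeUnit.SECONDS) && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Security Service did not come up within " + securityWaitTime + " seconds", new Object[0]);
            }
        } catch (InterruptedException e) {
            // NOTE(review): the interrupt is only traced; the thread's interrupt status is not restored — confirm
            // whether the container expects it to be re-asserted.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Waiting for Security Service failed: " + e, new Object[0]);
            }
        }
        // Set unconditionally so later requests do not block again, even if security never became ready.
        this.waitedForSecurity = true;
    }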
}
