package com.ibm.ws.wssecurity.cxf.interceptor;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.sso.common.SsoService;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.wssecurity.caller.CallerConstants;
import com.ibm.ws.wssecurity.caller.SAMLAuthenticator;
import com.ibm.ws.wssecurity.cxf.validator.UsernameTokenValidator;
import com.ibm.ws.wssecurity.internal.WSSecurityConstants;
import com.ibm.ws.wssecurity.token.TokenUtils;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;

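/**
 * Inbound SOAP interceptor that turns the configured WS-Security "caller" token
 * into the run-as {@link Subject} of the request.
 *
 * <p>The interceptor is registered for {@link Phase#PRE_PROTOCOL} and ordered after
 * {@link PolicyBasedWSS4JInInterceptor}. It only reads the WSS4J results stored under
 * {@link WSHandlerConstants#RECV_RESULTS}; it performs no signature, timestamp or
 * password verification of its own. The caller type comes from the {@code "name"}
 * entry of the {@link WSSecurityConstants#CALLER_CONFIG} map and must be one of
 * {@code UsernameToken}, {@code X509Token} or {@code SamlToken} (case-insensitive).
 *
 * <p>On success the authenticated subject is installed with
 * {@link WSSubject#setRunAsSubject(Subject)}. Every failure path raises a
 * {@link SoapFault}; no path leaves the request running without a caller once a caller
 * type is configured.
 *
 * <p>NOTE(review): several fault messages embed {@code Exception.getMessage()} from the
 * authentication layer, so registry or login-module detail can reach the SOAP client.
 * Only the SAML path masks it (with {@code "invalid user ID"}) and only when the
 * caller is mapped to the user registry. Confirm this is acceptable for the deployment.
 *
 * <p>The {@code Tr.error} keys {@code no_caller_exist_err}, {@code multiple_unt_exist_err},
 * {@code multiple_saml_exist_err}, {@code multiple_asymmetric_token_err} and
 * {@code error_authenticate} are the log entries to watch for rejected caller tokens.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.wssecurity_1.0.13.jar:com/ibm/ws/wssecurity/cxf/interceptor/WSSecurityLibertyCallerInterceptor.class */
public class WSSecurityLibertyCallerInterceptor extends AbstractSoapInterceptor {
    protected static final String multiple_unt_exist_err = "More than one Username token is found in the message, cannot identify caller candidate.";
    protected static final String no_unt_exist_err = "There is no Username token in the message to process caller.";
    protected static final String multiple_saml_exist_err = "More than one Saml token is found in the message, cannot identify caller candidate.";
    protected static final String no_saml_exist_err = "There is no Saml token in the message to process caller.";
    protected static final String no_x509_token_exist_err = "There is no X509 token in the message to process caller.";
    protected static final String unknown_caller_token_name = "Caller token name specified is not valid.";
    protected static final String empty_results_list = "Empty results list";
    protected static final String error_authenticate = "Cannot authenticate caller token";
    protected static final String no_asymmetric_token = "There is no Asymmetric signature token exists in the message";
    protected static final String multiple_asymmetric_token_err = "Multiple Asymmetric signature tokens in the message, cannot identify caller";
    protected static final String internal_err = "Security service is not available.";
    public static final String KEY_SSO_SERVICE = "ssoService";
    static final long serialVersionUID = -3870088627994532341L;
    private static final TraceComponent tc = Tr.register(WSSecurityLibertyCallerInterceptor.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    protected static final ConcurrentServiceReferenceMap<String, SsoService> ssoServiceRefs = new ConcurrentServiceReferenceMap<>("ssoService");

    /**
     * Registers the interceptor in the PRE_PROTOCOL phase, after the policy-based
     * WSS4J inbound interceptor whose results it consumes.
     */
    public WSSecurityLibertyCallerInterceptor() {
        super(Phase.PRE_PROTOCOL);
        addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    /**
     * Resolves the configured caller token of an inbound provider-side message and
     * authenticates it.
     *
     * <p>Does nothing for a {@code null} message, for outbound or requestor-side
     * messages, or when no caller name is configured.
     *
     * @param soapMessage the message being processed
     * @throws Fault (as {@link SoapFault}) when the caller name is unknown, when WSS4J
     *         produced no results, or when the selected token cannot be authenticated
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(@Sensitive SoapMessage soapMessage) throws Fault {
        if (soapMessage == null) {
            return;
        }
        boolean isRequestor = MessageUtils.isRequestor(soapMessage);
        if (MessageUtils.isOutbound(soapMessage) || isRequestor) {
            return;
        }
        Map<String, Object> callerConfig = CastUtils.cast((Map<?, ?>) soapMessage.getContextualProperty(WSSecurityConstants.CALLER_CONFIG));
        String callerName = null;
        if (callerConfig != null && !callerConfig.isEmpty()) {
            callerName = (String) callerConfig.get("name");
        }
        if (callerName == null || callerName.isEmpty()) {
            return;
        }

        // The token type is validated before the results are inspected, so a
        // misconfigured caller name is always reported as such.
        boolean usernameCaller = "UsernameToken".equalsIgnoreCase(callerName);
        boolean x509Caller = !usernameCaller && "X509Token".equalsIgnoreCase(callerName);
        boolean samlCaller = !usernameCaller && !x509Caller && "SamlToken".equalsIgnoreCase(callerName);
        if (!usernameCaller && !x509Caller && !samlCaller) {
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(4, "invalidTokenType", new Object[]{callerName}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " caller config found = ", new Object[]{callerName});
        }

        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS));
        // An empty list is rejected exactly like a missing one; indexing it would
        // otherwise fail with an IndexOutOfBoundsException instead of a SOAP fault.
        if (handlerResults == null || handlerResults.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " NO RESULTS!!!", new Object[0]);
            }
            Tr.error(tc, "no_caller_exist_err", new Object[]{callerName, callerName});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "unhandledToken", new Object[]{callerName}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " results found", new Object[0]);
        }

        // Only the first handler result is consulted.
        WSHandlerResult wSHandlerResult = handlerResults.get(0);
        if (usernameCaller) {
            handleUsernameToken(soapMessage, wSHandlerResult);
        } else if (x509Caller) {
            handleX509Token(soapMessage, wSHandlerResult);
        } else {
            handleSamlToken(soapMessage, wSHandlerResult, callerConfig);
        }
    }

    /**
     * Authenticates the single SAML assertion that carries a principal and installs
     * the resulting subject as the run-as subject.
     *
     * @param soapMessage the inbound message (used for the SOAP version of faults)
     * @param wSHandlerResult the WSS4J handler result to search
     * @param map the caller configuration passed on to {@link SAMLAuthenticator}
     */
    private void handleSamlToken(SoapMessage soapMessage, WSHandlerResult wSHandlerResult, Map<String, Object> map) {
        ArrayList<WSSecurityEngineResult> samlResults = new ArrayList<>();
        // Action codes 16 and 8 appear to be WSS4J's ST_SIGNED and ST_UNSIGNED (the
        // decompiler inlined the constants): unsigned assertions are only considered
        // when no signed assertion result exists.
        WSSecurityUtil.fetchAllActionResults(wSHandlerResult.getResults(), 16, samlResults);
        if (samlResults.isEmpty()) {
            WSSecurityUtil.fetchAllActionResults(wSHandlerResult.getResults(), 8, samlResults);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " saml caller token results = ", new Object[]{Integer.valueOf(samlResults.size())});
        }

        int callerCount = 0;
        AssertionWrapper callerAssertion = null;
        for (WSSecurityEngineResult result : samlResults) {
            AssertionWrapper assertion = (AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (assertion != null && tc.isDebugEnabled()) {
                Tr.debug(tc, "assertion from the results =   ", new Object[]{assertion.getId()});
            }
            Principal principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "principal =   ", new Object[]{principal});
                    Tr.debug(tc, "principal name =   ", new Object[]{principal.getName()});
                }
                // Bind the assertion to the result that was counted. Keeping the
                // assertion of whichever result happened to be last would let a
                // principal-less assertion be the one that is authenticated.
                callerAssertion = assertion;
                callerCount++;
            }
        }
        if (callerCount > 1) {
            Tr.error(tc, "multiple_saml_exist_err", new Object[0]);
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "duplicateError"));
        }
        if (callerCount == 0 || callerAssertion == null) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{"SamlToken", "SamlToken"});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "unhandledToken", new Object[]{"SamlToken"}));
        }

        try {
            Saml20Token samlToken = handleSamlAssertion(callerAssertion);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "token is created successfully =   ", new Object[]{samlToken.getSamlID()});
            }
            try {
                AuthenticationResult authResult = new SAMLAuthenticator(map, samlToken).authenticate();
                if (authResult.getStatus() != AuthResult.SUCCESS) {
                    // When the caller is mapped to the user registry the real reason is
                    // replaced by a fixed string so the fault does not reveal it.
                    String reason = "User".equalsIgnoreCase((String) map.get(CallerConstants.MAP_TO_UR)) ? "invalid user ID" : authResult.getReason();
                    throw new WSSecurityException(5, "badSamlToken", new Object[]{reason});
                }
                Subject subject = authResult.getSubject();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{subject});
                    Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
                }
                WSSubject.setRunAsSubject(subject);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "304", this, new Object[]{soapMessage, wSHandlerResult, map});
                // The decompiled source carried an unreachable "if (0 != 0)" branch here
                // that cast e to WSSecurityException; only the live branch is kept.
                Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
                throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badSamlToken", new Object[]{e.getLocalizedMessage()}));
            }
        } catch (Exception e2) {
            // NOTE(review): the SoapFault raised by the inner handler is unchecked and
            // lands here too, so that failure is recorded twice and re-wrapped. The
            // nesting may be a decompiler artefact; it is kept so behaviour is unchanged.
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "254", this, new Object[]{soapMessage, wSHandlerResult, map});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badSamlToken", new Object[]{e2.getCause() != null ? e2.getCause().getLocalizedMessage() : e2.getLocalizedMessage()}));
        }
    }

    /**
     * Converts a WSS4J assertion wrapper into a Liberty {@link Saml20Token}.
     *
     * @param assertionWrapper the assertion selected as the caller
     * @return the token built by {@link TokenUtils#createSamlTokenFromAssertion}
     * @throws Exception whatever the conversion throws, after recording an FFDC
     */
    private Saml20Token handleSamlAssertion(AssertionWrapper assertionWrapper) throws Exception {
        try {
            return TokenUtils.createSamlTokenFromAssertion(assertionWrapper.getSaml2());
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "391", this, new Object[]{assertionWrapper});
            throw e;
        }
    }

    /**
     * Authenticates the single UsernameToken principal found in the results and
     * installs the resulting subject as the run-as subject.
     *
     * <p>The login is performed with the user id only (a hashtable credential, flagged
     * as an internal assertion unless the authentication service allows id-only
     * hashtable logins). No password is checked here, so this step presumably relies on
     * the token having been validated by the WSS4J interceptor that runs before it —
     * confirm against the policy in use.
     *
     * @param soapMessage the inbound message (used for the SOAP version of faults)
     * @param wSHandlerResult the WSS4J handler result to search
     * @throws SoapFault when zero or several principals exist, when the security
     *         service is unavailable, or when authentication fails
     */
    private void handleUsernameToken(@Sensitive SoapMessage soapMessage, WSHandlerResult wSHandlerResult) throws SoapFault {
        ArrayList<WSSecurityEngineResult> untResults = new ArrayList<>();
        // Action code 1 appears to be WSS4J's UsernameToken action (inlined constant).
        WSSecurityUtil.fetchAllActionResults(wSHandlerResult.getResults(), 1, untResults);
        int callerCount = 0;
        WSUsernameTokenPrincipal callerPrincipal = null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " Number of UNT results = ", new Object[]{Integer.valueOf(untResults.size())});
        }
        for (WSSecurityEngineResult result : untResults) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, " UNT result = ", new Object[]{result});
            }
            WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, " principal =   ", new Object[]{principal});
                    Tr.debug(tc, " principal name =   ", new Object[]{principal.getName()});
                }
                // Remember only principals that were counted; a trailing result
                // without a principal must not null out the caller found earlier.
                callerPrincipal = principal;
                callerCount++;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, " user name token principal is NULL!!! ", new Object[0]);
            }
        }
        if (callerCount > 1) {
            Tr.error(tc, "multiple_unt_exist_err", new Object[0]);
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "duplicateError"));
        }
        if (callerCount == 0) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{"UsernameToken", "UsernameToken"});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "missingUsernameToken"));
        }
        SecurityService securityService = UsernameTokenValidator.getSecurityService();
        if (securityService == null) {
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badUsernameToken", new Object[]{"Missing Liberty Security Service"}));
        }
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        Subject partialSubject = new Subject();
        Hashtable<String, Object> credentials = new Hashtable<>();
        if (!authenticationService.isAllowHashTableLoginWithIdOnly().booleanValue()) {
            credentials.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        credentials.put("com.ibm.wsspi.security.cred.userId", callerPrincipal.getName());
        partialSubject.getPublicCredentials().add(credentials);
        // The specific handlers come first; in the decompiled listing the generic
        // Exception handler preceded them, which made them unreachable.
        try {
            Subject authenticated = authenticationService.authenticate("system.WEB_INBOUND", partialSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{authenticated});
                Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
            }
            WSSubject.setRunAsSubject(authenticated);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
            }
        } catch (AuthenticationException e3) {
            FFDCFilter.processException(e3, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "474", this, new Object[]{"<sensitive org.apache.cxf.binding.soap.SoapMessage>", wSHandlerResult});
            FFDCFilter.processException(e3, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e3.getMessage()});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badUsernameToken", new Object[]{e3.getLocalizedMessage()}));
        } catch (com.ibm.websphere.security.WSSecurityException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "484", this, new Object[]{"<sensitive org.apache.cxf.binding.soap.SoapMessage>", wSHandlerResult});
            FFDCFilter.processException(e2, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e2.getMessage()});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badUsernameToken", new Object[]{e2.getLocalizedMessage()}));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "494", this, new Object[]{"<sensitive org.apache.cxf.binding.soap.SoapMessage>", wSHandlerResult});
            FFDCFilter.processException(e, getClass().getName(), "handleMessage", new Object[]{callerPrincipal.getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "badUsernameToken", new Object[]{e.getMessage()}));
        }
    }

    /**
     * Selects the caller certificate chain according to the effective policy and
     * authenticates it.
     *
     * <p>With an asymmetric binding the signing certificate is used; otherwise, when
     * any endorsing supporting-token assertion is present, the endorsing certificate
     * is used. Without either, or when no chain is found, the request is rejected.
     *
     * @param soapMessage the inbound message
     * @param wSHandlerResult the WSS4J handler result to search
     * @throws SoapFault when no caller certificate can be identified or authenticated
     */
    private void handleX509Token(@Sensitive SoapMessage soapMessage, WSHandlerResult wSHandlerResult) throws SoapFault {
        ArrayList<WSSecurityEngineResult> signatureResults = new ArrayList<>();
        // Action codes 2 and 64 appear to be WSS4J's SIGN and UT_SIGN (inlined constants).
        WSSecurityUtil.fetchAllActionResults(wSHandlerResult.getResults(), 2, signatureResults);
        WSSecurityUtil.fetchAllActionResults(wSHandlerResult.getResults(), 64, signatureResults);

        // A missing AssertionInfoMap is treated as "no matching policy" and ends in the
        // fault below rather than in a NullPointerException.
        AssertionInfoMap assertionInfoMap = (AssertionInfoMap) soapMessage.get(AssertionInfoMap.class);
        boolean asymmetricBinding = hasPolicyAssertion(assertionInfoMap, SP12Constants.ASYMMETRIC_BINDING);
        boolean endorsingTokens = hasPolicyAssertion(assertionInfoMap, SP12Constants.ENDORSING_SUPPORTING_TOKENS)
                || hasPolicyAssertion(assertionInfoMap, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS)
                || hasPolicyAssertion(assertionInfoMap, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS)
                || hasPolicyAssertion(assertionInfoMap, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);

        X509Certificate[] callerChain = null;
        if (asymmetricBinding) {
            callerChain = getClientX509(soapMessage, wSHandlerResult.getResults(), signatureResults);
        } else if (endorsingTokens) {
            callerChain = getEndorsingX509(soapMessage, wSHandlerResult.getResults(), signatureResults);
        }
        // An empty chain is rejected like a missing one; element 0 is dereferenced below
        // and in the authentication error handlers.
        if (callerChain == null || callerChain.length == 0) {
            Tr.error(tc, "no_caller_exist_err", new Object[]{"X509Token", "X509Token"});
            throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "invalidCertData", new Object[]{"0"}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Caller DN: " + callerChain[0].getSubjectDN().getName(), new Object[0]);
        }
        bstCertAuthentication(callerChain, soapMessage.getVersion());
    }

    /**
     * Tells whether the policy assertion map holds at least one assertion of a type.
     *
     * @param assertionInfoMap the map taken from the message, possibly {@code null}
     * @param assertionName the policy assertion to look up
     * @return {@code true} when a non-empty collection is registered under the name
     */
    private static boolean hasPolicyAssertion(AssertionInfoMap assertionInfoMap, QName assertionName) {
        if (assertionInfoMap == null) {
            return false;
        }
        Collection<AssertionInfo> assertions = assertionInfoMap.get(assertionName);
        return assertions != null && !assertions.isEmpty();
    }

    /**
     * Returns the certificate chain of the signing certificate, requiring that every
     * signature result was produced with the same certificate.
     *
     * <p>Certificates are compared by serial number concatenated with issuer DN.
     *
     * @param soapMessage the inbound message (used for the SOAP version of faults)
     * @param list all engine results (unused here)
     * @param list2 the signature results to inspect
     * @return the chain of the last result examined, or {@code null} when no result
     *         carries a certificate
     * @throws SoapFault when results were signed with different certificates
     */
    private X509Certificate[] getClientX509(@Sensitive SoapMessage soapMessage, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) throws SoapFault {
        String firstCertId = null;
        X509Certificate[] chain = null;
        for (WSSecurityEngineResult result : list2) {
            X509Certificate certificate = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (certificate == null) {
                continue;
            }
            String certId = certificate.getSerialNumber().toString() + certificate.getIssuerDN().getName();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "issuer sn and dn = ", new Object[]{certId});
            }
            if (firstCertId != null && !certId.equals(firstCertId)) {
                Tr.error(tc, "multiple_asymmetric_token_err", new Object[0]);
                throw createSoapFault(soapMessage.getVersion(), new WSSecurityException(5, "invalidCertData", new Object[]{"2"}));
            }
            chain = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            firstCertId = certId;
        }
        return chain;
    }

    /**
     * Finds the endorsing certificate chain: under a transport binding the certificate
     * whose signature protects the timestamp, otherwise the certificate whose only
     * signed reference is a signature.
     *
     * @param soapMessage the inbound message, used to read the effective binding
     * @param list all engine results, searched for the timestamp result
     * @param list2 the signature results to inspect
     * @return the endorsing chain, or {@code null} when none qualifies
     */
    private X509Certificate[] getEndorsingX509(@Sensitive SoapMessage soapMessage, List<WSSecurityEngineResult> list, List<WSSecurityEngineResult> list2) {
        if (!isTransportBinding(soapMessage)) {
            return getEndorsingX509(list2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "looking x509Token which endorse TS", new Object[0]);
        }
        // Action code 32 appears to be WSS4J's timestamp action (inlined constant).
        WSSecurityEngineResult timestampResult = WSSecurityUtil.fetchActionResult(list, 32);
        if (timestampResult == null) {
            return null;
        }
        Timestamp timestamp = (Timestamp) timestampResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
        if (timestamp == null) {
            // No timestamp object to match against: report "no endorsing certificate"
            // so the caller rejects the request with a SOAP fault.
            return null;
        }
        return getEndorsingX509(timestamp.getElement(), list2);
    }

    /**
     * Returns the chain of the first result whose single data reference is a
     * {@code Signature} element.
     *
     * @param list the signature results to inspect
     * @return the matching chain, or {@code null}
     */
    private X509Certificate[] getEndorsingX509(List<WSSecurityEngineResult> list) {
        for (WSSecurityEngineResult result : list) {
            X509Certificate[] chain = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            if (chain == null) {
                continue;
            }
            List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            // Exactly one reference is required, and it must be the signature itself.
            if (dataRefs != null && dataRefs.size() == 1 && WSSecurityEngine.SIGNATURE.equals(dataRefs.get(0).getName())) {
                return chain;
            }
        }
        return null;
    }

    /**
     * Returns the chain of the first result that signed the given element.
     *
     * @param element the protected element to look for (the timestamp element)
     * @param list the signature results to inspect
     * @return the matching chain, or {@code null}
     */
    private X509Certificate[] getEndorsingX509(Element element, List<WSSecurityEngineResult> list) {
        for (WSSecurityEngineResult result : list) {
            X509Certificate[] chain = (X509Certificate[]) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
            if (chain == null) {
                continue;
            }
            List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                // Reference comparison: the signature must cover this very DOM node,
                // not merely an element that looks the same.
                if (element == dataRef.getProtectedElement()) {
                    return chain;
                }
            }
        }
        return null;
    }

    /**
     * Authenticates a certificate chain against the Liberty authentication service and
     * installs the resulting subject as the run-as subject.
     *
     * @param x509CertificateArr the caller chain; element 0 is used in diagnostics
     * @param soapVersion the SOAP version used to build faults
     * @throws Fault (as {@link SoapFault}) when the security service is unavailable or
     *         authentication fails
     */
    private void bstCertAuthentication(X509Certificate[] x509CertificateArr, SoapVersion soapVersion) throws Fault {
        SecurityService securityService = UsernameTokenValidator.getSecurityService();
        if (securityService == null) {
            throw createSoapFault(soapVersion, new WSSecurityException(5, "invalidData", new Object[]{"Missing Liberty Security Service"}));
        }
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        // The specific handler comes first; in the decompiled listing the generic
        // Exception handler preceded it, which made it unreachable.
        try {
            WSAuthenticationData authenticationData = new WSAuthenticationData();
            authenticationData.set("CERTCHAIN", x509CertificateArr);
            Subject authenticated = authenticationService.authenticate("system.WEB_INBOUND", authenticationData, (Subject) null);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, authenticated subject = ", new Object[]{authenticated});
                Tr.debug(tc, "Authentication successful, runAsSubject before = ", new Object[]{WSSubject.getRunAsSubject()});
            }
            WSSubject.setRunAsSubject(authenticated);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication successful, runAsSubject after = ", new Object[]{WSSubject.getRunAsSubject()});
            }
        } catch (AuthenticationException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "705", this, new Object[]{x509CertificateArr, soapVersion});
            FFDCFilter.processException(e2, getClass().getName(), "bstCertAuthentication", new Object[]{x509CertificateArr[0].getSubjectX500Principal().getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e2.getMessage()});
            throw createSoapFault(soapVersion, new WSSecurityException(5, "invalidData", new Object[]{e2.getLocalizedMessage()}));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.cxf.interceptor.WSSecurityLibertyCallerInterceptor", "716", this, new Object[]{x509CertificateArr, soapVersion});
            FFDCFilter.processException(e, getClass().getName(), "handleMessage", new Object[]{x509CertificateArr[0].getSubjectX500Principal().getName()});
            Tr.error(tc, "error_authenticate", new Object[]{e.getMessage()});
            throw createSoapFault(soapVersion, new WSSecurityException(5, "invalidData", new Object[]{e.getMessage()}));
        }
    }

    /**
     * Tells whether the effective policy of the message uses a transport binding.
     *
     * @param soapMessage the inbound message
     * @return {@code true} when a transport-binding assertion is present
     */
    private boolean isTransportBinding(@Sensitive SoapMessage soapMessage) {
        return hasPolicyAssertion((AssertionInfoMap) soapMessage.get(AssertionInfoMap.class), SP12Constants.TRANSPORT_BINDING);
    }

    /**
     * Builds the SOAP fault for a WS-Security failure.
     *
     * <p>For SOAP 1.1 with a fault code, the code is used directly. Otherwise the fault
     * is a sender fault and, when a code exists, it becomes the sub-code.
     *
     * @param soapVersion the SOAP version of the message
     * @param wSSecurityException the failure to report; its message becomes the fault text
     * @return the fault to throw
     */
    private SoapFault createSoapFault(SoapVersion soapVersion, WSSecurityException wSSecurityException) {
        QName faultCode = wSSecurityException.getFaultCode();
        boolean soap11 = soapVersion.getVersion() == 1.1d;
        if (soap11 && faultCode != null) {
            return new SoapFault(wSSecurityException.getMessage(), wSSecurityException, faultCode);
        }
        SoapFault soapFault = new SoapFault(wSSecurityException.getMessage(), wSSecurityException, soapVersion.getSender());
        // Reaching this point with a fault code implies the version is not 1.1.
        if (faultCode != null) {
            soapFault.setSubCode(faultCode);
        }
        return soapFault;
    }
}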
