package com.ibm.ws.security.oauth20.web;

import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfigurationConstants;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20BadParameterFormatException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20DuplicateParameterException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20Exception;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidClientException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidResponseTypeException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MissingParameterException;
import com.ibm.oauth.core.api.oauth20.client.OAuth20Client;
import com.ibm.oauth.core.internal.OAuthConstants;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.oauth.core.internal.oauth20.OAuth20Util;
import com.ibm.oauth.core.internal.oauth20.OAuthResultImpl;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.oauth20.api.Constants;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderConfiguration;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderFactory;
import com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler;
import com.ibm.ws.security.oauth20.error.impl.OAuth20TokenRequestExceptionHandler;
import com.ibm.ws.security.oauth20.form.FormRenderer;
import com.ibm.ws.security.oauth20.util.Nonce;
import com.ibm.ws.security.oauth20.util.TemplateRetriever;
import com.ibm.ws.security.oauth20.web.OAuth20Request;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
import org.apache.myfaces.shared_impl.renderkit.html.HTML;

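/**
 * Servlet behind the OAuth 2.0 provider endpoints.
 *
 * <p>A request reaches {@link #doPost} carrying an {@code OAuth20Request} attribute, set by an
 * upstream component (not visible here), that names the provider and the endpoint type. Token
 * requests are handed straight to the provider component; authorization requests go through a
 * two-phase flow:
 * <ol>
 *   <li>the client's initial request is validated parameter by parameter, the user is sent to
 *       login if not yet authenticated, and a consent form carrying a fresh session-bound nonce
 *       is rendered;</li>
 *   <li>the consent form posts back with that nonce; once it is verified (or the client is
 *       auto-authorized by configuration) the provider component issues the authorization
 *       response.</li>
 * </ol>
 * Template locations of the form {@code {/context-root}/path} are served through a
 * cross-context {@link RequestDispatcher}; any other value is rendered by {@link FormRenderer}
 * or the request exception handlers.
 */
@TraceOptions(traceGroups = {"OAUTH"}, traceGroup = "", messageBundle = Constants.RESOURCE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class OAuth20EndpointServlet extends HttpServlet {
    /** Session attribute holding the {@link Nonce} object, request attribute holding its string value. */
    private static final String ATTR_NONCE = "nonce";
    /** Request attribute carrying the {@link OAuth20Client} to a forwarded consent template. */
    private static final String ATTR_OAUTH_CLIENT = "oauthClient";
    /** Request attribute carrying the failed {@link OAuthResult} to a forwarded error template. */
    private static final String ATTR_OAUTH_RESULT = "oauthResult";
    private static final long serialVersionUID = 1L;
    public static final String PARAM_AUTHZ_FORM_TEMPLATE = "oauth20.authorization.form.template";
    public static final String PARAM_AUTHZ_LOGIN_URL = "oauth20.authorization.loginURL";
    public static final String PARAM_AUTHZ_ERROR_TEMPLATE = "oauth20.authorization.error.template";
    public static final String DEFAULT_AUTHZ_LOGIN_URL = "login.jsp";
    public static final String COOKIE_WASREQURL = "WASReqURL";
    public static final String HEADER_ACCEPT_LANGUAGE = "Accept-Language";
    /** OAuth 2.0 request parameter names that this servlet handles explicitly. */
    private static final String PARAM_RESPONSE_TYPE = "response_type";
    private static final String PARAM_STATE = "state";
    private static final String PARAM_SCOPE = "scope";
    /** Fallback consent template when none is configured. */
    private static final String DEFAULT_AUTHZ_FORM_TEMPLATE = "template.html";
    private static TraceComponent tc = Tr.register(OAuth20EndpointServlet.class);
    /**
     * Matches a template location of the form {@code {/context-root}/path}: group 1 is the
     * context root of the web application to dispatch to, group 2 the path inside it.
     */
    private static final Pattern FORWARD_TEMPLATE_PATTERN = Pattern.compile("\\{(/[\\w-/]+)\\}(/.+)");
    /**
     * Parameter names that {@link #validateAuthorizationRequest} handles itself. Every other
     * request parameter is copied into the attribute list unchanged, so this set is what keeps
     * the validated values from being overwritten by that copy.
     */
    private static final Set<String> requiredAttributes = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            OAuth20Constants.CLIENT_ID, OAuth20Constants.CLIENT_SECRET, PARAM_RESPONSE_TYPE,
            OAuth20Constants.REDIRECT_URI, PARAM_STATE, PARAM_SCOPE)));

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public OAuth20EndpointServlet() {
    }

    /**
     * GET is handled exactly like POST.
     *
     * <p>NOTE(review): this also routes token-endpoint GETs to the same handler; RFC 6749 §3.2
     * expects POST there — confirm the provider component rejects GET for token requests.
     */
    @Override // javax.servlet.http.HttpServlet
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Resolves the provider from the {@code OAuth20Request} attribute and dispatches on the
     * endpoint type. Answers 404 when the attribute is absent or names an unknown provider;
     * writes nothing for any endpoint type other than authorize/token.
     */
    @Override // javax.servlet.http.HttpServlet
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        OAuth20Request oauthRequest = (OAuth20Request) request.getAttribute("OAuth20Request");
        OAuth20Provider provider = oauthRequest == null
                ? null
                : OAuth20ProviderFactory.getOAuth20Provider(oauthRequest.getProviderName());
        if (provider == null) {
            // Covers both "no OAuth20Request attribute" and "provider name not registered".
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Configuration: " + provider.getConfiguration());
            Tr.debug(tc, "Component: " + provider.getComponent());
        }
        OAuth20Request.Type type = oauthRequest.getType();
        if (OAuth20Request.Type.authorize.equals(type)) {
            processAuthorizationRequest(provider, request, response);
        } else if (OAuth20Request.Type.token.equals(type)) {
            processTokenRequest(provider, request, response);
        }
    }

    /**
     * Drives the authorization endpoint.
     *
     * <p>Phase 1 (no nonce parameter, client not auto-authorized): validate the request, send an
     * unauthenticated user to login, and render the consent form with a new nonce for a user in
     * the {@code authenticated} role.
     *
     * <p>Phase 2 (nonce parameter present, or client auto-authorized): the user must already be
     * authenticated and in role; a presented nonce must match the one stored in the session,
     * otherwise 408 (nonce expired) or 500 (nonce mismatch). The nonce is what ties the consent
     * POST to the form this servlet rendered. When it checks out, the per-user/per-client token
     * limit is enforced and the provider component issues the authorization response.
     *
     * <p>Any non-zero {@link OAuthResult} collected along the way is rendered via
     * {@link #renderErrorPage}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void processAuthorizationRequest(OAuth20Provider provider, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        OAuthResult result = null;
        boolean autoAuthorized = checkAutoauthz(provider, request);
        String nonceParam = request.getParameter(ATTR_NONCE);

        if (!autoAuthorized && nonceParam == null) {
            result = validateAuthorizationRequest(provider, request, response);
            if (result.getStatus() == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authorization request is valid, check user login status");
                }
                if (request.getUserPrincipal() == null) {
                    sendForLogin(provider, request, response);
                } else if (request.isUserInRole("authenticated")) {
                    String clientId = result.getAttributeList().getAttributeValueByName(OAuth20Constants.CLIENT_ID);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "getting OAuth20 client by id = " + clientId);
                    }
                    // validateAuthorizationRequest already resolved this id, so the lookup is expected to succeed.
                    OAuth20Client client = provider.getClientProvider().get(clientId);
                    renderConsentForm(request, response, provider, client, setNonce(request), result.getAttributeList());
                } else {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                }
            }
        } else if (request.getUserPrincipal() == null) {
            sendForLogin(provider, request, response);
        } else if (!request.isUserInRole("authenticated")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if (nonceParam == null || isNonceValid(request, nonceParam)) {
            // nonceParam == null here only when the client is auto-authorized (consent skipped).
            // The OAuth parameters are re-read from this request rather than from the phase-1
            // attribute list; the component is presumably re-validating them — verify.
            // NOTE(review): the session nonce is not cleared after use here; whether it can be
            // replayed depends on Nonce.isValid, which is not visible in this file.
            String userName = request.getUserPrincipal().getName();
            String clientId = request.getParameter(OAuth20Constants.CLIENT_ID);
            String redirectUri = request.getParameter(OAuth20Constants.REDIRECT_URI);
            String responseType = request.getParameter(PARAM_RESPONSE_TYPE);
            String state = request.getParameter(PARAM_STATE);
            String scopeParam = request.getParameter(PARAM_SCOPE);
            String[] scopes = scopeParam == null ? new String[0] : scopeParam.split(" ");
            if (reachedTokenLimit(provider, userName, clientId)) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            } else {
                result = provider.getComponent().processAuthorization(userName, clientId, redirectUri, responseType, state, scopes, response);
            }
        } else if (isNonceExpired(request)) {
            response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT);
        } else {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }

        if (result == null || result.getStatus() == 0) {
            return;
        }
        OAuthException cause = result.getCause();
        if (tc.isDebugEnabled()) {
            // Guarded: a failed result is expected to carry a cause, but nothing here enforces it.
            Tr.debug(tc, "Request validation failed", Integer.valueOf(result.getStatus()), cause == null ? null : cause.getMessage());
        }
        renderErrorPage(request, response, provider, result);
    }

    /**
     * Renders a failed authorization result, either by forwarding to the configured
     * {@code {/context}/path} error template (result exposed as request attribute
     * {@value #ATTR_OAUTH_RESULT}) or through {@link OAuth20AuthorizeRequestExceptionHandler}
     * with the normalized template URL.
     *
     * <p>NOTE(review): the handler receives response_type and redirect_uri straight from the
     * attribute list; they are absent when validation failed before reaching them, so the
     * handler must cope with nulls — not visible here. An unset error-template property would
     * also fail on the matcher below with a NullPointerException.
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void renderErrorPage(HttpServletRequest request, HttpServletResponse response, OAuth20Provider provider, OAuthResult result) throws ServletException, IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "renderErrorPage", result);
        }
        String templateUrl = provider.getConfiguration().getConfigPropertyValue(PARAM_AUTHZ_ERROR_TEMPLATE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "templateUrl from configuration is " + templateUrl);
        }
        Matcher forward = FORWARD_TEMPLATE_PATTERN.matcher(templateUrl);
        if (forward.matches()) {
            String contextRoot = forward.group(1);
            String path = forward.group(2);
            request.setAttribute(ATTR_OAUTH_RESULT, result);
            RequestDispatcher dispatcher = getDispatcher(contextRoot, path);
            if (dispatcher != null) {
                dispatcher.forward(request, response);
            } else {
                Tr.error(tc, "security.oauth20.endpoint.template.forward.error", PARAM_AUTHZ_ERROR_TEMPLATE, contextRoot, path);
            }
        } else {
            String normalizedTemplateUrl = TemplateRetriever.normallizeTemplateUrl(request, templateUrl);
            AttributeList attributes = result.getAttributeList();
            new OAuth20AuthorizeRequestExceptionHandler(
                    attributes.getAttributeValueByName(PARAM_RESPONSE_TYPE),
                    attributes.getAttributeValueByName(OAuth20Constants.REDIRECT_URI),
                    normalizedTemplateUrl).handleResultException(request, response, result);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "renderErrorPage");
        }
    }

    /**
     * Token endpoint: delegates entirely to the provider component and lets
     * {@link OAuth20TokenRequestExceptionHandler} write any failure.
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void processTokenRequest(OAuth20Provider provider, HttpServletRequest request, HttpServletResponse response) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processTokenRequest");
        }
        OAuthResult result = provider.getComponent().processTokenRequest(null, request, response);
        if (result.getStatus() != 0) {
            new OAuth20TokenRequestExceptionHandler().handleResultException(request, response, result);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processTokenRequest");
        }
    }

    /** Reads the {@link Nonce} stored in the session (creating the session if needed) and traces it. */
    private Nonce sessionNonce(HttpServletRequest request) {
        Nonce nonce = (Nonce) request.getSession().getAttribute(ATTR_NONCE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, nonce == null ? "No Nonce object in session" : "Nonce object from session: " + nonce);
        }
        return nonce;
    }

    /** True when the session holds a nonce and it accepts {@code candidate}; false with no session nonce. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isNonceValid(HttpServletRequest request, String candidate) {
        Nonce nonce = sessionNonce(request);
        return nonce != null && nonce.isValid(candidate);
    }

    /** True when the session holds a nonce that reports itself expired; false with no session nonce. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isNonceExpired(HttpServletRequest request) {
        Nonce nonce = sessionNonce(request);
        return nonce != null && nonce.isExpired();
    }

    /**
     * Creates a fresh nonce, binds the object to the session and exposes its string value as a
     * request attribute for the consent template.
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Nonce setNonce(HttpServletRequest request) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setNonce");
        }
        Nonce nonce = Nonce.getInstance();
        request.getSession(true).setAttribute(ATTR_NONCE, nonce);
        request.setAttribute(ATTR_NONCE, nonce.getValue());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setNonce", nonce);
        }
        return nonce;
    }

    /**
     * Validates the phase-1 authorization request and collects its parameters into an
     * {@link AttributeList}.
     *
     * <p>Returns status 0 with the populated attribute list on success. Any
     * {@link OAuth20Exception} raised by the individual checks is recorded through FFDC and
     * turned into a status-1 result carrying the exception as its cause; the attribute list
     * holds whatever had been collected up to that point.
     *
     * @param provider provider whose client registry and configuration drive the checks
     * @param request  incoming authorization request
     * @param response passed through to FFDC only
     * @return never null
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private OAuthResult validateAuthorizationRequest(OAuth20Provider provider, HttpServletRequest request, HttpServletResponse response) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateAuthorizationRequest");
        }
        AttributeList attributes = new AttributeList();
        OAuthResultImpl result;
        try {
            Principal principal = request.getUserPrincipal();
            attributes.setAttribute(OAuthConstants.USERNAME, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_REQUEST,
                    new String[] {principal == null ? null : principal.getName()});
            OAuth20Client client = validateClientId(provider, request, attributes);
            validateRedirectUri(client, request, attributes);
            validateResponseType(provider, request, attributes);
            validateState(request, attributes);
            validateScope(request, attributes);
            copyRemainingParameters(request, attributes);
            result = new OAuthResultImpl(0, attributes);
        } catch (OAuth20Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet", "511", this, new Object[] {provider, request, response});
            result = new OAuthResultImpl(1, attributes, e);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateAuthorizationRequest", result);
        }
        return result;
    }

    /** True for null or zero-length strings. */
    private static boolean isEmpty(String value) {
        return value == null || value.length() == 0;
    }

    /**
     * client_id must be present exactly once, non-empty and registered with the provider.
     *
     * @return the registered client
     */
    private static OAuth20Client validateClientId(OAuth20Provider provider, HttpServletRequest request, AttributeList attributes) throws OAuth20Exception {
        String[] values = request.getParameterValues(OAuth20Constants.CLIENT_ID);
        if (values == null || values.length == 0) {
            throw new OAuth20MissingParameterException(OAuth20Constants.CLIENT_ID, null);
        }
        attributes.setAttribute(OAuth20Constants.CLIENT_ID, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException(OAuth20Constants.CLIENT_ID);
        }
        String clientId = values[0];
        if (isEmpty(clientId)) {
            throw new OAuth20MissingParameterException(OAuth20Constants.CLIENT_ID, null);
        }
        OAuth20Client client = provider.getClientProvider().get(clientId);
        if (client == null) {
            throw new OAuth20InvalidClientException(clientId, false);
        }
        return client;
    }

    /**
     * redirect_uri may appear at most once. When absent, the client's registered URI is used and
     * must itself be present and well-formed. When present it must be well-formed and, if the
     * client has a registered URI, match it under {@link #urlsMatch} (exact match after default
     * port normalization — no prefix matching). A client with no registered URI therefore gets
     * its requested URI accepted on syntax alone; whether such clients exist is a registration
     * policy question outside this file.
     */
    private void validateRedirectUri(OAuth20Client client, HttpServletRequest request, AttributeList attributes) throws OAuth20Exception {
        String[] values = request.getParameterValues(OAuth20Constants.REDIRECT_URI);
        if (values != null) {
            attributes.setAttribute(OAuth20Constants.REDIRECT_URI, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
            if (values.length > 1) {
                throw new OAuth20DuplicateParameterException(OAuth20Constants.REDIRECT_URI);
            }
        }
        String requested = (values == null || values.length == 0) ? null : values[0];
        String registered = client.getRedirectUri();
        if (isEmpty(requested)) {
            if (isEmpty(registered)) {
                throw new OAuth20MissingParameterException(OAuth20Constants.REDIRECT_URI, null);
            }
            if (!OAuth20Util.validateRedirectUri(registered)) {
                throw new OAuth20InvalidRedirectUriException(registered, null);
            }
        } else {
            if (!OAuth20Util.validateRedirectUri(requested)) {
                throw new OAuth20InvalidRedirectUriException(requested, null);
            }
            if (!isEmpty(registered) && !urlsMatch(registered, requested)) {
                throw new OAuth20InvalidRedirectUriException(requested, null);
            }
        }
    }

    /**
     * response_type must be present exactly once and non-empty; {@code code} requires the
     * {@code authorization_code} grant and {@code token} the {@code implicit} grant to be
     * enabled in the provider configuration. A missing grant-type list enables nothing.
     */
    private static void validateResponseType(OAuth20Provider provider, HttpServletRequest request, AttributeList attributes) throws OAuth20Exception {
        String[] values = request.getParameterValues(PARAM_RESPONSE_TYPE);
        if (values == null || values.length == 0) {
            throw new OAuth20MissingParameterException(PARAM_RESPONSE_TYPE, null);
        }
        attributes.setAttribute(PARAM_RESPONSE_TYPE, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException(PARAM_RESPONSE_TYPE);
        }
        String responseType = values[0];
        if (isEmpty(responseType)) {
            throw new OAuth20MissingParameterException(PARAM_RESPONSE_TYPE, null);
        }
        String[] configured = provider.getConfiguration().getConfigPropertyValues(OAuthComponentConfigurationConstants.OAUTH20_GRANT_TYPES_ALLOWED);
        Set<String> allowedGrants = configured == null
                ? Collections.<String>emptySet()
                : new HashSet<String>(Arrays.asList(configured));
        boolean permitted = ("code".equals(responseType) && allowedGrants.contains("authorization_code"))
                || ("token".equals(responseType) && allowedGrants.contains("implicit"));
        if (!permitted) {
            throw new OAuth20InvalidResponseTypeException(responseType);
        }
    }

    /** state is optional but may appear at most once; it is recorded verbatim. */
    private static void validateState(HttpServletRequest request, AttributeList attributes) throws OAuth20Exception {
        String[] values = request.getParameterValues(PARAM_STATE);
        if (values == null) {
            return;
        }
        attributes.setAttribute(PARAM_STATE, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException(PARAM_STATE);
        }
    }

    /**
     * scope is optional but may appear at most once. Its value is split on single spaces; each
     * non-blank token must pass {@link OAuth20Util#validateScopeString} and the de-duplicated set
     * is recorded (possibly empty when the parameter is present but blank).
     */
    private static void validateScope(HttpServletRequest request, AttributeList attributes) throws OAuth20Exception {
        String[] values = request.getParameterValues(PARAM_SCOPE);
        if (values == null) {
            return;
        }
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException(PARAM_SCOPE);
        }
        if (values.length == 0 || values[0] == null) {
            return;
        }
        Set<String> scopes = new HashSet<String>();
        for (String token : values[0].split(" ")) {
            String scope = token.trim();
            if (scope.length() == 0) {
                continue;
            }
            if (!OAuth20Util.validateScopeString(scope)) {
                throw new OAuth20BadParameterFormatException(PARAM_SCOPE, scope);
            }
            scopes.add(scope);
        }
        attributes.setAttribute(PARAM_SCOPE, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_REQUEST, scopes.toArray(new String[0]));
    }

    /**
     * Copies every request parameter not named in {@link #requiredAttributes} into the attribute
     * list unchanged, so downstream components see client-specific extension parameters.
     */
    private static void copyRemainingParameters(HttpServletRequest request, AttributeList attributes) {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!requiredAttributes.contains(name)) {
                attributes.setAttribute(name, com.ibm.oauth.core.api.OAuthConstants.ATTRTYPE_REQUEST, request.getParameterValues(name));
            }
        }
    }

    /**
     * Renders the consent form for an authenticated user, either by forwarding to a
     * {@code {/context}/path} template (client and nonce exposed as request attributes) or via
     * {@link FormRenderer}. The rendered page carries the nonce, so caching is disabled on the
     * response in the latter branch.
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void renderConsentForm(HttpServletRequest request, HttpServletResponse response, OAuth20Provider provider, OAuth20Client client, Nonce nonce, AttributeList attributes) throws IOException, ServletException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "renderConsentForm", nonce, client);
        }
        String templateUrl = provider.getConfiguration().getConfigPropertyValue(PARAM_AUTHZ_FORM_TEMPLATE);
        if (templateUrl == null || "".equals(templateUrl)) {
            templateUrl = DEFAULT_AUTHZ_FORM_TEMPLATE;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "templateUrl from configuration is " + templateUrl);
        }
        Matcher forward = FORWARD_TEMPLATE_PATTERN.matcher(templateUrl);
        if (forward.matches()) {
            String contextRoot = forward.group(1);
            String path = forward.group(2);
            request.setAttribute(ATTR_OAUTH_CLIENT, client);
            request.setAttribute(ATTR_NONCE, nonce);
            RequestDispatcher dispatcher = getDispatcher(contextRoot, path);
            if (dispatcher != null) {
                dispatcher.forward(request, response);
            } else {
                Tr.error(tc, "security.oauth20.endpoint.template.forward.error", PARAM_AUTHZ_FORM_TEMPLATE, contextRoot, path);
            }
        } else {
            String normalizedTemplateUrl = TemplateRetriever.normallizeTemplateUrl(request, templateUrl);
            String acceptLanguage = request.getHeader(HEADER_ACCEPT_LANGUAGE);
            String contextPath = request.getContextPath();
            String requestUrl = request.getRequestURL().toString();
            // The form embeds a one-time nonce; make sure no intermediary or browser cache keeps it.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private, max-age=0");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0L);
            new FormRenderer().renderForm(client, normalizedTemplateUrl, contextPath, requestUrl, nonce, attributes, acceptLanguage, response);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "renderConsentForm");
        }
    }

    /**
     * Redirects an unauthenticated user to the configured login URL (default
     * {@value #DEFAULT_AUTHZ_LOGIN_URL}, resolved against the context path unless absolute). The
     * target comes from provider configuration only, never from the request. The original
     * request URI and query string are stored in the {@value #COOKIE_WASREQURL} cookie so the
     * login flow can return to this endpoint; the cookie is marked Secure when the global web
     * security configuration requires SSL for SSO.
     *
     * <p>NOTE(review): the cookie is not marked HttpOnly here — confirm whether that is set
     * elsewhere or intentionally left readable by scripts.
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void sendForLogin(OAuth20Provider provider, HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "sendForLogin");
        }
        String loginUrl = provider.getConfiguration().getConfigPropertyValue(PARAM_AUTHZ_LOGIN_URL);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "login url is set to " + loginUrl);
        }
        if (loginUrl == null || "".equals(loginUrl.trim())) {
            loginUrl = DEFAULT_AUTHZ_LOGIN_URL;
        }
        boolean relative = !loginUrl.startsWith("/") && !loginUrl.startsWith("http://") && !loginUrl.startsWith("https://");
        if (relative) {
            loginUrl = request.getContextPath() + "/" + loginUrl;
        }
        String returnTo = request.getRequestURI();
        if (request.getQueryString() != null) {
            returnTo = returnTo + "?" + request.getQueryString();
        }
        Cookie reqUrlCookie = new Cookie(COOKIE_WASREQURL, returnTo);
        reqUrlCookie.setPath("/");
        if (WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig() != null
                && WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig().getSSORequiresSSL()) {
            reqUrlCookie.setSecure(true);
        }
        response.addCookie(reqUrlCookie);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "send user to login page on " + loginUrl);
        }
        response.sendRedirect(loginUrl);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "sendForLogin");
        }
    }

    /**
     * Looks up the dispatcher for {@code path} inside the web application mounted at
     * {@code contextRoot}. Returns null when that context is not reachable from this one
     * (the container decides; presumably cross-context access must be enabled — confirm).
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RequestDispatcher getDispatcher(String contextRoot, String path) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDispatcher", contextRoot, path);
        }
        ServletContext target = getServletContext().getContext(contextRoot);
        RequestDispatcher dispatcher = target == null ? null : target.getRequestDispatcher(path);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDispatcher", dispatcher);
        }
        return dispatcher;
    }

    /**
     * Decides whether the consent step is skipped for this request. All three must hold: the
     * provider configures the name of an auto-authorize request parameter, the request carries
     * that parameter with value {@code true} (case-insensitive), and the request's client_id is
     * listed in the provider's auto-authorize client list. The request parameter alone is
     * client-controlled; the configured client list is what actually grants the bypass.
     *
     * @return true when consent may be skipped; false otherwise, including when client_id is absent
     */
    @ManualTrace
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean checkAutoauthz(OAuth20Provider provider, HttpServletRequest request) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAutoauthz", provider, request);
        }
        OAuth20ProviderConfiguration configuration = provider.getConfiguration();
        boolean autoAuthorize = false;
        String autoAuthzParamName = configuration.getConfigPropertyValue(Constants.AUTO_AUTHORIZE_PARAM);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "autoauthz param=" + autoAuthzParamName);
        }
        if (autoAuthzParamName != null && !"".equals(autoAuthzParamName)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "param configured, checking if set to true");
            }
            if ("true".equalsIgnoreCase(request.getParameter(autoAuthzParamName))) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "param is true, loading whitelisted clients");
                }
                String clientId = request.getParameter(OAuth20Constants.CLIENT_ID);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "client ID is: " + clientId);
                }
                String[] allowedClients = configuration.getConfigPropertyValues(Constants.AUTO_AUTHORIZE_CLIENTS);
                if (allowedClients != null && allowedClients.length >= 1) {
                    for (String allowed : allowedClients) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "checking match with: " + allowed);
                        }
                        // Compare from the configured side so a request without client_id cannot NPE here.
                        if (allowed.equals(clientId)) {
                            autoAuthorize = true;
                            break;
                        }
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authauthz param enabled but no whitelisted clients, strange to see an autoauthz request.");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAutoauthz", Boolean.valueOf(autoAuthorize));
        }
        return autoAuthorize;
    }

    /**
     * Removes an explicit default port from a URL: {@code :443/} for https and {@code :80/}
     * for http. Note that {@link String#replace} is global, so any later {@code :443/} /
     * {@code :80/} in the path is removed as well.
     */
    private static String dropDefaultPort(String url) {
        String normalized = url;
        if (normalized.startsWith("https:") && normalized.contains(":443/")) {
            normalized = normalized.replace(":443/", "/");
        }
        if (normalized.startsWith("http:") && normalized.contains(":80/")) {
            normalized = normalized.replace(":80/", "/");
        }
        return normalized;
    }

    /**
     * Compares a registered and a requested redirect URI: equal as-is, or equal once explicit
     * default ports are dropped from both. This is an exact-string comparison, not a prefix
     * match; nulls never match.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean urlsMatch(String registered, String requested) {
        if (registered == null || requested == null) {
            return false;
        }
        if (registered.equals(requested)) {
            return true;
        }
        return dropDefaultPort(registered).equals(dropDefaultPort(requested));
    }

    /**
     * Enforces the configured per-user/per-client token limit ({@code Constants.USER_CLIENT_TOKEN_LIMIT}).
     * No limit configured means never reached. When the token cache already holds at least
     * {@code limit} tokens for this user and client, an error message is logged and true is returned.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected boolean reachedTokenLimit(OAuth20Provider provider, String userName, String clientId) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checking token limit for " + userName + ", client " + clientId);
        }
        OAuth20ProviderConfiguration configuration = provider.getConfiguration();
        String limitValue = configuration.getConfigPropertyValue(Constants.USER_CLIENT_TOKEN_LIMIT);
        if (limitValue == null || limitValue.length() <= 0) {
            return false;
        }
        int numTokens = provider.getTokenCache().getNumTokens(userName, clientId);
        int limit = configuration.getConfigPropertyIntValue(Constants.USER_CLIENT_TOKEN_LIMIT);
        if (numTokens < limit) {
            return false;
        }
        Tr.error(tc, "security.oauth20.token.limit.error", userName, clientId, Integer.valueOf(limit));
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "hit the token limit for " + userName + " / " + clientId + ", limit: " + limit);
        }
        return true;
    }
}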
