package com.ibm.ws.wssecurity.token;

import com.ibm.websphere.wssecurity.admin.PolicyAttributesConstants;
import com.ibm.websphere.wssecurity.wssapi.token.DerivedKeyToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.ws.wssecurity.common.Result;
import com.ibm.ws.wssecurity.common.ResultPool;
import com.ibm.ws.wssecurity.config.CallerConfig;
import com.ibm.ws.wssecurity.config.ReferencePartConfig;
import com.ibm.ws.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.wssecurity.core.WSSConsumerComponent;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.SubjectCache;
import com.ibm.ws.wssecurity.platform.auth.WSSContext;
import com.ibm.ws.wssecurity.platform.auth.WSSContextFactory;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManager;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.util.TokenUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.CommonCallbackHandler;
import com.ibm.ws.wssecurity.wssapi.token.impl.DKToken;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenManagerImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenWrapper;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.CallbackHandlerConfig;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/token/LoginProcessor.class */
public class LoginProcessor implements WSSConsumerComponent {
    // Message/trace component id for this WS-Security consumer component.
    private static final String comp = "security.wssecurity";
    // Set by init(); nothing in the visible part of this class reads it back.
    private boolean _initialized = false;
    // Context-map key reset to "false" at the start of every caller login (see invokeLoginModule(CallerConfig, Map)).
    public static final String isLTPAPropagationTokenCallerToken = "isLTPAPropagationTokenCallerToken";
    // Context-map key; presumably where the pre-login Subject is stashed — not written in the visible code, verify against the rest of the file.
    public static final String savedSubject = "SubjectPriorToCallerCall";
    private static final TraceComponent tc = Tr.register(LoginProcessor.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Used as the source label in Tr.processException calls.
    private static final String clsName = LoginProcessor.class.getName();

    /**
     * Component initialisation hook. This component carries no configuration of
     * its own, so the only effect is to record that initialisation has happened.
     *
     * @param map component configuration (unused here)
     * @throws SoapSecurityException never thrown by this implementation; declared by the interface
     */
    @Override // com.ibm.ws.wssecurity.core.WSSComponent, com.ibm.ws.wssecurity.core.Initializable
    public void init(Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init(Map map)");
        }
        // Idempotent: repeated init calls simply leave the flag set.
        this._initialized = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init(Map map)");
        }
    }

    /**
     * Consumer pipeline step for caller login: select the CallerConfig that the
     * already-processed tokens satisfy, run its JAAS login, fold the resulting
     * Subject into the security-token manager and cache what the login produced.
     *
     * @param oMNode the target element; only used for trace output here
     * @param map    per-message context. Must contain the WSSConsumerConfig and the
     *               SecurityTokenManagerImpl under their well-known keys; a missing
     *               entry surfaces as a NullPointerException, not a security fault.
     * @throws SoapSecurityException when caller selection or the login fails
     */
    @Override // com.ibm.ws.wssecurity.core.WSSConsumerComponent
    public void invoke(OMNode oMNode, Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            String entryMsg = "invoke(" + "OMNode target[" + DOMUtils.getDisplayName(oMNode) + "], " + "Map context)";
            Tr.entry(tc, entryMsg);
        }
        printSubject(map, "before");
        WSSConsumerConfig consumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        SecurityToken callerToken = invokeLoginModule(consumerConfig.getCallers(), map);
        SecurityTokenManagerImpl tokenManager = (SecurityTokenManagerImpl) map.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        tokenManager.integrateSubject();
        cacheInformation(callerToken, map);
        printSubject(map, "after");
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Element, Map)");
        }
    }

    /**
     * Selects the caller configuration that applies to this message and runs its
     * login module.
     *
     * @param collection the configured callers
     * @param map        per-message context
     * @return the token the login stored under Constants.WSSECURITY_TOKEN_LOGININFO,
     *         or null when no caller configuration applies (selectCallers returned null)
     * @throws SoapSecurityException on selection or login failure. A login failure
     *         that is not already a SoapSecurityException is wrapped as WSEC6837E; in
     *         every failure case Axis2Util.setFailedAuthFaultCodeIfNone is consulted
     *         so the fault leaves with an authentication-failure code rather than none.
     */
    private static SecurityToken invokeLoginModule(Collection<CallerConfig> collection, Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeLoginModule(" + "Set cconfigs[" + collection + "], " + "Map context)");
        }
        CallerConfig chosen = selectCallers(collection, map);
        SecurityToken loginToken = null;
        if (chosen != null) {
            try {
                invokeLoginModule(chosen, map);
                loginToken = (SecurityToken) map.get(Constants.WSSECURITY_TOKEN_LOGININFO);
            } catch (SoapSecurityException sse) {
                // Preserve the original fault, but never let it out without a fault code.
                if (sse.getFaultCode() == null) {
                    Axis2Util.setFailedAuthFaultCodeIfNone(map);
                }
                throw sse;
            } catch (Exception other) {
                // Anything else from the login stack becomes a generic login failure.
                throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCodeIfNone(map), "security.wssecurity.WSEC6837E", new String[]{other.getMessage()}, other);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invokeLoginModule(Set, Map)" + " returns SecurityToken [" + loginToken + "]");
        }
        return loginToken;
    }

    /**
     * Chooses the CallerConfig whose identity requirements are met by the
     * AuthResults collected for this message.
     *
     * With no callers configured nothing is selected and null is returned. Otherwise
     * implied candidates are added first (checkImpliedCaller) and the pool must not be
     * empty (s01). When caller order is enforced the first configured caller that
     * matches wins; otherwise exactly one caller may match and a second match is
     * rejected as ambiguous (s06). No match at all is rejected with s07.
     *
     * Note that isCallerMatch marks AuthResults as caller tokens while it evaluates,
     * so it has side effects even for callers that are not selected.
     *
     * @param collection configured callers, in configuration order
     * @param map        per-message context
     * @return the selected caller, or null when none is configured
     * @throws SoapSecurityException s01 (no results), s06 (ambiguous), s07 (no match)
     */
    private static CallerConfig selectCallers(Collection<CallerConfig> collection, Map<Object, Object> map) throws SoapSecurityException {
        WSSConsumerConfig consumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        boolean orderEnforced = consumerConfig.isCallerOrderEnforced();
        if (collection.isEmpty()) {
            return null;
        }
        checkImpliedCaller(map);
        Result[] authResults = ResultPool.get(map, AuthResult.class);
        if (authResults.length == 0) {
            throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s01");
        }
        CallerConfig selected = null;
        for (CallerConfig candidate : collection) {
            if (!isCallerMatch(candidate, authResults)) {
                continue;
            }
            if (orderEnforced) {
                // First match in configuration order wins.
                selected = candidate;
                break;
            }
            if (selected != null) {
                // Unordered mode: two matching callers is an ambiguity, fail closed.
                throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s06");
            }
            selected = candidate;
        }
        if (selected == null) {
            throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s07");
        }
        return selected;
    }

    /**
     * Adds "implied" caller candidates to the ResultPool.
     *
     * For every token consumer that is used for decryption or signature verification
     * and has not yet contributed an AuthResult, each token it consumed is compared
     * against every CallerConfig: a token whose value type equals the caller identity
     * (when no signing-part reference is required, or a trusted identity is also
     * configured) or the trusted identity (only when no signing-part reference is
     * required) becomes an AuthResult candidate. A DerivedKeyToken is unwrapped to its
     * base token unless that base token is already recorded as a candidate. Token
     * wrappers created here are tagged with the consuming config and marked processed.
     *
     * NOTE(review): consumer configs and wrappers are correlated by hashCode() values
     * only; if TokenConsumerConfig overrides hashCode, two distinct configs with equal
     * hashes would be conflated here — confirm it is identity-based.
     *
     * @param map per-message context holding the token manager and consumer config
     */
    private static void checkImpliedCaller(Map<Object, Object> map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkImpliedCaller");
        }
        // Computed but never used; kept as-is.
        int length = ResultPool.get(map, AuthResult.class).length;
        SecurityTokenManagerImpl securityTokenManagerImpl = (SecurityTokenManagerImpl) map.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        WSSConsumerConfig wSSConsumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        List<CallerConfig> callers = wSSConsumerConfig.getCallers();
        for (TokenConsumerConfig tokenConsumerConfig : wSSConsumerConfig.getTokenConsumers()) {
            // Only consumers that took part in decryption or signature verification can imply a caller.
            if (tokenConsumerConfig.isUsedForDecryption() || tokenConsumerConfig.isUsedForVerification()) {
                // Re-read the pool: earlier iterations may have added results.
                Result[] resultArr = ResultPool.get(map, AuthResult.class);
                int length2 = resultArr.length;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "TokenConsumerConfig hash =" + tokenConsumerConfig.hashCode());
                }
                // z: this consumer config already has a candidate in the pool.
                boolean z = false;
                if (length2 > 0) {
                    for (Result result : resultArr) {
                        AuthResult authResult = (AuthResult) result;
                        if (authResult.getTokenWrapper() != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "result.getTokenWrapper().getUsedTokenConsumerHash() =" + authResult.getTokenWrapper().getUsedTokenConsumerHash());
                            }
                            if (tokenConsumerConfig.hashCode() == authResult.getTokenWrapper().getUsedTokenConsumerHash()) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "This token config has been added as candidate already: " + authResult.getTokenWrapper().getSecurityToken().getId());
                                }
                                z = true;
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "No TokenWrapper");
                        }
                    }
                }
                if (!z) {
                    Collection<SecurityToken> tokens = securityTokenManagerImpl.getTokens(tokenConsumerConfig);
                    if (tokens.size() > 0) {
                        QName type = tokenConsumerConfig.getType();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, tokens.size() + " tokens found.");
                            Tr.debug(tc, callers.size() + " CallerConfigs found, so start to process it...");
                            Tr.debug(tc, "The value type of the token consumer configuration: " + type);
                        }
                        for (CallerConfig callerConfig : callers) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Processing a CallerConfig [" + callerConfig + "]...");
                            }
                            QName callerIdentity = callerConfig.getCallerIdentity();
                            QName trustedIdentity = callerConfig.getTrustedIdentity();
                            ReferencePartConfig requiredSigningPartReference = callerConfig.getRequiredSigningPartReference();
                            // z2: this consumer's type may satisfy the caller identity.
                            // A required signing-part reference blocks implication unless a trusted identity is configured.
                            boolean z2 = callerIdentity != null && callerIdentity.equals(type) && (requiredSigningPartReference == null || trustedIdentity != null);
                            // z3: this consumer's type may satisfy the trusted identity; never implied when a signing-part reference is required.
                            boolean z3 = trustedIdentity != null && trustedIdentity.equals(type) && requiredSigningPartReference == null;
                            if (z2 || z3) {
                                Iterator<SecurityToken> it = tokens.iterator();
                                while (it.hasNext()) {
                                    // z4/z5: the token matched the caller / trusted identity respectively.
                                    boolean z4 = false;
                                    boolean z5 = false;
                                    SecurityToken next = it.next();
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Check Token: " + next.getId());
                                    }
                                    QName valueType = next.getValueType();
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "The value type of the token: " + valueType);
                                    }
                                    if (NamespaceUtil.equals(DerivedKeyToken.ValueType, valueType)) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "This is DerivedKeyToken: " + valueType);
                                        }
                                        // A derived key carries no identity of its own; look at the token it was derived from.
                                        SecurityToken derivableSecurityToken = ((DKToken) next).getDerivableSecurityToken();
                                        if (derivableSecurityToken != null) {
                                            QName valueType2 = derivableSecurityToken.getValueType();
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "The value type of the base token: " + valueType2);
                                            }
                                            SecurityTokenWrapper tokenWrapper = securityTokenManagerImpl.getTokenWrapper(derivableSecurityToken);
                                            if (tokenWrapper == null) {
                                                // First sighting of the base token: wrap it and attribute it to this consumer config.
                                                final SecurityTokenWrapper securityTokenWrapper = new SecurityTokenWrapper(derivableSecurityToken);
                                                final int hashCode = tokenConsumerConfig.hashCode();
                                                final int hashCode2 = tokenConsumerConfig.getClass().getName().hashCode();
                                                AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.token.LoginProcessor.1
                                                    @Override // java.security.PrivilegedAction
                                                    public Object run() {
                                                        SecurityTokenWrapper.this.setUsedTokenConsumer(hashCode, hashCode2);
                                                        SecurityTokenWrapper.this.setProcessed(true);
                                                        return null;
                                                    }
                                                });
                                                securityTokenManagerImpl.addTokenWrapper(securityTokenWrapper);
                                                tokenWrapper = securityTokenWrapper;
                                            }
                                            // z6: the base token's consumer is already represented in the pool; if so keep evaluating the DKT itself.
                                            Result[] resultArr2 = ResultPool.get(map, AuthResult.class);
                                            boolean z6 = false;
                                            if (resultArr2.length > 0) {
                                                for (Result result2 : resultArr2) {
                                                    AuthResult authResult2 = (AuthResult) result2;
                                                    if (authResult2.getTokenWrapper() != null) {
                                                        if (tc.isDebugEnabled()) {
                                                            Tr.debug(tc, "result.getTokenWrapper().getUsedTokenConsumerHash() =" + authResult2.getTokenWrapper().getUsedTokenConsumerHash());
                                                        }
                                                        if (tokenWrapper.getUsedTokenConsumerHash() == authResult2.getTokenWrapper().getUsedTokenConsumerHash()) {
                                                            if (tc.isDebugEnabled()) {
                                                                Tr.debug(tc, "This token has been added as candidate already: " + authResult2.getTokenWrapper().getSecurityToken().getId());
                                                            }
                                                            z6 = true;
                                                        }
                                                    } else if (tc.isDebugEnabled()) {
                                                        Tr.debug(tc, "No TokenWrapper");
                                                    }
                                                }
                                            }
                                            if (!z6) {
                                                // Substitute the base token so the identity checks below see its value type.
                                                next = derivableSecurityToken;
                                                valueType = derivableSecurityToken.getValueType();
                                            }
                                        }
                                    }
                                    if (z2) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Checking the caller identity [" + callerIdentity + "]...");
                                        }
                                        if (callerIdentity.equals(valueType)) {
                                            z4 = true;
                                        }
                                    }
                                    if (z3) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Checking the trusted identity [" + trustedIdentity + "]...");
                                        }
                                        if (trustedIdentity.equals(valueType)) {
                                            z5 = true;
                                        }
                                    }
                                    if (z4 || z5) {
                                        SecurityTokenWrapper tokenWrapper2 = securityTokenManagerImpl.getTokenWrapper(next);
                                        if (tokenWrapper2 == null) {
                                            final SecurityTokenWrapper securityTokenWrapper2 = new SecurityTokenWrapper(next);
                                            final int hashCode3 = tokenConsumerConfig.hashCode();
                                            final int hashCode4 = tokenConsumerConfig.getClass().getName().hashCode();
                                            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.token.LoginProcessor.2
                                                @Override // java.security.PrivilegedAction
                                                public Object run() {
                                                    SecurityTokenWrapper.this.setUsedTokenConsumer(hashCode3, hashCode4);
                                                    SecurityTokenWrapper.this.setProcessed(true);
                                                    return null;
                                                }
                                            });
                                            securityTokenManagerImpl.addTokenWrapper(securityTokenWrapper2);
                                            tokenWrapper2 = securityTokenWrapper2;
                                        }
                                        // Implied candidates are never supporting tokens (last argument false).
                                        AuthResult authResult3 = new AuthResult(tokenWrapper2, callerConfig, z4, z5, false);
                                        ResultPool.add(map, authResult3);
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Added AuthResult[" + authResult3 + "] into the ResultPool.");
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkImpliedCaller");
        }
    }

    /**
     * Decides whether the AuthResults collected for this CallerConfig satisfy it,
     * and flags the result(s) that will act as the caller token.
     *
     * Results belonging to this config are bucketed by role (caller identity vs.
     * trusted identity) and by whether the token is a supporting token; within each
     * role, supporting-token candidates take precedence. More than one candidate in a
     * bucket is an ambiguity error (s12 for supporting tokens, s13 otherwise) unless
     * all entries refer to the same token (allForOne).
     *
     * Without a trusted identity a single caller-identity candidate suffices. With a
     * trusted identity both a caller candidate and a trusted candidate are required;
     * when both identities are the same QName, exactly two candidates of that type
     * are expected in one bucket.
     *
     * NOTE(review): setIsCallerToken() is applied as soon as a bucket is accepted,
     * even when the method goes on to return false (e.g. caller candidate present
     * but no trusted candidate). Results can therefore carry the caller-token flag
     * for a CallerConfig that is never selected; confirm downstream code keys on the
     * selected config rather than on that flag alone.
     *
     * NOTE(review): callerConfig.getCallerIdentity() is dereferenced whenever a
     * trusted identity is configured; a config with a trusted identity but no caller
     * identity fails with NullPointerException rather than a SoapSecurityException.
     *
     * @param callerConfig the caller configuration being evaluated
     * @param resultArr    all AuthResults in the pool (results for other configs are ignored)
     * @return true when the configuration is satisfied
     * @throws SoapSecurityException s12/s13 on ambiguous candidates
     */
    private static boolean isCallerMatch(CallerConfig callerConfig, Result[] resultArr) throws SoapSecurityException {
        // z: overall match; z2: a trusted identity is configured; z3: caller and trusted identity are the same QName.
        boolean z = false;
        boolean z2 = false;
        boolean z3 = false;
        // Buckets: arrayList = trusted/non-supporting, arrayList2 = caller/non-supporting,
        // arrayList3 = trusted/supporting, arrayList4 = caller/supporting.
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        ArrayList arrayList4 = new ArrayList();
        if (callerConfig.getTrustedIdentity() != null) {
            z2 = true;
            if (callerConfig.getCallerIdentity().equals(callerConfig.getTrustedIdentity())) {
                z3 = true;
            }
        }
        for (Result result : resultArr) {
            AuthResult authResult = (AuthResult) result;
            // Only results recorded for this very config (reference equality) count.
            if (authResult.getConfig() == callerConfig) {
                if (authResult._callerIdentityCandidate) {
                    if (authResult.isSupportingToken()) {
                        arrayList4.add(authResult);
                    } else {
                        arrayList2.add(authResult);
                    }
                }
                if (authResult._trustedIdentityCandidate) {
                    if (authResult.isSupportingToken()) {
                        arrayList3.add(authResult);
                    } else {
                        arrayList.add(authResult);
                    }
                }
            }
        }
        if (z2) {
            // z4: caller identity satisfied; z5: trusted identity satisfied.
            boolean z4 = false;
            boolean z5 = false;
            if (!z3) {
                // Distinct caller and trusted identities: supporting candidates win over non-supporting ones.
                if (!arrayList4.isEmpty()) {
                    if (arrayList4.size() != 1 && !allForOne(arrayList4)) {
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s12", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList4.size()));
                    }
                    ((AuthResult) arrayList4.get(0)).setIsCallerToken();
                    z4 = true;
                } else if (!arrayList2.isEmpty()) {
                    if (arrayList2.size() != 1 && !allForOne(arrayList2)) {
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList2.size()));
                    }
                    ((AuthResult) arrayList2.get(0)).setIsCallerToken();
                    z4 = true;
                }
                if (!arrayList3.isEmpty()) {
                    if (arrayList3.size() != 1 && !allForOne(arrayList3)) {
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s12", callerConfig.getTrustedIdentity().toString(), Integer.toString(arrayList3.size()));
                    }
                    ((AuthResult) arrayList3.get(0)).setIsCallerToken();
                    z5 = true;
                } else if (!arrayList.isEmpty()) {
                    if (arrayList.size() != 1 && !allForOne(arrayList)) {
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", callerConfig.getTrustedIdentity().toString(), Integer.toString(arrayList.size()));
                    }
                    ((AuthResult) arrayList.get(0)).setIsCallerToken();
                    z5 = true;
                }
            } else if (arrayList4.isEmpty()) {
                // Same QName for both identities and no supporting candidates: exactly two non-supporting tokens are expected.
                if (!arrayList2.isEmpty()) {
                    if (arrayList2.size() == 2) {
                        ((AuthResult) arrayList2.get(0)).setIsCallerToken();
                        ((AuthResult) arrayList2.get(1)).setIsCallerToken();
                        z5 = true;
                        z4 = true;
                    } else if (arrayList2.size() > 2) {
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList2.size()));
                    }
                }
            } else if (arrayList4.size() == 2) {
                ((AuthResult) arrayList4.get(0)).setIsCallerToken();
                ((AuthResult) arrayList4.get(1)).setIsCallerToken();
                z5 = true;
                z4 = true;
            } else if (arrayList4.size() == 1 && arrayList2.size() == 1) {
                // NOTE(review): both tokens are flagged as caller tokens here but z4/z5 stay false,
                // so this one-supporting-plus-one-non-supporting combination yields no match. Confirm intentional.
                ((AuthResult) arrayList4.get(0)).setIsCallerToken();
                ((AuthResult) arrayList2.get(0)).setIsCallerToken();
            } else if (arrayList4.size() > 2) {
                throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s12", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList4.size()));
            }
            // Both identities must be satisfied for a trusted-identity caller.
            if (z5 && z4) {
                z = true;
            }
        } else if (!arrayList4.isEmpty()) {
            // No trusted identity: a single (or single distinct) caller candidate suffices, supporting tokens first.
            if (arrayList4.size() != 1 && !allForOne(arrayList4)) {
                throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s12", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList4.size()));
            }
            ((AuthResult) arrayList4.get(0)).setIsCallerToken();
            z = true;
        } else if (!arrayList2.isEmpty()) {
            if (arrayList2.size() != 1 && !allForOne(arrayList2)) {
                throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", callerConfig.getCallerIdentity().toString(), Integer.toString(arrayList2.size()));
            }
            ((AuthResult) arrayList2.get(0)).setIsCallerToken();
            z = true;
        }
        return z;
    }

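    /**
     * Returns true when every AuthResult in the list refers to the same token, judged
     * by the token's Id. isCallerMatch calls this only with two or more entries, to
     * decide whether several candidates in one bucket are really one token (accepted)
     * or distinct tokens (rejected as ambiguous).
     *
     * A missing Id on any entry yields false, so the candidates are treated as
     * distinct and rejected. An empty or null list also yields false instead of
     * throwing NoSuchElementException.
     *
     * The comparison is exact: XML Ids are case-sensitive, and a case-insensitive
     * match would let two different tokens whose Ids differ only by case pass as a
     * single token and slip past the ambiguity check.
     *
     * @param arrayList candidate results for one bucket
     * @return true when all entries share one non-null token Id
     */
    private static boolean allForOne(ArrayList<AuthResult> arrayList) {
        if (arrayList == null || arrayList.isEmpty()) {
            return false;
        }
        String firstId = arrayList.get(0).getTokenWrapper().getSecurityToken().getId();
        if (firstId == null) {
            return false;
        }
        for (int i = 1; i < arrayList.size(); i++) {
            String otherId = arrayList.get(i).getTokenWrapper().getSecurityToken().getId();
            // equals(null) is false, so a later entry without an Id also rejects.
            if (!firstId.equals(otherId)) {
                return false;
            }
        }
        return true;
    }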

    private static void invokeLoginModule(CallerConfig callerConfig, Map<Object, Object> map) throws SoapSecurityException {
        Subject subject;
        Class<?> cls;
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("invokeLoginModule(");
            stringBuffer.append("CallerConfig config[").append(callerConfig).append("], ");
            stringBuffer.append("Map context)");
            Tr.entry(tc, stringBuffer.toString());
        }
        map.put(isLTPAPropagationTokenCallerToken, "false");
        Object obj = map.get(Constants.WSSECURITY_SUBJECT);
        if (obj == null || !(obj instanceof Subject)) {
            subject = new Subject();
            map.put(Constants.WSSECURITY_SUBJECT, subject);
        } else {
            subject = (Subject) obj;
            TokenUtils.replaceSCT(subject, map);
            TokenUtils.removeDKT(subject, map);
        }
        SecurityTokenManagerImpl securityTokenManagerImpl = (SecurityTokenManagerImpl) map.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        WSSContextManager wSSContextManagerFactory = WSSContextManagerFactory.getInstance();
        if (wSSContextManagerFactory == null && tc.isDebugEnabled()) {
            Tr.debug(tc, "WSSContextManager object missing");
        }
        SubjectCache subjectCache = wSSContextManagerFactory.getSubjectCache();
        String identifier = CacheableSubjectHelperFactory.getInstance().getIdentifier(subject);
        if (identifier != null && !identifier.isEmpty()) {
            Subject subjectFromAuthCacheByUniqueID = subjectCache.getSubjectFromAuthCacheByUniqueID(identifier);
            try {
                subjectCache.validateAndRenewSubject(subjectFromAuthCacheByUniqueID, true);
            } catch (Exception e) {
                subjectFromAuthCacheByUniqueID = null;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token has expired or not refreshable = " + e.getMessage());
                }
            }
            if (subjectFromAuthCacheByUniqueID != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found subject in AuthnCache with identifier and expiration time = " + identifier);
                }
                WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
                WSSAuditEventGenerator wSSAuditEventGeneratorFactory = WSSAuditEventGeneratorFactory.getInstance();
                if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, map) && !callerConfig.useIdentityAssertion()) {
                    String name = ((Principal) subjectFromAuthCacheByUniqueID.getPrincipals().toArray()[0]).getName();
                    MessageContext messageContext = (MessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
                    Map<String, Object> extendedAuditData = wSSAuditEventGeneratorFactory.setExtendedAuditData(map, WSSAuditEventGenerator.CACHED_USERNAME, name);
                    wSSAuditEventGeneratorFactory.addProviderData(extendedAuditData, callerConfig.getJAASConfig(), WSSAuditEventGenerator.SUCCESS);
                    wSSAuditEventGeneratorFactory.addAuthnTypeData(extendedAuditData, callerConfig.getCallerIdentity().toString());
                    wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                    wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                }
                securityTokenManagerImpl.addToSubject(subjectFromAuthCacheByUniqueID);
                subjectCache.addSubjectToAuthCache(subjectFromAuthCacheByUniqueID, identifier);
                return;
            }
        }
        final String jAASConfig = callerConfig.getJAASConfig();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject not in CacheableTokenLocalCache, identifier = " + identifier);
            Tr.debug(tc, "JAAS config name is " + jAASConfig + PolicyAttributesConstants.DELIMITER);
        }
        if (jAASConfig == null) {
            throw SoapSecurityException.format("security.wssecurity.WSEC6834E", callerConfig.toString());
        }
        map.put(com.ibm.wsspi.wssecurity.core.config.CallerConfig.CONFIG_KEY, callerConfig);
        map.putAll(callerConfig.getJAASConfigProperties());
        CallbackHandlerConfig callbackHandler = callerConfig.getCallbackHandler();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CallbackHandlerConfig [" + callbackHandler + "].");
        }
        CallbackHandler callbackHandler2 = null;
        if (callbackHandler != null) {
            callbackHandler2 = callbackHandler.getInstance();
            if (callbackHandler2 == null) {
                String className = callbackHandler.getClassName();
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Instantiating the callback handler [" + className + "]...");
                    }
                    ClassLoader classLoader = (ClassLoader) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.token.LoginProcessor.3
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return Thread.currentThread().getContextClassLoader();
                        }
                    });
                    if (classLoader != null) {
                        try {
                            cls = classLoader.loadClass(className);
                        } catch (Exception e2) {
                            cls = Class.forName(className);
                        }
                    } else {
                        cls = Class.forName(className);
                    }
                    if (!CallbackHandler.class.isAssignableFrom(cls)) {
                        throw SoapSecurityException.format("security.wssecurity.ConfigUtil.s17", className, CallbackHandler.class.getName());
                    }
                    HashMap hashMap = new HashMap();
                    hashMap.put(CallbackHandlerConfig.CONFIG_KEY, callbackHandler);
                    callbackHandler2 = (CallbackHandler) cls.getConstructor(Map.class).newInstance(hashMap);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to Instantiate the callback handler [" + className + "].");
                    }
                    callbackHandler.setInstance(callbackHandler2);
                } catch (SoapSecurityException e3) {
                    Tr.processException(e3, clsName + ".invoke", "797");
                    throw e3;
                } catch (Exception e4) {
                    Tr.processException(e4, clsName + ".invoke", "800");
                    Tr.error(tc, "security.wssecurity.X509TokenGenerator.s01", new Object[]{className});
                    throw SoapSecurityException.format("security.wssecurity.X509TokenGenerator.s01", className, e4);
                }
            }
            map.putAll(callbackHandler.getProperties());
        }
        final CommonCallbackHandler commonCallbackHandler = new CommonCallbackHandler(callbackHandler2, map);
        final Subject cloneSubject = securityTokenManagerImpl.cloneSubject(subject);
        try {
            LoginContext loginContext = (LoginContext) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.wssecurity.token.LoginProcessor.4
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws LoginException {
                    return new LoginContext(jAASConfig, cloneSubject, commonCallbackHandler);
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeed to construct the login context.");
            }
            loginContext.login();
            Subject subject2 = loginContext.getSubject();
            String str = (String) map.remove(isLTPAPropagationTokenCallerToken);
            if (str != null && str.equalsIgnoreCase("true")) {
                subject2 = (Subject) map.remove(savedSubject);
            }
            try {
                if (subjectCache.validateSubject(subject2) == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no valid WebSphere security subject returned from Caller login.");
                    }
                    throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s09");
                }
                securityTokenManagerImpl.addToSubject(subject2);
                TokenUtils.removeLtpaPropToken(subject2, map);
                subjectCache.addSubjectToAuthCache(subject2, identifier);
                if (tc.isEntryEnabled()) {
                    StringBuffer stringBuffer2 = new StringBuffer("invokeLoginModule(");
                    stringBuffer2.append("CallerConfig, Map)");
                    Tr.exit(tc, stringBuffer2.toString());
                }
            } catch (Exception e5) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no valid WebSphere security subject returned from Caller login.");
                }
                Tr.processException(e5, clsName + ".invokeLoginModule", "844");
                Tr.error(tc, "security.wssecurity.LoginProcessor.s09", new Object[]{e5});
                throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s09");
            }
        } catch (PrivilegedActionException e6) {
            LoginException loginException = (LoginException) e6.getCause();
            Tr.processException(loginException, clsName + ".invokeLoginModule", "873");
            Tr.error(tc, "security.wssecurity.X509TokenConsumer.s01", new Object[]{loginException});
            throw SoapSecurityException.format(com.ibm.ws.wssecurity.common.Constants.FAILED_AUTHENTICATION, "security.wssecurity.X509TokenConsumer.s01", loginException);
        } catch (LoginException e7) {
            Tr.processException(e7, clsName + ".invokeLoginModule", "879");
            Tr.error(tc, "security.wssecurity.X509TokenConsumer.s02", new Object[]{e7});
            throw SoapSecurityException.format(com.ibm.ws.wssecurity.common.Constants.FAILED_AUTHENTICATION, "security.wssecurity.X509TokenConsumer.s02", e7);
        }
    }

    /**
     * Publishes the caller subject and the initial-sender certificate to the WSSContextManager.
     * <p>
     * The subject is read from the context map under {@code Constants.WSSECURITY_SUBJECT} and stored
     * as {@code Constants.WSSECURITY_INITIAL_SENDER_ID}. The certificate stored under
     * {@code Constants.WSSECURITY_INITIAL_SENDER_CERT} comes straight from {@code securityToken} when
     * that token is an {@link X509Token}; otherwise it is looked up among the subject's private
     * credentials (see {@link #findCallerCandidateCertificate}). The certificate value may be
     * {@code null} and is stored regardless, so readers of that context key must handle absence.
     * When no context manager is available only an error is logged; nothing is cached.
     *
     * @param securityToken the token the caller was authenticated with, may be {@code null}
     * @param map           the message-processing context map
     * @throws SoapSecurityException declared for callers; not thrown by this method itself
     */
    private void cacheInformation(SecurityToken securityToken, Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cacheInformation(Token token[" + securityToken + "],Map context)");
        }
        final Subject callerSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        WSSContextManager contextManager = WSSContextManagerFactory.getInstance();
        if (contextManager == null) {
            Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
        } else {
            contextManager.put(Constants.WSSECURITY_INITIAL_SENDER_ID, callerSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Initial Sender is set.");
            }
            X509Certificate initialSenderCert;
            // instanceof is false for null, so a null token takes the lookup path as well.
            if (securityToken instanceof X509Token) {
                initialSenderCert = ((X509Token) securityToken).getCertificate();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Initial Cert is set.");
                }
            } else {
                initialSenderCert = findCallerCandidateCertificate(callerSubject, map);
            }
            contextManager.put(Constants.WSSECURITY_INITIAL_SENDER_CERT, initialSenderCert);
            if (initialSenderCert != null && tc.isDebugEnabled()) {
                // NOTE(review): getSubjectDN() is a denigrated API (getSubjectX500Principal() is the
                // replacement); kept so the trace text is unchanged.
                Tr.debug(tc, "Initial Cert is set:" + initialSenderCert.getSubjectDN().getName());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cacheInformation(Token token,Map context)");
        }
    }

    /**
     * Finds the certificate of the first X509 token in the subject's private credentials that is
     * also a caller-identity candidate according to the {@link AuthResult}s pooled in the context.
     * <p>
     * Candidate membership is decided with {@code HashSet.contains}, i.e. by the token's
     * {@code equals}/{@code hashCode} — presumably identity-based for token implementations; verify
     * if tokens are ever copied between the result pool and the subject. Reading the private
     * credentials is done in a privileged block.
     *
     * @param subject the caller subject whose private credentials are searched
     * @param map     the context map the {@link ResultPool} is read from
     * @return the matching certificate, or {@code null} when no candidate X509 token is present
     */
    private X509Certificate findCallerCandidateCertificate(final Subject subject, Map<Object, Object> map) {
        final HashSet<Object> candidateTokens = new HashSet<Object>();
        for (Result result : ResultPool.get(map, AuthResult.class)) {
            AuthResult authResult = (AuthResult) result;
            if (authResult.isCallerIdentityCandidate()) {
                candidateTokens.add(authResult.getTokenWrapper().getSecurityToken());
            }
        }
        return AccessController.doPrivileged(new PrivilegedAction<X509Certificate>() {
            @Override
            public X509Certificate run() {
                for (SecurityToken credential : subject.getPrivateCredentials(SecurityToken.class)) {
                    if (credential instanceof X509Token && candidateTokens.contains(credential)) {
                        return ((X509Token) credential).getCertificate();
                    }
                }
                return null;
            }
        });
    }

    /**
     * Writes the current run-as subject to the debug trace; a no-op unless debug tracing is enabled.
     * <p>
     * The subject is obtained from the {@link WSSContext} for the message context stored under
     * {@code Constants.WSSECURITY_MESSAGE_CONTEXT}; if either is missing, or the lookup throws, the
     * trace line reports {@code [null]}.
     * NOTE(review): the line renders {@code Subject.toString()}, which can include credential
     * details — debug traces containing it should be handled as sensitive output.
     *
     * @param map the message-processing context map
     * @param str a label (for example a phase such as before/after) embedded in the trace line
     */
    private void printSubject(Map<Object, Object> map, String str) {
        if (!tc.isDebugEnabled()) {
            return;
        }
        MessageContext msgCtx = (MessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        WSSContext wssContext = WSSContextFactory.getInstance();
        Subject runAsSubject = null;
        if (msgCtx != null && wssContext != null) {
            try {
                runAsSubject = wssContext.getRunAsSubject(msgCtx);
            } catch (Exception e) {
                // Best-effort diagnostic: a failed lookup is traced, not propagated.
                Tr.debug(tc, "Exception caught when obtaining runAsSubject: " + e);
            }
        }
        String rendered = (runAsSubject == null) ? "[null]" : runAsSubject.toString();
        Tr.debug(tc, "runAsSubject " + str + " login: " + rendered);
    }
}
