package com.ibm.ws.security.auth.kerberos.admintask;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.AdminCommand;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandMgr;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandResult;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.CommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand;
import com.ibm.websphere.management.cmdframework.provider.SimpleCommandProvider;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.management.configservice.SystemAttributes;
import com.ibm.websphere.management.exception.InvalidAttributeNameException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.admintask.securityDomain.SecConfigTaskHelper;
import com.ibm.ws.security.auth.kerberos.Krb5Utils;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.FiltersConfig;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.profiletask.MessageFormatHelper;
import com.ibm.ws.security.spnego.Constants;
import com.ibm.ws.security.spnego.HTTPHeaderFilter;
import com.ibm.ws.security.spnego.ServerConfig;
import com.ibm.ws.security.spnego.filter.HTTPHeaderFilterBase;
import com.ibm.ws.security.util.ConfigUtils;
import java.io.File;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.ObjectName;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/ws/security/auth/kerberos/admintask/SpnegoCommandProviderImpl.class */
public class SpnegoCommandProviderImpl extends SimpleCommandProvider {
    // Config service handle and configuration session. Every command method visible in this
    // class re-assigns both on entry (from getCommandProviderHelper() and from the command).
    // NOTE(review): all per-invocation state below lives in instance fields, so values persist
    // between calls and are not isolated if one provider instance serves concurrent commands;
    // whether the command framework shares an instance is not visible here. TODO confirm.
    private ConfigService configService;
    private Session session;
    // Value of the "securityDomainName" parameter; null selects the global security object.
    private String secDomain = null;
    // Boolean command parameters of configureSpnego; unboxed there without a null check.
    private Boolean enabled = null;
    private Boolean dynamicReload = null;
    private Boolean allowAppAuthMethodFallback = null;
    // "uxp" fields hold the krb5Config/krb5Keytab parameter exactly as supplied; the
    // non-prefixed fields hold the result of ConfigUtils.expandKrbFile(...) on that value.
    private String uxpKrb5Config = null;
    private String krb5Config = null;
    private String uxpKrb5Keytab = null;
    private String krb5Keytab = null;
    // Per-filter settings written by addSpnegoFilter into the SPNEGO "filters" config data.
    private String hostName = null;
    private String krb5Realm = null;
    private String filterCriteria = null;
    private String filterClass = null;
    // These two start as true; every other field above starts as null.
    private Boolean trimUserName = true;
    private Boolean enabledGssCredDelegate = true;
    private String spnegoNotSupportedPage = null;
    private String ntlmTokenReceivedPage = null;
    // Public names shared by command parameters and config attributes.
    public static final String ENABLED = "enabled";
    public static final String DYNAMIC_RELOAD = "dynamicReload";
    public static final String KRB5_CONFIG = "krb5Config";
    public static final String KRB5_KEYTAB = "krb5Keytab";
    public static final String ALLOW_APP_AUTH_METHOD_FALLBACK = "allowAppAuthMethodFallback";
    // Message bundle used by getMsg(...) for validation errors; resolved once at class
    // initialisation with the JVM default locale.
    // NOTE(review): the private static Strings below are not final although nothing in the
    // visible part of the class reassigns them; confirm against the rest of the file.
    private static String BUNDLE_NAME = AdminConstants.MSG_BUNDLE_NAME;
    private static ResourceBundle resBundle = ResourceBundle.getBundle(BUNDLE_NAME, Locale.getDefault());
    // Trace component for entry/exit and debug tracing of this class.
    private static TraceComponent tc = Tr.register((Class<?>) SpnegoCommandProviderImpl.class, "SpnegoCommandProviderImpl", "com.ibm.ws.security.auth.kerberos.admintask");
    // Attribute names of the SPNEGO auth mechanism object and of its filter entries.
    private static String FILTERS = "filters";
    private static String HOST_NAME = "hostName";
    private static String KRB5_REALM = "krb5Realm";
    private static String FILTER_CRITERIA = "filterCriteria";
    private static String FILTER_CLASS = "filterClass";
    private static String TRIM_USER_NAME = "trimUserName";
    private static String ENABLED_GSS_CRED_DELEGATE = "enabledGssCredDelegate";
    private static String SPNEGO_NOT_SUPPORTED_PAGE = FiltersConfig.SPNEGO_NOT_SUPPORTED_PAGE;
    private static String NTLM_TOKEN_RECEIVED_PAGE = FiltersConfig.NTLM_TOKEN_RECEIVED_PAGE;
    // Filter class names taken from the SPNEGO Constants class; not used in the visible methods.
    private static String DEFAULT_FILTER_CLASS = Constants.DEFAULT_FILTER_CLASS;
    private static String WAS70_FILTER_CLASS = Constants.WAS70_FILTER_CLASS;

    /**
     * Creates the admin command described by {@code commandMetadata}.
     *
     * <p>This provider adds no handling of its own; the call is passed straight to
     * {@link SimpleCommandProvider}.
     *
     * @param commandMetadata metadata identifying the command to create
     * @return the command built by the superclass
     * @throws CommandNotFoundException propagated unchanged from the superclass
     */
    @Override
    public AbstractAdminCommand createCommand(CommandMetadata commandMetadata) throws CommandNotFoundException {
        final AbstractAdminCommand created = super.createCommand(commandMetadata);
        return created;
    }

    /**
     * Loads a previously serialized admin command from {@code commandData}.
     *
     * <p>This provider adds no handling of its own; the call is passed straight to
     * {@link SimpleCommandProvider}.
     *
     * @param commandData stored command data to load from
     * @return the command rebuilt by the superclass
     * @throws CommandNotFoundException propagated unchanged from the superclass
     * @throws CommandLoadException propagated unchanged from the superclass
     */
    @Override
    public AbstractAdminCommand loadCommand(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        final AbstractAdminCommand loaded = super.loadCommand(commandData);
        return loaded;
    }

    /**
     * Applies the SPNEGO Web authentication settings carried by the command to the security
     * configuration (global, or the named security domain).
     *
     * <p>Reads the parameters {@code securityDomainName}, {@code enabled}, {@code dynamicReload},
     * {@code allowAppAuthMethodFallback}, {@code krb5Config} and {@code krb5Keytab}; creates the
     * SPNEGO auth mechanism object if none exists; refuses to enable SPNEGO when no filter is
     * defined; runs the {@code validateSpnegoConfig} command when enabling and the
     * {@code validateKrbConfig} command when {@code isKrb5AuthConfig} is true and the supplied
     * paths differ from the stored ones; then writes the SPNEGO attributes, the dynamic-reload
     * entry and, unless the paths already matched, the Kerberos config/keytab paths.
     *
     * <p>NOTE(review): when {@code enabled} is false and {@code isKrb5AuthConfig} is false, neither
     * validation command runs, so the supplied krb5Config/krb5Keytab values are persisted without
     * any check visible in this method. Confirm that this is intended.
     *
     * @param abstractAdminCommand the command supplying parameters and the config session
     * @return {@code true} on every normal completion
     * @throws CommandException for any failure; validation failures raised inside the
     *         {@code try} are caught by the catch-all and re-wrapped with the original as cause
     */
    public boolean configureSpnego(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        ObjectName securityObjectName;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "configureSpnego");
        }
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            this.enabled = (Boolean) abstractAdminCommand.getParameter("enabled");
            this.dynamicReload = (Boolean) abstractAdminCommand.getParameter(DYNAMIC_RELOAD);
            this.allowAppAuthMethodFallback = (Boolean) abstractAdminCommand.getParameter(ALLOW_APP_AUTH_METHOD_FALLBACK);
            // Keep both forms of each path: the raw value is what gets persisted further down,
            // the expanded value is what the validation commands receive.
            this.uxpKrb5Config = (String) abstractAdminCommand.getParameter("krb5Config");
            this.krb5Config = ConfigUtils.expandKrbFile(this.uxpKrb5Config);
            this.uxpKrb5Keytab = (String) abstractAdminCommand.getParameter("krb5Keytab");
            this.krb5Keytab = ConfigUtils.expandKrbFile(this.uxpKrb5Keytab);
            if (tc.isDebugEnabled()) {
                // Debug trace records the security domain and the krb5 config / keytab paths.
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
                Tr.debug(tc, "enabled: " + this.enabled);
                Tr.debug(tc, "dynamicReload: " + this.dynamicReload);
                Tr.debug(tc, "allowAppAuthMethodFallback: " + this.allowAppAuthMethodFallback);
                Tr.debug(tc, "unexpand krb5Config: " + this.uxpKrb5Config);
                Tr.debug(tc, "krb5Config: " + this.krb5Config);
                Tr.debug(tc, "unexpand krb5Keytab: " + this.uxpKrb5Keytab);
                Tr.debug(tc, "krb5Keytab: " + this.krb5Keytab);
            }
            // Resolve the target: a named security domain, or the global security object.
            if (this.secDomain != null) {
                securityObjectName = SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain);
                if (securityObjectName != null) {
                    // Defined elsewhere in this class; presumably copies the auth mechanism
                    // settings from global security into the domain. TODO confirm.
                    getAuthMechFromGlobalIfNeeded(this.session, this.configService, securityObjectName);
                }
            } else {
                securityObjectName = SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            }
            if (securityObjectName == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }
            // Find the SPNEGO auth mechanism object, creating a default one on first use.
            ObjectName authMechObj = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObjectName, AuthMechanismConfig.TYPE_SPNEGO);
            if (authMechObj == null) {
                authMechObj = createDefaultSpnegoAuthMechObj(this.session, this.configService, securityObjectName);
            }
            ArrayList arrayList = (ArrayList) this.configService.getAttribute(this.session, authMechObj, FILTERS);
            // NOTE(review): this.enabled is unboxed with no null check; this assumes the command
            // metadata makes "enabled" mandatory or gives it a default. TODO confirm.
            // Enabling SPNEGO with zero filters is rejected.
            if (this.enabled.booleanValue() && (arrayList == null || arrayList.size() == 0)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Cannot enable SPNEGO Web authentication without defining any SPNEGO Web authentication filters.");
                }
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.spnego.noFilter.SECJ7781E", null));
            }
            CommandMgr commandMgr = CommandMgr.getCommandMgr();
            if (this.enabled.booleanValue()) {
                // Only when enabling: run validateSpnegoConfig as a nested command in the same
                // config session, passing the expanded paths.
                AdminCommand createCommand = commandMgr.createCommand("validateSpnegoConfig");
                createCommand.setParameter("securityDomainName", this.secDomain);
                createCommand.setParameter("krb5Config", this.krb5Config);
                createCommand.setParameter("krb5Keytab", this.krb5Keytab);
                createCommand.setConfigSession(this.session);
                createCommand.execute();
                CommandResult commandResult = createCommand.getCommandResult();
                // Only isSuccessful() is consulted; the nested command's own result value
                // is not read here.
                if (!commandResult.isSuccessful()) {
                    Throwable exception = commandResult.getException();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Validate SPNEGO Web configuration failed", new Object[]{exception});
                    }
                    // NOTE(review): only the message is carried over (the cause is dropped), and
                    // a null exception on an unsuccessful result would raise an NPE here.
                    throw new CommandValidationException(exception.getMessage());
                }
            }
            // z records whether the supplied paths equal the Kerberos settings already stored;
            // it stays false whenever isKrb5AuthConfig(...) is false.
            boolean z = false;
            if (isKrb5AuthConfig(this.session, this.configService, securityObjectName)) {
                z = krb5ConfigEquals(this.session, this.configService, securityObjectName, this.krb5Config, this.krb5Keytab);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "krb5ConfigMatch? " + z);
                }
                if (!z) {
                    // The paths differ from the stored Kerberos settings: validate them through
                    // the validateKrbConfig command before they overwrite those settings below.
                    AdminCommand createCommand2 = commandMgr.createCommand("validateKrbConfig");
                    createCommand2.setParameter("securityDomainName", this.secDomain);
                    createCommand2.setParameter("checkConfigOnly", false);
                    createCommand2.setParameter("validateKrbRealm", false);
                    createCommand2.setParameter("useGlobalSecurityConfig", true);
                    createCommand2.setParameter("krb5Config", this.krb5Config);
                    createCommand2.setParameter("krb5Keytab", this.krb5Keytab);
                    createCommand2.setConfigSession(this.session);
                    createCommand2.execute();
                    CommandResult commandResult2 = createCommand2.getCommandResult();
                    if (!commandResult2.isSuccessful()) {
                        Throwable exception2 = commandResult2.getException();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Validating Kerberos configuration failed", new Object[]{exception2});
                        }
                        throw new CommandValidationException(exception2.getMessage());
                    }
                }
            }
            // First write: the SPNEGO mechanism's enabled flag and fallback flag.
            AttributeList attributeList = new AttributeList();
            attributeList.add(new Attribute("enabled", this.enabled));
            attributeList.add(new Attribute(ALLOW_APP_AUTH_METHOD_FALLBACK, this.allowAppAuthMethodFallback));
            this.configService.setAttributes(this.session, authMechObj, attributeList);
            // The same list instance is reused for the dynamic-reload write.
            attributeList.clear();
            // NOTE(review): this.dynamicReload is unboxed with no null check, as with enabled.
            if (this.dynamicReload.booleanValue()) {
                ArrayList arrayList2 = new ArrayList();
                arrayList2.add(authMechObj);
                attributeList.add(new Attribute("authMechanisms", arrayList2));
            } else {
                // A null value replaces the "authMechanisms" entry of the dynamic-reload object.
                attributeList.add(new Attribute("authMechanisms", (ObjectName) null));
            }
            // Create the dynamicReload config data if absent, otherwise update the existing one.
            AttributeList attributeList2 = (AttributeList) this.configService.getAttribute(this.session, securityObjectName, DYNAMIC_RELOAD);
            if (attributeList2 == null || attributeList2.size() == 0) {
                this.configService.createConfigData(this.session, securityObjectName, DYNAMIC_RELOAD, null, attributeList);
            } else {
                ObjectName[] queryConfigObjects = this.configService.queryConfigObjects(this.session, null, ConfigServiceHelper.createObjectName(attributeList2), null);
                // NOTE(review): element 0 is used without a length check; an empty array would
                // surface as a CommandException via the catch-all below.
                if (queryConfigObjects != null) {
                    this.configService.setAttributes(this.session, queryConfigObjects[0], attributeList);
                }
            }
            if (!z) {
                // Persist the paths as supplied (unexpanded) on the Kerberos auth mechanism
                // object, creating that object when it does not exist yet.
                attributeList.clear();
                attributeList.add(new Attribute("krb5Config", this.uxpKrb5Config));
                attributeList.add(new Attribute("krb5Keytab", this.uxpKrb5Keytab));
                ObjectName authMechObj2 = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObjectName, AuthMechanismConfig.TYPE_KERBEROS);
                if (authMechObj2 == null) {
                    this.configService.createConfigData(this.session, securityObjectName, "authMechanisms", AuthMechanismConfig.TYPE_KERBEROS, attributeList);
                } else {
                    this.configService.setAttributes(this.session, authMechObj2, attributeList);
                }
            }
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "configureSpnego");
            return true;
        } catch (Exception e) {
            // Catch-all: records FFDC and wraps everything, including the
            // CommandValidationExceptions thrown above, in a CommandException.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.configureSpnego", "274");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "configureSpnego caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

    /**
     * Removes the SPNEGO Web authentication configuration from the global security
     * configuration or from the security domain named by {@code securityDomainName}.
     *
     * <p>Steps, in order: clear the {@code authMechanisms} entry of the dynamic-reload object
     * (when one exists), delete the SPNEGO auth mechanism object, and delete the Kerberos auth
     * mechanism object as well when {@code isKrb5AuthConfig} reports false.
     *
     * <p>NOTE(review): the first element of the dynamic-reload query result is used without a
     * length check; an empty array aborts the command through the catch-all before anything
     * is deleted.
     *
     * @param abstractAdminCommand the command supplying parameters and the config session
     * @return {@code true} on every normal completion
     * @throws CommandException for any failure, including the missing-configuration
     *         validation error, which the catch-all re-wraps with the original as cause
     */
    public boolean unconfigureSpnego(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "unconfigureSpnego");
        }
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
            }

            // No domain name means the global security object is the target.
            ObjectName securityObj;
            if (this.secDomain == null) {
                securityObj = SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            } else {
                securityObj = SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain);
            }
            if (securityObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }

            // Detach the auth mechanisms from dynamic reload before deleting the objects.
            AttributeList reloadRef = (AttributeList) this.configService.getAttribute(this.session, securityObj, DYNAMIC_RELOAD);
            if (reloadRef != null && reloadRef.size() != 0) {
                ObjectName[] reloadObjs = this.configService.queryConfigObjects(this.session, null, ConfigServiceHelper.createObjectName(reloadRef), null);
                if (reloadObjs != null) {
                    AttributeList cleared = new AttributeList();
                    cleared.add(new Attribute("authMechanisms", (ObjectName) null));
                    this.configService.setAttributes(this.session, reloadObjs[0], cleared);
                }
            }

            ObjectName spnegoMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_SPNEGO);
            if (spnegoMech != null) {
                this.configService.deleteConfigData(this.session, spnegoMech);
            }

            // The Kerberos object is left alone whenever isKrb5AuthConfig(...) is true;
            // presumably that means Kerberos itself is configured as an auth mechanism. TODO confirm.
            if (!isKrb5AuthConfig(this.session, this.configService, securityObj)) {
                ObjectName kerberosMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_KERBEROS);
                if (kerberosMech != null) {
                    this.configService.deleteConfigData(this.session, kerberosMech);
                }
            }

            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "unconfigureSpnego");
            }
            return true;
        } catch (Exception e) {
            // Records FFDC and wraps every failure, validation errors included.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.unconfigureSpnego", "342");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "unconfigureSpnego caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

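    /**
     * Returns the current SPNEGO Web authentication settings of the global security
     * configuration or of the security domain named by {@code securityDomainName}.
     *
     * <p>The result is a one-element list holding an {@link AttributeList} with the attributes
     * of the SPNEGO auth mechanism object, plus {@code krb5Config} / {@code krb5Keytab} taken
     * from the Kerberos auth mechanism object, plus {@code dynamicReload} (added only when the
     * list is otherwise non-empty). {@code dynamicReload} is true when the dynamic-reload object
     * has {@code allAuthMechanisms} set or lists an auth mechanism whose data type is SPNEGO.
     *
     * <p>Compared with a naive scan, the data-type comparison is null-safe, the scan stops at
     * the first SPNEGO match, and an empty query result is treated as "no dynamic reload"
     * instead of failing with an index error. The method only reads configuration.
     *
     * @param abstractAdminCommand the command supplying parameters and the config session
     * @return a list containing exactly one {@link AttributeList}
     * @throws CommandException for any failure, including the missing-configuration
     *         validation error, which the catch-all re-wraps with the original as cause
     */
    public List showSpnego(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "showSpnego");
        }
        List<AttributeList> result = new ArrayList<>();
        AttributeList shown = new AttributeList();
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
            }
            ObjectName securityObj = this.secDomain != null ? SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain) : SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            if (securityObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }

            ObjectName spnegoMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_SPNEGO);
            if (spnegoMech != null) {
                shown = this.configService.getAttributes(this.session, spnegoMech, null, false);
            }

            // The krb5 paths are stored on the Kerberos mechanism object, not the SPNEGO one.
            ObjectName kerberosMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_KERBEROS);
            if (kerberosMech != null) {
                String configPath = (String) this.configService.getAttribute(this.session, kerberosMech, "krb5Config", false);
                if (configPath != null) {
                    shown.add(new Attribute("krb5Config", configPath));
                }
                String keytabPath = (String) this.configService.getAttribute(this.session, kerberosMech, "krb5Keytab", false);
                if (keytabPath == null || keytabPath.isEmpty()) {
                    // NOTE(review): configPath may be null here; whether getDefaultKeytab
                    // accepts null is not visible from this class.
                    keytabPath = Krb5Utils.getDefaultKeytab(configPath);
                }
                if (keytabPath != null) {
                    shown.add(new Attribute("krb5Keytab", keytabPath));
                }
            }

            boolean spnegoReloaded = false;
            AttributeList reloadRef = (AttributeList) this.configService.getAttribute(this.session, securityObj, DYNAMIC_RELOAD);
            if (reloadRef != null && !reloadRef.isEmpty()) {
                ObjectName[] reloadObjs = this.configService.queryConfigObjects(this.session, null, ConfigServiceHelper.createObjectName(reloadRef), null);
                // Guard the length as well as null so an empty result cannot raise an index error.
                if (reloadObjs != null && reloadObjs.length > 0) {
                    ObjectName reloadObj = reloadObjs[0];
                    Boolean allMechs = (Boolean) this.configService.getAttribute(this.session, reloadObj, "allAuthMechanisms", false);
                    if (Boolean.TRUE.equals(allMechs)) {
                        spnegoReloaded = true;
                    } else {
                        List<?> mechs = (List<?>) this.configService.getAttribute(this.session, reloadObj, "authMechanisms", false);
                        if (mechs != null) {
                            for (Object mech : mechs) {
                                Object dataType = ConfigServiceHelper.getAttributeValue(this.configService.getAttributes(this.session, (ObjectName) mech, null, true), SystemAttributes._WEBSPHERE_CONFIG_DATA_TYPE);
                                // Constant-first comparison: a missing data type is simply not a match.
                                if (AuthMechanismConfig.TYPE_SPNEGO.equals(dataType)) {
                                    spnegoReloaded = true;
                                    break;
                                }
                            }
                        }
                    }
                }
            }

            // dynamicReload is reported only alongside other settings, never on its own.
            if (!shown.isEmpty()) {
                shown.add(new Attribute(DYNAMIC_RELOAD, Boolean.valueOf(spnegoReloaded)));
            }
            result.add(shown);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "showSpnego ");
            }
            return result;
        } catch (Exception e) {
            // Records FFDC and wraps every failure, validation errors included.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.showSpnego", "433");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "showSpnego caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }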

    /**
     * Checks that the supplied Kerberos configuration can back the configured SPNEGO filters.
     *
     * <p>Verifies that the security configuration exists, that {@code krb5Config} is given and
     * the file exists, and that the keytab (the supplied one, or the default returned by
     * {@code Krb5Utils.getDefaultKeytab}) exists. Then, for every filter with a host name, it
     * calls {@code validateKrb5Spn} for {@code HTTP/<host>@<realm>}, using the filter's realm
     * or the default realm from the krb5 configuration file.
     *
     * <p>NOTE(review): when no keytab is supplied, the default keytab is only checked for
     * existence; {@code validateKrb5Spn} still receives the (null or empty) {@code krb5Keytab}
     * field. Confirm that {@code validateKrb5Spn} resolves the default itself.
     *
     * <p>NOTE(review): the return value is the result of the last {@code validateKrb5Spn} call
     * only, and is {@code false} when no filter has a host name, whereas the "no SPNEGO object"
     * and "no filters" paths return {@code true}. Presumably {@code validateKrb5Spn} throws on
     * failure; confirm against its definition.
     *
     * @param abstractAdminCommand the command supplying parameters and the config session
     * @return {@code true} when there is nothing to validate; otherwise the result of the last
     *         SPN validation performed
     * @throws CommandException for any failure; validation errors raised here are caught by the
     *         catch-all and re-wrapped with the original as cause
     */
    public boolean validateSpnegoConfig(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSpnegoConfig");
        }
        boolean lastSpnResult = false;
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            String rawConfig = (String) abstractAdminCommand.getParameter("krb5Config");
            this.krb5Config = ConfigUtils.expandKrbFile(rawConfig);
            String rawKeytab = (String) abstractAdminCommand.getParameter("krb5Keytab");
            this.krb5Keytab = ConfigUtils.expandKrbFile(rawKeytab);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
                Tr.debug(tc, "krb5Config: " + this.krb5Config);
                Tr.debug(tc, "krb5Keytab: " + this.krb5Keytab);
            }

            // No domain name means the global security object is the target.
            ObjectName securityObj;
            if (this.secDomain == null) {
                securityObj = SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            } else {
                securityObj = SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain);
            }
            if (securityObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }

            // The krb5 configuration file is mandatory and must exist.
            if (this.krb5Config == null || this.krb5Config.isEmpty()) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Auth.SECJ7771E", new Object[]{"krb5Config"}));
            }
            File configFile = new File(this.krb5Config);
            if (!configFile.exists()) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{this.krb5Config}));
            }

            // The keytab is either given explicitly or derived from the krb5 configuration.
            boolean keytabGiven = this.krb5Keytab != null && !this.krb5Keytab.isEmpty();
            if (keytabGiven) {
                if (!new File(this.krb5Keytab).exists()) {
                    throw new CommandValidationException(getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{this.krb5Keytab}));
                }
            } else {
                String fallbackKeytab = Krb5Utils.getDefaultKeytab(this.krb5Config);
                if (fallbackKeytab == null || fallbackKeytab.isEmpty()) {
                    throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity", new Object[]{"krb5Keytab", this.krb5Config}));
                }
                if (!new File(fallbackKeytab).exists()) {
                    throw new CommandValidationException(getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{fallbackKeytab}));
                }
            }

            // Without an SPNEGO object or a filter list there are no SPNs to check.
            ObjectName spnegoMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_SPNEGO);
            if (spnegoMech == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SPNEGO Web authentication object is null, nothing to validate");
                }
                return true;
            }
            ArrayList filters = (ArrayList) this.configService.getAttribute(this.session, spnegoMech, FILTERS);
            if (filters == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SPNEGO Web authentication Filter is null, do not validate");
                }
                return true;
            }

            String defaultRealm = Krb5Utils.getDefaultRealm(this.krb5Config);
            if (defaultRealm == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Config.SECJ7772E", new Object[]{"default_realm in libdefaults section", this.krb5Config}));
            }

            for (Object entry : filters) {
                AttributeList filterAttrs = (AttributeList) entry;
                String host = (String) ConfigServiceHelper.getAttributeValue(filterAttrs, HOST_NAME);
                String realm = (String) ConfigServiceHelper.getAttributeValue(filterAttrs, KRB5_REALM);
                if (host == null || host.isEmpty()) {
                    // Filters without a host name are skipped.
                    continue;
                }
                String effectiveRealm = (realm == null || realm.isEmpty()) ? defaultRealm : realm;
                lastSpnResult = validateKrb5Spn("HTTP/" + host + "@" + effectiveRealm, this.krb5Keytab);
            }

            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateSpnegoConfig " + lastSpnResult);
            }
            return lastSpnResult;
        } catch (Exception e) {
            // Records FFDC and wraps every failure, validation errors included.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.validateSpnegoConfig", "564");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateSpnegoConfig caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

    /**
     * Adds one SPNEGO Web authentication filter (keyed by host name) to the SPNEGO auth
     * mechanism object of the global security configuration or of the named security domain.
     *
     * <p>If no SPNEGO auth mechanism object exists, a default one is created and the filter is
     * stored without SPN validation. If one exists and is enabled, the SPN
     * {@code HTTP/<hostName>[@<realm>]} is passed to {@code validateKrb5Spn} first, filling in a
     * missing krb5 config, keytab and realm from the stored Kerberos settings. If one exists
     * but is disabled, no SPN validation happens. A filter whose host name is already present is
     * rejected.
     *
     * <p>NOTE(review): {@code krb5Config} and {@code krb5Keytab} are instance fields; unless
     * {@code getParameters} (defined elsewhere) resets them, values from an earlier command on
     * the same provider instance would be used here. TODO confirm.
     *
     * @param abstractAdminCommand the command supplying parameters and the config session
     * @return {@code true} on every normal completion
     * @throws CommandException for any failure; validation errors raised here are caught by the
     *         catch-all and re-wrapped with the original as cause
     */
    public boolean addSpnegoFilter(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addSpnegoFilter");
        }
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            // Defined elsewhere in this class; presumably copies the command parameters into the
            // instance fields read below (secDomain, hostName, krb5Realm, filter settings).
            // Whether it also validates hostName is not visible here. TODO confirm.
            getParameters(abstractAdminCommand);
            ObjectName secDomain = this.secDomain != null ? SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain) : SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            if (secDomain == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }
            ObjectName authMechObj = Krb5Utils.getAuthMechObj(this.session, this.configService, secDomain, AuthMechanismConfig.TYPE_SPNEGO);
            if (authMechObj == null) {
                authMechObj = createDefaultSpnegoAuthMechObj(this.session, this.configService, secDomain);
            // NOTE(review): the "enabled" attribute is unboxed without a null check.
            } else if (((Boolean) this.configService.getAttribute(this.session, authMechObj, "enabled", false)).booleanValue()) {
                // SPNEGO is already enabled: make sure the new filter's SPN is usable before
                // the filter is stored. Missing inputs are filled in from stored settings.
                ObjectName authMechObj2 = Krb5Utils.getAuthMechObj(this.session, this.configService, secDomain, AuthMechanismConfig.TYPE_KERBEROS);
                if ((this.krb5Config == null || this.krb5Config.length() == 0) && authMechObj2 != null) {
                    this.krb5Config = (String) this.configService.getAttribute(this.session, authMechObj2, "krb5Config", false);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reloaded Krb5Config : " + this.krb5Config);
                    }
                }
                if ((this.krb5Keytab == null || this.krb5Keytab.length() == 0) && authMechObj2 != null) {
                    this.krb5Keytab = (String) this.configService.getAttribute(this.session, authMechObj2, "krb5Keytab", false);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reloaded Krb5Keytab : " + this.krb5Keytab);
                    }
                }
                // Still no keytab: fall back to the default keytab derived from the krb5 config.
                if ((this.krb5Keytab == null || this.krb5Keytab.length() == 0) && this.krb5Config != null && this.krb5Config.length() > 0) {
                    this.krb5Keytab = Krb5Utils.getDefaultKeytab(this.krb5Config);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reloaded default keytab : " + this.krb5Keytab);
                    }
                }
                if (this.krb5Config != null && this.krb5Config.length() > 0) {
                    // Effect not visible here; the name suggests it points the Kerberos runtime
                    // at this config file, possibly process-wide. TODO confirm.
                    Krb5Utils.setKrbConfigProp(this.krb5Config);
                }
                // Realm for the SPN: the filter's own realm, else the config file's default.
                String str = null;
                if (this.krb5Realm != null && this.krb5Realm.length() != 0) {
                    str = this.krb5Realm;
                } else if (this.krb5Config != null && this.krb5Config.length() > 0) {
                    str = Krb5Utils.getDefaultRealm(this.krb5Config);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Reloaded default realm : " + str);
                    }
                }
                // hostName is concatenated into the SPN as supplied.
                String str2 = "HTTP/" + this.hostName;
                if (str != null && str.length() != 0) {
                    str2 = str2 + "@" + str;
                }
                // The boolean result is discarded; presumably a failed check throws. TODO confirm.
                validateKrb5Spn(str2, this.krb5Keytab);
            }
            // Build the filter entry from the per-filter fields.
            AttributeList attributeList = new AttributeList();
            attributeList.add(new Attribute(HOST_NAME, this.hostName));
            attributeList.add(new Attribute(KRB5_REALM, this.krb5Realm));
            attributeList.add(new Attribute(FILTER_CRITERIA, this.filterCriteria));
            attributeList.add(new Attribute(FILTER_CLASS, this.filterClass));
            attributeList.add(new Attribute(TRIM_USER_NAME, this.trimUserName));
            attributeList.add(new Attribute(ENABLED_GSS_CRED_DELEGATE, this.enabledGssCredDelegate));
            attributeList.add(new Attribute(SPNEGO_NOT_SUPPORTED_PAGE, this.spnegoNotSupportedPage));
            attributeList.add(new Attribute(NTLM_TOKEN_RECEIVED_PAGE, this.ntlmTokenReceivedPage));
            // Duplicate check runs after SPN validation but before anything is written.
            if (isFilterHostExist(this.session, this.configService, authMechObj, this.hostName)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.SPNEGOFilterExists", new Object[]{this.hostName}));
            }
            this.configService.createConfigData(this.session, authMechObj, FILTERS, null, attributeList);
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "addSpnegoFilter");
            return true;
        } catch (Exception e) {
            // Catch-all: records FFDC and wraps everything, validation errors included.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.addSpnegoFilter", "631");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "addSpnegoFilter caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

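    /**
     * Deletes SPNEGO web-authentication filters from a security configuration.
     *
     * <p>Reads the {@code securityDomainName} and host-name parameters from the command. With no
     * host name every filter of the SPNEGO auth mechanism is deleted; with a host name only the
     * first filter whose host name equals it is deleted. While the mechanism's {@code enabled}
     * attribute is true the method refuses to delete all filters, or the only remaining filter.
     *
     * @param abstractAdminCommand command supplying the config session and parameters
     * @return {@code true} whenever no exception is thrown, including when nothing matched
     * @throws CommandException wrapping any validation or configuration-service failure
     */
    public boolean deleteSpnegoFilter(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "deleteSpnegoFilter");
        }
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            this.hostName = (String) abstractAdminCommand.getParameter(HOST_NAME);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
                Tr.debug(tc, "hostName:  " + this.hostName);
            }
            // Only a failed host-name check is reported as "unknown host name". The catch used to
            // span the whole body, so the "cannot delete last/all filters" and "configuration does
            // not exist" errors were all replaced by SECJ7819E, hiding the real reason.
            if (this.hostName != null) {
                try {
                    isHostNameValid(this.hostName);
                } catch (Exception e) {
                    throw new CommandValidationException(getMsg(resBundle, "security.admintask.unknown.hostname.SECJ7819E", new Object[]{this.hostName}));
                }
            }
            ObjectName secDomain = this.secDomain != null ? SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain) : SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            if (secDomain == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }
            ObjectName authMechObj = Krb5Utils.getAuthMechObj(this.session, this.configService, secDomain, AuthMechanismConfig.TYPE_SPNEGO);
            if (authMechObj != null) {
                boolean spnegoEnabled = ((Boolean) this.configService.getAttribute(this.session, authMechObj, "enabled", false)).booleanValue();
                ArrayList filters = (ArrayList) this.configService.getAttribute(this.session, authMechObj, FILTERS);
                if (filters != null && !filters.isEmpty()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "spnegoEnabled: " + spnegoEnabled);
                        Tr.debug(tc, "filters.size(): " + filters.size());
                    }
                    boolean deleteAll = this.hostName == null || this.hostName.length() == 0;
                    for (int i = 0; i < filters.size(); i++) {
                        AttributeList filterAttrs = (AttributeList) filters.get(i);
                        ObjectName[] found = this.configService.queryConfigObjects(this.session, null, ConfigServiceHelper.createObjectName(filterAttrs), null);
                        // Skip entries with no backing config object instead of indexing an empty result.
                        if (found == null || found.length == 0 || found[0] == null) {
                            continue;
                        }
                        if (deleteAll) {
                            // An enabled SPNEGO mechanism must keep its filters.
                            if (spnegoEnabled) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Can not delete all SPNEGO filters because SPNEGO Web authentication is enabled.");
                                }
                                throw new CommandValidationException(getMsg(resBundle, "security.admintask.spnego.errorDeleteAllFiters.SECJ7799E", null));
                            }
                            this.configService.deleteConfigData(this.session, found[0]);
                            continue;
                        }
                        String filterHost = (String) ConfigServiceHelper.getAttributeValue(filterAttrs, HOST_NAME);
                        // hostName is non-empty here, so a null or empty filter host never matches.
                        if (!this.hostName.equals(filterHost)) {
                            continue;
                        }
                        if (spnegoEnabled && filters.size() == 1) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Can not delete the last SPNEGO filter because SPNEGO Web authentication is enabled.");
                            }
                            throw new CommandValidationException(getMsg(resBundle, "security.admintask.spnego.errorDeleteLastFilter.SECJ7798E", null));
                        }
                        this.configService.deleteConfigData(this.session, found[0]);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "deleteSpnegoFilter");
                        }
                        return true;
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "deleteSpnegoFilter");
            }
            return true;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.kerberos.admintask.deleteSpnegoFilter", "720");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "deleteSpnegoFilter caught an unexpected exception.", new Object[]{e2});
            }
            throw new CommandException(e2, e2.getMessage());
        }
    }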

    /**
     * Updates the attributes of the SPNEGO filter registered for the command's host name.
     *
     * <p>Parameters are read and validated by {@code getParameters}. When the SPNEGO mechanism's
     * {@code enabled} attribute is true, the service principal {@code HTTP/<host>[@<realm>]} is
     * checked with {@code validateKrb5Spn} before anything is written. Only parameters that were
     * supplied (non-null) are applied to the filter.
     *
     * @param abstractAdminCommand command supplying the config session and parameters
     * @return {@code true} when the filter was updated
     * @throws CommandException wrapping any validation or configuration-service failure
     */
    public boolean modifySpnegoFilter(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "modifySpnegoFilter");
        }
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            getParameters(abstractAdminCommand);

            ObjectName securityObj;
            if (this.secDomain != null) {
                securityObj = SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain);
            } else {
                securityObj = SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            }
            if (securityObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }
            ObjectName spnegoMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_SPNEGO);
            if (spnegoMech == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.object.does.not.exist.SECJ7821E", new Object[]{AuthMechanismConfig.TYPE_SPNEGO}));
            }

            Boolean enabled = (Boolean) this.configService.getAttribute(this.session, spnegoMech, "enabled", false);
            if (enabled.booleanValue()) {
                // NOTE(review): a null hostName yields the principal "HTTP/null" here; the missing
                // host is only rejected later by the filter lookup. Confirm whether the command
                // metadata makes the host name mandatory.
                boolean noRealm = this.krb5Realm == null || this.krb5Realm.length() == 0;
                String realmSuffix = noRealm ? "" : "@" + this.krb5Realm;
                validateKrb5Spn("HTTP/" + this.hostName + realmSuffix, this.krb5Keytab);
            }

            // Name/value pairs in the order they are applied; null values mean "not supplied".
            String[] names = {HOST_NAME, KRB5_REALM, FILTER_CRITERIA, FILTER_CLASS, TRIM_USER_NAME, ENABLED_GSS_CRED_DELEGATE, SPNEGO_NOT_SUPPORTED_PAGE, NTLM_TOKEN_RECEIVED_PAGE};
            Object[] values = {this.hostName, this.krb5Realm, this.filterCriteria, this.filterClass, this.trimUserName, this.enabledGssCredDelegate, this.spnegoNotSupportedPage, this.ntlmTokenReceivedPage};
            AttributeList changes = new AttributeList();
            for (int i = 0; i < names.length; i++) {
                if (values[i] != null) {
                    changes.add(new Attribute(names[i], values[i]));
                }
            }

            ObjectName target = getFilterObj(this.session, this.configService, spnegoMech, this.hostName);
            if (target == null) {
                throw new CommandValidationException("Filter does not exist for host " + this.hostName);
            }
            this.configService.setAttributes(this.session, target, changes);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "modifySpnegoFilter");
            }
            return true;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.modifySpnegoFilter", "791");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "modifySpnegoFilter caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

    /**
     * Lists the SPNEGO filters of a security configuration.
     *
     * <p>With no host-name parameter every filter that has a backing config object is returned;
     * with a host name, only the first filter whose host name equals it.
     *
     * @param abstractAdminCommand command supplying the config session and parameters
     * @return list of filter {@code AttributeList}s, empty when nothing matches
     * @throws CommandException wrapping any validation or configuration-service failure
     */
    public List showSpnegoFilter(AbstractAdminCommand abstractAdminCommand) throws CommandException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "showSpnegoFilter");
        }
        ArrayList matches = new ArrayList();
        try {
            this.configService = getCommandProviderHelper().getConfigService();
            this.session = abstractAdminCommand.getConfigSession();
            this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
            this.hostName = (String) abstractAdminCommand.getParameter(HOST_NAME);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "securityDomainName name is " + this.secDomain);
                Tr.debug(tc, "hostName:  " + this.hostName);
            }
            ObjectName securityObj;
            if (this.secDomain != null) {
                securityObj = SecConfigTaskHelper.getSecDomain(this.session, this.configService, this.secDomain);
            } else {
                securityObj = SecConfigTaskHelper.getSecurityObjectName(this.session, this.configService);
            }
            if (securityObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
            }
            ObjectName spnegoMech = Krb5Utils.getAuthMechObj(this.session, this.configService, securityObj, AuthMechanismConfig.TYPE_SPNEGO);
            ArrayList filters = spnegoMech == null ? null : (ArrayList) this.configService.getAttribute(this.session, spnegoMech, FILTERS);
            if (filters != null) {
                boolean wantAll = this.hostName == null || this.hostName.length() == 0;
                for (int i = 0; i < filters.size(); i++) {
                    AttributeList filterAttrs = (AttributeList) filters.get(i);
                    ObjectName[] found = this.configService.queryConfigObjects(this.session, null, ConfigServiceHelper.createObjectName(filterAttrs), null);
                    if (found[0] == null) {
                        continue;
                    }
                    if (wantAll) {
                        matches.add(filterAttrs);
                        continue;
                    }
                    String filterHost = (String) ConfigServiceHelper.getAttributeValue(filterAttrs, HOST_NAME);
                    if (filterHost != null && filterHost.length() != 0 && filterHost.equals(this.hostName)) {
                        // Host names are treated as unique: stop at the first match.
                        matches.add(filterAttrs);
                        break;
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "showSpnegoFilter");
            }
            return matches;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.showSpnegoFilter", "864");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "showSpnegoFilter caught an unexpected exception.", new Object[]{e});
            }
            throw new CommandException(e, e.getMessage());
        }
    }

    /**
     * Creates a disabled SPNEGO auth-mechanism entry under the given security object.
     *
     * <p>The entry is created with OID {@code 1.3.6.1.5.5.2}, the trust-association interceptor
     * implementation class, {@code enabled=false} and a null app-auth-method-fallback value.
     *
     * @param session config session to create the data in
     * @param configService configuration service used for the create call
     * @param objectName parent object that owns the {@code authMechanisms} list
     * @return the new mechanism object, or {@code null} when an
     *     {@code InvalidAttributeNameException} was raised (it is only traced, not rethrown)
     * @throws Exception any other failure from the configuration service
     */
    public static ObjectName createDefaultSpnegoAuthMechObj(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createDefaultSpnegoAuthMechObj");
        }
        ObjectName created = null;
        try {
            AttributeList defaults = new AttributeList();
            defaults.add(new Attribute(AuthMechanismConfig.OID, "oid:1.3.6.1.5.5.2"));
            defaults.add(new Attribute(AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS, "com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl"));
            // New mechanisms start disabled; enabling is a separate administrative step.
            defaults.add(new Attribute("enabled", Boolean.FALSE));
            defaults.add(new Attribute(ALLOW_APP_AUTH_METHOD_FALLBACK, (Object) null));
            created = configService.createConfigData(session, objectName, "authMechanisms", AuthMechanismConfig.TYPE_SPNEGO, defaults);
        } catch (InvalidAttributeNameException e) {
            // Callers see a null return in this case; the failure is visible only in debug trace.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "createDefaultSpnegoAuthMechObj caught an unexpected exception.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createDefaultSpnegoAuthMechObj " + created);
        }
        return created;
    }

    /**
     * Reports whether the given Kerberos config and keytab paths match those stored on the
     * KERBEROS auth mechanism of a security object.
     *
     * <p>The stored values are expanded with {@code ConfigUtils.expandKrbFile} before comparing.
     * The config path must be non-empty and equal; the keytab matches when both sides are
     * null/empty or both are equal. Comparison ignores case.
     *
     * @param session config session
     * @param configService configuration service
     * @param objectName security object that owns the KERBEROS mechanism
     * @param str requested krb5 config path
     * @param str2 requested krb5 keytab path, may be null or empty
     * @return {@code true} when both paths match the stored configuration
     * @throws Exception any failure from the configuration service
     */
    public boolean krb5ConfigEquals(Session session, ConfigService configService, ObjectName objectName, String str, String str2) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "krb5ConfigEquals");
        }
        boolean same = false;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "krb5Config: " + str);
            Tr.debug(tc, "krb5Keytab: " + str2);
        }
        ObjectName kerberosMech = Krb5Utils.getAuthMechObj(session, configService, objectName, AuthMechanismConfig.TYPE_KERBEROS);
        if (kerberosMech != null) {
            String storedConfig = ConfigUtils.expandKrbFile((String) configService.getAttribute(session, kerberosMech, "krb5Config", false));
            String storedKeytab = ConfigUtils.expandKrbFile((String) configService.getAttribute(session, kerberosMech, "krb5Keytab", false));
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "existed krb5Config: " + storedConfig);
                Tr.debug(tc, "existed krb5Keytab: " + storedKeytab);
            }
            // NOTE(review): equalsIgnoreCase treats paths differing only in case as the same
            // file; on a case-sensitive file system they can be two different keytabs. Confirm
            // this is intended on every supported platform.
            boolean configMatches = storedConfig != null && storedConfig.length() != 0 && storedConfig.equalsIgnoreCase(str);
            if (configMatches) {
                boolean noStoredKeytab = storedKeytab == null || storedKeytab.length() == 0;
                boolean noRequestedKeytab = str2 == null || str2.length() == 0;
                if (noStoredKeytab && noRequestedKeytab) {
                    same = true;
                } else {
                    same = storedKeytab != null && str2 != null && storedKeytab.equalsIgnoreCase(str2);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "krb5ConfigEquals " + same);
        }
        return same;
    }

    /**
     * Reports whether the KERBEROS auth mechanism of a security object is configured.
     *
     * <p>True only when the mechanism exists, its {@code krb5Config} and auth-context
     * implementation class attributes are non-empty, and its {@code configured} attribute is true.
     *
     * @param session config session
     * @param configService configuration service
     * @param objectName security object that owns the KERBEROS mechanism
     * @return {@code true} when Kerberos is configured as described above
     * @throws Exception any failure from the configuration service
     */
    public boolean isKrb5AuthConfig(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKrb5AuthConfig");
        }
        boolean configuredForKrb5 = false;
        ObjectName kerberosMech = Krb5Utils.getAuthMechObj(session, configService, objectName, AuthMechanismConfig.TYPE_KERBEROS);
        if (kerberosMech != null) {
            String storedConfig = (String) configService.getAttribute(session, kerberosMech, "krb5Config", false);
            String implClass = (String) configService.getAttribute(session, kerberosMech, AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS, false);
            Boolean configuredFlag = (Boolean) configService.getAttribute(session, kerberosMech, "configured", false);
            // Unboxed before the checks below, so a missing flag fails here rather than later.
            boolean configured = configuredFlag.booleanValue();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "existed_krb5Config: " + storedConfig);
            }
            boolean hasConfig = storedConfig != null && storedConfig.length() != 0;
            boolean hasImplClass = implClass != null && implClass.length() != 0;
            configuredForKrb5 = hasConfig && hasImplClass && configured;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKrb5AuthConfig " + configuredForKrb5);
        }
        return configuredForKrb5;
    }

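    /**
     * Finds the config object of the SPNEGO filter registered for a host name.
     *
     * <p>Scans the {@code FILTERS} attribute of the given auth-mechanism object and returns the
     * backing config object of the filter whose host name equals {@code str}. If several filters
     * match, the last one wins. {@code isFilterHostExist} relies on this lookup for its
     * duplicate-host check.
     *
     * @param session config session
     * @param configService configuration service
     * @param objectName auth-mechanism object that owns the filters
     * @param str host name to look for; {@code null} never matches
     * @return the matching filter object, or {@code null} when none is found or an
     *     {@code InvalidAttributeNameException} was raised
     * @throws Exception any other failure from the configuration service
     */
    public static ObjectName getFilterObj(Session session, ConfigService configService, ObjectName objectName, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getFilters" + str);
        }
        ObjectName match = null;
        try {
            ArrayList filters = (ArrayList) configService.getAttribute(session, objectName, FILTERS);
            if (filters != null) {
                for (int i = 0; i < filters.size(); i++) {
                    AttributeList filterAttrs = (AttributeList) filters.get(i);
                    String filterHost = (String) ConfigServiceHelper.getAttributeValue(filterAttrs, HOST_NAME);
                    // Debug output is gated on the debug level (it was gated on entry/exit tracing).
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Filter host name:  " + filterHost);
                    }
                    // A filter stored without a host name is skipped instead of raising an NPE,
                    // matching the null checks the delete/show commands already apply.
                    if (filterHost == null || !filterHost.equals(str)) {
                        continue;
                    }
                    ObjectName[] found = configService.queryConfigObjects(session, null, ConfigServiceHelper.createObjectName(filterAttrs), null);
                    if (found != null && found.length > 0 && found[0] != null) {
                        match = found[0];
                    }
                }
            }
        } catch (InvalidAttributeNameException e) {
            // Still reported as "not found" to callers, but no longer swallowed silently.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getFilterObj caught an unexpected exception.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getFilters");
        }
        return match;
    }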

    /**
     * Reports whether a SPNEGO filter is already registered for a host name.
     *
     * @param session config session
     * @param configService configuration service
     * @param objectName auth-mechanism object that owns the filters
     * @param str host name to look for
     * @return {@code true} when {@code getFilterObj} finds a filter for the host
     * @throws Exception any failure raised by {@code getFilterObj}
     */
    public static boolean isFilterHostExist(Session session, ConfigService configService, ObjectName objectName, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isFilterHostExist " + str);
        }
        boolean exists = getFilterObj(session, configService, objectName, str) != null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isFilterHostExist " + exists);
        }
        return exists;
    }

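    /**
     * Reads the SPNEGO filter parameters from the command into this object's fields and
     * validates them.
     *
     * <p>Validation covers: the host name (via {@code isHostNameValid}), the filter criteria
     * against the filter class, the filter class itself (via {@code ServerConfig.setFilterClass})
     * and the syntax of the two page URLs. Each failure is reported with its own message.
     *
     * @param abstractAdminCommand command supplying the parameters
     * @throws CommandValidationException when any parameter is rejected
     */
    private void getParameters(AbstractAdminCommand abstractAdminCommand) throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getParameters");
        }
        initializeParameters();
        this.secDomain = (String) abstractAdminCommand.getParameter("securityDomainName");
        this.hostName = (String) abstractAdminCommand.getParameter(HOST_NAME);
        this.krb5Realm = (String) abstractAdminCommand.getParameter(KRB5_REALM);
        this.filterCriteria = (String) abstractAdminCommand.getParameter(FILTER_CRITERIA);
        this.filterClass = (String) abstractAdminCommand.getParameter(FILTER_CLASS);
        this.trimUserName = (Boolean) abstractAdminCommand.getParameter(TRIM_USER_NAME);
        this.enabledGssCredDelegate = (Boolean) abstractAdminCommand.getParameter(ENABLED_GSS_CRED_DELEGATE);
        this.spnegoNotSupportedPage = (String) abstractAdminCommand.getParameter(SPNEGO_NOT_SUPPORTED_PAGE);
        this.ntlmTokenReceivedPage = (String) abstractAdminCommand.getParameter(NTLM_TOKEN_RECEIVED_PAGE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "securityDomainName name is " + this.secDomain);
            Tr.debug(tc, "hostName:  " + this.hostName);
            Tr.debug(tc, "krb5Realm:  " + this.krb5Realm);
            Tr.debug(tc, "filterCriteria:  " + this.filterCriteria);
            Tr.debug(tc, "filterClass:  " + this.filterClass);
            Tr.debug(tc, "trimUserName:  " + this.trimUserName);
            Tr.debug(tc, "enabledGssCredDelegate:  " + this.enabledGssCredDelegate);
            Tr.debug(tc, "spnegoNotSupportedPage:  " + this.spnegoNotSupportedPage);
            Tr.debug(tc, "ntlmTokenReceivedPage:  " + this.ntlmTokenReceivedPage);
        }
        // Only a failed host-name check maps to "unknown host name". The catch used to span every
        // check below, so invalid filter criteria, filter classes and URLs were all reported as
        // SECJ7819E and the administrator never saw which parameter was rejected.
        if (this.hostName != null) {
            try {
                isHostNameValid(this.hostName);
            } catch (Exception e) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.unknown.hostname.SECJ7819E", new Object[]{this.hostName}));
            }
        }
        try {
            if (!isFilterValid(this.filterCriteria, this.filterClass)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.SPNEGOFilterInvalid", new Object[]{this.filterCriteria}));
            }
            if (this.filterClass != null && this.filterClass.length() != 0) {
                // Called only for the exception it raises on a bad class; the ServerConfig is discarded.
                // NOTE(review): if setFilterClass loads or instantiates the named class, this runs
                // administrator-named code during validation; confirm against ServerConfig.
                new ServerConfig().setFilterClass(this.filterClass);
            }
            if (this.spnegoNotSupportedPage != null && this.spnegoNotSupportedPage.length() != 0 && !isValidURL(this.spnegoNotSupportedPage)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.SPNEGOFilterInvalidURL", new Object[]{this.spnegoNotSupportedPage}));
            }
            if (this.ntlmTokenReceivedPage != null && this.ntlmTokenReceivedPage.length() != 0 && !isValidURL(this.ntlmTokenReceivedPage)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.SPNEGOFilterInvalidURL", new Object[]{this.ntlmTokenReceivedPage}));
            }
        } catch (CommandValidationException e) {
            // Already carries the specific message; pass it through unchanged.
            throw e;
        } catch (Exception e) {
            // Keep the method's contract: only CommandValidationException escapes.
            throw new CommandValidationException(e.getMessage());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getParameters");
        }
    }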

    /**
     * Checks SPNEGO filter criteria against the filter class that will interpret them.
     *
     * <p>Criteria are parsed only when the class is one of the two built-in filter classes.
     * Empty criteria and criteria for any other class are accepted without inspection.
     *
     * @param str filter criteria, may be null or empty
     * @param str2 filter class name, may be null or empty
     * @return {@code false} only when a built-in filter class rejects the criteria
     */
    private boolean isFilterValid(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isFilterValid");
        }
        boolean valid = true;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "filterCriteria" + str);
            Tr.debug(tc, "filterClass" + str2);
        }
        boolean hasCriteria = str != null && str.length() != 0;
        boolean noClass = str2 == null || str2.length() == 0;
        if (hasCriteria && (noClass || DEFAULT_FILTER_CLASS.equals(str2) || WAS70_FILTER_CLASS.equals(str2))) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isFilterValidfilter=\"" + str + "\"");
            }
            // NOTE(review): with no filter class given, neither branch runs and the criteria are
            // accepted unparsed, although the condition above lets that case in. If the default
            // class is applied later, criteria should probably be validated with it; confirm.
            if (DEFAULT_FILTER_CLASS.equals(str2)) {
                valid = HTTPHeaderFilter.isValid(str);
            } else if (WAS70_FILTER_CLASS.equals(str2)) {
                valid = new HTTPHeaderFilterBase().init(str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isFilterValid ", Boolean.toString(valid));
        }
        return valid;
    }

    /**
     * Reports whether a string parses as a {@code java.net.URL}.
     *
     * <p>This is a syntax check only: any scheme the JVM has a handler for is accepted, and the
     * target is neither contacted nor restricted to particular hosts or schemes.
     *
     * @param str candidate URL
     * @return {@code true} when {@code new URL(str)} succeeds
     */
    private boolean isValidURL(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isValidURL");
        }
        boolean wellFormed;
        try {
            new URL(str);
            wellFormed = true;
        } catch (MalformedURLException ignored) {
            // A parse failure is the expected "invalid" outcome, not an error.
            wellFormed = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isValidURL ", Boolean.toString(wellFormed));
        }
        return wellFormed;
    }

    /**
     * Validates a host name by resolving it with {@code InetAddress.getByName}.
     *
     * <p>The check depends on name resolution from the machine running the command, so a host
     * that is valid elsewhere but not resolvable here is rejected. The method never returns
     * {@code false}; failure is signalled by the exception.
     *
     * @param str host name or literal IP address
     * @return {@code true} when the name resolves
     * @throws CommandValidationException carrying the resolver's message when it does not
     */
    private boolean isHostNameValid(String str) throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isHostNameValid");
        }
        try {
            InetAddress.getByName(str);
        } catch (Exception e) {
            throw new CommandValidationException(e.getMessage());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isHostNameValid ", Boolean.toString(true));
        }
        return true;
    }

    /**
     * Clears the filter parameters left over from a previous command on this instance.
     *
     * <p>The security-domain name and keytab fields are not touched here.
     */
    private void initializeParameters() {
        // Page URLs
        this.ntlmTokenReceivedPage = null;
        this.spnegoNotSupportedPage = null;
        // Boolean switches
        this.enabledGssCredDelegate = null;
        this.trimUserName = null;
        // Filter definition
        this.filterClass = null;
        this.filterCriteria = null;
        // Service principal parts
        this.krb5Realm = null;
        this.hostName = null;
    }

    /**
     * Formats a message from a resource bundle.
     *
     * @param resourceBundle bundle holding the message
     * @param str message key
     * @param objArr substitution arguments, may be {@code null}
     * @return the text produced by {@code MessageFormatHelper.getFormattedMessage}
     */
    private String getMsg(ResourceBundle resourceBundle, String str, Object[] objArr) {
        String formatted = MessageFormatHelper.getFormattedMessage(resourceBundle, str, objArr);
        return formatted;
    }

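    /**
     * Verifies that accept-only GSS credentials can be created for a service principal using the
     * given keytab, for both the Kerberos and the SPNEGO mechanism.
     *
     * <p>The check passes the keytab to {@code Krb5Utils.setKrbKeytabProp} and switches
     * {@code Krb5Utils.setUseSubjectCredsOnly} to false while the credential is acquired.
     *
     * @param str service principal name, e.g. {@code HTTP/host@REALM}
     * @param str2 keytab location handed to {@code Krb5Utils.setKrbKeytabProp}
     * @return {@code true} when the credentials were created; failures are thrown, not returned
     * @throws GSSException when the GSS layer rejects the principal or keytab
     * @throws Exception any other failure
     */
    public boolean validateKrb5Spn(String str, String str2) throws GSSException, Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateKrb5Spn " + str + " krb5Keytab:" + str2);
        }
        Oid krb5MechOid = Krb5Utils.getKrb5MechOid();
        Oid spnegoMechOid = Krb5Utils.getSpnegoMechOid();
        try {
            // NOTE(review): presumably sets a JVM-wide keytab property that stays set after this
            // call; confirm against Krb5Utils.
            Krb5Utils.setKrbKeytabProp(str2);
            Krb5Utils.setUseSubjectCredsOnly(false);
            try {
                GSSManager manager = GSSManager.getInstance();
                GSSName spn = manager.createName(str, GSSName.NT_USER_NAME, krb5MechOid);
                GSSCredential credential = manager.createCredential(spn.canonicalize(Krb5Utils.getKrb5MechOid()), GSSCredential.INDEFINITE_LIFETIME, krb5MechOid, GSSCredential.ACCEPT_ONLY);
                credential.add(spn.canonicalize(Krb5Utils.getSpnegoMechOid()), GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.ACCEPT_ONLY);
                // NOTE(review): the credential exists only to prove it can be acquired and is
                // never disposed; consider calling dispose() once the check has passed.
            } finally {
                // Restore the setting on failure too. It used to be reset only on success, so a
                // rejected principal or keytab left subject-only credentials switched off for
                // whatever code ran next.
                Krb5Utils.setUseSubjectCredsOnly(true);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateKrb5Spn " + true);
            }
            return true;
        } catch (GSSException e) {
            FFDCFilter.processException((Throwable) e, "com.ibm.ws.security.auth.kerberos.admintask.validateKrb5Spn", "1190", (Object) this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.kerberos.admintask.validateKrb5Spn", "1194", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e2.getMessage(), new Object[]{e2});
            }
            throw e2;
        }
    }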

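    /**
     * Ensures a security domain has LTPA, SPNEGO and KERBEROS auth-mechanism entries, adding any
     * missing type from the global security configuration.
     *
     * <p>Entries already present in the domain are kept. For each missing type the global entry is
     * appended; LTPA and KERBEROS entries have selected attributes removed first (see the loops
     * below). The combined list is then written back as the domain's {@code authMechanisms}.
     * Nothing is written when all three types already exist.
     *
     * @param session config session
     * @param configService configuration service
     * @param objectName security-domain object to update
     * @throws Exception any failure, rethrown after FFDC processing
     */
    public void getAuthMechFromGlobalIfNeeded(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuthMechFromGlobalIfNeeded");
        }
        ArrayList domainMechs = new ArrayList();
        boolean hasLtpa = false;
        boolean hasSpnego = false;
        boolean hasKerberos = false;
        try {
            // Pass 1: keep what the domain already has and note which types are present.
            Iterator existing = ((ArrayList) configService.getAttribute(session, objectName, "authMechanisms")).iterator();
            while (existing.hasNext()) {
                AttributeList mech = (AttributeList) existing.next();
                String type = (String) ConfigServiceHelper.getAttributeValue(mech, SystemAttributes._WEBSPHERE_CONFIG_DATA_TYPE);
                if (type.equals("LTPA")) {
                    hasLtpa = true;
                }
                if (type.equals(AuthMechanismConfig.TYPE_SPNEGO)) {
                    hasSpnego = true;
                }
                if (type.equals(AuthMechanismConfig.TYPE_KERBEROS)) {
                    hasKerberos = true;
                }
                domainMechs.add(mech);
            }
            if (hasLtpa && hasSpnego && hasKerberos) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getAuthMechFromGlobalIfNeeded - Objects already exist.");
                }
                return;
            }
            // Pass 2: take each missing type from the global security object.
            Iterator global = ((ArrayList) ConfigServiceHelper.getAttributeValue(configService.getAttributes(session, SecConfigTaskHelper.getSecurityObjectName(session, configService), new String[]{"authMechanisms"}, true), "authMechanisms")).iterator();
            while (global.hasNext()) {
                AttributeList mech = (AttributeList) global.next();
                String type = (String) ConfigServiceHelper.getAttributeValue(mech, SystemAttributes._WEBSPHERE_CONFIG_DATA_TYPE);
                if (type.equals("LTPA") && !hasLtpa) {
                    // These three attributes are not copied into the domain's LTPA entry.
                    Iterator attrs = mech.iterator();
                    while (attrs.hasNext()) {
                        String name = ((Attribute) attrs.next()).getName();
                        if (name.equals("trustAssociation") || name.equals("singleSignon") || name.equals(AuthMechanismConfig.KEY_SET_GROUP)) {
                            attrs.remove();
                        }
                    }
                    domainMechs.add(mech);
                } else if (type.equals(AuthMechanismConfig.TYPE_KERBEROS) && !hasKerberos) {
                    // These attributes are not copied into the domain's KERBEROS entry.
                    Iterator attrs = mech.iterator();
                    while (attrs.hasNext()) {
                        String name = ((Attribute) attrs.next()).getName();
                        if (name.equals(AuthMechanismConfig.OID) || name.equals(AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS) || name.equals(AuthMechanismConfig.AUTH_CONFIG) || name.equals(AuthMechanismConfig.SIMPLE_AUTH_CONFIG) || name.equals(AuthMechanismConfig.AUTH_VALIDATION_CONFIG) || name.equals(AuthMechanismConfig.FORWARDABLE_CRED)) {
                            attrs.remove();
                        }
                    }
                    domainMechs.add(mech);
                } else if (!type.equals(AuthMechanismConfig.TYPE_SPNEGO) || hasSpnego) {
                    // Other types, and types the domain already has, are dropped from the copy.
                    global.remove();
                } else {
                    domainMechs.add(mech);
                }
            }
            AttributeList update = new AttributeList();
            update.add(new Attribute("authMechanisms", domainMechs));
            configService.setAttributes(session, objectName, update);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getAuthMechFromGlobalIfNeeded - Objects created in domain");
            }
        } catch (Exception e) {
            // The source id used to name validateKrb5Spn, which misattributed failures of this
            // method in FFDC records.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.admintask.getAuthMechFromGlobalIfNeeded", "1419", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        }
    }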
}
