package com.ibm.ws.security.server.lm;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.SingleSignonConfig;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.ltpa.CrossRealmUtil;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.web.ReferrerURLCookieHandler;
import com.ibm.ws.security.web.WebAttributes;
import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.wsspi.bootstrap.WSPreLauncher;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.context.ContextManager;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.PropagationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/ws/security/server/lm/wsMapDefaultInboundLoginModule.class */
public class wsMapDefaultInboundLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;
    private Map options;
    private WSPrincipal principal;
    private WSCredential credential;
    private UserRegistry registry;
    private static String userType = "user:";
    private static String serverType = "server:";
    private static final WebSphereRuntimePermission MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    private static final TraceComponent tc = Tr.register((Class<?>) wsMapDefaultInboundLoginModule.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    private SecurityConfig security = null;
    private boolean succeeded = false;
    private boolean commitSucceeded = false;
    private boolean ssoEnabled = false;
    private AuthenticationToken authToken = null;
    private AuthorizationToken authzToken = null;
    private KRBAuthnToken krbAuthnToken = null;
    private SingleSignonToken ssoToken = null;
    private ArrayList customPublicObjects = new ArrayList();
    private ArrayList customPrivateObjects = new ArrayList();
    private ArrayList customPrincipalObjects = new ArrayList();
    private PropagationToken propagationToken = null;
    private Hashtable credHashTable = null;
    private HttpServletRequest req = null;
    private HttpServletResponse res = null;
    protected boolean debug = false;
    protected boolean cookie = false;
    private boolean throwExceptionForAllPropagationSerializationProblems = false;
    private WSCredentialTokenMapperInterface wsCredMapper = null;
    private boolean foundWSSubjectWrapper = false;
    private boolean refreshGroups = false;
    private boolean verifyUser = false;
    private String INITIAL_TOKEN_ATTRIBUTES = "INITIAL_TOKEN_ATTRIBUTES";
    private boolean failIfKerbOrSpnego = false;

    public wsMapDefaultInboundLoginModule() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "wsMapDefaultInboundLoginModule()");
            Tr.exit(tc, "wsMapDefaultInboundLoginModule()");
        }
    }

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(subject = \"" + subject.toString() + "\", callbackHandler = \"" + callbackHandler.toString() + "\", sharedState = \"" + map.toString() + "\", options = \"" + map2.toString() + "\")");
        }
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = map;
        this.options = map2;
        ContextManagerFactory.getInstance();
        this.wsCredMapper = WSCredentialTokenMapper.getInstance();
        this.debug = "true".equalsIgnoreCase((String) this.options.get(WSPreLauncher.FELIX_SCR_DS_LOGLEVEL_DEBUG));
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "WebInboundLoginModuleImpl initialized");
        }
        this.cookie = "true".equalsIgnoreCase((String) this.options.get("cookie"));
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "WebInboundLoginModule cookie ON: " + this.cookie);
        }
        this.security = SecurityObjectLocator.getSecurityConfig();
        SingleSignonConfig singleSignon = this.security.getActiveAuthMechanism().getSingleSignon();
        if (singleSignon != null) {
            this.ssoEnabled = singleSignon.getBoolean("enabled");
        }
        this.refreshGroups = this.security.getPropertyBool(AttributeNameConstants.REFRESH_GROUPS);
        this.verifyUser = this.security.getPropertyBool(AttributeNameConstants.VERIFY_USER);
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "refreshGroups custom prop is " + this.refreshGroups + " and verifyUser custom prop is " + this.verifyUser);
        }
        Boolean valueOf = Boolean.valueOf(this.security.getPropertyBool(SecurityConfig.FAIL_AUTH_FOR_EXPIRED_KERBEROS_TOKEN));
        if (valueOf != null && valueOf.booleanValue()) {
            this.failIfKerbOrSpnego = true;
            map.put(SecurityConfig.FAIL_AUTH_FOR_EXPIRED_KERBEROS_TOKEN, Boolean.valueOf(this.failIfKerbOrSpnego));
        }
        SecurityConfigObject object = SecurityObjectLocator.getSecurityConfigManager().getObject("security");
        if (object != null) {
            String property = object.getProperties().getProperty("com.ibm.CSI.throwExceptionForAllPropagationSerializationProblems");
            this.throwExceptionForAllPropagationSerializationProblems = property != null && (property.equalsIgnoreCase("true") || property.equalsIgnoreCase("yes"));
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "SSO is enabled for login: " + this.ssoEnabled);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options), generateCookie: " + this.cookie);
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:1226:0x0923, code lost:
    
        if (r27.length() == 0) goto L248;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public boolean login() throws javax.security.auth.login.LoginException {
        /*
            Method dump skipped, instructions count: 9941
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.login():boolean");
    }

    String getMapUID(Hashtable hashtable, WSCredential wSCredential) {
        String str = null;
        if (hashtable != null) {
            str = (String) hashtable.get(AttributeNameConstants.WSCREDENTIAL_USERID);
            if (str != null && wSCredential != null) {
                try {
                    String securityName = wSCredential.getSecurityName();
                    if (securityName != null && str.equals(securityName)) {
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "mapUid and currentSID are identical. clear mapUid");
                        }
                        str = null;
                    }
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.getMapUID", "1985", this);
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception is caught while invoking getSecurityName()" + e);
                    }
                }
            }
        }
        return str;
    }

    public boolean commit() throws LoginException {
        boolean z;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        Hashtable hashtable = (Hashtable) this.sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (!isAnyPropagationEnabled() && hashtable == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "commit() disabled");
            }
            if (!this.commitSucceeded) {
                Tr.debug(tc, "Shared state contains: " + this.sharedState.keySet());
                setCookieIfEnabled();
            } else if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "It has been committed prior this call, nothing is done.");
            }
            this.commitSucceeded = true;
            return this.commitSucceeded;
        }
        if (this.succeeded) {
            if (!this.commitSucceeded) {
                Tr.debug(tc, "shared state contains: " + this.sharedState.keySet());
                try {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Start committing the changes to the Subject ...");
                    }
                    try {
                        AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.8
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws WSLoginFailedException {
                                AuthorizationToken authorizationToken = (AuthorizationToken) wsMapDefaultInboundLoginModule.this.sharedState.get(Constants.WSAUTHZTOKEN_KEY);
                                if (authorizationToken != null) {
                                    wsMapDefaultInboundLoginModule.this.authzToken = authorizationToken;
                                }
                                if (wsMapDefaultInboundLoginModule.this.authToken == null && (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled())) {
                                    Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: authenticationToken is null in commit (phase 2) stage");
                                }
                                if (wsMapDefaultInboundLoginModule.this.authzToken == null) {
                                    if (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: authorizationToken is null in commit (phase 2) stage");
                                    }
                                    throw new WSLoginFailedException("wsMapDefaultInboundLoginModule: authorizationToken is null in commit (phase 2) stage");
                                }
                                KerberosTicket kerberosTicket = null;
                                KRBAuthnToken kRBAuthnToken = (KRBAuthnToken) wsMapDefaultInboundLoginModule.this.sharedState.get(Constants.WSKRBAUTHNTOKEN_KEY);
                                if (kRBAuthnToken != null) {
                                    if (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: found KRBAuthnToken in sharedState");
                                    }
                                    wsMapDefaultInboundLoginModule.this.krbAuthnToken = kRBAuthnToken;
                                    if (wsMapDefaultInboundLoginModule.this.krbAuthnToken != null && (wsMapDefaultInboundLoginModule.this.krbAuthnToken instanceof KRBTicket)) {
                                        kerberosTicket = ((KRBTicket) wsMapDefaultInboundLoginModule.this.krbAuthnToken).getKerberosTicket();
                                    }
                                }
                                if (wsMapDefaultInboundLoginModule.this.ssoEnabled) {
                                    SingleSignonToken singleSignonToken = (SingleSignonToken) wsMapDefaultInboundLoginModule.this.sharedState.get(Constants.WSSSOTOKEN_KEY);
                                    if (singleSignonToken != null) {
                                        wsMapDefaultInboundLoginModule.this.ssoToken = singleSignonToken;
                                    }
                                    if (wsMapDefaultInboundLoginModule.this.ssoToken != null && !wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(wsMapDefaultInboundLoginModule.this.ssoToken)) {
                                        wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().add(wsMapDefaultInboundLoginModule.this.ssoToken);
                                    }
                                }
                                if (wsMapDefaultInboundLoginModule.this.authToken != null && !wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(wsMapDefaultInboundLoginModule.this.authToken)) {
                                    wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().add(wsMapDefaultInboundLoginModule.this.authToken);
                                }
                                if (wsMapDefaultInboundLoginModule.this.authzToken != null && !wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(wsMapDefaultInboundLoginModule.this.authzToken)) {
                                    wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().add(wsMapDefaultInboundLoginModule.this.authzToken);
                                }
                                boolean z2 = false;
                                for (Object obj : wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials()) {
                                    if (obj instanceof KRBAuthnToken) {
                                        if (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                            Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: KRBAuthnToken is already in subject in commit (phase 2) stage");
                                        }
                                        if (obj instanceof KRBTicket) {
                                            kerberosTicket = ((KRBTicket) obj).getKerberosTicket();
                                        }
                                        z2 = true;
                                        if (!wsMapDefaultInboundLoginModule.this.isTicketAddressMatchLocal((KRBAuthnToken) obj)) {
                                            ((KRBTicket) obj).setKerberosTicket(null);
                                        }
                                    }
                                }
                                if (!z2 && wsMapDefaultInboundLoginModule.this.krbAuthnToken != null) {
                                    if (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: KRBAuthnToken is added in commit (phase 2) stage" + wsMapDefaultInboundLoginModule.this.krbAuthnToken);
                                    }
                                    if (!wsMapDefaultInboundLoginModule.this.isTicketAddressMatchLocal(wsMapDefaultInboundLoginModule.this.krbAuthnToken)) {
                                        ((KRBTicket) wsMapDefaultInboundLoginModule.this.krbAuthnToken).setKerberosTicket(null);
                                    }
                                    wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().add(wsMapDefaultInboundLoginModule.this.krbAuthnToken);
                                }
                                if (wsMapDefaultInboundLoginModule.this.krbAuthnToken == null && (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled())) {
                                    Tr.debug(wsMapDefaultInboundLoginModule.tc, "wsMapDefaultInboundLoginModule: KRBAuthnToken is null in commit (phase 2) stage");
                                }
                                if (kerberosTicket != null && wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(kerberosTicket)) {
                                    wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().remove(kerberosTicket);
                                    if (wsMapDefaultInboundLoginModule.this.debug || wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(wsMapDefaultInboundLoginModule.tc, "removed Kerberos ticket " + kerberosTicket);
                                    }
                                }
                                if (wsMapDefaultInboundLoginModule.this.authzToken != null || wsMapDefaultInboundLoginModule.this.krbAuthnToken != null) {
                                    String[] attributes = wsMapDefaultInboundLoginModule.this.authzToken.getAttributes(AttributeNameConstants.WSTOKEN_UNIQUEID);
                                    if (attributes == null) {
                                        String createSubjectUniqueID = wsMapDefaultInboundLoginModule.this.wsCredMapper.createSubjectUniqueID(wsMapDefaultInboundLoginModule.this.subject);
                                        if (createSubjectUniqueID != null) {
                                            if (wsMapDefaultInboundLoginModule.this.authzToken != null) {
                                                wsMapDefaultInboundLoginModule.this.authzToken.addAttribute(AttributeNameConstants.WSTOKEN_UNIQUEID, createSubjectUniqueID);
                                            }
                                            if (wsMapDefaultInboundLoginModule.this.ssoEnabled && wsMapDefaultInboundLoginModule.this.ssoToken != null && wsMapDefaultInboundLoginModule.this.ssoToken.getAttributes(AttributeNameConstants.WSTOKEN_UNIQUEID) == null) {
                                                wsMapDefaultInboundLoginModule.this.ssoToken.addAttribute(AttributeNameConstants.WSTOKEN_UNIQUEID, createSubjectUniqueID);
                                            }
                                        }
                                    } else if (wsMapDefaultInboundLoginModule.this.ssoEnabled && wsMapDefaultInboundLoginModule.this.ssoToken != null && wsMapDefaultInboundLoginModule.this.ssoToken.getAttributes(AttributeNameConstants.WSTOKEN_UNIQUEID) == null) {
                                        for (String str : attributes) {
                                            if (wsMapDefaultInboundLoginModule.tc.isDebugEnabled()) {
                                                Tr.debug(wsMapDefaultInboundLoginModule.tc, "adding hashed_uid string of " + str + " to ssoToken from authzToken");
                                            }
                                            wsMapDefaultInboundLoginModule.this.ssoToken.addAttribute(AttributeNameConstants.WSTOKEN_UNIQUEID, str);
                                        }
                                    }
                                }
                                if (wsMapDefaultInboundLoginModule.this.authToken != null) {
                                    wsMapDefaultInboundLoginModule.this.authToken.setReadOnly();
                                }
                                if (wsMapDefaultInboundLoginModule.this.authzToken != null) {
                                    wsMapDefaultInboundLoginModule.this.authzToken.setReadOnly();
                                }
                                if (wsMapDefaultInboundLoginModule.this.ssoEnabled && wsMapDefaultInboundLoginModule.this.ssoToken != null) {
                                    wsMapDefaultInboundLoginModule.this.ssoToken.setReadOnly();
                                }
                                if (wsMapDefaultInboundLoginModule.this.krbAuthnToken == null) {
                                    return null;
                                }
                                ((AuthenticationToken) wsMapDefaultInboundLoginModule.this.krbAuthnToken).setReadOnly();
                                return null;
                            }
                        });
                        setCookieIfEnabled();
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Change committed!");
                        }
                        this.commitSucceeded = true;
                    } catch (PrivilegedActionException e) {
                        WSLoginFailedException wSLoginFailedException = e.getException() instanceof WSLoginFailedException ? (WSLoginFailedException) e.getException() : new WSLoginFailedException(e.getException().getMessage(), e.getException());
                        FFDCFilter.processException(wSLoginFailedException, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.commit", "2251", this);
                        ContextManagerFactory.getInstance().setRootException(wSLoginFailedException);
                        throw wSLoginFailedException;
                    }
                } catch (Exception e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.commit", "2261", this);
                    Tr.error(tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e2.toString()});
                    cleanup();
                    this.commitSucceeded = false;
                }
            } else if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "It has been committed prior this call, nothing is done.");
            }
            z = this.commitSucceeded;
        } else {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Do not commit because of authentication failed.");
            }
            z = false;
        }
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return z;
    }

    public boolean abort() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (!isAnyPropagationEnabled()) {
            if (!this.debug && !tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "abort() disabled");
            return true;
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes WSPrincipal and WSCredential from the Subject, reset all internal variables.");
            Tr.debug(tc, "Start cleanup ...");
        }
        cleanup();
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }
        if (!this.debug && !tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "abort()");
        return true;
    }

    public boolean logout() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (!isAnyPropagationEnabled()) {
            if (!this.debug && !tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "logout() disabled");
            return true;
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes WSPrincipal and WSCredential from the Subject, reset all internal variables.");
            Tr.debug(tc, "Start cleanup ...");
        }
        cleanup();
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }
        if (!this.debug && !tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "logout()");
        return true;
    }

    private void cleanup() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        Hashtable hashtable = (Hashtable) this.sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (!isAnyPropagationEnabled() && hashtable == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "cleanup() disabled");
                return;
            }
            return;
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing AuthorizationToken and AuthenticationToken from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        final Object[] array = this.customPublicObjects.toArray();
        final Object[] array2 = this.customPrivateObjects.toArray();
        final Object[] array3 = this.customPrincipalObjects.toArray();
        final AuthorizationToken authorizationToken = this.authzToken;
        final AuthenticationToken authenticationToken = this.authToken;
        final KRBAuthnToken kRBAuthnToken = this.krbAuthnToken;
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.9
            @Override // java.security.PrivilegedAction
            public Object run() {
                try {
                    if (authenticationToken != null && wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(authenticationToken)) {
                        wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().remove(authenticationToken);
                    }
                    if (authorizationToken != null && wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(authorizationToken)) {
                        wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().remove(authorizationToken);
                    }
                    if (kRBAuthnToken != null && wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(kRBAuthnToken)) {
                        wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().remove(kRBAuthnToken);
                    }
                    if (array != null) {
                        for (int i = 0; i < array.length; i++) {
                            if (wsMapDefaultInboundLoginModule.this.subject.getPublicCredentials().contains(array[i])) {
                                wsMapDefaultInboundLoginModule.this.subject.getPublicCredentials().remove(array[i]);
                            }
                        }
                    }
                    if (array2 != null) {
                        for (int i2 = 0; i2 < array2.length; i2++) {
                            if (wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().contains(array2[i2])) {
                                wsMapDefaultInboundLoginModule.this.subject.getPrivateCredentials().remove(array2[i2]);
                            }
                        }
                    }
                    if (array3 != null) {
                        for (int i3 = 0; i3 < array3.length; i3++) {
                            if (wsMapDefaultInboundLoginModule.this.subject.getPrincipals().contains(array3[i3])) {
                                wsMapDefaultInboundLoginModule.this.subject.getPrincipals().remove(array3[i3]);
                            }
                        }
                    }
                    return null;
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.cleanup", "2459", this);
                    Tr.error(wsMapDefaultInboundLoginModule.tc, "security.jaas.removeCredException", new Object[]{getClass().getName(), e.toString()});
                    return null;
                }
            }
        });
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        this.authToken = null;
        this.authzToken = null;
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }

    private void cleanupSharedState() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanupSharedState()");
        }
        Hashtable hashtable = (Hashtable) this.sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (!isAnyPropagationEnabled() && hashtable == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "cleanupSharedState() disabled");
                return;
            }
            return;
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing AuthorizationToken, AuthenticationToken, SingleSignonToken, and KRBAuthnToken from the shared state.");
        }
        if (hashtable != null) {
            this.sharedState.remove(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        }
        if (((AuthenticationToken) this.sharedState.get(Constants.WSAUTHTOKEN_KEY)) != null) {
            this.sharedState.remove(Constants.WSAUTHTOKEN_KEY);
        }
        if (((SingleSignonToken) this.sharedState.get(Constants.WSSSOTOKEN_KEY)) != null) {
            this.sharedState.remove(Constants.WSSSOTOKEN_KEY);
        }
        if (((AuthorizationToken) this.sharedState.get(Constants.WSAUTHZTOKEN_KEY)) != null) {
            this.sharedState.remove(Constants.WSAUTHZTOKEN_KEY);
        }
        if (((KRBAuthnToken) this.sharedState.get(Constants.WSKRBAUTHNTOKEN_KEY)) != null) {
            this.sharedState.remove(Constants.WSKRBAUTHNTOKEN_KEY);
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        this.authToken = null;
        this.authzToken = null;
        this.krbAuthnToken = null;
        if (this.sharedState.size() > 0 && (this.debug || tc.isDebugEnabled())) {
            Tr.debug(tc, "Shared State still contains the following: " + this.sharedState);
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanupSharedState()");
        }
    }

    private void setCookieIfEnabled() throws WSLoginFailedException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "setCookieIfEnabled(), cookie enabled: " + this.cookie + " ssoEnabled: " + this.ssoEnabled + " , httpreq exist: " + (this.req != null) + " , httpres exist: " + (this.res != null));
        }
        Boolean bool = Boolean.FALSE;
        if (this.ssoEnabled && this.cookie && this.res != null && this.req != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Generate cookie ...");
            }
            try {
                bool = (Boolean) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.10
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws WSLoginFailedException {
                        boolean z = false;
                        try {
                            ArrayList createCookiesStatic = WebAttributes.createCookiesStatic(wsMapDefaultInboundLoginModule.this.req, wsMapDefaultInboundLoginModule.this.subject);
                            new ReferrerURLCookieHandler().clearReferrerURLCookie(wsMapDefaultInboundLoginModule.this.req, wsMapDefaultInboundLoginModule.this.res);
                            if (createCookiesStatic != null) {
                                WebAttributes.addCookiesToResponse(createCookiesStatic, wsMapDefaultInboundLoginModule.this.res);
                                z = true;
                            }
                        } catch (Exception e) {
                            FFDCFilter.processException(e, getClass().getName() + ".commit", "2562", this);
                            wsMapDefaultInboundLoginModule.this.res.setStatus(401);
                            Tr.error(wsMapDefaultInboundLoginModule.tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e});
                        }
                        return new Boolean(z);
                    }
                });
            } catch (PrivilegedActionException e) {
                FFDCFilter.processException(e.getException(), "com.ibm.ws.security.server.lm.wsSAPInboundLoginModule.commit", "2571", this);
                Tr.error(tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e.getException()});
                ContextManagerFactory.getInstance().setRootException(e.getException());
                cleanup();
                if (!(e.getException() instanceof WSLoginFailedException)) {
                    throw new WSLoginFailedException(e.getException().getMessage(), e.getException());
                }
                throw ((WSLoginFailedException) e.getException());
            }
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "setCookieIfEnabled(), cookie(s) added: " + bool.booleanValue());
        }
    }

    private boolean isAnyPropagationEnabled() {
        return WSCredentialTokenMapper.isAnyPropagationEnabled();
    }

    private boolean checkForRefreshIfExpired(Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkForRefreshIfExpired");
        }
        boolean z = false;
        if (map != null && map.containsKey(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW)) {
            if (map.get(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW) instanceof Boolean) {
                z = ((Boolean) map.get(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW)).booleanValue();
            } else {
                String str = (String) map.get(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW);
                z = str != null && (str.equalsIgnoreCase("true") || str.equalsIgnoreCase("yes"));
            }
            if (map2.containsKey(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW)) {
                String str2 = (String) map2.get(ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW);
                z = z && "true".equalsIgnoreCase(str2);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, AuditConstants.LOGIN, "Is token refresh behavior enabled for asynch logins? " + str2);
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, AuditConstants.LOGIN, "Is this an asynch login? " + z);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkForRefreshIfExpired");
        }
        return z;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Code restructure failed: missing block: B:31:0x00d4, code lost:
    
        if (com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.tc.isDebugEnabled() == false) goto L33;
     */
    /* JADX WARN: Code restructure failed: missing block: B:32:0x00d7, code lost:
    
        com.ibm.ejs.ras.Tr.debug(com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.tc, "client IP address matched local host");
     */
    /* JADX WARN: Code restructure failed: missing block: B:34:0x00e0, code lost:
    
        r7 = true;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public boolean isTicketAddressMatchLocal(com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken r6) {
        /*
            Method dump skipped, instructions count: 306
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.isTicketAddressMatchLocal(com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken):boolean");
    }

    protected String getRealmFromUniqueId(String str) {
        String str2 = null;
        if (str != null && str.contains("/")) {
            String str3 = str;
            if (str.startsWith(userType) || str.startsWith(serverType)) {
                str3 = str.split(":", 2)[1];
            }
            str2 = str3.split("/", 2)[0];
        }
        return str2;
    }

    protected boolean mustValidateRealmTrust(String str, boolean z) {
        if (str != null) {
            if (!(z && isDefaultOrNullRealm(str)) && isRealmTrustValidationEnabled()) {
                return true;
            }
        }
        return false;
    }

    protected boolean isDefaultOrNullRealm(String str) {
        return str == null || str.startsWith("DEFAULT") || str.startsWith(CommonConstants.DEFAULT_REALM);
    }

    protected boolean isRealmTrustValidationEnabled() {
        return !this.security.getPropertyBool(SecurityConfig.DISABLE_REALM_TRUST_VALIDATION);
    }

    private void validateInboundRealmIsTrusted(String str) throws WSLoginFailedException {
        if (!CrossRealmUtil.isTrustedInboundRealm(str)) {
            throw new WSLoginFailedException("This realm is not the current realm, nor the admin realm, nor a trusted realm: " + str);
        }
    }

    protected AuthorizationToken updateAuthzTokenIfNecessary(WSCredential wSCredential, AuthorizationToken authorizationToken) throws WSLoginFailedException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "updateAuthzTokenIfNecessary", new Object[]{wSCredential, authorizationToken});
        }
        AuthorizationToken authorizationToken2 = authorizationToken;
        boolean z = true;
        ArrayList arrayList = null;
        ArrayList arrayList2 = null;
        try {
            arrayList = wSCredential.getGroupIds();
        } catch (Exception e) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception on wscred.getGroupIds " + e);
            }
            FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.updateAuthzTokenIfNecessary", "2736", this);
        }
        String[] attributes = authorizationToken.getAttributes(AttributeNameConstants.WSCREDENTIAL_GROUPS);
        if (attributes != null && attributes.length > 0) {
            arrayList2 = new ArrayList(attributes.length);
            for (int i = 0; i < attributes.length; i++) {
                if (attributes[i] != null) {
                    arrayList2.add(attributes[i]);
                }
            }
        }
        if (arrayList == null || arrayList2 == null) {
            if ((arrayList != null && arrayList.size() > 0) || (arrayList2 != null && arrayList2.size() > 0)) {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "one group array list is null and other contains elements - no match");
                }
                z = false;
            }
        } else if (arrayList.size() == arrayList2.size()) {
            int i2 = 0;
            while (true) {
                if (i2 >= arrayList2.size()) {
                    break;
                }
                if (arrayList.contains(arrayList2.get(i2))) {
                    i2++;
                } else {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "wscred does not contain this group from token: " + ((String) arrayList2.get(i2)));
                    }
                    z = false;
                }
            }
        } else {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "number of groups in cred and authz token do not match", new Object[]{Integer.valueOf(arrayList.size()), Integer.valueOf(arrayList2.size())});
            }
            z = false;
        }
        if (!z) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "groups differ - going to create new Authz token to match wscred");
            }
            authorizationToken2 = this.wsCredMapper.createAuthzTokenFromWSCredential(wSCredential);
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "updateAuthzTokenIfNecessary", new Object[]{authorizationToken2});
        }
        return authorizationToken2;
    }

    protected void setWSCredentialTokenMapper(WSCredentialTokenMapperInterface wSCredentialTokenMapperInterface) {
        this.wsCredMapper = wSCredentialTokenMapperInterface;
    }

    void addAttributesFromOriginalToken(SingleSignonToken singleSignonToken) {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "addAttributesFromOriginalToken ssoToken=" + singleSignonToken);
        }
        if (singleSignonToken == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "ssoToken is null. returning without any operation");
                return;
            }
            return;
        }
        HashMap hashMap = (HashMap) this.sharedState.get(this.INITIAL_TOKEN_ATTRIBUTES);
        if (hashMap == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "initialTokenAttributes from SharedState is null. returning without any operation.");
                return;
            }
            return;
        }
        Enumeration enumeration = Collections.enumeration(hashMap.keySet());
        while (enumeration.hasMoreElements()) {
            String str = (String) enumeration.nextElement();
            String[] strArr = (String[]) hashMap.get(str);
            String str2 = null;
            if (strArr != null) {
                str2 = strArr[0];
            }
            String[] attributes = singleSignonToken.getAttributes(str);
            String str3 = null;
            if (attributes != null) {
                str3 = attributes[0];
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Newly created token has value: " + str3 + " for key from original token: " + str);
                }
            } else if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Newly created token did not have value for key from original token: " + str);
            }
            if (str3 == null || str3.length() == 0) {
                singleSignonToken.addAttribute(str, str2);
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Following attributes are added to newly created token: key:" + str + " value:" + str2);
                }
            }
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "addAttributesFromOriginalToken");
        }
    }
}
