package com.ibm.ws.security.role;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.authorizer.AdminAuthorizer;
import com.ibm.websphere.management.authorizer.AdminAuthorizerFactory;
import com.ibm.websphere.security.AuthorizationTable;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.AuditHandlerImpl;
import com.ibm.ws.security.audit.AuditServiceImpl;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.util.Constants;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.J2EEAuditEventFactory;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/security/role/RoleBasedAuthorizerImpl.class */
public class RoleBasedAuthorizerImpl implements RoleBasedAuthorizer {
    // Trace component for this class; registered in the static initializer.
    private static TraceComponent tc;
    // Supplies the per-application RoleBasedSubjectMap / RoleBasedModule used by the default engine.
    private RoleBasedConfiguratorImpl configurator;
    // Application this authorizer decides for; set once from the constructor argument.
    private String appName;
    // Cell and server names; read from SecurityConfig only when a pluggable table is present.
    private String cellName;
    private String serverName;
    // Pluggable authorization table proxy; null means every decision goes to the default engine.
    private PluggableAuthorizationTableProxy pluggableAuthTable;
    // Cached result of PluggableAuthorizationTableProxy.isSAFAuthorizationEnabled(); forces handleAllAuthz() to true.
    private boolean isSAFAuthz;
    // Process-wide flag: set to true by any constructor that sees CommonConstants.IGNORE_CASE enabled,
    // and never reset to false afterwards in this class.
    private static boolean ignoreCase;
    private static final ContextManager contextManager;
    // NOTE(review): despite the name this is an INSTANCE field, so the constructor's "statics" setup
    // (ignoreCase, auditHandler, auditFactory) runs again for every new instance.
    private boolean staticsInitialized;
    // Shared audit handler/factory. The constructor calls setAppName on the shared handler, so the
    // handler carries the application name of whichever instance was constructed last.
    private static AuditHandlerImpl auditHandler;
    private static J2EEAuditEventFactory auditFactory;
    // Provider label sent with audit events: "WebSphere" by default, overwritten (for all instances)
    // with "AuthorizationTable" by a constructor that finds a pluggable table.
    private static String providerName;
    // Not referenced anywhere in the visible code.
    private static final boolean providerSuccess = true;
    // Compiler-synthesized cache for this class's Class object (see class$ and the static initializer).
    static Class class$com$ibm$ws$security$role$RoleBasedAuthorizerImpl;
    // Context handed to the pluggable table; the constructor fills in application, server and cell name.
    private HashMap accessContext = new HashMap(3);
    // Lazily computed answer of handleAllAuthz() and its "already computed" marker; both are plain
    // fields with no synchronization visible in this class.
    private boolean _handleAllAuthz = false;
    private boolean _alreadyAttempted = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/security/role/RoleBasedAuthorizerImpl$CredHolder.class */
    /**
     * Carries the credential/subject pair an authorization decision is evaluated against, plus a
     * flag recording that the thread had neither an invocation nor a received credential.
     *
     * <p>NOTE(review): {@link #toString()} renders both the credential and the Subject, and the
     * enclosing class passes CredHolder instances to Tr.entry/Tr.exit. Confirm that entry/exit
     * trace output is handled as sensitive data wherever it is collected.
     */
    public static final class CredHolder {
        WSCredential cred;
        Subject subject;
        boolean threadMissingCredentials;

        /**
         * @param subject      subject to evaluate, may be null
         * @param wSCredential credential to evaluate, may be null
         * @param z            true when the thread carried no credentials at all
         */
        CredHolder(Subject subject, WSCredential wSCredential, boolean z) {
            // Field defaults already are null/false, so only the real values are assigned.
            this.subject = subject;
            this.cred = wSCredential;
            this.threadMissingCredentials = z;
        }

        /** @return true when both the invocation and the received credential were null */
        public boolean isThreadMissingCredentials() {
            return threadMissingCredentials;
        }

        /** Identity string followed by the credential, the subject and the missing-credentials flag. */
        public String toString() {
            return super.toString()
                    + ";cred=" + cred
                    + ";subject=" + subject
                    + ";threadMissingCredentials=" + threadMissingCredentials;
        }
    }

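    /**
     * Creates the authorizer for one application.
     *
     * <p>When a pluggable authorization table proxy is available, the cell, server and application
     * names are placed in the access context passed to that table, the shared provider name becomes
     * "AuthorizationTable" and the SAF flag is read. The constructor then sets up the shared
     * ignore-case flag and the shared audit handler/factory.
     *
     * <p>NOTE(review): the guard around the shared setup is the instance field
     * {@code staticsInitialized}, so the setup runs for every new instance. Each run replaces the
     * shared audit handler and calls {@code setAppName} on it, so audit events raised by other
     * authorizer instances may carry the name of the most recently constructed application.
     * Fixing this needs a static guard, which is a field-level change outside this constructor.
     *
     * @param str                       name of the application this authorizer serves
     * @param roleBasedConfiguratorImpl source of the application's role data
     */
    public RoleBasedAuthorizerImpl(String str, RoleBasedConfiguratorImpl roleBasedConfiguratorImpl) {
        this.configurator = null;
        this.appName = null;
        this.cellName = null;
        this.serverName = null;
        this.pluggableAuthTable = null;
        this.isSAFAuthz = false;
        this.staticsInitialized = false;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>", new Object[]{str, roleBasedConfiguratorImpl});
        }
        this.appName = str;
        this.configurator = roleBasedConfiguratorImpl;
        this.pluggableAuthTable = PluggableAuthorizationTableProxy.getAuthorizationTableProxy();
        if (this.pluggableAuthTable != null) {
            this.cellName = (String) SecurityConfig.getConfig().getValue(SecurityConfig.CELL_NAME);
            this.serverName = (String) SecurityConfig.getConfig().getValue(SecurityConfig.SHORT_SERVER_NAME);
            this.accessContext.put(AuthorizationTable.APP_NAME, this.appName);
            this.accessContext.put("SERVER_NAME", this.serverName);
            this.accessContext.put("CELL_NAME", this.cellName);
            providerName = "AuthorizationTable";
            this.isSAFAuthz = PluggableAuthorizationTableProxy.isSAFAuthorizationEnabled();
        }
        if (!this.staticsInitialized) {
            Boolean bool = (Boolean) SecurityConfig.getConfig().getValue(CommonConstants.IGNORE_CASE);
            if (bool != null && bool.booleanValue()) {
                ignoreCase = true;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "ignoreCase is set");
                }
            }
            try {
                AuditServiceImpl auditServiceImpl = (AuditServiceImpl) AuditServiceImpl.getAuditService();
                if (auditServiceImpl != null) {
                    auditHandler = (AuditHandlerImpl) auditServiceImpl.newAuditHandler("WAS.security", "WAS.security");
                    if (auditHandler != null) {
                        auditFactory = (J2EEAuditEventFactory) auditHandler.getAuditEventFactory(CommonConstants.AUDIT_J2EE_FACTORY_NAME);
                    }
                    if (auditFactory != null && !Class.forName("com.ibm.wsspi.security.audit.J2EEAuditEventFactory").isInstance(auditFactory)) {
                        auditFactory = null;
                    }
                }
                if (auditHandler != null) {
                    auditHandler.setAppName(this.appName);
                }
            } catch (Exception e) {
                Tr.error(tc, "security.wsaccessmanager.classnotfound", new Object[]{"J2EEAuditEventFactory"});
                // The message above reports a missing class for every failure (cast errors and
                // runtime failures included), so keep the real cause available in trace. Without
                // it, a silently disabled audit path is hard to diagnose.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception initializing the audit handler/factory", e);
                }
            }
            this.staticsInitialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>", this);
        }
    }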

    /**
     * Decides whether the current caller may invoke a method of a module in this application.
     *
     * <p>The required roles are looked up under the key {@code str2 + ":" + str3}. For an
     * application whose name starts with {@code Constants.ADMIN_APP}, each required role is
     * expanded with its parent roles. If "everyone" is granted one of the roles the call is
     * allowed without looking at credentials. Otherwise the decision goes to the default engine or
     * to the pluggable authorization table. A denial is written with Tr.audit, including the
     * security name, access id and the role list.
     *
     * <p>A RoleBasedAppException while reading role data is recorded through FFDC and results in a
     * denial. Other runtime exceptions are not caught here and propagate to the caller.
     *
     * @param str  module name used to find the role data
     * @param str2 first part of the required-roles key
     * @param str3 second part of the required-roles key
     * @return true when access is granted
     */
    @Override // com.ibm.ws.security.role.RoleBasedAuthorizer
    public boolean checkAccess(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAccess", new Object[]{str, str2, str3});
        }
        boolean granted = false;
        try {
            RoleBasedSubjectMap subjectMap = this.configurator.getRoleBasedSubjectMap(this.appName);
            RoleBasedModule module = this.configurator.getRoleBasedModule(this.appName, str);
            if (module == null && this.appName.startsWith(Constants.ADMIN_APP)) {
                // Admin applications fall back to the role data registered under the bare admin name.
                module = this.configurator.getRoleBasedModule(Constants.ADMIN_APP, str);
            }
            HashSet declaredRoles = null;
            if (module != null) {
                declaredRoles = module.getRequiredRoles(str2 + ":" + str3);
            }
            HashSet effectiveRoles = new HashSet();
            String[] declaredNames = declaredRoles == null ? new String[0] : (String[]) declaredRoles.toArray(new String[0]);
            boolean adminApp = this.appName.startsWith(Constants.ADMIN_APP);
            for (int idx = 0; idx < declaredNames.length; idx++) {
                String role = declaredNames[idx];
                // The factory is consulted once per role, and only for admin applications.
                AdminAuthorizer adminAuthorizer = adminApp ? AdminAuthorizerFactory.getAdminAuthorizer() : null;
                if (adminAuthorizer == null) {
                    effectiveRoles.add(role);
                    continue;
                }
                List parentRoles = adminAuthorizer.getAllParentRoles(role);
                effectiveRoles.add(role);
                effectiveRoles.addAll(parentRoles);
            }

            CredHolder holder = null;
            if (isEveryoneGranted(effectiveRoles, subjectMap)) {
                granted = true;
            } else {
                holder = getEffectiveCredentials();
                if (holder.isThreadMissingCredentials()) {
                    Tr.error(tc, "security.rolebauthz.nocred", new Object[]{str3, str2, str, new Exception("Invocation and received credentials are both null")});
                }
                boolean usePluggableTable = this.pluggableAuthTable != null
                        && (handleAllAuthz() || !contextManager.isInternalServerCredential(holder.cred));
                if (usePluggableTable) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "calling " + this.pluggableAuthTable + " for authorization decision");
                    }
                    granted = checkAccess(effectiveRoles, str, str2, str3, holder);
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "calling default authz engine for authorization decision");
                    }
                    granted = checkAccess(effectiveRoles, str, str2, str3, holder, subjectMap);
                }
            }

            if (!granted) {
                // holder is always set here: a denial is only reachable through the branch above
                // that fetched the effective credentials.
                String accessId = getAccessId(holder.cred);
                String securityName = getSecurityName(holder.cred);
                String[] roleNames = (String[]) effectiveRoles.toArray(new String[0]);
                StringBuffer roleList = new StringBuffer();
                for (int idx = 0; idx < roleNames.length; idx++) {
                    if (idx > 0) {
                        roleList.append(", ");
                    }
                    roleList.append(roleNames[idx]);
                }
                Tr.audit(tc, "security.rolebauthz.authzfail", new Object[]{this.appName, str2, str3, securityName, accessId, roleList.toString()});
            }
        } catch (RoleBasedAppException e) {
            // Role data could not be read: granted stays false, so the call is denied.
            FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess", "322", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to acquire role info", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAccess", new Boolean(granted));
        }
        return granted;
    }

    /**
     * Asks the pluggable authorization table whether the holder's subject has any of the roles,
     * then emits a SUCCESS or DENIED audit event when the audit factory is active for that outcome.
     *
     * <p>Any Exception from the table is recorded through FFDC and treated as a denial; the
     * exception is attached to the DENIED audit event.
     *
     * @param set        required role names, may be null
     * @param str        module name (only traced here)
     * @param str2       passed to the audit event
     * @param str3       passed to the audit event
     * @param credHolder credentials to evaluate; only its subject is used for the decision
     * @return true when the table grants any of the roles
     */
    private boolean checkAccess(Set set, String str, String str2, String str3, CredHolder credHolder) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAccess", new Object[]{set, str, str2, str3, credHolder});
        }
        boolean granted = false;
        Exception failure = null;
        try {
            String[] roleNames = set != null ? (String[]) set.toArray(new String[0]) : new String[0];
            granted = this.pluggableAuthTable.isGrantedAnyRole(this.accessContext, roleNames, credHolder.subject);
        } catch (Exception e) {
            // granted stays false: a failing table denies access.
            FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess", "355", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception caught: ", e);
            }
            failure = e;
        }
        boolean successAuditActive = auditFactory != null && auditFactory.isActive(1, 0);
        if (successAuditActive && granted) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", "", null, str2, J2EEAuditEventFactory.WAS, str3, providerName, true, credHolder.subject, "security.audit.authz.success.audit", null);
        }
        boolean deniedAuditActive = auditFactory != null && auditFactory.isActive(1, 4);
        if (deniedAuditActive && !granted) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", "", failure, str2, J2EEAuditEventFactory.WAS, str3, providerName, true, credHolder.subject, "security.audit.authz.denied.audit", null);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAccess", new Boolean(granted));
        }
        return granted;
    }

    /**
     * Default-engine decision: access is granted when the credential itself, or one of its groups,
     * is granted any of the roles in the subject map. Emits a SUCCESS or DENIED audit event when
     * the audit factory is active for that outcome.
     *
     * <p>Any Throwable raised during the lookup is recorded through FFDC and treated as a denial.
     * Unlike the pluggable-table overload, the DENIED audit event carries no exception.
     *
     * @param set                 required role names
     * @param str                 module name (only traced here)
     * @param str2                passed to the audit event
     * @param str3                passed to the audit event
     * @param credHolder          credentials to evaluate
     * @param roleBasedSubjectMap role-to-subject bindings of the application
     * @return true when the credential or one of its groups holds any of the roles
     */
    private boolean checkAccess(Set set, String str, String str2, String str3, CredHolder credHolder, RoleBasedSubjectMap roleBasedSubjectMap) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkAccess", new Object[]{set, str, str2, str3, credHolder, roleBasedSubjectMap});
        }
        boolean granted = false;
        try {
            // User binding first; groups are only consulted when the user binding does not match.
            granted = roleBasedSubjectMap.isGrantedAnyRole(credHolder.cred, set)
                    || isGroupGrantedAnyRole(set, roleBasedSubjectMap, credHolder.cred);
        } catch (Throwable th) {
            // granted stays false: a failing lookup denies access.
            FFDCFilter.processException(th, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.checkAccess", "411", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception caught: ", th);
            }
        }
        boolean successAuditActive = auditFactory != null && auditFactory.isActive(1, 0);
        if (successAuditActive && granted) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", "", null, str2, J2EEAuditEventFactory.WAS, str3, providerName, true, credHolder.subject, "security.audit.authz.success.audit", null);
        }
        boolean deniedAuditActive = auditFactory != null && auditFactory.isActive(1, 4);
        if (deniedAuditActive && !granted) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", "", null, str2, J2EEAuditEventFactory.WAS, str3, providerName, true, credHolder.subject, "security.audit.authz.denied.audit", null);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkAccess", new Boolean(granted));
        }
        return granted;
    }

    /**
     * Reports whether "everyone" is granted one of the given roles, in which case no credential
     * check is needed.
     *
     * <p>The pluggable table is consulted only when it exists and the role set is non-empty; in
     * every other case (including a null or empty role set) the application's subject map answers.
     *
     * @param set                 required role names, may be null or empty
     * @param roleBasedSubjectMap role-to-subject bindings of the application
     * @return true when everyone is granted at least one of the roles
     */
    private boolean isEveryoneGranted(Set set, RoleBasedSubjectMap roleBasedSubjectMap) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted", new Object[]{set, roleBasedSubjectMap});
        }
        boolean everyone;
        if (this.pluggableAuthTable != null && set != null && set.size() != 0) {
            String[] roleNames = (String[]) set.toArray(new String[0]);
            everyone = this.pluggableAuthTable.isEveryoneGranted(this.accessContext, roleNames);
        } else {
            everyone = roleBasedSubjectMap.isEveryoneGranted(set);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isEveryoneGranted", new Boolean(everyone));
        }
        return everyone;
    }

    /**
     * Checks the credential's group ids one by one against the subject map and stops at the first
     * group that is granted any of the roles.
     *
     * <p>If the group ids cannot be read, the failure is recorded through FFDC and the credential
     * is treated as having no groups.
     *
     * <p>NOTE(review): with ignoreCase set, group ids are lower-cased with the JVM default locale
     * ({@code toLowerCase()} without a Locale). Under locales with special casing rules the result
     * can differ from an ASCII lower-casing. Confirm that the ids stored in the subject map are
     * normalized the same way before switching to a fixed locale.
     *
     * @param set                 required role names
     * @param roleBasedSubjectMap role-to-subject bindings of the application
     * @param wSCredential        credential whose groups are checked
     * @return true when any group of the credential is granted any of the roles
     */
    private boolean isGroupGrantedAnyRole(Set set, RoleBasedSubjectMap roleBasedSubjectMap, WSCredential wSCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGroupGrantedAnyRole", new Object[]{set, roleBasedSubjectMap, wSCredential});
        }
        ArrayList groupIds = null;
        try {
            groupIds = wSCredential.getGroupIds();
        } catch (GeneralSecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.isCallerInRole", "490", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting group IDs", e);
            }
        }
        String[] groups = groupIds != null ? (String[]) groupIds.toArray(new String[groupIds.size()]) : new String[0];
        boolean matched = false;
        for (int idx = 0; idx < groups.length && !matched; idx++) {
            String groupId = groups[idx];
            if (ignoreCase) {
                groupId = groupId.toLowerCase();
            }
            matched = roleBasedSubjectMap.isGroupGrantedAnyRole(groupId, set);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGroupGrantedAnyRole", new Boolean(matched));
        }
        return matched;
    }

    /**
     * Reports whether the current caller holds the given role.
     *
     * <p>A null role name is logged as a configuration error and answered with false. The decision
     * is made by the pluggable table when one exists and either handleAllAuthz() is true or the
     * credential is not the internal server credential; otherwise the default engine checks the
     * user binding and then the group bindings. Any Throwable during the decision is recorded
     * through FFDC and answered with false.
     *
     * <p>Unlike checkAccess, a negative result is only written to debug trace, and no audit event
     * is sent from this method.
     *
     * @param str role name to test
     * @return true when the caller is in the role
     */
    @Override // com.ibm.ws.security.role.RoleBasedAuthorizer
    public boolean isCallerInRole(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCallerInRole", str);
        }
        if (str == null) {
            Tr.error(tc, "security.roleref.configerror", new Object[]{str});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isCallerInRole", new Boolean(false));
            }
            return false;
        }
        CredHolder holder = getEffectiveCredentials();
        if (holder.isThreadMissingCredentials()) {
            Tr.error(tc, "security.rolebauthz.nocred2", new Object[]{str, new Exception("Invocation and received credentials are both null")});
        }
        boolean inRole = false;
        try {
            boolean usePluggableTable = this.pluggableAuthTable != null
                    && (handleAllAuthz() || !contextManager.isInternalServerCredential(holder.cred));
            if (usePluggableTable) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "calling " + this.pluggableAuthTable + " for authorization decision");
                }
                inRole = this.pluggableAuthTable.isGrantedRole(this.accessContext, str, holder.subject);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "calling default authz engine for authorization decision");
                }
                RoleBasedSubjectMap subjectMap = this.configurator.getRoleBasedSubjectMap(this.appName);
                HashSet singleRole = new HashSet(1);
                singleRole.add(str);
                inRole = subjectMap.isGrantedAnyRole(holder.cred, singleRole)
                        || isGroupGrantedAnyRole(singleRole, subjectMap, holder.cred);
            }
        } catch (Throwable th) {
            // inRole stays false: a failing lookup means "not in role".
            FFDCFilter.processException(th, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.isCallerInRole", "574", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception caught: ", th);
            }
        }
        if (!inRole && tc.isDebugEnabled()) {
            Tr.debug(tc, "SECJ0321E: Role based authorization is caller in role  failed for security name: " + getSecurityName(holder.cred) + " accessID: " + getAccessId(holder.cred) + " and role name: " + str);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCallerInRole", new Boolean(inRole));
        }
        return inRole;
    }

    /**
     * Selects the subject and credential that the current authorization decision is made against.
     *
     * <p>Selection order, as implemented below:
     * <ol>
     *   <li>the invocation subject's credential, when it exists and is not unauthenticated;</li>
     *   <li>otherwise the caller subject's credential, under the same condition;</li>
     *   <li>when both credentials exist and both are unauthenticated, the caller subject's pair;</li>
     *   <li>when nothing was selected, the unauthenticated subject/credential from the context
     *       manager.</li>
     * </ol>
     * A selected basic-auth credential is passed through {@code contextManager.authenticate}; if
     * that fails the credential is dropped and step 4 applies.
     *
     * <p>NOTE(review): after a successful authenticate() only the credential is replaced; the
     * holder's subject stays the one the basic-auth credential came from. The pluggable-table paths
     * in this class decide on the subject and the default engine on the credential; confirm that
     * the two are meant to diverge here.
     *
     * @return holder with the selected subject/credential and the "thread had no credentials" flag
     */
    private CredHolder getEffectiveCredentials() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getEffectiveCredentials");
        }
        Subject subject = null;
        WSCredential wSCredential = null;
        boolean z = false;
        WSCredential wSCredential2 = null;
        Subject subject2 = null;
        WSCredential wSCredential3 = null;
        try {
            // Step 1: invocation credential, only if authenticated.
            Subject invocationSubject = contextManager.getInvocationSubject();
            wSCredential2 = SubjectHelper.getWSCredentialFromSubject(invocationSubject);
            if (wSCredential2 != null && !wSCredential2.isUnauthenticated()) {
                subject = invocationSubject;
                wSCredential = wSCredential2;
            }
            // Step 2: fall back to the caller (received) credential, only if authenticated.
            if (wSCredential == null) {
                subject2 = contextManager.getCallerSubject();
                wSCredential3 = SubjectHelper.getWSCredentialFromSubject(subject2);
                if (wSCredential3 != null) {
                    if (!wSCredential3.isUnauthenticated()) {
                        subject = subject2;
                        wSCredential = wSCredential3;
                    }
                }
            }
        } catch (WSSecurityException e) {
            // A lookup failure leaves whatever was not yet read as null; it is not rethrown.
            FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.getEffectiveCredentials", "651", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting invocation credential", e);
            }
        }
        // Both credentials null: the thread carried no credentials at all (also the state after an
        // exception on the first lookup above).
        if (wSCredential2 == null && wSCredential3 == null) {
            z = true;
        }
        // Step 3: both present but unauthenticated, so keep the caller's unauthenticated pair.
        if (wSCredential2 != null && wSCredential2.isUnauthenticated() && wSCredential3 != null && wSCredential3.isUnauthenticated()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invocation and received creds are UNAUTHENTICATED!");
            }
            subject = subject2;
            wSCredential = wSCredential3;
        }
        // A basic-auth credential must be authenticated before use; failure drops it.
        if (wSCredential != null && !wSCredential.isUnauthenticated() && wSCredential.isBasicAuth()) {
            try {
                wSCredential = contextManager.authenticate(wSCredential);
            } catch (WSSecurityException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl", "687", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception during authentication", e2);
                }
                wSCredential = null;
            }
        }
        CredHolder credHolder = new CredHolder(subject, wSCredential, z);
        // Step 4: nothing usable was selected, so substitute the unauthenticated identity.
        if (credHolder.cred == null) {
            try {
                credHolder.subject = contextManager.createUnauthenticatedSubject();
                credHolder.cred = contextManager.getUnauthenticatedCredential();
            } catch (WSSecurityException e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl", "704", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception getting unauthenticated cred", e3);
                }
            }
        }
        // NOTE(review): if the substitution above threw, credHolder.cred is still null and the
        // dereference below raises a NullPointerException. checkAccess(String,String,String),
        // isCallerInRole and isGrantedAnyRole call this method outside any catch that covers
        // it, so the decision ends in an unchecked exception rather than a "false" result. Whether a
        // null credential may instead be returned depends on how ContextManager and
        // RoleBasedSubjectMap treat null, which is not visible here.
        if ((credHolder.cred.isUnauthenticated() || z) && tc.isDebugEnabled()) {
            Tr.debug(tc, "Unauthenticated or missing subject/credentials.", new Exception("Unauthenticated or missing subject/credentials."));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getEffectiveCredentials", credHolder);
        }
        return credHolder;
    }

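    /**
     * Decides whether the given subject is granted any of the supplied roles.
     *
     * <p>A basic-auth credential found in the subject is authenticated first. When no credential
     * can be obtained, the unauthenticated subject and credential from the context manager are used
     * instead. For an application whose name starts with {@code Constants.ADMIN_APP} each role is
     * expanded with its parent roles. The decision then goes to the pluggable table or to the
     * default engine. Any Throwable during the decision is recorded through FFDC and answered with
     * false; an Exception is attached to the DENIED audit event.
     *
     * <p>The audit and trace code after the decision used to index {@code strArr[0]} and
     * {@code strArr[strArr.length - 1]} unconditionally, so a null or empty role array turned a
     * plain denial into a NullPointerException or ArrayIndexOutOfBoundsException, and the DENIED
     * audit event was never sent. The role labels are now read defensively.
     *
     * @param strArr  role names to test; null or empty is answered by the normal decision path
     * @param subject subject to evaluate; replaced by the unauthenticated subject when it carries
     *                no usable credential
     * @return true when the subject is granted any of the roles
     */
    @Override // com.ibm.ws.security.role.RoleBasedAuthorizer
    public boolean isGrantedRole(String[] strArr, Subject subject) {
        boolean z = false;
        WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
        Exception exc = null;
        if (wSCredentialFromSubject != null && wSCredentialFromSubject.isBasicAuth()) {
            try {
                wSCredentialFromSubject = contextManager.authenticate(wSCredentialFromSubject);
            } catch (WSSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl", "740", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception during authentication", e);
                }
                // Failed authentication: fall through to the unauthenticated identity below.
                wSCredentialFromSubject = null;
            }
        }
        if (wSCredentialFromSubject == null) {
            try {
                subject = contextManager.createUnauthenticatedSubject();
                wSCredentialFromSubject = contextManager.getUnauthenticatedCredential();
            } catch (WSSecurityException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl", "755", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception getting unauthenticated cred", e2);
                }
            }
        }
        try {
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            if (this.appName.startsWith(Constants.ADMIN_APP)) {
                for (int i = 0; i < strArr.length; i++) {
                    AdminAuthorizer adminAuthorizer = AdminAuthorizerFactory.getAdminAuthorizer();
                    if (adminAuthorizer != null) {
                        List allParentRoles = adminAuthorizer.getAllParentRoles(strArr[i]);
                        linkedHashSet.add(strArr[i]);
                        linkedHashSet.addAll(allParentRoles);
                    } else {
                        linkedHashSet.add(strArr[i]);
                    }
                }
            } else {
                for (String str : strArr) {
                    linkedHashSet.add(str);
                }
            }
            if (this.pluggableAuthTable == null || (!handleAllAuthz() && contextManager.isInternalServerCredential(wSCredentialFromSubject))) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "calling default authz engine for authorization decision");
                }
                RoleBasedSubjectMap roleBasedSubjectMap = this.configurator.getRoleBasedSubjectMap(this.appName);
                if (roleBasedSubjectMap.isGrantedAnyRole(wSCredentialFromSubject, linkedHashSet)) {
                    z = true;
                } else if (isGroupGrantedAnyRole(linkedHashSet, roleBasedSubjectMap, wSCredentialFromSubject)) {
                    z = true;
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("calling ").append(this.pluggableAuthTable).append(" for authorization decision").toString());
                }
                // From here on strArr is the expanded role list, which is also what gets audited.
                strArr = (String[]) linkedHashSet.toArray(new String[0]);
                z = this.pluggableAuthTable.isGrantedAnyRole(this.accessContext, strArr, subject);
            }
        } catch (Throwable th) {
            // z stays false: a failing lookup (including a null role array) denies access.
            FFDCFilter.processException(th, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.isGrantedRole", "804", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception caught", th);
            }
            exc = th instanceof Exception ? (Exception) th : null;
        }
        // Read the role labels defensively so that reporting can never throw after the decision.
        boolean hasRoles = strArr != null && strArr.length > 0;
        String firstRole = hasRoles ? strArr[0] : null;
        String lastRole = hasRoles ? strArr[strArr.length - 1] : null;
        if (auditFactory != null && auditFactory.isActive(1, 0) && z) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", "", null, null, J2EEAuditEventFactory.WAS, "isGrantedRole", providerName, true, subject, "security.audit.authz.success.audit", new Object[]{firstRole});
        }
        if (auditFactory != null && auditFactory.isActive(1, 4) && !z) {
            auditFactory.sendAuthzAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", "", exc, null, J2EEAuditEventFactory.WAS, "isGrantedRole", providerName, true, subject, "security.audit.authz.denied.audit", new Object[]{firstRole});
        }
        if (!z && tc.isDebugEnabled()) {
            Tr.debug(tc, "security.rolebauthz.iscallerinrolefail", new Object[]{getSecurityName(wSCredentialFromSubject), getAccessId(wSCredentialFromSubject), lastRole});
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, new StringBuffer().append("isGrantedRole, result:").append(z).toString());
        }
        return z;
    }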

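    /**
     * Returns the access id of a credential for use in log, trace and audit messages.
     *
     * <p>Never returns null: a null credential yields {@code RoleBasedSubjectMap.NO_CRED}, and a
     * credential without an access id (or one whose access id cannot be read) yields
     * {@code RoleBasedSubjectMap.NULL_ACCESS_ID}. With ignoreCase set the id is lower-cased.
     *
     * <p>The lower-casing used to run on a possibly-null access id. Every call site in this class
     * sits on a denial-reporting path, so that NullPointerException would replace the denial
     * report and, where uncaught, the decision itself. The null case is now left to the
     * NULL_ACCESS_ID fallback below.
     *
     * @param wSCredential credential to describe, may be null
     * @return access id or one of the placeholder constants
     */
    private String getAccessId(WSCredential wSCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAccessId", wSCredential);
        }
        String str = null;
        if (wSCredential != null) {
            try {
                str = wSCredential.getAccessId();
                if (ignoreCase && str != null) {
                    str = str.toLowerCase();
                }
            } catch (GeneralSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.getAccessId", "856", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unexpected exception getting accessId", e);
                }
            }
        } else {
            str = RoleBasedSubjectMap.NO_CRED;
        }
        if (str == null) {
            str = RoleBasedSubjectMap.NULL_ACCESS_ID;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAccessId", str);
        }
        return str;
    }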

    /**
     * Returns the security name of a credential for use in log and trace messages.
     *
     * <p>Returns null for a null credential and when the name cannot be read; the read failure is
     * recorded through FFDC (under the "getAccessId" source id, as in the original).
     *
     * @param wSCredential credential to describe, may be null
     * @return security name, or null when unavailable
     */
    private String getSecurityName(WSCredential wSCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityName", wSCredential);
        }
        String securityName = null;
        if (wSCredential != null) {
            try {
                securityName = wSCredential.getSecurityName();
            } catch (GeneralSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.getAccessId", "883", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unexpected exception getting securityName", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityName", securityName);
        }
        return securityName;
    }

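    /**
     * Reports whether the current caller is granted any of the supplied roles.
     *
     * <p>A null array is answered with false. The decision is made by the pluggable table when one
     * exists and either handleAllAuthz() is true or the credential is not the internal server
     * credential; otherwise the default engine checks the user binding and then the group
     * bindings. Any Throwable during the decision is recorded through FFDC and answered with
     * false. A negative result is only written to debug trace; no audit event is sent here.
     *
     * <p>The logging code used to read {@code strArr[0]} unconditionally, so an empty (non-null)
     * array raised ArrayIndexOutOfBoundsException on the missing-credentials path and on the
     * debug-trace path instead of returning a decision. The role labels are now built without
     * assuming a first element.
     *
     * @param strArr role names to test
     * @return true when the caller is granted any of the roles
     */
    @Override // com.ibm.ws.security.role.RoleBasedAuthorizer
    public boolean isGrantedAnyRole(String[] strArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAnyRole", strArr);
        }
        boolean z = false;
        if (strArr == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isGrantedAnyRole", new Boolean(false));
            }
            return false;
        }
        CredHolder effectiveCredentials = getEffectiveCredentials();
        if (effectiveCredentials.isThreadMissingCredentials()) {
            // An empty role array has no first element; report null rather than throwing.
            String firstRole = strArr.length > 0 ? strArr[0] : null;
            Tr.error(tc, "security.rolebauthz.nocred2", new Object[]{firstRole, new Exception("Invocation and received credentials are both null")});
        }
        try {
            if (this.pluggableAuthTable == null || (!handleAllAuthz() && contextManager.isInternalServerCredential(effectiveCredentials.cred))) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "calling default authz engine for authorization decision");
                }
                RoleBasedSubjectMap roleBasedSubjectMap = this.configurator.getRoleBasedSubjectMap(this.appName);
                HashSet hashSet = new HashSet();
                for (String str : strArr) {
                    hashSet.add(str);
                }
                if (roleBasedSubjectMap.isGrantedAnyRole(effectiveCredentials.cred, hashSet)) {
                    z = true;
                } else if (isGroupGrantedAnyRole(hashSet, roleBasedSubjectMap, effectiveCredentials.cred)) {
                    z = true;
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("calling ").append(this.pluggableAuthTable).append(" for authorization decision").toString());
                }
                z = this.pluggableAuthTable.isGrantedAnyRole(this.accessContext, strArr, effectiveCredentials.subject);
            }
        } catch (Throwable th) {
            // z stays false: a failing lookup denies access.
            FFDCFilter.processException(th, "com.ibm.ws.security.role.RoleBasedAuthorizerImpl.isCallerInRole", "531", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception caught: ", th);
            }
        }
        if (!z && tc.isDebugEnabled()) {
            String securityName = getSecurityName(effectiveCredentials.cred);
            String accessId = getAccessId(effectiveCredentials.cred);
            // Colon-separated role list; the loop starts at 0 so that an empty array yields "".
            StringBuffer roleList = new StringBuffer();
            for (int i = 0; i < strArr.length; i++) {
                if (i > 0) {
                    roleList.append(":");
                }
                roleList.append(strArr[i]);
            }
            Tr.debug(tc, new StringBuffer().append("SECJ0321E: Role based authorization is caller in role  failed for security name: ").append(securityName).append(" accessID: ").append(accessId).append(" and role name: ").append(roleList.toString()).toString());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedAnyRole", new Boolean(z));
        }
        return z;
    }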

    /**
     * Tells whether the pluggable authorization table should also decide for the internal server
     * credential. The answer is computed once per instance and cached.
     *
     * <p>It is true when the registry server id is in use, when SAF authorization is enabled, or
     * when the top-level property {@code CommonConstants.HANDLE_ALL_AUTHZ} is "true" or "yes"
     * (case-insensitive).
     *
     * <p>NOTE(review): the top-level Properties object is dereferenced without a null check. If it
     * can be absent, this throws before the cache flag is set and every later call repeats the
     * lookup. Confirm that SecurityConfig always provides it.
     *
     * @return true when the pluggable table handles all authorization decisions
     */
    boolean handleAllAuthz() {
        if (this._alreadyAttempted) {
            return this._handleAllAuthz;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleAllAuthz");
        }
        if (SecurityConfig.isUseRegistryServerId() || this.isSAFAuthz) {
            this._handleAllAuthz = true;
        } else {
            Properties topLevelProps = (Properties) SecurityConfig.getConfig().getValue(CommonConstants.TOPLEVEL_PROPS);
            String configured = (String) topLevelProps.get(CommonConstants.HANDLE_ALL_AUTHZ);
            boolean enabled = configured != null
                    && (configured.equalsIgnoreCase("true") || configured.equalsIgnoreCase("yes"));
            if (enabled) {
                this._handleAllAuthz = true;
            }
        }
        this._alreadyAttempted = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleAllAuthz", new Boolean(this._handleAllAuthz));
        }
        return this._handleAllAuthz;
    }

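    /**
     * Compiler-synthesized helper behind class literals: loads a class by name and converts a
     * ClassNotFoundException into a NoClassDefFoundError that keeps the original as its cause.
     *
     * <p>The decompiled form threw the result of {@code initCause(...)} directly. That expression
     * has static type Throwable, which this method does not declare, so the error is now built,
     * linked to its cause and thrown with its real type.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError when the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }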

    // Class initialization: resolves (and caches) this class's Class object, registers the trace
    // component under the "Security" group, and sets the shared defaults. Case-insensitive
    // matching is off, no audit handler/factory is set, and the provider name is "WebSphere".
    // Constructors may later overwrite ignoreCase, the audit fields and providerName.
    static {
        Class self = class$com$ibm$ws$security$role$RoleBasedAuthorizerImpl;
        if (self == null) {
            self = class$("com.ibm.ws.security.role.RoleBasedAuthorizerImpl");
            class$com$ibm$ws$security$role$RoleBasedAuthorizerImpl = self;
        }
        tc = Tr.register(self, "Security", "com.ibm.ejs.resources.security");
        ignoreCase = false;
        contextManager = ContextManagerFactory.getInstance();
        auditHandler = null;
        auditFactory = null;
        providerName = "WebSphere";
    }
}
