package com.ibm.ws.webservices.wssecurity.token;

import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityUtilityImpl.SecurityConfiguration;
import com.ibm.events.util.CeiString;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.CacheException;
import com.ibm.ws.security.auth.SecurityCache;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.WSSConsumerComponent;
import com.ibm.ws.webservices.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.webservices.wssecurity.util.ConfigConstants;
import com.ibm.ws.webservices.wssecurity.util.DOMUtil;
import com.ibm.wsspi.security.auth.callback.WSCallbackHandlerFactory;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl;
import com.ibm.wsspi.wssecurity.auth.token.LTPAToken;
import com.ibm.wsspi.wssecurity.auth.token.LTPATokenWrapper;
import com.ibm.wsspi.wssecurity.auth.token.Token;
import com.ibm.wsspi.wssecurity.auth.token.UsernameToken;
import com.ibm.wsspi.wssecurity.auth.token.X509BSToken;
import com.ibm.wsspi.wssecurity.config.KeyLocatorException;
import com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.lang.reflect.Method;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.eclipse.jst.j2ee.internal.web.operations.CreateServletTemplateModel;
import org.w3c.dom.Node;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/webservices/wssecurity/token/LoginProcessor.class */
public class LoginProcessor implements WSSConsumerComponent {
    // Trace component and class name used in every Tr.entry/exit/debug call; assigned in a static
    // initializer that is not part of this listing.
    private static final TraceComponent tc;
    private static final String comp = "security.wssecurity";
    private static final String clsName;
    // JAAS configuration names: the default login, the identity-assertion mapping login (username or
    // custom token without a password) and the signature mapping login (X.509 token).
    private static final String JAASCONFIG_DEFAULT = "WSLogin";
    private static final String JAASCONFIG_IDASSERTION = "system.wssecurity.IDAssertion";
    private static final String JAASCONFIG_SIGNATURE = "system.wssecurity.Signature";
    private static final String CALLBACKHANDLER_FACTORY_DEFAULT = "com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl";
    // Set by init(); not read anywhere in this listing.
    private boolean _initialized = false;
    // Per-call context keys: the JAAS config to use and whether the context Subject is passed to the
    // login. invoke() removes both from the context once login() has run.
    private static final String JAAS_LOGINCONFIG = "com.ibm.wsspi.wssecurity.Caller.assertionLoginConfig";
    private static final String JAAS_PASSLOGINSUBJECT = "com.ibm.wsspi.wssecurity.Caller.passSubjectToLogin";
    // Assigned in the static initializer outside this listing; not referenced by the methods shown here.
    private static final WebSphereRuntimePermission MAP_CREDENTIAL;
    // Decompiler artefacts: lazily filled caches for class literals (the pre-Java-5 class$ idiom).
    static Class class$com$ibm$ws$webservices$wssecurity$token$LoginProcessor;
    static Class class$com$ibm$ws$webservices$wssecurity$token$AuthResult;
    static Class class$com$ibm$websphere$security$cred$WSCredential;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/webservices/wssecurity/token/LoginProcessor$_authCacheClass.class */
    /**
     * Lazy holder for the shared authentication cache.
     * <p>
     * The cache class is named by the constant {@code FACTORY_CLASS} (never by external input), loaded
     * reflectively so that this class does not link against it, and its static {@code getInstance}
     * method is invoked once when this holder class is initialized. Any failure is recorded through
     * FFDC and leaves {@code _authCache} null, which disables cache lookups in {@code login}.
     * Note that the field is package-visible and not final, so it stays writable after initialization.
     */
    public static class _authCacheClass {
        static SecurityCache _authCache;
        private static final String FACTORY_CLASS = "com.ibm.ws.security.auth.AuthCache";

        private _authCacheClass() {
        }

        /**
         * Resolves the no-argument {@code getInstance} method of the cache class.
         *
         * @return the method, or null when the cache class could not be resolved
         * @throws UndeclaredThrowableException wrapping any reflection failure (after tracing it)
         */
        private static Method getAuthCacheGetInstanceMethod() {
            Class cacheClass = getAuthCacheClass();
            if (cacheClass == null) {
                return null;
            }
            try {
                return cacheClass.getMethod("getInstance", null);
            } catch (Exception e) {
                Tr.processException(e, LoginProcessor.clsName + ".getAuthCacheGetInstanceMethod", "1160");
                throw new UndeclaredThrowableException(e);
            }
        }

        /**
         * Loads the cache class, preferring the thread context class loader and falling back to
         * {@code Class.forName} when there is none.
         *
         * @throws UndeclaredThrowableException wrapping any loading failure (after tracing it)
         */
        private static Class getAuthCacheClass() {
            try {
                ClassLoader loader = Thread.currentThread().getContextClassLoader();
                if (loader == null) {
                    return Class.forName(FACTORY_CLASS);
                }
                return loader.loadClass(FACTORY_CLASS);
            } catch (Exception e) {
                Tr.processException(e, LoginProcessor.clsName + ".getAuthCacheClass", "1187");
                throw new UndeclaredThrowableException(e);
            }
        }

        static {
            _authCache = null;
            try {
                Method getInstance = getAuthCacheGetInstanceMethod();
                if (getInstance == null) {
                    if (LoginProcessor.tc.isDebugEnabled()) {
                        Tr.debug(LoginProcessor.tc, "Unable to get AuthCache.getInstance method.");
                    }
                } else {
                    // static method: no receiver, no arguments
                    _authCache = (SecurityCache) getInstance.invoke(null, null);
                    if (LoginProcessor.tc.isDebugEnabled()) {
                        String outcome = (_authCache == null)
                                ? "AuthCache.getInstance method returned null."
                                : "AuthCache.getInstance method returned an AuthCache instance.";
                        Tr.debug(LoginProcessor.tc, outcome);
                    }
                }
            } catch (Exception e) {
                // Includes the UndeclaredThrowableException raised by the helpers above.
                FFDCFilter.processException(e, new StringBuffer().append(LoginProcessor.clsName).append(CreateServletTemplateModel.INIT).toString(), "1144");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/webservices/wssecurity/token/LoginProcessor$_wsCredToken.class */
    /**
     * Lazy holder for the credential/token mapper.
     * <p>
     * The implementation class is a fixed name, instantiated reflectively when this holder is first
     * used. On any failure (class missing, not instantiable, or not implementing
     * {@link WSCredentialTokenMapperInterface}) the error goes to FFDC and the field stays null;
     * {@code login} then cannot derive Subject unique IDs and falls back to token-based cache lookups.
     */
    public static class _wsCredToken {
        static WSCredentialTokenMapperInterface _wsCredTokenMapper;

        private _wsCredToken() {
        }

        static {
            _wsCredTokenMapper = null;
            try {
                Class mapperClass = Class.forName("com.ibm.ws.security.token.WSCredentialTokenMapper");
                Object mapper = mapperClass.newInstance();
                if (LoginProcessor.tc.isDebugEnabled()) {
                    Tr.debug(LoginProcessor.tc, "Got instance of WSCredTokenMapper.");
                }
                // A ClassCastException here is caught below and leaves the mapper null.
                _wsCredTokenMapper = (WSCredentialTokenMapperInterface) mapper;
            } catch (Exception e) {
                FFDCFilter.processException(e, new StringBuffer().append(LoginProcessor.clsName).append(CreateServletTemplateModel.INIT).toString(), "1120");
            }
        }
    }

    /**
     * Marks the component as initialized.
     * <p>
     * Nothing from {@code map} is consumed; the only effect is setting {@code _initialized}.
     *
     * @param map component configuration (unused here)
     * @throws SoapSecurityException declared for interface compatibility; never thrown here
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        final String sig = "init(Map map)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, sig);
        }
        // Idempotent: a second call leaves the flag true.
        this._initialized = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, sig);
        }
    }

    /**
     * Consumer entry point: selects the caller token, authenticates with it and records the outcome.
     * <p>
     * Order matters: the per-call JAAS settings ({@code JAAS_LOGINCONFIG}, {@code JAAS_PASSLOGINSUBJECT})
     * are removed from the context only after {@code login} has used them and before the Subject is
     * finalized, so they do not leak into later processing.
     *
     * @param node the target element (only used for the trace message)
     * @param map  the message context; must contain the consumer config under its config key
     * @throws SoapSecurityException propagated from caller selection or login
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSConsumerComponent
    public void invoke(Node node, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            StringBuffer entry = new StringBuffer("invoke(Element target[");
            entry.append(DOMUtil.getDisplayName(node)).append("], ").append("Map context)");
            Tr.entry(tc, entry.toString());
        }
        // A missing consumer config is a programming error; the cast/dereference fails with NPE.
        WSSConsumerConfig consumerConfig = (WSSConsumerConfig) map.get("com.ibm.wsspi.wssecurity.config.wssConsumer.configKey");
        Token callerToken = checkCaller(consumerConfig.getCallers(), map);
        login(callerToken, map);
        map.remove(JAAS_LOGINCONFIG);
        map.remove(JAAS_PASSLOGINSUBJECT);
        TokenManager.finalizeSubject(map);
        cacheInformation(callerToken, map);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Element target,Map context)");
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:79:0x0214, code lost:
    
        throw com.ibm.wsspi.wssecurity.SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_AUTHENTICATION, "security.wssecurity.LoginProcessor.s07");
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Selects the token to log in with for the configured callers.
     * <p>
     * Decompiler stub: the real method body (766 bytecode instructions) was not recovered, and this
     * placeholder throws unconditionally. The one fragment the decompiler did recover (see the comment
     * above) shows that at least one path ends in
     * {@code SoapSecurityException.format(FAILED_AUTHENTICATION, "security.wssecurity.LoginProcessor.s07")}.
     * From its use in {@code invoke} and {@code login}: it is expected to return the Token matching a
     * caller config and, presumably, to place JAAS_LOGINCONFIG / JAAS_PASSLOGINSUBJECT into the context
     * (login() reads JAAS_PASSLOGINSUBJECT unconditionally) - confirm against the original source.
     *
     * @param r5 the caller configurations (a Set of WSSConsumerConfig.CallerConfig, by the callee signature)
     * @param r6 the message context
     * @return the token selected for login
     * @throws SoapSecurityException when no caller can be satisfied
     */
    private static com.ibm.wsspi.wssecurity.auth.token.Token checkCaller(java.util.Set r5, java.util.Map r6) throws com.ibm.wsspi.wssecurity.SoapSecurityException {
        /*
            Method dump skipped, instructions count: 766
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.webservices.wssecurity.token.LoginProcessor.checkCaller(java.util.Set, java.util.Map):com.ibm.wsspi.wssecurity.auth.token.Token");
    }

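    /**
     * Checks that every extra property of a caller configuration is matched by the token.
     * <p>
     * Reserved keys (the caller token namespace and local name, and the two JAAS settings) are
     * skipped. For every other key the token must carry exactly one attribute value and it must equal
     * the configured value: a missing or multi-valued attribute ends the check with {@code false}, a
     * differing value marks the result {@code false} but the remaining keys are still traced. A null
     * or empty property map passes trivially.
     * <p>
     * Fix versus the decompiled form: the "values is invalid" / {@code z = false} step previously ran
     * after the loop on every path, so the check failed for any caller config that had properties at
     * all; it is now confined to the invalid-attribute branch.
     *
     * @param callerConfig the caller configuration whose properties are checked
     * @param token        the token whose attributes are compared
     * @return true when all configured properties match, false otherwise
     */
    private static boolean checkProperties(WSSConsumerConfig.CallerConfig callerConfig, Token token) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, new StringBuffer().append("checkProperties(CallerConfig cconfig[").append(callerConfig).append("],").append("Token token[").append(token).append("])").toString());
        }
        boolean z = true;
        Map properties = callerConfig.getProperties();
        if (properties != null) {
            Set keySet = properties.keySet();
            if (keySet != null && !keySet.isEmpty()) {
                Iterator it = keySet.iterator();
                while (it.hasNext()) {
                    String str = (String) it.next();
                    if (Constants.WSSECURITY_CALLER_TOKEN_NS.equals(str) || Constants.WSSECURITY_CALLER_TOKEN_LN.equals(str) || JAAS_LOGINCONFIG.equals(str) || JAAS_PASSLOGINSUBJECT.equals(str)) {
                        // reserved keys are routing/JAAS settings, not token attributes
                        continue;
                    }
                    String str2 = (String) properties.get(str);
                    String[] attributes = token.getAttributes(str);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("key [").append(str).append("], value [").append(str2).append("], values [").append(attributes).append("].").toString());
                    }
                    if (attributes == null || attributes.length != 1) {
                        // exactly one value is required; anything else is an invalid attribute set
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "values is invalid.");
                        }
                        z = false;
                        break;
                    }
                    // a null configured value can never match (avoids NPE on str2.equals)
                    if (str2 == null || !str2.equals(attributes[0])) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("value [").append(str2).append("] is different from values[0] [").append(attributes[0]).append("].").toString());
                        }
                        z = false;
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "CallerConfig's properties has no entry.");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "properties is null.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, new StringBuffer().append("checkProperties(CallerConfig cconfig,Token token) returns boolean[").append(z).append(CeiString.END_SQUARE_BRACKET).toString());
        }
        return z;
    }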

    /**
     * Authenticates the caller identified by {@code token} and places the resulting Subject in the context.
     * <p>
     * Flow: (1) derive a unique ID from the tokens already in the context Subject and look the Subject
     * up in the AuthCache (by ID, or by token when no ID is available); (2) if a cached Subject is
     * found, keep it unless its WSCredential is destroyed or, for a forwardable credential, the cushion
     * validity check fails; (3) otherwise run the token-type-specific login and insert the new Subject
     * into the cache. Every failure inside the login step is mapped to FAILED_AUTHENTICATION, so the
     * method fails closed.
     *
     * @param token the token selected by checkCaller; marked as used for login on return
     * @param map   the message context; reads WSSECURITY_SUBJECT and JAAS_PASSLOGINSUBJECT, and the
     *              addToSubject callees write the Subject back under WSSECURITY_SUBJECT
     * @throws SoapSecurityException when the token is unusable, an LTPA wrapper carries no credential,
     *                               or the JAAS login fails
     */
    private void login(Token token, Map map) throws SoapSecurityException {
        // Holder for the cached WSCredential class literal (decompiled class$ idiom, see below).
        Class cls;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, new StringBuffer().append("login(Token token[").append(token).append("],").append("Map context)").toString());
        }
        Subject subject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        // Default realm for the token-based cache lookup; a missing ContextManager is logged as an
        // error and leaves the realm null, processing continues.
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        String str = null;
        if (contextManagerFactory == null) {
            Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
        } else {
            str = contextManagerFactory.getDefaultRealm();
        }
        // str2 = unique ID derived from the tokens in the context Subject; stays null when the mapper
        // holder failed to load, the Subject is absent, or the mapper throws (traced, not propagated).
        WSCredentialTokenMapperInterface wSCredentialTokenMapperInterface = null;
        String str2 = null;
        try {
            wSCredentialTokenMapperInterface = _wsCredToken._wsCredTokenMapper;
            if (wSCredentialTokenMapperInterface != null && subject != null) {
                str2 = wSCredentialTokenMapperInterface.createSubjectUniqueID(subject);
            }
        } catch (Exception e) {
            Tr.processException(e, new StringBuffer().append(clsName).append(".login").toString(), "425", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception while getting unique ID from subject.", new Object[]{e});
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append("Unique ID from tokens in contextSubject: ").append(str2).toString());
        }
        // Cache lookup: by unique ID when one exists, otherwise by the token itself. subject2 is only
        // ever non-null when securityCache is non-null.
        SecurityCache securityCache = _authCacheClass._authCache;
        Subject subject2 = null;
        if (securityCache != null) {
            if (str2 == null || str2.length() == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unique ID based on tokens is null. Look for Subject in AuthCache using token.");
                }
                subject2 = getCachedSubjectUsingToken(securityCache, token, str);
            } else {
                try {
                    subject2 = securityCache.getSubject(str2);
                } catch (CacheException e2) {
                    Tr.processException(e2, new StringBuffer().append(clsName).append(".login").toString(), "448", this);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Caught exception while looking up subject from AuthCache.", new Object[]{e2});
                    }
                }
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Not looking Subject in cache because SecurityCache instance is null.");
        }
        // Validate a cache hit before trusting it.
        if (subject2 != null) {
            Subject subject3 = subject2;
            if (class$com$ibm$websphere$security$cred$WSCredential == null) {
                cls = class$("com.ibm.websphere.security.cred.WSCredential");
                class$com$ibm$websphere$security$cred$WSCredential = cls;
            } else {
                cls = class$com$ibm$websphere$security$cred$WSCredential;
            }
            // NOTE(review): next() on an empty credential set throws NoSuchElementException instead of
            // yielding null, so the "No WSCredential" branch below is reached only if the set yields a
            // null element; that exception is outside the try below and propagates out of login().
            WSCredential wSCredential = (WSCredential) subject3.getPublicCredentials(cls).iterator().next();
            if (wSCredential != null) {
                boolean isDestroyed = wSCredential.isDestroyed();
                boolean z = false;
                try {
                    z = wSCredential.isForwardable();
                } catch (Exception e3) {
                    // an unreadable credential is treated as destroyed
                    isDestroyed = true;
                }
                // NOTE(review): when the mapper holder failed to load, str2 is null, the Subject comes
                // from the token lookup above, and this dereference of a null mapper throws NPE.
                boolean checkCushionValidityOfAllTokens = wSCredentialTokenMapperInterface.checkCushionValidityOfAllTokens(subject2, securityCache.getCushion());
                if (tc.isDebugEnabled()) {
                    if (z) {
                        Tr.debug(tc, new StringBuffer().append("credential is forwardable, subject valid = ").append(checkCushionValidityOfAllTokens).toString());
                    } else {
                        Tr.debug(tc, "non-forwardable Subject");
                    }
                }
                // Reject when destroyed, or when forwardable and the cushion check failed. A
                // non-forwardable credential is not subject to the cushion check here.
                if (isDestroyed || (z && !checkCushionValidityOfAllTokens)) {
                    subject2 = null;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Cached subject is valid.");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No WSCredential in Subject, logging in again.");
                }
                subject2 = null;
            }
        }
        if (subject2 == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject not found in AuthCache.");
            }
            String loginConfig = getLoginConfig(map);
            // Presumably placed in the context by checkCaller (invoke() removes it after login);
            // if the key is absent this cast throws NPE.
            boolean z2 = !((Boolean) map.get(JAAS_PASSLOGINSUBJECT)).booleanValue();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("useOldBehavior=").append(z2).toString());
            }
            try {
                if (token instanceof UsernameToken) {
                    UsernameToken usernameToken = (UsernameToken) token;
                    String username = usernameToken.getUsername();
                    if (username == null || username.length() == 0) {
                        Tr.error(tc, "security.wssecurity.WSEC6735E", new Object[]{token.getType().toString(), "Login cancelled: username string is null or empty."});
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s11", "Login cancelled: username string is null or empty.");
                    }
                    // The password is read under doPrivileged so the read succeeds with this code's
                    // own permissions regardless of the caller's.
                    char[] cArr = (char[]) AccessController.doPrivileged(new PrivilegedAction(this, usernameToken) { // from class: com.ibm.ws.webservices.wssecurity.token.LoginProcessor.1
                        private final UsernameToken val$untPriv;
                        private final LoginProcessor this$0;

                        {
                            this.this$0 = this;
                            this.val$untPriv = usernameToken;
                        }

                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return this.val$untPriv.getPassword();
                        }
                    });
                    String str3 = null;
                    if (cArr != null) {
                        // Copied into an immutable String: the secret can no longer be zeroed here.
                        str3 = new String(cArr);
                    }
                    // No password => identity assertion: nothing in this method verifies the asserted
                    // username; the IDAssertion JAAS configuration is responsible for establishing trust.
                    // With a password, the password-taking jaasLogin overload performs the check.
                    if (str3 == null || str3.length() == 0) {
                        username = callingMappingLoginModule(JAASCONFIG_IDASSERTION, token, subject, username);
                        subject2 = jaasLogin(map, z2, loginConfig, subject, username, str);
                    } else {
                        subject2 = jaasLogin(map, z2, loginConfig, subject, username, str, str3);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "UsernameToken found.");
                        // Only the presence of a password is traced, never its value.
                        Tr.debug(tc, new StringBuffer().append("Username [").append(username).append("], Password [").append(cArr == null ? "null" : "not null").append("].").toString());
                    }
                } else if (token instanceof X509BSToken) {
                    X509BSToken x509BSToken = (X509BSToken) token;
                    // Map the certificate to a registry user; fall back to the token's principal string.
                    String mapCertificate = UserRegistryProcessor.mapCertificate(x509BSToken.getCert());
                    if (mapCertificate == null || mapCertificate.length() == 0) {
                        mapCertificate = token.getPrincipal();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("User security from X509BSToken.getPrincipal() [").append(mapCertificate).append(CeiString.END_SQUARE_BRACKET).toString());
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("User security from UserRegistryProcessor.mapCertificate() [").append(mapCertificate).append(CeiString.END_SQUARE_BRACKET).toString());
                    }
                    subject2 = jaasLogin(map, z2, loginConfig, subject, callingMappingLoginModule(JAASCONFIG_SIGNATURE, token, subject, mapCertificate), str);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "X509BSToken found.");
                        Tr.debug(tc, new StringBuffer().append("Username [").append(x509BSToken.getCert().getSubjectX500Principal().getName()).append("].").toString());
                    }
                } else if (token instanceof LTPATokenWrapper) {
                    // No JAAS login for a wrapper: its credential, principal and the token itself are
                    // copied straight into the context Subject, so acceptance rests on whatever
                    // validated the wrapper earlier in the pipeline (not visible here).
                    LTPATokenWrapper lTPATokenWrapper = (LTPATokenWrapper) token;
                    WSCredential wSCredential2 = (WSCredential) AccessController.doPrivileged(new PrivilegedAction(this, lTPATokenWrapper) { // from class: com.ibm.ws.webservices.wssecurity.token.LoginProcessor.2
                        private final LTPATokenWrapper val$tokPriv;
                        private final LoginProcessor this$0;

                        {
                            this.this$0 = this;
                            this.val$tokPriv = lTPATokenWrapper;
                        }

                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return this.val$tokPriv.getWSCredential();
                        }
                    });
                    WSPrincipal wSPrincipal = lTPATokenWrapper.getWSPrincipal();
                    if (wSCredential2 == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "No WSCredential found in LTPATokenWrapper.");
                        }
                        throw SoapSecurityException.format("security.wssecurity.WSEC0168E");
                    }
                    addToSubject(map, wSCredential2);
                    addToSubject(map, wSPrincipal);
                    addToSubject(map, token);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "LTPATokenWrapper found.");
                        Tr.debug(tc, new StringBuffer().append("WSCredential [").append(wSCredential2).append("].").toString());
                        Tr.debug(tc, new StringBuffer().append("WSPrincipal [").append(wSPrincipal).append("].").toString());
                    }
                } else if (token instanceof LTPAToken) {
                    // Raw LTPA token: the token bytes are handed to the JAAS login for validation.
                    byte[] bArr = (byte[]) AccessController.doPrivileged(new PrivilegedAction(this, (LTPAToken) token) { // from class: com.ibm.ws.webservices.wssecurity.token.LoginProcessor.3
                        private final LTPAToken val$tokenPriv;
                        private final LoginProcessor this$0;

                        {
                            this.this$0 = this;
                            this.val$tokenPriv = r5;
                        }

                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return this.val$tokenPriv.getBytes();
                        }
                    });
                    if (bArr == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Null credential value found for the LTPA token to login.");
                        }
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s12", "Login cancelled by invalid token.");
                    }
                    subject2 = jaasLogin(map, z2, loginConfig, subject, bArr);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "LTPA Token found.");
                        // Traces the array reference (default toString), not the token bytes.
                        Tr.debug(tc, new StringBuffer().append("Credential [").append(bArr).append("].").toString());
                    }
                } else {
                    // Any other token type: its principal string is asserted through the IDAssertion
                    // mapping login; a null or blank principal is rejected.
                    String principal = token.getPrincipal();
                    if (principal == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Null principal value found for the custom token to login.");
                        }
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", "Login cancelled by invalid token.");
                    }
                    String trim = principal.trim();
                    if (trim.length() == 0) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Principal value is zero length value for the custom token to login.");
                        }
                        throw SoapSecurityException.format("security.wssecurity.LoginProcessor.s13", "Login cancelled by invalid token.");
                    }
                    subject2 = jaasLogin(map, z2, loginConfig, subject, callingMappingLoginModule(JAASCONFIG_IDASSERTION, token, subject, trim), str);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("Token [").append(token.getType()).append("] found.").toString());
                        Tr.debug(tc, new StringBuffer().append("Principal [").append(token.getPrincipal()).append("].").toString());
                    }
                }
                // Register the fresh Subject in the AuthCache so the next call carrying the same tokens
                // can be served by the lookup above. Skipped when the mapper or cache is unavailable.
                if (wSCredentialTokenMapperInterface != null && subject2 != null && securityCache != null) {
                    if (z2) {
                        addTokensToLoginSubject(map, subject2);
                    } else {
                        // New behaviour: the context Subject is emptied and then synced from the login Subject.
                        subject.getPrincipals().clear();
                        subject.getPublicCredentials().clear();
                        subject.getPrivateCredentials().clear();
                        syncSubject(subject2, subject, false);
                    }
                    String createSubjectUniqueID = wSCredentialTokenMapperInterface.createSubjectUniqueID(subject2);
                    if (createSubjectUniqueID == null || createSubjectUniqueID.length() == 0) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unique ID is null. Adding Subject to AuthCache");
                        }
                        securityCache.insert(subject2);
                    } else {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("Adding Subject with ID ").append(createSubjectUniqueID).append(" to AuthCache").toString());
                        }
                        securityCache.insert(subject2, new Object[]{createSubjectUniqueID});
                    }
                }
            } catch (LoginException e4) {
                // Fail closed: JAAS failures and any other exception become FAILED_AUTHENTICATION,
                // with the cause attached.
                Tr.processException(e4, new StringBuffer().append(clsName).append(".login").toString(), "677", this);
                Tr.error(tc, "security.wssecurity.WSEC6735E", new Object[]{token.getType().toString(), e4});
                throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_AUTHENTICATION, "security.wssecurity.LoginProcessor.s11", e4);
            } catch (Exception e5) {
                Tr.processException(e5, new StringBuffer().append(clsName).append(".login").toString(), "682", this);
                Tr.error(tc, "security.wssecurity.WSEC6735E", new Object[]{token.getType().toString(), e5});
                throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_AUTHENTICATION, "security.wssecurity.LoginProcessor.s11", e5);
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject found in AuthCache.");
            }
            // Cache hit: merge the cached Subject into the context Subject.
            addToSubject(map, subject2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append("Subject after authentication: ").append(subject2).toString());
        }
        // Marked whether the Subject came from the cache or from a fresh login.
        token.setUsedToLogin(true);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login(Token token, Map context)");
        }
    }

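    /**
     * Runs the mapping JAAS login for an identity that has already been extracted from a token.
     * <p>
     * The identity is first normalized through {@link KeyStoreKeyLocator#encodedName}; if that
     * fails the raw identity is used. The login is driven by a callback handler that carries only
     * the token's XML element and the username - no password - so the configured login module is
     * what verifies the assertion. A login module may publish a replacement name in the shared
     * properties under {@code "LoginUsername"}; a non-blank value overrides the normalized name.
     *
     * @param str     the JAAS configuration name to use (IDAssertion or Signature)
     * @param token   the token the identity was taken from
     * @param subject the context Subject passed to the LoginContext (the login may populate it)
     * @param str2    the identity to map
     * @return the mapped security name, never null when {@code str2} is non-null
     * @throws LoginException when the mapping login fails
     */
    private String callingMappingLoginModule(String str, Token token, Subject subject, String str2) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, new StringBuffer().append("callingMappingLoginModule(jassLoginConfig=[").append(str).append("], token=[").append(token).append("], contextSubject=[").append(subject).append("], identity=[").append(str2).append("])").toString());
        }
        String str3 = null;
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Normalizing identity");
            }
            str3 = KeyStoreKeyLocator.encodedName(str2);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("securityName=[").append(str3).append(CeiString.END_SQUARE_BRACKET).toString());
            }
        } catch (KeyLocatorException e) {
            // Best-effort normalization: fall back to the identity as given, but keep the cause in
            // the trace (str3 is still null here, so the identity itself is what is worth showing).
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Error normalizing identity, securityName=[").append(str2).append(CeiString.END_SQUARE_BRACKET).toString(), new Object[]{e});
            }
            str3 = str2;
        }
        WSCallbackHandlerFactoryImpl wSCallbackHandlerFactoryImpl = new WSCallbackHandlerFactoryImpl();
        wSCallbackHandlerFactoryImpl.setXMLToken(token.getElement());
        wSCallbackHandlerFactoryImpl.setUsername(str3);
        // Shared with the login modules; they may write "LoginUsername" into it.
        HashMap hashMap = new HashMap();
        wSCallbackHandlerFactoryImpl.setProperties(hashMap);
        new LoginContext(str, subject, wSCallbackHandlerFactoryImpl.newCallbackHandler()).login();
        String str4 = (String) hashMap.get("LoginUsername");
        if (str4 != null) {
            String trim = str4.trim();
            if (trim.length() != 0) {
                str3 = trim;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, new StringBuffer().append("callingMappingLoginModule() returns ").append(str3).toString());
        }
        return str3;
    }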

    /**
     * Merges a login Subject into the Subject held in the context.
     * <p>
     * The context Subject is read from {@code WSSECURITY_SUBJECT}, updated through
     * {@code syncSubject(loginSubject, contextSubject, true)} and stored back under the same key.
     *
     * @param map     the message context
     * @param subject the Subject produced by the login (or taken from the AuthCache)
     */
    public static void addToSubject(Map map, Subject subject) {
        final String sig = "addToSubject(context, loginSubject)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, sig);
        }
        Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        syncSubject(subject, contextSubject, true);
        map.put(Constants.WSSECURITY_SUBJECT, contextSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, sig);
        }
    }

    /**
     * Adds a WSCredential to the public credentials of the context Subject, unless it is already there.
     * <p>
     * The mutation runs inside {@code AccessController.doPrivileged} so it is performed with this
     * code's own permissions rather than the caller's. The (same) Subject is stored back under
     * {@code WSSECURITY_SUBJECT}.
     *
     * @param map          the message context
     * @param wSCredential the credential to add
     */
    private void addToSubject(Map map, WSCredential wSCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubject(context, wsCred)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        final WSCredential cred = wSCredential;
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                Set publicCreds = contextSubject.getPublicCredentials();
                boolean debug = LoginProcessor.tc.isDebugEnabled();
                if (publicCreds.contains(cred)) {
                    if (debug) {
                        Tr.debug(LoginProcessor.tc, "WSCredential already in Subject: " + cred);
                    }
                } else {
                    if (debug) {
                        Tr.debug(LoginProcessor.tc, "Adding WSCredential to Subject: " + cred);
                    }
                    publicCreds.add(cred);
                }
                return null;
            }
        });
        map.put(Constants.WSSECURITY_SUBJECT, contextSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubject(context, wsCred)");
        }
    }

    /**
     * Adds a ws-security Token to the private credentials of the context Subject, unless it is already there.
     *
     * <p>Tokens are kept in the private (not public) credential set. The mutation runs in a privileged
     * block; the same Subject instance is stored back into the context afterwards.
     *
     * @param map   the message context holding the ws-security Subject
     * @param token the token to add to the Subject's private credentials
     */
    private void addToSubject(Map map, Token token) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubject(context, token)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        final Token wsToken = token;
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                final boolean alreadyPresent = contextSubject.getPrivateCredentials().contains(wsToken);
                if (LoginProcessor.tc.isDebugEnabled()) {
                    Tr.debug(LoginProcessor.tc,
                            (alreadyPresent ? "Token already in Subject: " : "Adding Token to Subject: ") + wsToken);
                }
                if (!alreadyPresent) {
                    contextSubject.getPrivateCredentials().add(wsToken);
                }
                return null;
            }
        });
        map.put(Constants.WSSECURITY_SUBJECT, contextSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubject(context, token)");
        }
    }

    /**
     * Adds a WSPrincipal to the principal set of the context Subject, unless it is already there.
     *
     * <p>The mutation runs in a privileged block; the same Subject instance is stored back into the
     * context afterwards.
     *
     * @param map         the message context holding the ws-security Subject
     * @param wSPrincipal the principal to add to the Subject
     */
    private void addToSubject(Map map, WSPrincipal wSPrincipal) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubject(context, princ)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        final WSPrincipal principal = wSPrincipal;
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                final boolean alreadyPresent = contextSubject.getPrincipals().contains(principal);
                if (LoginProcessor.tc.isDebugEnabled()) {
                    Tr.debug(LoginProcessor.tc,
                            (alreadyPresent ? "WSPrincipal already in Subject: " : "Adding WSPrincipal to Subject: ") + principal);
                }
                if (!alreadyPresent) {
                    contextSubject.getPrincipals().add(principal);
                }
                return null;
            }
        });
        map.put(Constants.WSSECURITY_SUBJECT, contextSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubject(context, princ)");
        }
    }

    /**
     * Copies every non-null private credential of the context Subject into the given login Subject,
     * skipping entries the login Subject already contains.
     *
     * <p>Only private credentials are copied here (public credentials and principals are not touched).
     * The copy runs in a privileged block. Assumes the context holds a Subject under
     * {@code Constants.WSSECURITY_SUBJECT}; a missing one fails inside the privileged action.
     *
     * @param map     the message context holding the ws-security Subject (the source)
     * @param subject the login Subject that receives the private credentials (the target)
     */
    private void addTokensToLoginSubject(Map map, Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addTokensToLoginSubject(context, loginSubject)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        final Subject loginSubject = subject;
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                for (Object credential : contextSubject.getPrivateCredentials()) {
                    if (credential == null) {
                        continue;
                    }
                    if (loginSubject.getPrivateCredentials().contains(credential)) {
                        if (LoginProcessor.tc.isDebugEnabled()) {
                            Tr.debug(LoginProcessor.tc, "Private object already in Subject: " + credential);
                        }
                        continue;
                    }
                    if (LoginProcessor.tc.isDebugEnabled()) {
                        Tr.debug(LoginProcessor.tc, "Adding private object to Subject: " + credential);
                    }
                    loginSubject.getPrivateCredentials().add(credential);
                }
                return null;
            }
        });
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addTokensToLoginSubject(context, loginSubject)");
        }
    }

    /**
     * Records the initial sender in the thread's security ContextManager: the context Subject under
     * {@code Constants.WSSECURITY_INITIAL_SENDER_ID}, and, for an X.509 token, the sender's certificate
     * under {@code Constants.WSSECURITY_INITIAL_SENDER_CERT}.
     *
     * <p>If no ContextManager is available an error is traced and nothing is stored. The
     * {@code SoapSecurityException} in the signature is not thrown by this body; it is kept for callers.
     *
     * @param token the token the caller was authenticated with; only X509BSToken contributes a certificate
     * @param map   the message context holding the ws-security Subject
     * @throws SoapSecurityException declared for API compatibility; not raised here
     */
    private void cacheInformation(Token token, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cacheInformation(Token token[" + token + "],Map context)");
        }
        final Subject contextSubject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        final ContextManager contextManager = ContextManagerFactory.getInstance();
        if (contextManager != null) {
            contextManager.put(Constants.WSSECURITY_INITIAL_SENDER_ID, contextSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Initial Sender is set.");
            }
            if (token instanceof X509BSToken) {
                // Keep the sender's certificate alongside the Subject so downstream code can see who signed.
                contextManager.put(Constants.WSSECURITY_INITIAL_SENDER_CERT, ((X509BSToken) token).getCert());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Initial Cert is set.");
                }
            }
        } else {
            Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cacheInformation(Token token,Map context)");
        }
    }

    /**
     * Looks up a previously authenticated Subject in the security cache, keyed by the kind of token
     * presented.
     *
     * <ul>
     *   <li>UsernameToken: keyed by realm and user name; when the token carries a non-empty password the
     *       cache is queried with it, otherwise by user name alone.</li>
     *   <li>LTPATokenWrapper: never served from the cache (always {@code null}).</li>
     *   <li>LTPAToken: keyed by the raw token bytes.</li>
     *   <li>X509BSToken: keyed by realm and the registry-mapped certificate name, falling back to the
     *       token's principal when mapping yields nothing.</li>
     *   <li>anything else: keyed by realm and the token's principal, if it has one.</li>
     * </ul>
     *
     * <p>Any exception from the lookup is traced at debug level and turns into a {@code null} result; the
     * caller presumably then performs a full JAAS login — confirm against the call site. Note that the
     * UsernameToken password is copied from {@code char[]} into a {@code String} for the cache API, which
     * leaves a copy of the secret on the heap that cannot be zeroed.
     *
     * @param securityCache the authentication cache; {@code null} disables the lookup
     * @param token         the token presented by the caller; {@code null} disables the lookup
     * @param str           the realm used as part of the cache key
     * @return the cached Subject, or {@code null} when there is none or the lookup failed
     */
    private Subject getCachedSubjectUsingToken(SecurityCache securityCache, Token token, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCachedSubjectUsingToken(cache, token, realm)");
        }
        Subject cached = null;
        if (securityCache != null && token != null) {
            try {
                if (token instanceof UsernameToken) {
                    final UsernameToken usernameToken = (UsernameToken) token;
                    final String username = usernameToken.getUsername();
                    if (username != null && username.length() > 0) {
                        final char[] passwordChars = (char[]) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                            @Override
                            public Object run() {
                                return usernameToken.getPassword();
                            }
                        });
                        if (passwordChars == null || passwordChars.length == 0) {
                            cached = securityCache.getSubject(str, username);
                        } else {
                            cached = securityCache.getSubject(str, username, new String(passwordChars));
                        }
                    }
                } else if (token instanceof LTPATokenWrapper) {
                    // Wrapped LTPA tokens are deliberately not looked up.
                    cached = null;
                } else if (token instanceof LTPAToken) {
                    final LTPAToken ltpaToken = (LTPAToken) token;
                    final byte[] tokenBytes = (byte[]) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                        @Override
                        public Object run() {
                            return ltpaToken.getBytes();
                        }
                    });
                    if (tokenBytes != null) {
                        cached = securityCache.getSubject(tokenBytes);
                    }
                } else if (token instanceof X509BSToken) {
                    String mappedName = UserRegistryProcessor.mapCertificate(((X509BSToken) token).getCert());
                    if (mappedName == null || mappedName.length() == 0) {
                        mappedName = token.getPrincipal();
                    }
                    cached = securityCache.getSubject(str, mappedName);
                } else if (token.getPrincipal() != null) {
                    cached = securityCache.getSubject(str, token.getPrincipal());
                }
            } catch (Exception e) {
                // Best-effort lookup: a cache failure is not an authentication failure.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught exception looking up Subject from AuthCache: " + e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCachedSubjectUsingToken: returning Subject = " + cached);
        }
        return cached;
    }

    /**
     * Performs a JAAS login for a user name without a password (the callback handler is built with a
     * {@code null} password).
     *
     * <p>Because this maps an identity to a credential without proving possession of a secret, the
     * caller must hold {@code MAP_CREDENTIAL} whenever a SecurityManager is installed. With the old
     * behaviour enabled ({@code z}), the resulting Subject is merged into the context Subject.
     *
     * @param map     the message context
     * @param z       {@code true} for the old behaviour: log in without a seed Subject and merge the result
     *                into the context Subject afterwards
     * @param str     the JAAS login configuration (authentication mechanism alias) to use
     * @param subject the context Subject used to seed the login when {@code z} is {@code false}
     * @param str2    the user name; must be non-empty
     * @param str3    the realm passed to the callback handler
     * @return the Subject populated by the login modules, never {@code null}
     * @throws LoginException         if the JAAS login fails
     * @throws WSLoginFailedException if the user name is empty or the login produced no Subject
     */
    private Subject jaasLogin(Map map, boolean z, String str, Subject subject, String str2, String str3) throws LoginException, WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, user, realm)");
        }
        final SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting : " + MAP_CREDENTIAL.toString());
            }
            // Password-less login is a credential mapping; gate it on the runtime permission.
            securityManager.checkPermission(MAP_CREDENTIAL);
        }
        if (str2 == null || str2.length() == 0) {
            throw new WSLoginFailedException("Username is null.");
        }
        final CallbackHandler handler = WSCallbackHandlerFactory.getInstance().getCallbackHandler(str2, str3, (String) null);
        final LoginContext loginContext = getLoginContext(z, str, subject, handler);
        loginContext.login();
        final Subject loginSubject = loginContext.getSubject();
        if (loginSubject == null) {
            throw new WSLoginFailedException("Subject returned from login module is null.");
        }
        if (z) {
            addToSubject(map, loginSubject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, user, realm)");
        }
        return loginSubject;
    }

    /**
     * Performs a JAAS login for a user name and password.
     *
     * <p>Both the user name and the password must be non-empty; an empty password is rejected up front
     * rather than being handed to the login modules. With the old behaviour enabled ({@code z}), the
     * resulting Subject is merged into the context Subject.
     *
     * @param map     the message context
     * @param z       {@code true} for the old behaviour: log in without a seed Subject and merge the result
     *                into the context Subject afterwards
     * @param str     the JAAS login configuration (authentication mechanism alias) to use
     * @param subject the context Subject used to seed the login when {@code z} is {@code false}
     * @param str2    the user name; must be non-empty
     * @param str3    the realm passed to the callback handler
     * @param str4    the password; must be non-empty
     * @return the Subject populated by the login modules, never {@code null}
     * @throws LoginException         if the JAAS login fails
     * @throws WSLoginFailedException if the user name or password is empty or the login produced no Subject
     */
    private Subject jaasLogin(Map map, boolean z, String str, Subject subject, String str2, String str3, String str4) throws LoginException, WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, user, realm, password)");
        }
        final boolean missingUser = str2 == null || str2.length() == 0;
        final boolean missingPassword = str4 == null || str4.length() == 0;
        if (missingUser || missingPassword) {
            throw new WSLoginFailedException("Username and/or password is null.");
        }
        final CallbackHandler handler = WSCallbackHandlerFactory.getInstance().getCallbackHandler(str2, str3, str4);
        final LoginContext loginContext = getLoginContext(z, str, subject, handler);
        loginContext.login();
        final Subject loginSubject = loginContext.getSubject();
        if (loginSubject == null) {
            throw new WSLoginFailedException("Subject returned from login module is null.");
        }
        if (z) {
            addToSubject(map, loginSubject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, user, realm, password)");
        }
        return loginSubject;
    }

    /**
     * Performs a JAAS login from a raw token byte array (the callback handler is built from the bytes;
     * presumably an LTPA token — confirm against the call site).
     *
     * <p>No validation is done on the bytes here; a {@code null} array is passed through to the callback
     * handler factory. With the old behaviour enabled ({@code z}), the resulting Subject is merged into
     * the context Subject.
     *
     * @param map     the message context
     * @param z       {@code true} for the old behaviour: log in without a seed Subject and merge the result
     *                into the context Subject afterwards
     * @param str     the JAAS login configuration (authentication mechanism alias) to use
     * @param subject the context Subject used to seed the login when {@code z} is {@code false}
     * @param bArr    the token bytes handed to the callback handler
     * @return the Subject populated by the login modules, never {@code null}
     * @throws LoginException         if the JAAS login fails
     * @throws WSLoginFailedException if the login produced no Subject
     */
    private Subject jaasLogin(Map map, boolean z, String str, Subject subject, byte[] bArr) throws LoginException, WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, bytes)");
        }
        final CallbackHandler handler = WSCallbackHandlerFactory.getInstance().getCallbackHandler(bArr);
        final LoginContext loginContext = getLoginContext(z, str, subject, handler);
        loginContext.login();
        final Subject loginSubject = loginContext.getSubject();
        if (loginSubject == null) {
            throw new WSLoginFailedException("Subject returned from login module is null.");
        }
        if (z) {
            addToSubject(map, loginSubject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "jaasLogin(context, useOldBehavior, authMech, contextSubject, bytes)");
        }
        return loginSubject;
    }

    /**
     * Copies the public credentials, private credentials and principals of {@code subject} (source) into
     * {@code subject2} (target), skipping {@code null} entries and anything the target already holds.
     *
     * <p>When {@code z} (reportErrors) is set, an entry that is already present in the target is reported
     * as an error — message keys {@code s15} (public credential), {@code s16} (private credential that is
     * not a ws-security Token) and {@code s14} (principal). A ws-security Token already present in the
     * target's private credentials is only traced, never reported. The whole copy runs in a privileged
     * block. Both Subjects must be non-null.
     *
     * @param subject  the Subject whose contents are copied
     * @param subject2 the Subject that receives the copies
     * @param z        whether collisions with existing target entries are reported as errors
     */
    private static void syncSubject(Subject subject, Subject subject2, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "syncSubject(source, target, reportErrors=" + z + ")");
        }
        final Subject source = subject;
        final Subject target = subject2;
        final boolean reportErrors = z;
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                copyPublicCredentials();
                copyPrivateCredentials();
                copyPrincipals();
                return null;
            }

            // Debug trace of one entry, prefixed with what is happening to it.
            private void debug(String prefix, Object entry) {
                if (LoginProcessor.tc.isDebugEnabled()) {
                    Tr.debug(LoginProcessor.tc, prefix + entry);
                }
            }

            // Public credentials: collisions are errors when reportErrors is set.
            private void copyPublicCredentials() {
                for (Object entry : source.getPublicCredentials()) {
                    if (entry == null) {
                        continue;
                    }
                    if (target.getPublicCredentials().contains(entry)) {
                        if (reportErrors) {
                            Tr.error(LoginProcessor.tc, "security.wssecurity.LoginProcessor.s15");
                        }
                        debug("Public object already in Subject: ", entry);
                    } else {
                        debug("Adding public object to Subject: ", entry);
                        target.getPublicCredentials().add(entry);
                    }
                }
            }

            // Private credentials: collisions are errors when reportErrors is set, except for ws-security Tokens.
            private void copyPrivateCredentials() {
                for (Object entry : source.getPrivateCredentials()) {
                    if (entry == null) {
                        continue;
                    }
                    if (!target.getPrivateCredentials().contains(entry)) {
                        debug("Adding private object to Subject: ", entry);
                        target.getPrivateCredentials().add(entry);
                    } else if (reportErrors && entry instanceof Token) {
                        debug("ws-sec Token private object already in Subject: ", entry);
                    } else {
                        if (reportErrors) {
                            Tr.error(LoginProcessor.tc, "security.wssecurity.LoginProcessor.s16");
                        }
                        debug("Private object already in Subject: ", entry);
                    }
                }
            }

            // Principals: collisions are errors when reportErrors is set.
            private void copyPrincipals() {
                for (Principal principal : source.getPrincipals()) {
                    if (principal == null) {
                        continue;
                    }
                    if (target.getPrincipals().contains(principal)) {
                        if (reportErrors) {
                            Tr.error(LoginProcessor.tc, "security.wssecurity.LoginProcessor.s14");
                        }
                        debug("Principal object already in Subject: ", principal);
                    } else {
                        debug("Adding principal object to Subject: ", principal);
                        target.getPrincipals().add(principal);
                    }
                }
            }
        });
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "syncSubject(source, target, reportErrors=" + z + ")");
        }
    }

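    /**
     * Resolves the JAAS login configuration (authentication mechanism alias) to use for caller
     * processing and records it, together with the pass-login-subject flag, in the context.
     *
     * <p>If the context already names a login configuration under {@code JAAS_LOGINCONFIG}, that
     * value is used and the pass-login-subject flag is forced to {@code true}. Otherwise the alias comes
     * from the security configuration and the flag from the {@code JAAS_PASSLOGINSUBJECT} context
     * property. When neither the context nor the security configuration provides an alias, both context
     * keys are removed and the method fails.
     *
     * <p>Change from the original: the flag is stored via {@code Boolean.valueOf} instead of the
     * deprecated {@code new Boolean(...)} constructor; the stored value is equal either way.
     *
     * @param map the message context; updated in place with {@code JAAS_LOGINCONFIG} and {@code JAAS_PASSLOGINSUBJECT}
     * @return the login configuration alias that was stored in the context
     * @throws SoapSecurityException if no login configuration can be determined
     */
    private String getLoginConfig(Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLoginConfig");
        }
        final SecurityConfiguration securityConfiguration = VaultImpl.getSecurityConfiguration();
        String authMech = (String) map.get(JAAS_LOGINCONFIG);
        final boolean passLoginSubject;
        if (ConfigUtil.hasValue(authMech)) {
            // An explicitly configured login alias always gets the context Subject passed in.
            passLoginSubject = true;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting com.ibm.wsspi.wssecurity.Caller.passSubjectToLogin to " + true);
            }
        } else {
            if (securityConfiguration == null) {
                // Leave no half-initialised state behind before failing.
                map.remove(JAAS_PASSLOGINSUBJECT);
                map.remove(JAAS_LOGINCONFIG);
                throw new SoapSecurityException("JAAS Login Configuration is NULL for Caller Processing");
            }
            authMech = securityConfiguration.getAuthMechAuthAlias();
            passLoginSubject = ConfigUtil.getIsTrueProperty(map, JAAS_PASSLOGINSUBJECT);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "authMech is " + authMech);
            Tr.debug(tc, "passLoginSubject is " + passLoginSubject);
        }
        map.put(JAAS_LOGINCONFIG, authMech);
        map.put(JAAS_PASSLOGINSUBJECT, Boolean.valueOf(passLoginSubject));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLoginConfig");
        }
        return authMech;
    }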

    /**
     * Creates the JAAS LoginContext for a login.
     *
     * <p>With the old behaviour ({@code z}) the context is created without a Subject. Otherwise the login
     * runs against a fresh Subject that is first seeded with the context Subject's principals and
     * credentials (collisions are not reported during that seeding).
     *
     * @param z               {@code true} to create the LoginContext without a seed Subject
     * @param str             the JAAS login configuration name
     * @param subject         the context Subject used as the seed when {@code z} is {@code false}
     * @param callbackHandler the handler that supplies the login credentials
     * @return the configured LoginContext (login has not been performed yet)
     * @throws LoginException if the LoginContext cannot be created
     */
    private LoginContext getLoginContext(boolean z, String str, Subject subject, CallbackHandler callbackHandler) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLoginContext");
        }
        final LoginContext loginContext;
        if (!z) {
            final Subject seededSubject = new Subject();
            syncSubject(subject, seededSubject, false);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "creating LoginContext with Subject");
            }
            loginContext = new LoginContext(str, seededSubject, callbackHandler);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "creating LoginContext without Subject");
            }
            loginContext = new LoginContext(str, callbackHandler);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLoginContext");
        }
        return loginContext;
    }

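    /**
     * Loads a class by name, converting a missing class into an unchecked {@code NoClassDefFoundError}
     * that carries the original {@code ClassNotFoundException} as its cause.
     *
     * <p>Fix: {@code Throwable.initCause} returns {@code Throwable}, so the original
     * {@code throw new NoClassDefFoundError().initCause(e)} does not compile without a
     * {@code throws Throwable} clause; the error is now built, its cause attached, and then thrown.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // NoClassDefFoundError has no (message, cause) constructor; attach the cause explicitly.
            final NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            error.initCause(e);
            throw error;
        }
    }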

    // Static initialisation: resolve this class once (via the decompiler-style lazily cached class
    // literal), register the trace component, cache the class name, and build the permission that the
    // password-less login path checks for.
    static {
        Class self = class$com$ibm$ws$webservices$wssecurity$token$LoginProcessor;
        if (self == null) {
            self = class$("com.ibm.ws.webservices.wssecurity.token.LoginProcessor");
            class$com$ibm$ws$webservices$wssecurity$token$LoginProcessor = self;
        }
        tc = Tr.register(self, ConfigConstants.TR_GROUP, ConfigConstants.TR_NLSPROPS);
        clsName = self.getName();
        MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    }
}
