package org.apache.geronimo.tomcat.realm;

import java.io.IOException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.Constants;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JAASRealm;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.jacc.PolicyContextHandlerContainerSubject;
import org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler;
import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
import org.apache.geronimo.tomcat.JAASTomcatPrincipal;

/* loaded from: input_file:zips/geronimo-tomcat-j2ee-1.0.zip:geronimo-1.0/repository/geronimo/jars/geronimo-tomcat-1.0.jar:org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.class */
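public class TomcatGeronimoRealm extends JAASRealm {

    private static final Log log = LogFactory.getLog(TomcatGeronimoRealm.class);

    /**
     * Request being authorized on the current thread. Stored by
     * {@link #hasResourcePermission} and read back by {@link #hasRole}, which needs
     * it to derive the servlet name for the {@link WebRoleRefPermission}.
     * <p>
     * NOTE(review): the slot is never cleared, so a {@code hasRole} call on a pooled
     * thread outside of a request would see a stale {@code Request}; confirm the
     * valve ordering makes that unreachable.
     */
    private static final ThreadLocal<Request> currentRequest = new ThreadLocal<Request>();

    /** Value of {@code HttpServletResponse.SC_FORBIDDEN}; sent when a JACC check fails. */
    private static final int FORBIDDEN = 403;

    protected static final String info = "org.apache.geronimo.tomcat.TomcatGeronimoRealm/1.0";
    protected static final String name = "TomcatGeronimoRealm";

    /**
     * Enforces the transport guarantee for the request through JACC.
     * <p>
     * The container subject is taken from {@link PolicyContext}; when none is
     * available the decision is delegated to Tomcat's declarative check in
     * {@code RealmBase}. Otherwise a {@link WebUserDataPermission} for the servlet
     * path, HTTP method and transport type ({@code CONFIDENTIAL} when the request is
     * secure, {@code NONE} otherwise) is checked against the current Geronimo context.
     * <p>
     * NOTE(review): the permission name is built from {@code getServletPath()} only,
     * so any path-info part of the URL is not part of the checked name, whereas
     * {@link #hasResourcePermission} builds its permission from the whole request.
     * Confirm this is intended.
     *
     * @param request the request being authorized
     * @param response receives a 403 when the permission is denied
     * @param securityConstraintArr the constraints matched by Tomcat (only used by the fallback)
     * @return {@code true} when access is permitted, {@code false} after a 403 has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] securityConstraintArr) throws IOException {
        Subject subject = null;
        try {
            subject = (Subject) PolicyContext.getContext(PolicyContextHandlerContainerSubject.HANDLER_KEY);
        } catch (PolicyContextException e) {
            // Keep the stack trace; the previous code logged only the exception object.
            log.error("Unable to obtain the container subject from PolicyContext", e);
        }
        if (subject == null) {
            // No container subject: defer to Tomcat's declarative transport-guarantee check.
            return super.hasUserDataPermission(request, response, securityConstraintArr);
        }
        ContextManager.setCurrentCaller(subject);
        String transportType = request.isSecure() ? "CONFIDENTIAL" : "NONE";
        WebUserDataPermission permission = new WebUserDataPermission(
                request.getServletPath(), new String[]{request.getMethod()}, transportType);
        try {
            ContextManager.getCurrentContext().checkPermission(permission);
            return true;
        } catch (AccessControlException e) {
            response.sendError(FORBIDDEN);
            return false;
        }
    }

    /**
     * Decides whether the authenticated caller may access the requested resource.
     * <p>
     * The FORM-login pages (login page, error page and the {@code j_security_check}
     * submission) are always allowed, since they must be reachable before any
     * credentials exist. Otherwise the caller's {@link Subject} is installed as the
     * current caller and a {@link WebResourcePermission} for the request is checked.
     * <p>
     * NOTE(review): when the request carries no principal no JACC check is made and
     * the outcome is the transport flag alone; confirm this is the intended
     * behaviour for constraints that do not require authentication.
     *
     * @param request the request being authorized; remembered for {@link #hasRole}
     * @param response receives a 403 when the permission is denied
     * @param securityConstraintArr the constraints matched by Tomcat (not consulted here)
     * @param context the web application, used for its login configuration
     * @return {@code true} when access is permitted, {@code false} after a 403 has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        // Remember the request so hasRole() can derive the servlet name later on this thread.
        currentRequest.set(request);

        if (isFormLoginResource(request, context)) {
            return true;
        }

        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal == null) {
            return request.isSecure();
        }
        ContextManager.setCurrentCaller(((JAASTomcatPrincipal) userPrincipal).getSubject());
        try {
            ContextManager.getCurrentContext().checkPermission(new WebResourcePermission(request));
            return true;
        } catch (AccessControlException e) {
            response.sendError(FORBIDDEN);
            return false;
        }
    }

    /**
     * Returns {@code true} when FORM authentication is configured for the context and
     * the request targets the login page, the error page, or a
     * {@code /j_security_check} submission URL.
     *
     * @param request the request being authorized
     * @param context the web application whose login configuration is consulted
     * @return whether the request is one of the FORM-login resources
     */
    private boolean isFormLoginResource(Request request, Context context) {
        LoginConfig loginConfig = context.getLoginConfig();
        if (loginConfig == null || !"FORM".equals(loginConfig.getAuthMethod())) {
            return false;
        }
        String requestURI = request.getDecodedRequestURI();

        String loginPage = context.getPath() + loginConfig.getLoginPage();
        if (loginPage.equals(requestURI)) {
            if (log.isDebugEnabled()) {
                log.debug(" Allow access to login page " + loginPage);
            }
            return true;
        }

        String errorPage = context.getPath() + loginConfig.getErrorPage();
        if (errorPage.equals(requestURI)) {
            if (log.isDebugEnabled()) {
                log.debug(" Allow access to error page " + errorPage);
            }
            return true;
        }

        if (requestURI.endsWith("/j_security_check")) {
            if (log.isDebugEnabled()) {
                log.debug(" Allow access to username/password submission");
            }
            return true;
        }
        return false;
    }

    /**
     * Resolves the name of the servlet that will handle the request, following the
     * servlet-mapping precedence: exact match, longest path prefix ({@code /a/b/*}),
     * extension ({@code *.ext}), then the default servlet ({@code /}).
     * <p>
     * The JSP servlet and an unresolvable request both yield the empty string, which
     * is the unnamed servlet from the role-reference point of view.
     *
     * @param request the request being authorized
     * @return the servlet name, or {@code ""}; never {@code null}
     */
    private String getServletName(Request request) {
        String contextPath = request.getRequest().getContextPath();
        String path = request.getDecodedRequestURI().substring(contextPath.length());
        Context context = request.getContext();

        // 1. Exact-match mapping (the bare context root is never an exact mapping).
        String servletName = null;
        if (!path.equals("/")) {
            servletName = context.findServletMapping(path);
        }

        // 2. Longest path-prefix mapping: "/a/b/*", then "/a/*", then "/*".
        if (servletName == null) {
            String prefix = path;
            while (true) {
                servletName = context.findServletMapping(prefix + "/*");
                int slash = prefix.lastIndexOf('/');
                if (servletName != null || slash < 0) {
                    break;
                }
                prefix = prefix.substring(0, slash);
            }
        }

        // 3. Extension mapping on the last path segment, e.g. "*.jsp".
        if (servletName == null) {
            int slash = path.lastIndexOf('/');
            if (slash >= 0) {
                String lastSegment = path.substring(slash);
                int dot = lastSegment.lastIndexOf('.');
                if (dot >= 0) {
                    servletName = context.findServletMapping("*" + lastSegment.substring(dot));
                }
            }
        }

        // 4. Default servlet.
        if (servletName == null) {
            servletName = context.findServletMapping("/");
        }

        // Null-safe: the previous code dereferenced servletName for the JSP comparison
        // before its null check, so an unmapped request could throw NPE here.
        if (servletName == null || servletName.equals(Constants.JSP_SERVLET_NAME)) {
            return "";
        }
        return servletName;
    }

    /**
     * Checks a servlet role reference through JACC.
     * <p>
     * The role is scoped to the servlet handling the request remembered by
     * {@link #hasResourcePermission}; without that request the check fails closed.
     *
     * @param principal the authenticated principal; must be a {@link JAASTomcatPrincipal}
     * @param role the role name referenced by the servlet
     * @return {@code true} only when the {@link WebRoleRefPermission} is granted
     */
    @Override
    public boolean hasRole(Principal principal, String role) {
        if (principal == null || role == null || !(principal instanceof JAASTomcatPrincipal)) {
            return false;
        }
        Request request = currentRequest.get();
        if (request == null) {
            // Fail closed: without the request the role reference cannot be scoped to a servlet.
            log.error("No currentRequest found.");
            return false;
        }
        String servletName = getServletName(request);
        ContextManager.setCurrentCaller(((JAASTomcatPrincipal) principal).getSubject());
        try {
            ContextManager.getCurrentContext().checkPermission(new WebRoleRefPermission(servletName, role));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /**
     * Authenticates a username/password pair through JAAS.
     *
     * @param username the user name; {@code null} or empty fails the login
     * @param credentials the password, may be {@code null}
     * @return the authenticated principal, or {@code null} on any failure
     */
    @Override
    public Principal authenticate(String username, String credentials) {
        char[] password = credentials == null ? null : credentials.toCharArray();
        return authenticate(new PasswordCallbackHandler(username, password), username);
    }

    /**
     * Authenticates a client certificate chain through JAAS.
     * <p>
     * The subject DN of the first certificate in the chain is used as the principal
     * name; an empty or missing chain fails the login.
     *
     * @param x509CertificateArr the client certificate chain, may be {@code null}
     * @return the authenticated principal, or {@code null} on any failure
     */
    @Override
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        String subjectName = x509CertificateArr[0].getSubjectX500Principal().getName();
        return authenticate(new CertificateChainCallbackHandler(x509CertificateArr), subjectName);
    }

    /**
     * Runs a JAAS login for the given callback handler and wraps the resulting
     * server-side {@link Subject} in a {@link JAASTomcatPrincipal}.
     * <p>
     * Every failure — a rejected login, an expired account or credential, a missing
     * subject, or an unexpected error — results in {@code null}; no exception escapes.
     * The login-specific failures ({@link FailedLoginException},
     * {@link AccountExpiredException}, {@link CredentialExpiredException}) are now
     * handled before their supertype {@link LoginException}; the previous nesting
     * made those handlers unreachable.
     *
     * @param callbackHandler supplies the credentials to the JAAS login modules
     * @param username the principal name; {@code null} or empty fails the login
     * @return the authenticated principal, or {@code null} on any failure
     */
    public Principal authenticate(CallbackHandler callbackHandler, String username) {
        if (username == null || username.equals("")) {
            if (log.isDebugEnabled()) {
                log.debug("Login Failed - null userID");
            }
            return null;
        }
        try {
            if (this.appName == null) {
                this.appName = "Tomcat";
            }
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.beginLogin", username, this.appName));
            }
            LoginContext loginContext = createLoginContext(callbackHandler);
            if (loginContext == null) {
                return null;
            }
            if (log.isDebugEnabled()) {
                log.debug("Login context created " + username);
            }
            return login(loginContext, username);
        } catch (Throwable th) {
            // Last-resort guard at the authentication boundary: an unexpected failure
            // must read as "not authenticated", never propagate.
            log.error("error ", th);
            return null;
        }
    }

    /**
     * Creates the {@link LoginContext} for {@link #appName}, temporarily switching
     * the thread context class loader to this realm's loader when
     * {@link #isUseContextClassLoader()} is set. The previous loader is always
     * restored.
     *
     * @param callbackHandler supplies the credentials to the JAAS login modules
     * @return the context, or {@code null} if it could not be created (already logged)
     */
    private LoginContext createLoginContext(CallbackHandler callbackHandler) {
        ClassLoader previousLoader = null;
        if (isUseContextClassLoader()) {
            previousLoader = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        }
        try {
            return new LoginContext(this.appName, callbackHandler);
        } catch (Throwable th) {
            log.error(sm.getString("jaasRealm.unexpectedError"), th);
            return null;
        } finally {
            if (isUseContextClassLoader()) {
                Thread.currentThread().setContextClassLoader(previousLoader);
            }
        }
    }

    /**
     * Performs the JAAS login and builds the principal from the server-side subject.
     *
     * @param loginContext the prepared login context
     * @param username the principal name, used for logging and the principal
     * @return the authenticated principal, or {@code null} on any failure
     */
    private Principal login(LoginContext loginContext, String username) {
        try {
            loginContext.login();

            Subject subject = loginContext.getSubject();
            if (subject == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                }
                return null;
            }
            // Only the Geronimo server-side subject carries the authorization state.
            Subject serverSideSubject = ContextManager.getServerSideSubject(subject);
            if (serverSideSubject == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                }
                return null;
            }
            ContextManager.setCurrentCaller(serverSideSubject);
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.loginContextCreated", username));
            }
            JAASTomcatPrincipal principal = new JAASTomcatPrincipal(username);
            principal.setSubject(serverSideSubject);
            return principal;
        } catch (FailedLoginException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.failedLogin", username));
            }
            return null;
        } catch (AccountExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.accountExpired", username));
            }
            return null;
        } catch (CredentialExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.credentialExpired", username));
            }
            return null;
        } catch (LoginException e) {
            log.warn(sm.getString("jaasRealm.loginException", username), e);
            return null;
        } catch (Throwable th) {
            log.error(sm.getString("jaasRealm.unexpectedError"), th);
            return null;
        }
    }

    /**
     * Starts the realm; no additional work beyond {@link JAASRealm#start()}.
     *
     * @throws LifecycleException if the superclass fails to start
     */
    @Override
    public void start() throws LifecycleException {
        super.start();
    }

    /**
     * Stops the realm; no additional work beyond {@link JAASRealm#stop()}.
     *
     * @throws LifecycleException if the superclass fails to stop
     */
    @Override
    public void stop() throws LifecycleException {
        super.stop();
    }
}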
