package com.sun.web.security;

import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.WebComponentDescriptor;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.AppCNonceCacheMap;
import com.sun.enterprise.security.CNonceCacheFactory;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.WebSecurityDeployerProbeProvider;
import com.sun.enterprise.security.auth.digest.api.Constants;
import com.sun.enterprise.security.auth.digest.api.DigestAlgorithmParameter;
import com.sun.enterprise.security.auth.digest.api.Key;
import com.sun.enterprise.security.auth.login.DigestCredentials;
import com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.enterprise.security.ee.authentication.glassfish.digest.impl.DigestParameterGenerator;
import com.sun.enterprise.security.ee.authentication.glassfish.digest.impl.HttpAlgorithmParameterImpl;
import com.sun.enterprise.security.ee.authentication.glassfish.digest.impl.NestedDigestAlgoParamImpl;
import com.sun.enterprise.security.ee.jmac.AuthMessagePolicy;
import com.sun.enterprise.security.ee.jmac.ConfigDomainParser;
import com.sun.enterprise.security.ee.jmac.callback.ServerContainerCallbackHandler;
import com.sun.enterprise.security.ee.web.integration.WebPrincipal;
import com.sun.enterprise.security.ee.web.integration.WebSecurityManager;
import com.sun.enterprise.security.ee.web.integration.WebSecurityManagerFactory;
import com.sun.enterprise.security.integration.RealmInitializer;
import com.sun.enterprise.util.Utility;
import com.sun.enterprise.util.net.NetUtils;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.inject.Provider;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.ServletContext;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Container;
import org.apache.catalina.ContainerEvent;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.epicyro.config.helper.Caller;
import org.glassfish.epicyro.config.helper.CallerPrincipal;
import org.glassfish.epicyro.config.helper.HttpServletConstants;
import org.glassfish.epicyro.config.helper.PriviledgedAccessController;
import org.glassfish.epicyro.services.BaseAuthenticationService;
import org.glassfish.epicyro.services.DefaultAuthenticationService;
import org.glassfish.grizzly.config.dom.NetworkConfig;
import org.glassfish.grizzly.config.dom.NetworkListener;
import org.glassfish.grizzly.config.dom.NetworkListeners;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.common.CNonceCache;
import org.glassfish.security.common.Group;
import org.glassfish.security.common.NonceInfo;
import org.glassfish.security.common.UserNameAndPassword;
import org.jvnet.hk2.annotations.Service;

@Service
@PerLookup
/* loaded from: input_file:com/sun/web/security/RealmAdapter.class */
public final class RealmAdapter extends RealmBase implements RealmInitializer, PostConstruct {
    public static final String SECURITY_CONTEXT = "SecurityContext";
    public static final String BASIC = "BASIC";
    public static final String FORM = "FORM";

    @Deprecated
    private static final String REGISTER_WITH_AUTHENTICATOR = "com.sun.web.RealmAdapter.register";
    // Key in MessageInfo.getMap() under which the ServerAuthContext is looked up after authentication.
    private static final String SERVER_AUTH_CONTEXT = "__jakarta.security.auth.message.ServerAuthContext";
    // Request attribute under which the per-request MessageInfo is looked up.
    private static final String MESSAGE_INFO = "__jakarta.security.auth.message.MessageInfo";
    private static final String SYSTEM_HTTPSERVLET_SECURITY_PROVIDER = "system_httpservlet_security_provider";
    // Deployment descriptor of the web module; set by initializeRealm.
    private WebBundleDescriptor webBundleDescriptor;
    // Looked up by servlet name in preSetRunAsIdentity/postSetRunAsIdentity.
    // Stays null when the instance was built through a constructor and initializeRealm was never called.
    private HashMap<String, String> runAsPrincipals;
    private String realmName;
    protected static final String name = "J2EE-RI-RealmAdapter";
    // Context id used to look up the WebSecurityManager from the factory.
    private String contextId;
    private Container virtualServer;
    // Lazily resolved in getWebSecurityManager(boolean); volatile because it is read outside the synchronized block.
    protected volatile WebSecurityManager webSecurityManager;
    protected boolean isCurrentURIincluded = false;
    protected final ReadWriteLock rwLock = new ReentrantReadWriteLock();
    private boolean contextEvaluated = false;
    private String loginPage;
    private String errorPage;
    private String moduleID;
    private boolean isSystemApp;
    // Null until initAuthenticationService has run; every use in this class is guarded by a null check
    // or preceded by isSecurityExtensionEnabled.
    private BaseAuthenticationService authenticationService;

    @Inject
    private ServerContext serverContext;

    @Inject
    private Provider<AppCNonceCacheMap> appCNonceCacheMapProvider;

    @Inject
    private Provider<CNonceCacheFactory> cNonceCacheFactoryProvider;

    @Inject
    @Named(ServerEnvironment.DEFAULT_INSTANCE_NAME)
    private NetworkConfig networkConfig;

    @Inject
    protected WebSecurityManagerFactory webSecurityManagerFactory;
    // Client-nonce cache state; presumably backs DIGEST replay protection -- usage is not visible here, confirm.
    private CNonceCacheFactory cNonceCacheFactory;
    private CNonceCache cnonces;
    private AppCNonceCacheMap haCNonceCacheMap;
    private NetworkListeners networkListeners;
    // Auth type reported by AuthenticatorProxy when its constructor is given a null type.
    private static final String PROXY_AUTH_TYPE = "PLUGGABLE_PROVIDER";
    private static final Logger LOG = Logger.getLogger(RealmAdapter.class.getName(), "org.glassfish.main.web.security.LogMessages");
    private static final ResourceBundle resourceBundle = LOG.getResourceBundle();
    private static final WebSecurityDeployerProbeProvider websecurityProbeProvider = new WebSecurityDeployerProbeProvider();
    private static final SecurityConstraint[] emptyConstraints = new SecurityConstraint[0];
    // Computed once, at class initialisation, by getDefaultSystemProviderID().
    private static String defaultSystemProviderID = getDefaultSystemProviderID();
    // Per-thread one-byte flag. logout(HttpRequest) sets element 0 to 1 while it runs the ServerAuthContext
    // clean-up and resets it to 0 in a finally block, so a logout call nested on the same thread takes the
    // direct doLogout path instead of re-entering the clean-up.
    private static ThreadLocal<byte[]> reentrancyStatus = ThreadLocal.withInitial(() -> {
        return new byte[]{0};
    });

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$AuthenticatorProxy.class */
    /**
     * Authenticator that wraps an existing {@link AuthenticatorBase} and registers a principal
     * supplied at construction time instead of checking credentials itself.
     *
     * <p>Security note: {@link #authenticate} performs no verification and always returns
     * {@code true}. Whoever constructs a proxy must already have authenticated the principal.
     */
    public static class AuthenticatorProxy extends AuthenticatorBase {
        private final AuthenticatorBase authBase;
        private final Principal principal;
        private final String authType;

        /**
         * Copies the cache flag and container of the wrapped authenticator, then starts this valve.
         *
         * @param authenticator the authenticator to wrap; must be an {@link AuthenticatorBase}
         * @param principal the principal that {@link #authenticate} will register; may be null when
         *        the proxy is only used for logout
         * @param str the auth type to report, or null for the default proxy auth type
         * @throws LifecycleException if starting the proxy fails
         */
        AuthenticatorProxy(Authenticator authenticator, Principal principal, String str) throws LifecycleException {
            final AuthenticatorBase delegate = (AuthenticatorBase) authenticator;
            this.authBase = delegate;
            this.principal = principal;
            if (str != null) {
                this.authType = str;
            } else {
                this.authType = RealmAdapter.PROXY_AUTH_TYPE;
            }
            setCache(delegate.getCache());
            setContainer(delegate.getContainer());
            start();
        }

        /** Returns the cache flag of the wrapped authenticator. */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase
        public boolean getCache() {
            return authBase.getCache();
        }

        /** Returns the container of the wrapped authenticator. */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase, org.apache.catalina.valves.ValveBase, org.apache.catalina.Contained
        public Container getContainer() {
            return authBase.getContainer();
        }

        /** Returns the auth type chosen in the constructor. */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase
        public String getAuthMethod() {
            return authType;
        }

        /**
         * Registers the principal given to the constructor with the request and reports success.
         * A session is created first when caching is enabled.
         *
         * @return always {@code true}
         */
        @Override // org.apache.catalina.authenticator.AuthenticatorBase
        public boolean authenticate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig) throws IOException {
            if (this.cache) {
                getSession(httpRequest, true);
            }
            // No credential check happens here: the principal is trusted as supplied.
            final String userName = principal.getName();
            register(httpRequest, httpResponse, principal, authType, userName, null);
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$HttpMessageInfo.class */
    /**
     * Minimal {@link MessageInfo} that holds a request message, a response message and a
     * property map.
     */
    public static class HttpMessageInfo implements MessageInfo {
        // Raw type kept so the declared return type of getMap() stays as it was.
        private final Map map = new HashMap();
        private Object request;
        private Object response;

        /** Creates an instance with no request or response and an empty map. */
        HttpMessageInfo() {
        }

        /** Creates an instance holding the given request and response and an empty map. */
        HttpMessageInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            request = httpServletRequest;
            response = httpServletResponse;
        }

        @Override // jakarta.security.auth.message.MessageInfo
        public Map getMap() {
            return map;
        }

        @Override // jakarta.security.auth.message.MessageInfo
        public Object getRequestMessage() {
            return request;
        }

        @Override // jakarta.security.auth.message.MessageInfo
        public void setRequestMessage(Object obj) {
            request = obj;
        }

        @Override // jakarta.security.auth.message.MessageInfo
        public Object getResponseMessage() {
            return response;
        }

        @Override // jakarta.security.auth.message.MessageInfo
        public void setResponseMessage(Object obj) {
            response = obj;
        }
    }

    /** Creates an adapter with no realm or module set; {@code initializeRealm} fills them in later. */
    public RealmAdapter() {
    }

    /**
     * Creates an adapter for a known realm and module. The deployment descriptor and the run-as
     * principal map are left unset by this constructor.
     *
     * @param str the realm name
     * @param str2 the module id
     */
    public RealmAdapter(String str, String str2) {
        realmName = str;
        moduleID = str2;
    }

    /**
     * Binds this adapter to a web module: stores the descriptor, resolves the realm name,
     * context id and module id, and collects the run-as principals.
     *
     * @param obj the module's {@link WebBundleDescriptor}
     * @param z whether the module is a system application
     * @param str the realm name passed on to {@code findRealmName}
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void initializeRealm(Object obj, boolean z, String str) {
        isSystemApp = z;
        webBundleDescriptor = (WebBundleDescriptor) obj;
        // The descriptor is assigned before the realm name is resolved; the order is kept as is.
        realmName = findRealmName(str);
        contextId = WebSecurityManager.getContextID(webBundleDescriptor);
        moduleID = webBundleDescriptor.getModuleID();
        collectRunAsPrincipals();
    }

    /**
     * Reports whether the authentication service has a server auth config, initialising the
     * service on first use.
     *
     * @param servletContext the context used to initialise the authentication service
     * @return {@code true} if a server auth config is available
     * @throws RuntimeException wrapping any exception raised while reading the config
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean isSecurityExtensionEnabled(ServletContext servletContext) {
        if (authenticationService == null) {
            initAuthenticationService(servletContext);
        }
        final boolean enabled;
        try {
            enabled = authenticationService.getServerAuthConfig() != null;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return enabled;
    }

    /**
     * Returns the security constraints for the context. The request is not consulted; the
     * lookup is delegated to {@code findSecurityConstraints(Context)}.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public SecurityConstraint[] findSecurityConstraints(HttpRequest httpRequest, Context context) {
        final SecurityConstraint[] constraints = findSecurityConstraints(context);
        return constraints;
    }

    /**
     * Returns the security constraints for the context. The two string arguments are not
     * consulted; the lookup is delegated to {@code findSecurityConstraints(Context)}.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public SecurityConstraint[] findSecurityConstraints(String str, String str2, Context context) {
        final SecurityConstraint[] constraints = findSecurityConstraints(context);
        return constraints;
    }

    /**
     * Checks the transport guarantee for the request using the five-argument overload, with
     * both string arguments null.
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        final boolean permitted = hasUserDataPermission(httpRequest, httpResponse, securityConstraintArr, null, null);
        return permitted;
    }

    /**
     * Checks whether the request satisfies the user-data (transport) constraint.
     *
     * <p>A request that is already secure is accepted without consulting the security manager.
     * When no {@link WebSecurityManager} is available the check fails closed. Otherwise the
     * manager's result decides: -1 triggers a redirect, 0 sends a 403, any other value permits
     * the request.
     *
     * @param str passed through to the security manager check
     * @param str2 passed through to the security manager check
     * @return {@code true} if processing may continue
     * @throws IOException if sending the error or redirect fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, String str, String str2) throws IOException {
        final HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        if (servletRequest.getServletPath() == null) {
            final String resourceName = getResourceName(servletRequest.getRequestURI(), servletRequest.getContextPath());
            httpRequest.setServletPath(resourceName);
        }
        LOG.log(Level.FINE, "hasUserDataPermission called for principal {0} and context path {1}", new Object[]{servletRequest.getUserPrincipal(), servletRequest.getContextPath()});
        if (httpRequest.getRequest().isSecure()) {
            LOG.log(Level.FINE, "request.getRequest().isSecure(): {0}", Boolean.valueOf(httpRequest.getRequest().isSecure()));
            return true;
        }
        final WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // Fail closed: without a security manager the constraint cannot be evaluated.
            return false;
        }
        try {
            switch (manager.hasUserDataPermission(servletRequest, str, str2)) {
                case -1:
                    LOG.log(Level.FINE, "Redirecting using SSL");
                    return redirect(httpRequest, httpResponse);
                case 0:
                    ((HttpServletResponse) httpResponse.getResponse()).sendError(403, resourceBundle.getString("realmBase.forbidden"));
                    return false;
                default:
                    return true;
            }
        } catch (IllegalArgumentException e) {
            LOG.log(Level.WARNING, "realmAdapter.badRequestWithId", (Throwable) e);
            ((HttpServletResponse) httpResponse.getResponse()).sendError(400, resourceBundle.getString("realmAdapter.badRequestWithId"));
            return false;
        }
    }

    /**
     * Decides, before authentication is attempted, whether the request needs to be authenticated.
     *
     * <p>Return values as produced by this method:
     * <ul>
     * <li>{@code 1} - Jakarta Authentication is enabled, or access was denied to a request that is
     * not yet authenticated;</li>
     * <li>{@code 0} - the security manager permitted the request;</li>
     * <li>{@code -1} - an error response (403 or 503) has been sent.</li>
     * </ul>
     *
     * @param z forwarded to {@code disableProxyCaching}
     * @param z2 forwarded to {@code disableProxyCaching}
     * @param z3 when true, a session is created for an authenticated request to a resource that is
     *        not permit-all (presumably the single-sign-on flag -- TODO confirm against the caller)
     * @throws IOException rethrown unchanged from the checks or from sending the error
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public int preAuthenticateCheck(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, boolean z, boolean z2, boolean z3) throws IOException {
        try {
            // Start from an unauthenticated security context so the check below does not run
            // under whatever identity the thread carried before.
            if (!isRequestAuthenticated(httpRequest)) {
                SecurityContext.setUnauthenticatedContext();
            }
            if (isJakartaAuthenticationEnabled()) {
                return 1;
            }
            if (!invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr)) {
                // Denied and not authenticated: ask for authentication.
                if (!isRequestAuthenticated(httpRequest)) {
                    disableProxyCaching(httpRequest, httpResponse, z, z2);
                    return 1;
                }
                // Denied although authenticated: forbidden.
                ((HttpServletResponse) httpResponse.getResponse()).sendError(403);
                httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
                return -1;
            }
            if (!isRequestAuthenticated(httpRequest)) {
                return 0;
            }
            disableProxyCaching(httpRequest, httpResponse, z, z2);
            if (!z3) {
                return 0;
            }
            HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
            if (getWebSecurityManager(true).permitAll(httpServletRequest)) {
                return 0;
            }
            httpServletRequest.getSession(true);
            return 0;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            // Fail closed on any other failure: 503 and -1. The log text mentions a passed
            // authentication, but this branch is also reached for unauthenticated requests.
            LOG.log(Level.SEVERE, "Authentication passed, but authorization failed.", th);
            ((HttpServletResponse) httpResponse.getResponse()).sendError(503);
            httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
            return -1;
        }
    }

    /**
     * Authenticates the request, either through the given authenticator or, when Jakarta
     * Authentication is enabled, through {@code validate}.
     *
     * <p>On the Jakarta Authentication path the request principal is exposed as the session
     * principal of the current {@link SecurityContext} only for the duration of the call; it is
     * cleared and the after-authentication event is fired on both the normal and the exceptional
     * exit.
     *
     * @param z passed through to {@code validate}
     * @return the result of the authenticator or of {@code validate}
     * @throws IOException if authentication raises one
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean invokeAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context, Authenticator authenticator, boolean z) throws IOException {
        LoginConfig loginConfig = context.getLoginConfig();
        if (!isJakartaAuthenticationEnabled()) {
            return ((AuthenticatorBase) authenticator).authenticate(httpRequest, httpResponse, loginConfig);
        }
        try {
            context.fireContainerEvent(ContainerEvent.BEFORE_AUTHENTICATION, null);
            SecurityContext.getCurrent().setSessionPrincipal(((RequestFacade) httpRequest.getRequest()).getRequestPrincipal());
            boolean validate = validate(httpRequest, httpResponse, loginConfig, authenticator, z);
            SecurityContext.getCurrent().setSessionPrincipal(null);
            context.fireContainerEvent(ContainerEvent.AFTER_AUTHENTICATION, null);
            return validate;
        } catch (Throwable th) {
            // Same clean-up as the normal path, so the session principal never outlives the call.
            SecurityContext.getCurrent().setSessionPrincipal(null);
            context.fireContainerEvent(ContainerEvent.AFTER_AUTHENTICATION, null);
            throw th;
        }
    }

    /** Returns the fixed descriptive name of this realm implementation. */
    @Override // org.apache.catalina.realm.RealmBase
    protected String getName() {
        return RealmAdapter.name;
    }

    /** Returns the realm name this adapter authenticates against; may be null before initialisation. */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public String getRealmName() {
        return realmName;
    }

    /**
     * Stores the virtual server this realm belongs to.
     *
     * @param obj the virtual server; must be a {@link Container}
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void setVirtualServer(Object obj) {
        final Container server = (Container) obj;
        virtualServer = server;
    }

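    /**
     * Replaces the current {@link WebSecurityManager} with a freshly created one for the same
     * web module. The old manager is released and destroyed first; a failure while doing so is
     * logged and does not prevent the replacement. Nothing happens when no manager can be resolved.
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void updateWebSecurityManager() {
        if (this.webSecurityManager == null) {
            this.webSecurityManager = getWebSecurityManager(true);
        }
        if (this.webSecurityManager != null) {
            try {
                this.webSecurityManager.release();
                this.webSecurityManager.destroy();
            } catch (Exception e) {
                // Best effort: report through the server log rather than stderr, so the failure is
                // visible to whoever monitors security-manager replacement.
                LOG.log(Level.WARNING, "Failed to release or destroy the WebSecurityManager being replaced", e);
            }
            this.webSecurityManager = this.webSecurityManagerFactory.createManager(this.webBundleDescriptor, true, this.serverContext);
            LOG.log(Level.FINE, "WebSecurityManager for {0} has been updated", this.contextId);
        }
    }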

    /**
     * Authenticates a user name and password against the realm.
     *
     * <p>The caller-supplied user name is written to the log at FINE level, and the password
     * array is handed to the {@link WebPrincipal} that is returned.
     *
     * @param str the user name
     * @param cArr the password
     * @return a principal for the authenticated user, or null if the login failed
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(HttpRequest httpRequest, String str, char[] cArr) {
        LOG.log(Level.FINE, "Tomcat callback for authenticate user/password. Username: {0}", str);
        final boolean loggedIn = authenticate((HttpServletRequest) httpRequest, str, cArr, null, null);
        if (!loggedIn) {
            return null;
        }
        return new WebPrincipal(str, cArr, SecurityContext.getCurrent());
    }

    /**
     * Authenticates a request using digest credentials derived from it.
     *
     * @return a principal carrying the digest user name and no password, or null if no digest
     *         credentials could be generated or the login failed
     */
    @Override // org.apache.catalina.Realm
    public Principal authenticate(HttpServletRequest httpServletRequest) {
        final DigestCredentials credentials = generateDigestCredentials(httpServletRequest);
        if (credentials != null && authenticate(httpServletRequest, null, null, credentials, null)) {
            return new WebPrincipal(credentials.getUserName(), (char[]) null, SecurityContext.getCurrent());
        }
        return null;
    }

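    /**
     * Authenticates a request using a client certificate chain.
     *
     * @param x509CertificateArr the client certificate chain
     * @return a principal for the certificate, or null if no chain was supplied or the login failed
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public Principal authenticate(HttpRequest httpRequest, X509Certificate[] x509CertificateArr) {
        // The shared login routine picks the mechanism by which argument is non-null. With a null
        // chain it would fall through to a user name/password login with a null user name, so a
        // missing chain is rejected here and never reaches a different mechanism.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            return null;
        }
        if (authenticate((HttpServletRequest) httpRequest, null, null, null, x509CertificateArr)) {
            return new WebPrincipal(x509CertificateArr, SecurityContext.getCurrent());
        }
        return null;
    }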

    /**
     * Asks the web security manager whether the request may access the resource.
     *
     * <p>On denial a 403 is sent and the post-authentication delegate is invoked. Any failure
     * other than an {@link IOException} is logged, answered with a 503 and treated as a denial.
     *
     * @return {@code true} only if access was granted
     * @throws IOException rethrown unchanged from the check or from sending the error
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasResourcePermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        boolean granted = false;
        try {
            granted = invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr);
            if (!granted) {
                final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
                servletResponse.sendError(403);
                httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
                invokePostAuthenticateDelegate(httpRequest, httpResponse, context);
            }
            return granted;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            // Fail closed: the flag is still false whenever this branch is reached.
            LOG.log(Level.SEVERE, "Authentication passed, but authorization failed.", th);
            final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
            servletResponse.sendError(503);
            httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
            return granted;
        }
    }

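    /**
     * Runs the {@code secureResponse} step of the {@link ServerAuthContext} that was stored in
     * the request's {@link MessageInfo} during authentication, if there is one.
     *
     * <p>The wrapped request/response notes are removed on every exit, including when
     * {@code secureResponse} fails, so a failed response-securing step cannot leave stale wrapper
     * notes on the request.
     *
     * @return {@code true} if {@code secureResponse} reported {@code SEND_SUCCESS}; {@code false}
     *         if it reported anything else or was not invoked
     * @throws IOException wrapping an {@link AuthException} raised by {@code secureResponse}
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean invokePostAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context) throws IOException {
        boolean result = false;
        ServerAuthContext serverAuthContext = null;
        try {
            if (this.authenticationService != null) {
                HttpServletRequest servletRequest = (HttpServletRequest) httpRequest.getRequest();
                MessageInfo messageInfo = (MessageInfo) servletRequest.getAttribute(MESSAGE_INFO);
                if (messageInfo != null) {
                    serverAuthContext = (ServerAuthContext) messageInfo.getMap().get(SERVER_AUTH_CONTEXT);
                    if (serverAuthContext != null) {
                        try {
                            context.fireContainerEvent("beforePostAuthentication", null);
                            result = AuthStatus.SEND_SUCCESS.equals(serverAuthContext.secureResponse(messageInfo, null));
                        } finally {
                            // Listeners always see the matching "after" event.
                            context.fireContainerEvent("afterPostAuthentication", null);
                        }
                    }
                }
            }
            return result;
        } catch (AuthException e) {
            throw new IOException(e);
        } finally {
            // This clean-up was unreachable on the exception path before (guarded by a
            // constant-false condition); it now runs on every exit.
            if (this.authenticationService != null && serverAuthContext != null) {
                if (httpRequest instanceof HttpRequestWrapper) {
                    httpRequest.removeNote(Globals.WRAPPED_REQUEST);
                }
                if (httpResponse instanceof HttpResponseWrapper) {
                    // As before, the response note is also removed from the request object.
                    httpRequest.removeNote(Globals.WRAPPED_RESPONSE);
                }
            }
        }
    }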

    /**
     * Checks whether the principal holds the role, as seen from the servlet that handles the
     * request.
     *
     * @param str the role name
     * @return the security manager's decision, or {@code false} when no security manager is
     *         available
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public boolean hasRole(HttpRequest httpRequest, HttpResponse httpResponse, Principal principal, String str) {
        final WebSecurityManager manager = getWebSecurityManager(true);
        if (manager == null) {
            // Fail closed when the role check cannot be evaluated.
            return false;
        }
        final String servletName = getCanonicalName(httpRequest);
        final boolean granted = manager.hasRoleRefPermission(servletName, str, principal);
        LOG.log(Level.FINE, "Checking if servlet {0} with principal {1} has role {2} isGranted: {3}", new Object[]{servletName, principal, str, Boolean.valueOf(granted)});
        return granted;
    }

    /** Destroys the realm and then disables the authentication service, if one was initialised. */
    @Override // org.apache.catalina.realm.RealmBase
    public void destroy() {
        super.destroy();
        if (authenticationService == null) {
            return;
        }
        authenticationService.disable();
    }

    /** Returns the web module descriptor set by {@code initializeRealm}; null before that. */
    public WebBundleDescriptor getWebDescriptor() {
        return webBundleDescriptor;
    }

    /**
     * Returns the {@link WebSecurityManager} for this context, looking it up from the factory
     * on first use.
     *
     * @param z whether to log a warning when the factory has no manager for the context
     * @return the manager, or null if none is available; callers must handle null
     */
    public WebSecurityManager getWebSecurityManager(boolean z) {
        if (webSecurityManager != null || webSecurityManagerFactory == null) {
            return webSecurityManager;
        }
        synchronized (this) {
            webSecurityManager = webSecurityManagerFactory.getManager(contextId);
        }
        if (z && webSecurityManager == null) {
            LOG.log(Level.WARNING, "realmAdapter.noWebSecMgr", contextId);
        }
        return webSecurityManager;
    }

    /**
     * Checks whether the principal holds the role for the named servlet.
     *
     * @param str the servlet name
     * @param str2 the role name
     * @return the security manager's decision, or {@code false} when no security manager is
     *         available
     */
    public boolean hasRole(String str, Principal principal, String str2) {
        final WebSecurityManager manager = getWebSecurityManager(true);
        return manager != null && manager.hasRoleRefPermission(str, str2, principal);
    }

    /**
     * Logs the request's user out.
     *
     * <p>When the security extension is enabled and this is not a nested call on the same thread,
     * the {@link ServerAuthContext} is asked to clean the subject first. In every case
     * {@code doLogout} runs afterwards, including when the clean-up throws.
     *
     * @throws RuntimeException wrapping an {@link AuthException} raised by the clean-up
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public void logout(HttpRequest httpRequest) {
        boolean isSecurityExtensionEnabled = isSecurityExtensionEnabled(httpRequest.getRequest().getServletContext());
        // Per-thread re-entrancy flag: element 0 is 1 while the clean-up below is running.
        byte[] bArr = reentrancyStatus.get();
        if (!isSecurityExtensionEnabled || this.authenticationService == null || bArr[0] != 0) {
            // Direct path; a nested call (flag == 1) logs out through the AuthenticatorProxy.
            doLogout(httpRequest, bArr[0] == 1);
            return;
        }
        bArr[0] = 1;
        MessageInfo messageInfo = (MessageInfo) httpRequest.getRequest().getAttribute(MESSAGE_INFO);
        if (messageInfo == null) {
            messageInfo = new HttpMessageInfo((HttpServletRequest) httpRequest.getRequest(), (HttpServletResponse) httpRequest.getResponse().getResponse());
        }
        messageInfo.getMap().put(HttpServletConstants.IS_MANDATORY, Boolean.TRUE.toString());
        try {
            try {
                ServerAuthContext serverAuthContext = this.authenticationService.getServerAuthContext(messageInfo, null);
                if (serverAuthContext != null) {
                    SecurityContext current = SecurityContext.getCurrent();
                    // A fresh Subject is used when the server generated the credentials, or when
                    // the current context has no subject.
                    Subject subject = current.didServerGenerateCredentials() ? new Subject() : current.getSubject();
                    if (subject == null) {
                        subject = new Subject();
                    }
                    if (subject.isReadOnly()) {
                        LOG.log(Level.WARNING, "Read-only subject found during logout processing");
                    }
                    try {
                        httpRequest.getContext().fireContainerEvent("beforePostAuthentication", null);
                        serverAuthContext.cleanSubject(messageInfo, subject);
                        httpRequest.getContext().fireContainerEvent("afterPostAuthentication", null);
                    } catch (Throwable th) {
                        httpRequest.getContext().fireContainerEvent("afterPostAuthentication", null);
                        throw th;
                    }
                }
            } catch (AuthException e) {
                throw new RuntimeException(e);
            }
        } finally {
            // Always complete the logout and reset the flag, so a failed clean-up neither leaves
            // the user logged in nor leaves the thread marked as re-entrant.
            doLogout(httpRequest, true);
            bArr[0] = 0;
        }
    }

    /**
     * Logs the request out through the context's authenticator and then clears the security
     * context.
     *
     * @param z when true, the logout goes through an {@link AuthenticatorProxy} wrapping the
     *        authenticator; when false, the authenticator is called directly
     * @throws RuntimeException if the context or its authenticator is missing, or wrapping any
     *         exception raised during logout
     */
    private void doLogout(HttpRequest httpRequest, boolean z) {
        final Context context = httpRequest.getContext();
        final Authenticator authenticator = context == null ? null : context.getAuthenticator();
        if (authenticator == null) {
            throw new RuntimeException("Context or Authenticator is null");
        }
        try {
            if (!z) {
                authenticator.logout(httpRequest);
            } else {
                // The proxy is built without a principal; only its logout is used here.
                new AuthenticatorProxy(authenticator, null, null).logout(httpRequest);
            }
            logout();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Clears the current security context and, when a {@link WebSecurityManager} is available,
     * notifies it of the logout inside a privileged block.
     */
    @Override // com.sun.enterprise.security.integration.RealmInitializer
    public void logout() {
        // The identity is dropped first, before the security manager is notified.
        setSecurityContext(null);
        final WebSecurityManager manager = getWebSecurityManager(false);
        if (manager == null) {
            return;
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            manager.onLogout();
            return null;
        });
    }

    /**
     * Re-authenticates an existing {@link WebPrincipal}, using its certificates when it was
     * established with a certificate and its name and password otherwise.
     *
     * @return {@code true} if the login succeeded
     */
    public boolean authenticate(HttpServletRequest httpServletRequest, WebPrincipal webPrincipal) {
        if (webPrincipal.isUsingCertificate()) {
            return authenticate(httpServletRequest, null, null, null, webPrincipal.getCertificates());
        }
        return authenticate(httpServletRequest, webPrincipal.getName(), webPrincipal.getPassword(), null, null);
    }

    /**
     * Performs the login shared by all public {@code authenticate} overloads.
     *
     * <p>The mechanism is chosen by the first non-null argument, in this order: certificate
     * chain, digest credentials, then user name and password. After a successful login the
     * {@link WebSecurityManager}, if any, is notified inside a privileged block.
     *
     * @param str the user name for a password login
     * @param cArr the password for a password login
     * @return {@code true} if the login and the notification completed; {@code false} if any
     *         exception was raised, which is logged at WARNING level
     */
    private boolean authenticate(HttpServletRequest httpServletRequest, String str, char[] cArr, DigestCredentials digestCredentials, X509Certificate[] x509CertificateArr) {
        try {
            if (x509CertificateArr != null) {
                final Subject certificateSubject = generateX500Subject(x509CertificateArr);
                LoginContextDriver.doX500Login(certificateSubject, moduleID);
            } else if (digestCredentials != null) {
                LoginContextDriver.login(digestCredentials);
            } else {
                LoginContextDriver.login(str, cArr, realmName);
            }
            LOG.log(Level.FINE, "Web login succeeded for: {0}", SecurityContext.getCurrent().getCallerPrincipal());
            final WebSecurityManager manager = getWebSecurityManager(false);
            if (manager != null) {
                AccessController.doPrivileged(() -> {
                    manager.onLogin(httpServletRequest);
                    return null;
                });
            }
            return true;
        } catch (Exception e) {
            // Fail closed: every failure, whatever its cause, is reported as a failed login.
            LOG.log(Level.WARNING, "WEB9102: Web Login Failed", (Throwable) e);
            return false;
        }
    }

    /**
     * Switches to the run-as identity configured for the servlet being invoked, if there is one.
     * The security context in force beforehand is saved on the invocation so that
     * {@code postSetRunAsIdentity} can restore it.
     */
    public void preSetRunAsIdentity(ComponentInvocation componentInvocation) {
        // Cheap check first: skip the servlet-name lookup when no run-as principals exist.
        if (Utility.isEmpty(runAsPrincipals)) {
            return;
        }
        final String servletName = getServletName(componentInvocation);
        if (servletName == null) {
            return;
        }
        final String runAsPrincipal = runAsPrincipals.get(servletName);
        if (runAsPrincipal == null) {
            return;
        }
        componentInvocation.setOldSecurityContext(getSecurityContext());
        loginForRunAs(runAsPrincipal);
        LOG.log(Level.FINE, "The run-as principal for servlet {0} set to {1}", new Object[]{servletName, runAsPrincipal});
    }

    /**
     * Resolves the servlet name for an invocation: the invocation's instance name if set,
     * otherwise the name of the invoked {@link HttpServlet} when it has a servlet config.
     *
     * @return the servlet name, or null if it cannot be determined
     */
    private String getServletName(ComponentInvocation componentInvocation) {
        final String instanceName = componentInvocation.getInstanceName();
        if (instanceName != null) {
            return instanceName;
        }
        final Object instance = componentInvocation.getInstance();
        if (instance instanceof HttpServlet) {
            final HttpServlet servlet = (HttpServlet) instance;
            // The name is only read once the servlet has a config.
            return servlet.getServletConfig() == null ? null : servlet.getServletName();
        }
        return null;
    }

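    /**
     * Restores the security context that was saved on the invocation before a run-as login.
     *
     * <p>The context is restored only when the invoked servlet has a run-as principal configured,
     * which mirrors the condition under which {@code preSetRunAsIdentity} replaces it. A missing
     * (null) run-as map is treated like an empty one, as {@code preSetRunAsIdentity} does; the
     * previous condition skipped only an empty map and dereferenced a null one.
     *
     * @param componentInvocation the invocation that has just finished
     */
    public void postSetRunAsIdentity(ComponentInvocation componentInvocation) {
        if (this.runAsPrincipals == null || this.runAsPrincipals.isEmpty()) {
            return;
        }
        String servletName = getServletName(componentInvocation);
        if (servletName == null || this.runAsPrincipals.get(servletName) == null) {
            return;
        }
        // Put back the caller's identity so the run-as identity does not outlive the invocation.
        setSecurityContext((SecurityContext) componentInvocation.getOldSecurityContext());
    }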

    /**
     * Logs in a principal by name against this adapter's realm.
     *
     * <p>Only the name and the realm are passed on; no credential is presented, so callers are
     * responsible for the name coming from a trusted source.
     *
     * @param str the principal name handed to {@code LoginContextDriver.loginPrincipal}
     */
    private void loginForRunAs(String str) {
        final String realm = this.realmName;
        LoginContextDriver.loginPrincipal(str, realm);
    }

    /**
     * Returns the security context that is current according to {@code SecurityContext.getCurrent()}.
     *
     * @return the current security context
     */
    private SecurityContext getSecurityContext() {
        final SecurityContext current = SecurityContext.getCurrent();
        return current;
    }

    /**
     * Makes the given security context the current one through {@code SecurityContext.setCurrent}.
     *
     * @param securityContext the context to install; passed through unchanged
     */
    private void setSecurityContext(SecurityContext securityContext) {
        SecurityContext.setCurrent(securityContext);
    }

    /**
     * Not supported by this adapter: always throws.
     *
     * @param str ignored
     * @return never returns
     * @throws IllegalStateException always
     */
    @Override
    protected char[] getPassword(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Not supported by this adapter: always throws.
     *
     * @param str ignored
     * @return never returns
     * @throws IllegalStateException always
     */
    @Override
    protected Principal getPrincipal(String str) {
        final String message = "Should not reach here";
        throw new IllegalStateException(message);
    }

    /**
     * Creates a {@code WebPrincipal} for a user by name, logging that name in first.
     *
     * <p>The login goes through {@code loginForRunAs}, which presents no credential, and the
     * principal is created with a null password.
     * NOTE(review): the name is trusted as given; confirm every caller takes it from state the
     * server itself produced (presumably replicated session data).
     *
     * @param str the user name
     * @return a principal bound to the security context that is current after the login
     */
    public Principal createFailOveredPrincipal(String str) {
        LOG.log(Level.FINEST, "createFailOveredPrincipal(username={0})", str);
        loginForRunAs(str);

        SecurityContext contextAfterLogin = SecurityContext.getCurrent();
        LOG.log(Level.FINE, "Security context is {0}", contextAfterLogin);

        WebPrincipal failedOverPrincipal = new WebPrincipal(str, (char[]) null, contextAfterLogin);
        LOG.log(Level.INFO, "Principal created for FailOvered user {0}", failedOverPrincipal);
        return failedOverPrincipal;
    }

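    /**
     * Decides whether the request may access the requested resource.
     *
     * <p>On first use the FORM login and error pages are read from the context's login config and
     * cached under the write lock. When either page is known, requests for exactly the login page or
     * the error page, and requests whose path ends with {@code /j_security_check}, are allowed
     * without asking the web security manager. All other requests are decided by
     * {@code WebSecurityManager.hasResourcePermission}; access is denied when no manager is available.
     *
     * <p>Both locks are released in {@code finally} blocks right after the guarded section. The
     * previous shape released the read lock a second time from a catch-all handler, which would have
     * raised {@code IllegalMonitorStateException} and hidden the original failure.
     *
     * @param httpRequest the request being checked
     * @param httpResponse not used by this method
     * @param securityConstraintArr not used by this method
     * @return {@code true} when access is allowed
     * @throws IOException declared for callers; this method itself throws none directly
     */
    private boolean invokeWebSecurityManager(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        boolean evaluated;
        this.rwLock.readLock().lock();
        try {
            evaluated = this.contextEvaluated;
        } finally {
            this.rwLock.readLock().unlock();
        }

        if (!evaluated) {
            this.rwLock.writeLock().lock();
            try {
                // Re-check under the write lock: another thread may have done the work meanwhile.
                if (!this.contextEvaluated) {
                    LoginConfig loginConfig = ((Context) getContainer()).getLoginConfig();
                    if (loginConfig != null && "FORM".equals(loginConfig.getAuthMethod())) {
                        this.loginPage = loginConfig.getLoginPage();
                        this.errorPage = loginConfig.getErrorPage();
                    }
                    this.contextEvaluated = true;
                }
            } finally {
                this.rwLock.writeLock().unlock();
            }
        }

        if (this.loginPage != null || this.errorPage != null) {
            String requestPath = httpRequest.getRequestPathMB().toString();
            LOG.log(Level.FINE, "requestURI: {0}, loginPage: {1}, errorPage: {2}", new Object[]{requestPath, this.loginPage, this.errorPage});
            if (this.loginPage != null && this.loginPage.equals(requestPath)) {
                LOG.log(Level.FINE, "Allowed access to login page {0}", this.loginPage);
                return true;
            }
            if (this.errorPage != null && this.errorPage.equals(requestPath)) {
                LOG.log(Level.FINE, "Allowed access to error page {0}", this.errorPage);
                return true;
            }
            // NOTE(review): this is a suffix match, so any path ending in /j_security_check skips
            // the permission check below; presumably the form authenticator handles such requests.
            if (requestPath.endsWith("/j_security_check")) {
                LOG.log(Level.FINE, "Allowed access to username/password submission ({0})", "/j_security_check");
                return true;
            }
        }

        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest;
        if (httpServletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
        }
        LOG.log(Level.FINE, "Checking web security manager for the access of principal {0} to context path {1}.", new Object[]{httpServletRequest.getUserPrincipal(), httpServletRequest.getContextPath()});

        WebSecurityManager webSecurityManager = getWebSecurityManager(true);
        if (webSecurityManager == null) {
            // No manager to decide: deny.
            return false;
        }
        return webSecurityManager.hasResourcePermission(httpServletRequest);
    }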

    /**
     * Works out the host name and port to use when redirecting the request to HTTPS.
     *
     * <p>The default answer is the request's server name and the connector's redirect port. The
     * values from the client's {@code Host} header are used instead when that header names no port,
     * or when its host matches this server on a wildcard listener but its port matches none of
     * those listeners.
     *
     * <p>The result is consumed by {@code redirect}, so whenever the header values are used the
     * redirect target is influenced by the client.
     * NOTE(review): confirm that deployments constrain which Host values are accepted upstream.
     *
     * @param httpRequest the request whose headers and connector are consulted
     * @return a two-element list: host name, then port as a decimal string ({@code "-1"} when the
     *         header host is used without a port)
     * @throws IOException a {@code ProtocolException} when the request has no {@code Host} header;
     *         {@code InetAddress.getByName} may also fail with an I/O error
     */
    private List<String> getHostAndPort(HttpRequest httpRequest) throws IOException {
        Enumeration<String> headerNames = ((HttpServletRequest) httpRequest.getRequest()).getHeaderNames();
        // strArr: the Host header value split into [host, port]; stays null when no Host header exists.
        String[] strArr = null;
        // z: a Host header was seen. z2: take host and port from the Host header.
        boolean z = false;
        boolean z2 = false;
        while (headerNames.hasMoreElements()) {
            String nextElement = headerNames.nextElement();
            if (nextElement.equalsIgnoreCase("Host")) {
                z = true;
                // NOTE(review): a plain split on ':' does not understand a bracketed IPv6 literal.
                strArr = ((HttpServletRequest) httpRequest.getRequest()).getHeader(nextElement).split(":");
            }
        }
        if (strArr == null) {
            throw new ProtocolException(resourceBundle.getString("missing_http_header.host"));
        }
        // z3: the Host header carries no usable port.
        boolean z3 = strArr.length <= 1 || strArr[1] == null || strArr[1].isBlank();
        if (!z) {
            // strArr is only assigned together with z, so z is always true here and this branch does not run.
            z2 = false;
        } else if (!z3) {
            // z4: a listener with the same port as the Host header was found.
            boolean z4 = false;
            for (NetworkListener networkListener : this.networkListeners.getNetworkListener()) {
                String address = networkListener.getAddress();
                // Only listeners without an address or bound to the wildcard address are compared.
                if (address == null || address.equals("0.0.0.0")) {
                    if (!NetUtils.getCanonicalHostName().equals(strArr[0])) {
                        InetAddress[] hostAddresses = NetUtils.getHostAddresses();
                        if (hostAddresses == null) {
                            break;
                        }
                        // Resolves the client-supplied host text; this can trigger a name lookup.
                        InetAddress byName = InetAddress.getByName(strArr[0]);
                        int length = hostAddresses.length;
                        int i = 0;
                        while (true) {
                            if (i >= length) {
                                break;
                            }
                            if (hostAddresses[i].equals(byName)) {
                                if (networkListener.getPort().equals(strArr[1])) {
                                    // Host and port both belong to this server: keep the defaults.
                                    z2 = false;
                                    z4 = true;
                                    break;
                                }
                                // Local address but a port this listener does not use: prefer the header.
                                z2 = true;
                            }
                            i++;
                        }
                    } else if (networkListener.getPort().equals(strArr[1])) {
                        z2 = false;
                        z4 = true;
                    } else {
                        z2 = true;
                    }
                }
                if (z4 && !z2) {
                    break;
                }
            }
        } else {
            // No port in the Host header: the header host is used as-is, without the listener comparison.
            z2 = true;
        }
        String serverName = httpRequest.getRequest().getServerName();
        int redirectPort = httpRequest.getConnector().getRedirectPort();
        if (z2) {
            serverName = strArr[0];
            // Integer.parseInt throws the unchecked NumberFormatException when the port text is not a number.
            redirectPort = z3 ? -1 : Integer.parseInt(strArr[1]);
        }
        // Raw list holding exactly two strings: [host, port].
        ArrayList arrayList = new ArrayList();
        arrayList.add(serverName);
        arrayList.add(String.valueOf(redirectPort));
        return arrayList;
    }

    /**
     * Redirects the request to the same resource over HTTPS, or rejects it when that is not possible.
     *
     * <p>When the connector has no positive redirect port, a 403 is sent. Otherwise the target is
     * built from the request URI, the session id (only when it arrived in the URL) and the query
     * string, on the host and port chosen by {@code getHostAndPort}. A malformed target yields a 500.
     * Note that a URL-borne session id is copied into the redirect target, so it appears in the
     * {@code Location} header as well.
     *
     * @param httpRequest the request to redirect
     * @param httpResponse the response that receives the redirect or the error
     * @return always {@code false}: the response has been completed one way or another
     * @throws IOException if writing the response fails or {@code getHostAndPort} fails
     */
    private boolean redirect(HttpRequest httpRequest, HttpResponse httpResponse) throws IOException {
        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();

        if (httpRequest.getConnector().getRedirectPort() <= 0) {
            LOG.fine("SSL redirect is disabled");
            servletResponse.sendError(403, URLEncoder.encode(servletRequest.getRequestURI(), StandardCharsets.UTF_8));
            return false;
        }

        StringBuilder target = new StringBuilder(servletRequest.getRequestURI());
        String sessionId = servletRequest.getRequestedSessionId();
        if (sessionId != null && servletRequest.isRequestedSessionIdFromURL()) {
            target.append(";jsessionid=").append(sessionId);
        }
        String query = servletRequest.getQueryString();
        if (query != null) {
            target.append('?').append(query);
        }

        List<String> hostAndPort = getHostAndPort(httpRequest);
        try {
            URL secureUrl = new URL("https", hostAndPort.get(0), Integer.parseInt(hostAndPort.get(1)), target.toString());
            servletResponse.sendRedirect(secureUrl.toString());
        } catch (MalformedURLException malformed) {
            servletResponse.sendError(500, URLEncoder.encode(servletRequest.getRequestURI(), StandardCharsets.UTF_8));
        }
        return false;
    }

    /**
     * Returns the servlet name of the wrapper that the request is mapped to.
     *
     * @param httpRequest the request whose wrapper is consulted
     * @return the wrapper's servlet name
     */
    private String getCanonicalName(HttpRequest httpRequest) {
        final String servletName = httpRequest.getWrapper().getServletName();
        return servletName;
    }

    /**
     * Cuts a leading prefix of the context path's length off a request URI.
     *
     * <p>Only the lengths are compared; the URI is not checked to actually start with the context
     * path.
     *
     * @param str the request URI
     * @param str2 the context path
     * @return the part of {@code str} after the first {@code str2.length()} characters, or the empty
     *         string when {@code str} is not longer than {@code str2}
     */
    private String getResourceName(String str, String str2) {
        int prefixLength = str2.length();
        if (prefixLength < str.length()) {
            return str.substring(prefixLength);
        }
        return "";
    }

    /**
     * Accepts a realm name and ignores it; the body is empty, so the adapter's realm is not changed
     * through this method.
     *
     * @param str ignored
     */
    public void setRealmName(String str) {
        // Deliberately empty.
    }

    /**
     * Builds the authentication service for this web application.
     *
     * <p>The property map carries the policy context id and the configured provider id, each only
     * when it is non-null. The callback handler is bound to this adapter's realm.
     *
     * @param servletContext the servlet context used to derive the application context id
     * @return a new {@code DefaultAuthenticationService}
     * @throws IOException declared for callers; no statement here throws it directly
     */
    private BaseAuthenticationService createAuthenticationService(ServletContext servletContext) throws IOException {
        HashMap properties = new HashMap();

        String policyContextId = WebSecurityManager.getContextID(this.webBundleDescriptor);
        if (policyContextId != null) {
            properties.put(HttpServletConstants.POLICY_CONTEXT, policyContextId);
        }

        String authModuleId = AuthMessagePolicy.getProviderID(AuthMessagePolicy.getSunWebApp(Map.of(AuthMessagePolicy.WEB_BUNDLE, this.webBundleDescriptor)));
        if (authModuleId != null) {
            properties.put("authModuleId", authModuleId);
        }

        String appContextId = getAppContextID(servletContext);
        return new DefaultAuthenticationService(appContextId, properties, new ConfigDomainParser(), new ServerContainerCallbackHandler(this.realmName));
    }

    /**
     * Builds the application context id as "virtual server name, space, context path", both taken
     * from the servlet context.
     *
     * <p>A warning is logged when either value differs from what the virtual server or the bundle
     * descriptor reports; the servlet context's values are used regardless.
     *
     * @param servletContext the source of both id parts
     * @return the application context id
     */
    private String getAppContextID(ServletContext servletContext) {
        String contextServerName = servletContext.getVirtualServerName();
        String configuredServerName = this.virtualServer.getName();
        if (!contextServerName.equals(configuredServerName)) {
            LOG.log(Level.WARNING, "Virtual server name from ServletContext: {0} differs from name from virtual.getName(): {1}", new Object[]{contextServerName, configuredServerName});
        }

        String contextPath = servletContext.getContextPath();
        String bundleContextRoot = this.webBundleDescriptor.getContextRoot();
        if (!contextPath.equals(bundleContextRoot)) {
            LOG.log(Level.WARNING, "Context path from ServletContext: {0} differs from path from bundle: {1}", new Object[]{contextPath, bundleContextRoot});
        }

        return contextServerName + " " + contextPath;
    }

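    /**
     * Validates the request through the Jakarta Authentication server auth context and, on success,
     * establishes the caller's identity on the request.
     *
     * <p>Obtaining the auth context, the null check on it and {@code validateRequest} all run inside
     * one {@code try}. The previous shape left the null check and {@code validateRequest} after the
     * handlers, where the context could be unassigned and the {@code AuthException} was neither
     * caught nor declared. Now a failure in any of them is logged, answered with status 500 and
     * leaves the result {@code false}.
     *
     * <p>After a successful validation the {@code Caller} found in the subject decides the identity:
     * a subject already held by the session's {@code WebPrincipal} is reused when it matches;
     * otherwise a new subject is built from the caller principal and its groups. The default
     * (unauthenticated) caller principal clears any principal on the request and fails the
     * validation when authentication is mandatory.
     *
     * @param httpRequest the container request
     * @param httpResponse the container response
     * @param loginConfig the login configuration, used as fallback for the auth type; may be null
     * @param authenticator the authenticator used when the session is to be registered
     * @param z when {@code true}, authentication is marked mandatory even if the resource permits all
     * @return {@code true} when the request was validated and not rejected afterwards
     * @throws IOException if sending the error response fails
     */
    private boolean validate(HttpRequest httpRequest, HttpResponse httpResponse, LoginConfig loginConfig, Authenticator authenticator, boolean z) throws IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest(true);
        HttpServletResponse httpServletResponse = (HttpServletResponse) httpResponse.getResponse();
        Subject subject = new Subject();
        HttpMessageInfo httpMessageInfo = new HttpMessageInfo(httpServletRequest, httpServletResponse);
        boolean validated = false;
        // Stays true (the stricter value) if permitAll cannot be evaluated.
        boolean mandatory = true;
        try {
            // A missing web security manager surfaces here as a RuntimeException and is handled below.
            mandatory = !getWebSecurityManager(true).permitAll(httpServletRequest);
            if (mandatory || z) {
                httpMessageInfo.getMap().put(HttpServletConstants.IS_MANDATORY, Boolean.TRUE.toString());
            }
            ServerAuthContext serverAuthContext = this.authenticationService.getServerAuthContext(httpMessageInfo, null);
            if (serverAuthContext == null) {
                throw new AuthException("null ServerAuthContext");
            }
            validated = AuthStatus.SUCCESS.equals(serverAuthContext.validateRequest(httpMessageInfo, subject, null));
            if (validated) {
                // Stored only after a successful validation.
                httpMessageInfo.getMap().put(SERVER_AUTH_CONTEXT, serverAuthContext);
                httpServletRequest.setAttribute(MESSAGE_INFO, httpMessageInfo);
            }
        } catch (AuthException e) {
            LOG.log(Level.SEVERE, "Jakarta Authentication: http msg authentication fail", (Throwable) e);
            httpServletResponse.setStatus(500);
        } catch (RuntimeException e2) {
            LOG.log(Level.SEVERE, "Jakarta Authentication: Exception during validateRequest", (Throwable) e2);
            httpServletResponse.sendError(500);
        }
        if (validated) {
            Caller caller = getCaller(subject);
            if (caller != null) {
                Subject subject2 = new Subject();
                Subject reuseSessionSubject = reuseSessionSubject(caller);
                if (reuseSessionSubject != null) {
                    copySubject(subject2, reuseSessionSubject);
                } else {
                    Principal glassFishCallerPrincipal = getGlassFishCallerPrincipal(caller);
                    toSubject(subject2, glassFishCallerPrincipal);
                    DistinguishedPrincipalCredential distinguishedPrincipalCredential = new DistinguishedPrincipalCredential(glassFishCallerPrincipal);
                    // The distinguished credential is added both as a principal and as a public credential.
                    toSubject(subject2, distinguishedPrincipalCredential);
                    toSubjectCredential(subject2, distinguishedPrincipalCredential);
                    for (String groupName : caller.getGroups()) {
                        toSubject(subject2, new Group(groupName));
                    }
                    if (glassFishCallerPrincipal.equals(SecurityContext.getDefaultCallerPrincipal())) {
                        // Unauthenticated caller: drop any identity the request still carries.
                        if (((HttpServletRequest) httpMessageInfo.getRequestMessage()).getUserPrincipal() != null) {
                            httpRequest.setUserPrincipal(null);
                            httpRequest.setAuthType(null);
                        }
                        if (mandatory) {
                            validated = false;
                        }
                    } else {
                        LoginContextDriver.jmacLogin(subject2, glassFishCallerPrincipal, this.realmName);
                        SecurityContext securityContext = new SecurityContext(subject2);
                        SecurityContext.setCurrent(securityContext);
                        WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
                        try {
                            String authType = (String) httpMessageInfo.getMap().get(HttpServletConstants.AUTH_TYPE);
                            if (authType == null && loginConfig != null && loginConfig.getAuthMethod() != null) {
                                authType = loginConfig.getAuthMethod();
                            }
                            if (shouldRegister(httpMessageInfo.getMap())) {
                                new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(httpRequest, httpResponse, loginConfig);
                            } else {
                                httpRequest.setAuthType(authType == null ? PROXY_AUTH_TYPE : authType);
                                httpRequest.setUserPrincipal(webPrincipal);
                            }
                        } catch (LifecycleException e3) {
                            // NOTE(review): a failed session registration is only logged and the
                            // validation still reports success; confirm that this is intended.
                            LOG.log(Level.SEVERE, "Unable to register session", (Throwable) e3);
                        }
                    }
                }
            }
            if (validated) {
                // The auth module may have replaced the request or response; expose the wrappers.
                HttpServletRequest httpServletRequest2 = (HttpServletRequest) httpMessageInfo.getRequestMessage();
                if (httpServletRequest2 != httpServletRequest) {
                    httpRequest.setNote(Globals.WRAPPED_REQUEST, new HttpRequestWrapper(httpRequest, httpServletRequest2));
                }
                HttpServletResponse httpServletResponse2 = (HttpServletResponse) httpMessageInfo.getResponseMessage();
                if (httpServletResponse2 != httpServletResponse) {
                    httpRequest.setNote(Globals.WRAPPED_RESPONSE, new HttpResponseWrapper(httpResponse, httpServletResponse2));
                }
            }
        }
        return validated;
    }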

    /**
     * Picks the {@code Caller} principal out of a subject.
     *
     * @param subject the subject to search
     * @return the first {@code Caller} the subject's principal set yields, or {@code null} when it
     *         holds none
     */
    private Caller getCaller(Subject subject) {
        Iterator callers = subject.getPrincipals(Caller.class).iterator();
        return callers.hasNext() ? (Caller) callers.next() : null;
    }

    /**
     * Replaces a custom principal by the session's {@code WebPrincipal} when that wrapper holds it.
     *
     * @param principal the principal to look up; may be {@code null}
     * @return the current session's {@code WebPrincipal} when its custom principal is this very
     *         object, otherwise {@code principal} unchanged
     */
    private Principal findPrincipalWrapper(Principal principal) {
        if (principal == null || principal instanceof WebPrincipal) {
            return principal;
        }
        Principal sessionPrincipal = SecurityContext.getCurrent().getSessionPrincipal();
        if (!(sessionPrincipal instanceof WebPrincipal)) {
            return principal;
        }
        WebPrincipal wrapper = (WebPrincipal) sessionPrincipal;
        // Identity comparison: only the same principal object counts, not an equal one.
        return wrapper.getCustomPrincipal() == principal ? wrapper : principal;
    }

    /**
     * Returns the subject already associated with the caller's session principal, if it can be reused.
     *
     * @param caller the caller whose principal is looked up
     * @return the reusable subject, or {@code null} when the caller principal does not resolve to a
     *         {@code WebPrincipal} or that principal's subject is not accepted for reuse
     */
    private Subject reuseSessionSubject(Caller caller) {
        Principal resolved = findPrincipalWrapper(caller.getCallerPrincipal());
        if (!(resolved instanceof WebPrincipal)) {
            return null;
        }
        return reuseWebPrincipal((WebPrincipal) resolved);
    }

    /**
     * Returns the subject held by a {@code WebPrincipal}'s security context when it still
     * consistently describes that principal.
     *
     * <p>The subject is accepted only if all of the following hold: the context has a caller
     * principal that is not the default caller principal; the subject carries exactly one
     * {@code DistinguishedPrincipalCredential} (looked up first among the public credentials, then
     * among the principals) naming that caller principal; the subject's principals contain the
     * caller principal; and the {@code WebPrincipal}'s name is non-null and equal to the caller
     * principal's name. The checks run in a privileged block.
     *
     * @param webPrincipal the session principal whose subject may be reused
     * @return the subject, or {@code null} when any check fails
     */
    private Subject reuseWebPrincipal(final WebPrincipal webPrincipal) {
        SecurityContext securityContext = webPrincipal.getSecurityContext();
        final Subject subject = securityContext != null ? securityContext.getSubject() : null;
        final Principal callerPrincipal = securityContext != null ? securityContext.getCallerPrincipal() : null;
        final Principal defaultCallerPrincipal = SecurityContext.getDefaultCallerPrincipal();
        return (Subject) AppservAccessController.doPrivileged(new PrivilegedAction<Subject>() {
            @Override
            public Subject run() {
                if (callerPrincipal == null || callerPrincipal.equals(defaultCallerPrincipal) || subject == null) {
                    return null;
                }

                boolean distinguished = false;
                Set<DistinguishedPrincipalCredential> amongCredentials = subject.getPublicCredentials(DistinguishedPrincipalCredential.class);
                if (amongCredentials.size() == 1) {
                    for (DistinguishedPrincipalCredential credential : amongCredentials) {
                        if (credential.getPrincipal().equals(callerPrincipal)) {
                            distinguished = true;
                        }
                    }
                }
                if (!distinguished) {
                    // Fall back to the principal set, which may hold the same marker object.
                    Set<DistinguishedPrincipalCredential> amongPrincipals = subject.getPrincipals(DistinguishedPrincipalCredential.class);
                    if (amongPrincipals.size() == 1) {
                        for (DistinguishedPrincipalCredential credential : amongPrincipals) {
                            if (credential.getPrincipal().equals(callerPrincipal)) {
                                distinguished = true;
                            }
                        }
                    }
                }

                if (!distinguished || !subject.getPrincipals().contains(callerPrincipal)) {
                    return null;
                }
                String wrapperName = webPrincipal.getName();
                if (wrapperName == null || !webPrincipal.getName().equals(callerPrincipal.getName())) {
                    return null;
                }
                return subject;
            }
        });
    }

    /**
     * Maps the caller's principal to the principal type used for the container login.
     *
     * <p>A principal that is not a {@code CallerPrincipal} is returned as is. A
     * {@code CallerPrincipal} without a name becomes the default caller principal; one with a name
     * becomes an {@code X500Principal} when this adapter's realm is named {@code "certificate"},
     * and a {@code UserNameAndPassword} principal otherwise.
     *
     * @param caller the caller to map
     * @return the mapped principal
     */
    private Principal getGlassFishCallerPrincipal(Caller caller) {
        Principal callerPrincipal = caller.getCallerPrincipal();
        if (!(callerPrincipal instanceof CallerPrincipal)) {
            return callerPrincipal;
        }
        if (callerPrincipal.getName() == null) {
            return SecurityContext.getDefaultCallerPrincipal();
        }
        if ("certificate".equals(this.realmName)) {
            return new X500Principal(callerPrincipal.getName());
        }
        return new UserNameAndPassword(callerPrincipal.getName());
    }

    /**
     * Adds all principals, public credentials and private credentials of one subject to another,
     * inside a privileged block.
     *
     * <p>Private credentials are copied too, so the target must be handled as carefully as the
     * source.
     *
     * @param subject the subject that receives the entries
     * @param subject2 the subject the entries are read from
     */
    public static void copySubject(Subject subject, Subject subject2) {
        final Subject target = subject;
        final Subject source = subject2;
        PriviledgedAccessController.privileged(() -> {
            target.getPrincipals().addAll(source.getPrincipals());
            target.getPublicCredentials().addAll(source.getPublicCredentials());
            target.getPrivateCredentials().addAll(source.getPrivateCredentials());
        });
    }

    /**
     * Adds one principal to a subject's principal set inside a privileged block.
     *
     * @param subject the subject to extend
     * @param principal the principal to add
     */
    public static void toSubject(Subject subject, Principal principal) {
        PriviledgedAccessController.privileged(() -> {
            boolean added = subject.getPrincipals().add(principal);
            return Boolean.valueOf(added);
        });
    }

    /**
     * Adds a set of principals to a subject's principal set inside a privileged block.
     *
     * @param subject the subject to extend
     * @param set the principals to add
     */
    public static void toSubject(Subject subject, Set<Principal> set) {
        PriviledgedAccessController.privileged(() -> {
            boolean changed = subject.getPrincipals().addAll(set);
            return Boolean.valueOf(changed);
        });
    }

    /**
     * Adds an object to a subject's public credentials inside a privileged block.
     *
     * @param subject the subject to extend
     * @param obj the credential to add; it goes into the public set, not the private one
     */
    public static void toSubjectCredential(Subject subject, Object obj) {
        PriviledgedAccessController.privileged(() -> {
            boolean added = subject.getPublicCredentials().add(obj);
            return Boolean.valueOf(added);
        });
    }

    /**
     * Removes every public credential of the given type from a subject, inside a privileged block.
     *
     * <p>Only the public credential set is touched.
     *
     * @param subject the subject to clean
     * @param cls the type whose instances are removed
     */
    public static void removeFromCredentials(Subject subject, Class<?> cls) {
        PriviledgedAccessController.privileged(() -> {
            subject.getPublicCredentials().removeIf(credential -> cls.isInstance(credential));
        });
    }

    /**
     * Tells whether the message info map asks for the authenticated session to be registered.
     *
     * @param map the message info map
     * @return {@code true} when the map contains the {@code REGISTER_WITH_AUTHENTICATOR} key (its
     *         value is not inspected) or its {@code REGISTER_SESSION} entry is the string "true"
     */
    private boolean shouldRegister(Map map) {
        if (map.containsKey(REGISTER_WITH_AUTHENTICATOR)) {
            return true;
        }
        return mapEntryToBoolean(HttpServletConstants.REGISTER_SESSION, map);
    }

    /**
     * Reads a map entry as a boolean.
     *
     * @param str the key to look up
     * @param map the map to read
     * @return the result of {@code Boolean.parseBoolean} when the entry is a {@code String};
     *         {@code false} when the entry is missing, null or of any other type
     */
    private boolean mapEntryToBoolean(String str, Map map) {
        // A missing key yields null, which fails the instanceof test just like a non-string value.
        Object value = map.get(str);
        return value instanceof String && Boolean.parseBoolean((String) value);
    }

    /**
     * Reads the provider id from the system property named by
     * {@code SYSTEM_HTTPSERVLET_SECURITY_PROVIDER}.
     *
     * @return the trimmed property value, or {@code null} when the property is unset or blank after
     *         trimming
     */
    private static String getDefaultSystemProviderID() {
        String configured = System.getProperty(SYSTEM_HTTPSERVLET_SECURITY_PROVIDER);
        if (configured == null) {
            return null;
        }
        String trimmed = configured.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

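    /**
     * Creates the web security manager for a bundle and commits its policy.
     *
     * <p>When {@code z} is set and the bundle is the admin GUI, a policy creation event is sent to
     * the probe provider. The context id is compared null-safely: other code in this class treats
     * {@code WebSecurityManager.getContextID} as possibly returning {@code null}, and a null id must
     * not turn an already committed policy into a reported failure.
     *
     * @param webBundleDescriptor the bundle to configure
     * @param z whether the probe event may be emitted
     * @throws RuntimeException wrapping any failure during manager creation or policy commit
     */
    protected void configureSecurity(WebBundleDescriptor webBundleDescriptor, boolean z) {
        try {
            this.webSecurityManagerFactory.createManager(webBundleDescriptor, true, this.serverContext).commitPolicy();
            String contextID = WebSecurityManager.getContextID(webBundleDescriptor);
            if (z && "__admingui/__admingui".equals(contextID)) {
                websecurityProbeProvider.policyCreationEvent(contextID);
            }
        } catch (Exception e) {
            throw new RuntimeException("Policy configuration failed!", e);
        }
    }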

    /**
     * Returns a security context for a principal.
     *
     * <p>A {@code WebPrincipal} supplies its own context. For any other principal a new context is
     * built, inside a privileged block, around a fresh subject that holds only that principal.
     *
     * @param principal the principal; may be {@code null}
     * @return the security context, or {@code null} for a {@code null} principal
     */
    private SecurityContext getSecurityContextForPrincipal(final Principal principal) {
        if (principal == null) {
            return null;
        }
        if (principal instanceof WebPrincipal) {
            return ((WebPrincipal) principal).getSecurityContext();
        }
        return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction<SecurityContext>() {
            @Override
            public SecurityContext run() {
                Subject holder = new Subject();
                holder.getPrincipals().add(principal);
                return new SecurityContext(principal.getName(), holder);
            }
        });
    }

    /**
     * Installs the security context of a {@code WebPrincipal} as the current one.
     *
     * @param principal the principal; anything that is not a {@code WebPrincipal} (including
     *        {@code null}) leaves the current context untouched
     */
    public void setCurrentSecurityContextWithWebPrincipal(Principal principal) {
        if (!(principal instanceof WebPrincipal)) {
            return;
        }
        SecurityContext.setCurrent(getSecurityContextForPrincipal(principal));
    }

    /**
     * Installs the security context derived from a principal as the current one.
     *
     * @param principal the principal; for {@code null}, {@code SecurityContext.setCurrent} is called
     *        with {@code null}
     */
    public void setCurrentSecurityContext(Principal principal) {
        SecurityContext derived = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(derived);
    }

    /**
     * Creates the authentication service once; later calls do nothing.
     *
     * <p>The method is {@code synchronized}, so concurrent callers on the same adapter create the
     * service only once.
     *
     * @param servletContext the servlet context passed to {@code createAuthenticationService}
     * @throws UncheckedIOException wrapping an {@code IOException} from the creation
     */
    public synchronized void initAuthenticationService(ServletContext servletContext) {
        if (this.authenticationService == null) {
            try {
                this.authenticationService = createAuthenticationService(servletContext);
            } catch (IOException creationFailure) {
                throw new UncheckedIOException(creationFailure);
            }
        }
    }

    /**
     * Returns the authentication service held by this adapter.
     *
     * @return the service, or {@code null} while it has not been assigned
     */
    public BaseAuthenticationService getAuthenticationService() {
        final BaseAuthenticationService service = this.authenticationService;
        return service;
    }

    /**
     * Caches the network listeners from the network configuration once this object is constructed.
     */
    @Override
    public void postConstruct() {
        // getHostAndPort compares the Host header against these listeners.
        this.networkListeners = this.networkConfig.getNetworkListeners();
    }

    /**
     * Determines the realm name for the web bundle.
     *
     * <p>Order of precedence: the application's realm; if that is {@code null}, the realm of the
     * login configuration; if the result is still empty and a default was given, that default.
     *
     * @param str the default realm name; may be {@code null}
     * @return the realm name, possibly {@code null} or empty when no source supplies one
     */
    private String findRealmName(String str) {
        String applicationRealm = this.webBundleDescriptor.getApplication().getRealm();
        LoginConfiguration loginConfiguration = this.webBundleDescriptor.getLoginConfiguration();

        String chosen = applicationRealm;
        if (chosen == null && loginConfiguration != null) {
            chosen = loginConfiguration.getRealmName();
        }
        return (str != null && Utility.isEmpty(chosen)) ? str : chosen;
    }

    /**
     * Rebuilds the map from servlet canonical name to run-as principal from the bundle descriptor.
     *
     * <p>Components without a run-as identity are skipped. A run-as element whose principal or
     * servlet name is null is ignored with a warning.
     */
    private void collectRunAsPrincipals() {
        this.runAsPrincipals = new HashMap<>();
        for (WebComponentDescriptor component : this.webBundleDescriptor.getWebComponentDescriptors()) {
            RunAsIdentityDescriptor runAsIdentity = component.getRunAsIdentity();
            if (runAsIdentity == null) {
                continue;
            }
            String principalName = runAsIdentity.getPrincipal();
            String servletName = component.getCanonicalName();
            if (Utility.isAnyNull(principalName, servletName)) {
                LOG.warning("WEB8080: Null run-as principal or servlet, ignoring run-as element.");
                continue;
            }
            this.runAsPrincipals.put(servletName, principalName);
            LOG.log(Level.FINE, "Servlet {0} will run-as: {1}", new Object[]{servletName, principalName});
        }
    }

    /**
     * Tells the caller whether the context has anything to protect.
     *
     * <p>The authentication service is initialised on demand first. {@code null} is returned only
     * when a web security manager exists, it reports no constrained resources and the security
     * extension is not enabled; in every other case, including a missing manager, the shared
     * {@code emptyConstraints} array is returned.
     *
     * @param context the web context
     * @return {@code null} or {@code emptyConstraints}, as described above
     */
    private SecurityConstraint[] findSecurityConstraints(Context context) {
        if (this.authenticationService == null) {
            initAuthenticationService(context.getServletContext());
        }
        WebSecurityManager manager = getWebSecurityManager(false);
        boolean nothingToProtect = manager != null
                && manager.hasNoConstrainedResources()
                && !isSecurityExtensionEnabled(context.getServletContext());
        return nothingToProtect ? null : emptyConstraints;
    }

    /**
     * Tells whether the request already carries a user principal.
     *
     * @param httpRequest the request, which is cast to {@code HttpServletRequest}
     * @return {@code true} when {@code getUserPrincipal()} is non-null
     */
    private boolean isRequestAuthenticated(HttpRequest httpRequest) {
        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        return servletRequest.getUserPrincipal() != null;
    }

    /**
     * Tells whether a Jakarta Authentication configuration is available for this application.
     *
     * @return {@code true} when the authentication service exists and returns a non-null server
     *         auth config
     * @throws IOException wrapping any exception raised while asking for the config
     */
    private boolean isJakartaAuthenticationEnabled() throws IOException {
        try {
            return this.authenticationService != null && this.authenticationService.getServerAuthConfig() != null;
        } catch (Exception lookupFailure) {
            throw new IOException(lookupFailure);
        }
    }

    /**
     * Builds the subject used for a certificate login.
     *
     * <p>Two public credentials are added: the subject DN of the first certificate in the array,
     * and the whole chain as a list. Nothing here validates the chain. An empty array makes the
     * element access fail with an index exception.
     *
     * @param x509CertificateArr the client certificate chain; element 0 is read
     * @return a new subject holding the two credentials
     */
    private Subject generateX500Subject(X509Certificate[] x509CertificateArr) {
        Subject certificateSubject = new Subject();
        Set<Object> publicCredentials = certificateSubject.getPublicCredentials();
        publicCredentials.add(x509CertificateArr[0].getSubjectX500Principal());
        publicCredentials.add(Arrays.asList(x509CertificateArr));
        return certificateSubject;
    }

    /**
     * Builds digest credentials from the request's digest parameters.
     *
     * <p>The parameters are generated, checked by {@code validateDigestParameters} (which rejects a
     * reused nonce count) and combined with the user name from the digest key. Any exception,
     * including a rejected replay, is logged and reported as {@code null}.
     *
     * @param httpServletRequest the request carrying the digest header
     * @return the credentials, or {@code null} when any step failed
     */
    private DigestCredentials generateDigestCredentials(HttpServletRequest httpServletRequest) {
        try {
            DigestAlgorithmParameter[] parameters = generateDigestParameters(httpServletRequest);
            validateDigestParameters(parameters);
            String userName = findDigestKey(parameters).getUsername();
            return new DigestCredentials(this.realmName, userName, parameters);
        } catch (Exception failure) {
            LOG.log(Level.WARNING, "WEB9102: Web Login Failed", (Throwable) failure);
            return null;
        }
    }

    /**
     * Generates the HTTP digest algorithm parameters for a request.
     *
     * @param httpServletRequest the request wrapped into an {@code HttpAlgorithmParameterImpl}
     * @return the parameters produced by the HTTP digest parameter generator
     * @throws InvalidAlgorithmParameterException if the generator rejects the request's parameters
     */
    private DigestAlgorithmParameter[] generateDigestParameters(HttpServletRequest httpServletRequest) throws InvalidAlgorithmParameterException {
        DigestParameterGenerator generator = DigestParameterGenerator.getInstance(DigestParameterGenerator.HTTP_DIGEST);
        return generator.generateParameters(new HttpAlgorithmParameterImpl(httpServletRequest));
    }

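    /**
     * Rejects a digest request whose nonce count does not increase for its client nonce.
     *
     * <p>The client nonce cache is resolved lazily, first from the per-application HA cache map and
     * otherwise from the cache factory. The client nonce and the nonce count are then read from the
     * parameters, looking into nested parameters as well.
     *
     * <p>The lookup, the comparison and the update of the cache entry run in one synchronized
     * section. Previously the entry was read and written in two separate sections, so two
     * concurrent requests with the same client nonce and count could both pass the comparison.
     * NOTE(review): the monitor only covers this JVM; if the cache is shared across instances the
     * comparison is still not atomic across them.
     *
     * @param digestAlgorithmParameterArr the digest parameters of the request
     * @throws RuntimeException when the nonce count is not greater than the stored one, or when it
     *         is missing or not a hexadecimal number (raised by {@code getCount})
     */
    private void validateDigestParameters(DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        if (this.cnonces == null) {
            String appName = this.webBundleDescriptor.getApplication().getAppName();
            synchronized (this) {
                if (this.haCNonceCacheMap == null) {
                    this.haCNonceCacheMap = this.appCNonceCacheMapProvider.get2();
                }
                if (this.haCNonceCacheMap != null) {
                    this.cnonces = this.haCNonceCacheMap.get(appName);
                }
                if (this.cnonces == null) {
                    if (this.cNonceCacheFactory == null) {
                        this.cNonceCacheFactory = this.cNonceCacheFactoryProvider.get2();
                    }
                    this.cnonces = this.cNonceCacheFactory.createCNonceCache(this.webBundleDescriptor.getApplication().getAppName(), null, null, null);
                }
            }
        }

        String cnonce = null;
        String nonceCount = null;
        for (DigestAlgorithmParameter parameter : digestAlgorithmParameterArr) {
            if (parameter instanceof NestedDigestAlgoParamImpl) {
                for (DigestAlgorithmParameter nested : (DigestAlgorithmParameter[]) ((NestedDigestAlgoParamImpl) parameter).getNestedParams()) {
                    if (Constants.CNONCE.equals(nested.getName())) {
                        cnonce = new String(nested.getValue());
                    } else if (Constants.NONCE_COUNT.equals(nested.getName())) {
                        nonceCount = new String(nested.getValue());
                    }
                    if (cnonce != null && nonceCount != null) {
                        break;
                    }
                }
                if (cnonce != null && nonceCount != null) {
                    break;
                }
            }
            if (Constants.CNONCE.equals(parameter.getName())) {
                cnonce = new String(parameter.getValue());
            } else if (Constants.NONCE_COUNT.equals(parameter.getName())) {
                nonceCount = new String(parameter.getValue());
            }
        }

        long currentTimeMillis = System.currentTimeMillis();
        // A missing or non-hexadecimal nonce count fails here, before the cache is touched.
        long count = getCount(nonceCount);
        // NOTE(review): cnonce may still be null here, in which case it is used as the cache key
        // as before; confirm whether such requests should be rejected instead.
        synchronized (this.cnonces) {
            NonceInfo nonceInfo = this.cnonces.get(cnonce);
            if (nonceInfo == null) {
                nonceInfo = new NonceInfo();
            } else if (count <= nonceInfo.getCount()) {
                throw new RuntimeException("Invalid Request : Possible Replay Attack detected ?");
            }
            nonceInfo.setCount(count);
            nonceInfo.setTimestamp(currentTimeMillis);
            this.cnonces.put(cnonce, nonceInfo);
        }
    }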

    /**
     * Parses a digest nonce count, which is written in hexadecimal.
     *
     * @param str the nonce count text
     * @return the parsed value
     * @throws RuntimeException wrapping the {@code NumberFormatException} when the text is
     *         {@code null} or not a hexadecimal number
     */
    private long getCount(String str) {
        final long parsed;
        try {
            parsed = Long.parseLong(str, 16);
        } catch (NumberFormatException notHex) {
            throw new RuntimeException(notHex);
        }
        return parsed;
    }

    /**
     * Finds the digest key among the parameters.
     *
     * @param digestAlgorithmParameterArr the digest parameters of the request
     * @return the first parameter that is named {@code Constants.A1} and is a {@code Key}
     * @throws RuntimeException when no such parameter exists
     */
    private Key findDigestKey(DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        for (DigestAlgorithmParameter candidate : digestAlgorithmParameterArr) {
            if (!Constants.A1.equals(candidate.getName())) {
                continue;
            }
            if (candidate instanceof Key) {
                return (Key) candidate;
            }
        }
        throw new RuntimeException("No key found in parameters");
    }
}
