package org.apache.geronimo.jetty.interceptor;

import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import org.apache.geronimo.common.DeploymentException;
import org.apache.geronimo.common.GeronimoSecurityException;
import org.apache.geronimo.jetty.JAASJettyPrincipal;
import org.apache.geronimo.jetty.JAASJettyRealm;
import org.apache.geronimo.jetty.JettyContainer;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.IdentificationPrincipal;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
import org.apache.geronimo.security.util.ConfigurationUtil;
import org.mortbay.http.Authenticator;
import org.mortbay.http.HttpException;
import org.mortbay.http.HttpRequest;
import org.mortbay.http.HttpResponse;
import org.mortbay.http.SecurityConstraint;
import org.mortbay.jetty.servlet.FormAuthenticator;
import org.mortbay.jetty.servlet.ServletHttpRequest;

/* loaded from: input_file:org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.class */
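/**
 * Per-request security interceptor for one Jetty web application.
 * <p>
 * {@link #before} saves the caller's JACC policy context ID and the previously current
 * interceptor into the request-scoped {@code Object[]} slots it was configured with, installs
 * this web application's policy context ID and itself, and hands the servlet request to
 * {@link PolicyContext#setHandlerData}. {@link #after} restores both saved values in reverse
 * order so nested contexts unwind correctly. {@link #checkSecurityConstraints} performs the
 * actual authentication and JACC authorization of a request.
 * <p>
 * All instance fields are final after construction; the only mutable state is the
 * per-thread {@code currentWebAppContext}, whose accessors are guarded by
 * {@code SecurityManager} permission checks.
 */
public class SecurityContextBeforeAfter implements BeforeAfter {
    /** Next interceptor in the chain, or {@code null} when this is the last one. */
    private final BeforeAfter next;
    /** Slot in the per-request context array holding the caller's saved policy context ID. */
    private final int policyContextIDIndex;
    /** Slot in the per-request context array holding the previously current interceptor. */
    private final int webAppContextIndex;
    /** JACC policy context ID of the web application guarded by this interceptor. */
    private final String policyContextID;
    /** Interceptor currently active on this thread; read/written only via the guarded accessors below. */
    private static final ThreadLocal<SecurityContextBeforeAfter> currentWebAppContext =
            new ThreadLocal<SecurityContextBeforeAfter>();
    /** Identity a request runs as when no user is authenticated and none is required. */
    private final JAASJettyPrincipal defaultPrincipal;
    /** Form-login page path with any query string removed, or {@code null} when FORM auth is not in use. */
    private final String formLoginPath;
    /** Permissions of resources whose access must go through authentication. */
    private final PermissionCollection checked;
    /** Permissions of resources declared excluded (never accessible). */
    private final PermissionCollection excludedPermissions;
    private final Authenticator authenticator;
    private final JAASJettyRealm realm;

    /**
     * Creates the interceptor and registers its default subject with the {@link ContextManager}.
     *
     * @param beforeAfter          next interceptor in the chain, may be {@code null}
     * @param policyContextIDIndex slot in the per-request context array for the saved policy context ID
     * @param webAppContextIndex   slot in the per-request context array for the saved interceptor
     * @param policyContextID      JACC policy context ID of this web application
     * @param defaultPrincipal     deployment descriptor of the default principal; must not be {@code null}
     * @param authenticator        Jetty authenticator for this web application; must not be {@code null}
     * @param checked              permissions of resources that require authentication
     * @param excludedPermissions  permissions of resources that are excluded
     * @param realm                realm the authenticator authenticates against; must not be {@code null}
     * @param classLoader          class loader used to materialize the default subject
     * @throws GeronimoSecurityException if the default principal cannot be generated
     */
    public SecurityContextBeforeAfter(BeforeAfter beforeAfter, int policyContextIDIndex, int webAppContextIndex, String policyContextID, DefaultPrincipal defaultPrincipal, Authenticator authenticator, PermissionCollection checked, PermissionCollection excludedPermissions, JAASJettyRealm realm, ClassLoader classLoader) {
        assert realm != null;
        assert authenticator != null;
        this.next = beforeAfter;
        this.policyContextIDIndex = policyContextIDIndex;
        this.webAppContextIndex = webAppContextIndex;
        this.policyContextID = policyContextID;
        // generateDefaultPrincipal is protected and overridable yet runs before construction
        // completes; an override must not depend on subclass state.
        this.defaultPrincipal = generateDefaultPrincipal(defaultPrincipal, classLoader);
        this.checked = checked;
        this.excludedPermissions = excludedPermissions;
        if (authenticator instanceof FormAuthenticator) {
            // Requests for the login page itself bypass the constraint check; the comparison in
            // checkSecurityConstraints is done without the query string, so strip it here too.
            // A FormAuthenticator with no login page fails fast here with a NullPointerException.
            this.formLoginPath = stripQueryString(((FormAuthenticator) authenticator).getLoginPage());
        } else {
            this.formLoginPath = null;
        }
        this.authenticator = authenticator;
        // Make the default subject known to the ContextManager and tag it with its subject id.
        Subject defaultSubject = this.defaultPrincipal.getSubject();
        ContextManager.registerSubject(defaultSubject);
        defaultSubject.getPrincipals().add(new IdentificationPrincipal(ContextManager.getSubjectId(defaultSubject)));
        this.realm = realm;
    }

    /**
     * Undoes the constructor's registrations: unregisters the default subject and removes this
     * web application's realm from the container.
     *
     * @param jettyContainer container the realm was registered with
     */
    public void stop(JettyContainer jettyContainer) {
        ContextManager.unregisterSubject(this.defaultPrincipal.getSubject());
        jettyContainer.removeRealm(this.realm.getSecurityRealmName());
    }

    /**
     * Installs this web application's security context for the current request.
     * The caller's policy context ID and the previously current interceptor are saved into
     * {@code context} so {@link #after} can restore them.
     *
     * @param context      per-request slot array shared by the interceptor chain
     * @param httpRequest  current request, may be {@code null}
     * @param httpResponse current response
     */
    @Override
    public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse) {
        context[this.policyContextIDIndex] = PolicyContext.getContextID();
        context[this.webAppContextIndex] = getCurrentSecurityInterceptor();
        PolicyContext.setContextID(this.policyContextID);
        setCurrentSecurityInterceptor(this);
        if (httpRequest != null) {
            // Expose the servlet request as JACC handler data for the duration of the request.
            PolicyContext.setHandlerData((ServletHttpRequest) httpRequest.getWrapper());
        }
        if (this.next != null) {
            this.next.before(context, httpRequest, httpResponse);
        }
    }

    /**
     * Restores the security context saved by {@link #before}, after letting the rest of the
     * chain run its own {@code after}. Restoration happens in reverse order of installation.
     *
     * @param context      per-request slot array shared by the interceptor chain
     * @param httpRequest  current request
     * @param httpResponse current response
     */
    @Override
    public void after(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse) {
        if (this.next != null) {
            this.next.after(context, httpRequest, httpResponse);
        }
        setCurrentSecurityInterceptor((SecurityContextBeforeAfter) context[this.webAppContextIndex]);
        PolicyContext.setContextID((String) context[this.policyContextIDIndex]);
    }

    /**
     * Sets the interceptor current on this thread.
     *
     * @throws SecurityException if a {@code SecurityManager} is installed and the caller lacks
     *                           {@link ContextManager#SET_CONTEXT}
     */
    private static void setCurrentSecurityInterceptor(SecurityContextBeforeAfter interceptor) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(ContextManager.SET_CONTEXT);
        }
        currentWebAppContext.set(interceptor);
    }

    /**
     * Returns the interceptor current on this thread, or {@code null} if none is installed.
     *
     * @throws SecurityException if a {@code SecurityManager} is installed and the caller lacks
     *                           {@link ContextManager#GET_CONTEXT}
     */
    private static SecurityContextBeforeAfter getCurrentSecurityInterceptor() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(ContextManager.GET_CONTEXT);
        }
        return currentWebAppContext.get();
    }

    /**
     * Authenticates the request and authorizes it against this web application's JACC permissions.
     *
     * @param pathInContext request path relative to the context, possibly carrying a query string
     * @param httpRequest   current request
     * @param httpResponse  current response; receives the error status when access is denied
     * @return {@code true} if the request may proceed; {@code false} if it was rejected, in
     *         which case an error response (or an authentication challenge) has already been
     *         written to {@code httpResponse}
     * @throws HttpException propagated from the servlet request wrapper
     * @throws IOException   if writing the error response fails
     */
    public boolean checkSecurityConstraints(String pathInContext, HttpRequest httpRequest, HttpResponse httpResponse) throws HttpException, IOException {
        // The form login page itself must stay reachable, otherwise nobody could ever log in.
        if (this.formLoginPath != null && stripQueryString(pathInContext).equals(this.formLoginPath)) {
            return true;
        }
        try {
            ServletHttpRequest servletHttpRequest = (ServletHttpRequest) httpRequest.getWrapper();
            WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest);
            WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest);
            Principal user = obtainUser(pathInContext, httpRequest, httpResponse, resourcePermission, dataPermission);
            if (user == null) {
                // No user established; presumably the authenticator has already acted on the
                // response (challenge or redirect) — confirm against the Authenticator in use.
                return false;
            }
            if (user == SecurityConstraint.__NOBODY) {
                // Jetty's sentinel: the authenticator decided this path needs no credentials
                // (e.g. its own pages). It skips the JACC checks below — confirm that is intended
                // for every path the configured authenticator returns it on.
                return true;
            }
            // Both JACC checks run against the caller's context; an excluded or unauthorized
            // resource surfaces as an AccessControlException.
            AccessControlContext callerContext = ContextManager.getCurrentContext();
            callerContext.checkPermission(dataPermission);
            callerContext.checkPermission(resourcePermission);
            return true;
        } catch (HttpException e) {
            httpResponse.sendError(e.getCode(), e.getReason());
            return false;
        } catch (AccessControlException e) {
            // Deny with a bare 403 Forbidden; the exception detail is deliberately not sent to the client.
            httpResponse.sendError(403);
            return false;
        }
    }

    /**
     * Determines the principal on whose behalf the request runs.
     * <p>
     * A resource that is neither unchecked nor excluded is authenticated normally, letting the
     * authenticator challenge or redirect through the response. Otherwise an already established
     * identity is picked up if present, and the default principal is used as a last resort.
     *
     * @param pathInContext      request path relative to the context
     * @param httpRequest        current request, may be {@code null}
     * @param httpResponse       current response
     * @param resourcePermission JACC resource permission for the request
     * @param dataPermission     JACC user-data permission for the request
     * @return the authenticated principal, {@link SecurityConstraint#__NOBODY}, the default
     *         principal, or {@code null} when the authenticator produced no user
     * @throws IOException if the authenticator fails to write to the response
     */
    private Principal obtainUser(String pathInContext, HttpRequest httpRequest, HttpResponse httpResponse, WebResourcePermission resourcePermission, WebUserDataPermission dataPermission) throws IOException {
        boolean unchecked = !(this.checked.implies(resourcePermission) || this.checked.implies(dataPermission));
        boolean excluded = this.excludedPermissions.implies(resourcePermission) || this.excludedPermissions.implies(dataPermission);
        if (!unchecked && !excluded) {
            // Constrained resource: full authentication with the real response.
            return this.authenticator.authenticate(this.realm, pathInContext, httpRequest, httpResponse);
        }
        if (this.authenticator instanceof FormAuthenticator && pathInContext.endsWith("j_security_check")) {
            // The form-login submission target must always reach the authenticator.
            return this.authenticator.authenticate(this.realm, pathInContext, httpRequest, httpResponse);
        }
        if (httpRequest != null) {
            // Unchecked or excluded resource: reuse an identity the request already carries.
            // The null response presumably keeps the authenticator from issuing a challenge —
            // confirm against the Authenticator implementations in use.
            Principal authenticated = this.authenticator.authenticate(this.realm, pathInContext, httpRequest, (HttpResponse) null);
            if (authenticated != null) {
                return authenticated;
            }
        }
        // No identity: run as the default principal. Excluded resources are not rejected here;
        // the caller's subsequent JACC checkPermission is relied on to deny them.
        ContextManager.setCallers(this.defaultPrincipal.getSubject(), this.defaultPrincipal.getSubject());
        return this.defaultPrincipal;
    }

    /**
     * Builds the principal used for unauthenticated requests from the deployment descriptor.
     * Invoked from the constructor before construction completes.
     *
     * @param defaultPrincipal deployment descriptor of the default principal
     * @param classLoader      class loader used to materialize the subject
     * @return a principal named {@code "default"} carrying the generated subject
     * @throws GeronimoSecurityException if {@code defaultPrincipal} is {@code null} or the
     *                                   subject cannot be generated
     */
    protected JAASJettyPrincipal generateDefaultPrincipal(DefaultPrincipal defaultPrincipal, ClassLoader classLoader) throws GeronimoSecurityException {
        if (defaultPrincipal == null) {
            throw new GeronimoSecurityException("Unable to generate default principal");
        }
        try {
            JAASJettyPrincipal principal = new JAASJettyPrincipal("default");
            principal.setSubject(ConfigurationUtil.generateDefaultSubject(defaultPrincipal, classLoader));
            return principal;
        } catch (DeploymentException e) {
            throw new GeronimoSecurityException("Unable to generate default principal", e);
        }
    }

    /**
     * Returns {@code path} without its query string. A {@code '?'} at index 0 is not treated as
     * a separator, matching the comparison rule used for the form login page.
     *
     * @param path request or login-page path, not {@code null}
     * @return the path up to (excluding) the first {@code '?'} found after index 0
     */
    private static String stripQueryString(String path) {
        int query = path.indexOf('?');
        return query > 0 ? path.substring(0, query) : path;
    }
}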
