package org.jcors.web;

import java.io.IOException;
import java.util.Iterator;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jcors.config.JCorsConfig;
import org.jcors.model.CorsHeaders;
import org.jcors.util.Constraint;

/* loaded from: input_file:org/jcors/web/ActualRequestHandler.class */
public class ActualRequestHandler implements RequestHandler {
    @Override // org.jcors.web.RequestHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, JCorsConfig jCorsConfig) throws IOException, ServletException {
        String checkOriginHeader = checkOriginHeader(httpServletRequest, jCorsConfig);
        if (jCorsConfig.isCredentialsSupported()) {
            httpServletResponse.setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER, "true");
        }
        if (jCorsConfig.hasNotSimpleResponseHeadersExposed()) {
            Iterator<String> it = jCorsConfig.getExposedHeaders().iterator();
            while (it.hasNext()) {
                httpServletResponse.addHeader(CorsHeaders.ACCESS_CONTROL_EXPOSE_HEADERS_HEADER, it.next());
            }
        }
        httpServletResponse.setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, checkOriginHeader);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    private String checkOriginHeader(HttpServletRequest httpServletRequest, JCorsConfig jCorsConfig) {
        String header = httpServletRequest.getHeader(CorsHeaders.ORIGIN_HEADER);
        Constraint.ensureNotEmpty(header, "Cross-Origin requests must specify an Origin Header");
        for (String str : header.split(" ")) {
            Constraint.ensureTrue(jCorsConfig.isOriginAllowed(str), String.format("The specified origin is not allowed: '%s'", str));
        }
        return header;
    }
}
