package org.springframework.security.config.http;

import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.openjpa.persistence.query.AbstractVisitable;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.SessionManagementFilter;

/* loaded from: input_file:WEB-INF/lib/spring-security-config-3.0.5.RELEASE.jar:org/springframework/security/config/http/DefaultFilterChainValidator.class */
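/**
 * Sanity-checks the filter chains held by a {@link FilterChainProxy} and reports
 * likely configuration mistakes through the logger.
 *
 * <p>Two checks are performed:
 * <ul>
 * <li>each chain is scanned for more than one instance of the core security filters;</li>
 * <li>if the default chain redirects to a login form, access to that form URL is
 * simulated for an anonymous user.</li>
 * </ul>
 *
 * <p>Findings are only logged (WARN for probable errors, INFO/DEBUG otherwise); nothing here
 * blocks start-up or changes the configuration. Deployments that rely on these checks need
 * the WARN output of this logger to be visible to whoever reviews the configuration.
 */
public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator {
    private final Log logger = LogFactory.getLog(getClass());

    /**
     * Runs the duplicate-filter check on every chain, then the login page check on the
     * chain registered under the matcher's universal match pattern.
     *
     * @param filterChainProxy the proxy whose filter chain map is inspected
     */
    @Override
    public void validate(FilterChainProxy filterChainProxy) {
        Map<String, List<Filter>> filterChainMap = filterChainProxy.getFilterChainMap();
        for (List<Filter> chain : filterChainMap.values()) {
            checkFilterStack(chain);
        }
        checkLoginPageIsntProtected(filterChainProxy,
                filterChainMap.get(filterChainProxy.getMatcher().getUniversalMatchPattern()));
    }

    /**
     * Returns the first filter in {@code filters} that is an instance of {@code type}.
     *
     * @param type    the filter class (or superclass) to look for
     * @param filters the chain to search; may be {@code null}
     * @return the first matching filter, or {@code null} if the chain is {@code null} or has no match
     */
    private <T> T getFilter(Class<T> type, List<Filter> filters) {
        if (filters == null) {
            return null;
        }
        for (Filter filter : filters) {
            if (type.isInstance(filter)) {
                return type.cast(filter);
            }
        }
        return null;
    }

    /**
     * Warns about filter types that are expected at most once per chain but occur twice.
     *
     * @param list the chain to inspect; a {@code null} chain is skipped
     */
    private void checkFilterStack(List<Filter> list) {
        if (list == null) {
            return;
        }
        checkForDuplicates(SecurityContextPersistenceFilter.class, list);
        checkForDuplicates(UsernamePasswordAuthenticationFilter.class, list);
        checkForDuplicates(SessionManagementFilter.class, list);
        checkForDuplicates(BasicAuthenticationFilter.class, list);
        checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, list);
        checkForDuplicates(ExceptionTranslationFilter.class, list);
        checkForDuplicates(FilterSecurityInterceptor.class, list);
    }

    /**
     * Logs one warning naming the positions of the first two filters in {@code list} that are
     * instances of {@code cls}. Further duplicates of the same type are not reported.
     */
    private void checkForDuplicates(Class<? extends Filter> cls, List<Filter> list) {
        int first = -1;
        for (int i = 0; i < list.size(); i++) {
            if (!cls.isInstance(list.get(i))) {
                continue;
            }
            if (first < 0) {
                first = i;
            } else {
                this.logger.warn("Possible error: Filters at position " + first + " and " + i + " are both instances of " + cls.getName());
                return;
            }
        }
    }

    /**
     * Checks whether the configured login form URL can be reached by an unauthenticated user.
     *
     * <p>The check only applies when the default chain's {@link ExceptionTranslationFilter} uses a
     * {@link LoginUrlAuthenticationEntryPoint}. It looks up the access attributes for the login
     * URL and asks the interceptor's access decision manager to decide for a throw-away
     * anonymous token. A rejection is logged as a warning, because a protected login page
     * leaves users unable to authenticate.
     *
     * <p>Limits of the simulation, worth knowing when triaging its warnings:
     * <ul>
     * <li>attributes are looked up for the {@code POST} method only, so rules that differ for
     * other HTTP methods are not exercised;</li>
     * <li>the secured object passed to the decision manager is a bare {@code Object}, not a real
     * request; a voter that needs request details may fail on it, and that failure is reported
     * the same way as a genuine denial (NOTE(review): inferred from the broad catch below;
     * confirm against the voters in use).</li>
     * </ul>
     *
     * @param filterChainProxy the proxy used to resolve the chain that serves the login URL
     * @param list             the default (universal match) chain; may be {@code null}
     */
    private void checkLoginPageIsntProtected(FilterChainProxy filterChainProxy, List<Filter> list) {
        ExceptionTranslationFilter exceptionTranslationFilter = getFilter(ExceptionTranslationFilter.class, list);
        if (exceptionTranslationFilter == null) {
            // No default chain, or no ExceptionTranslationFilter in it: there is no entry point to inspect.
            this.logger.debug("No ExceptionTranslationFilter found in the default filter chain; skipping login page check");
            return;
        }
        Object entryPoint = exceptionTranslationFilter.getAuthenticationEntryPoint();
        if (!(entryPoint instanceof LoginUrlAuthenticationEntryPoint)) {
            return;
        }
        String loginFormUrl = ((LoginUrlAuthenticationEntryPoint) entryPoint).getLoginFormUrl();
        List<Filter> filters = filterChainProxy.getFilters(loginFormUrl);
        this.logger.info("Checking whether login URL '" + loginFormUrl + "' is accessible with your configuration");
        if (filters == null || filters.isEmpty()) {
            this.logger.debug("Filter chain is empty for the login page");
            return;
        }
        if (getFilter(DefaultLoginPageGeneratingFilter.class, filters) != null) {
            this.logger.debug("Default generated login page is in use");
            return;
        }
        FilterSecurityInterceptor filterSecurityInterceptor = getFilter(FilterSecurityInterceptor.class, filters);
        if (filterSecurityInterceptor == null) {
            // Without an interceptor this chain applies no URL access rules to the login page.
            this.logger.debug("No FilterSecurityInterceptor in the filter chain for the login page; skipping access check");
            return;
        }
        Object metadataSource = filterSecurityInterceptor.getSecurityMetadataSource();
        if (!(metadataSource instanceof DefaultFilterInvocationSecurityMetadataSource)) {
            // A custom metadata source cannot be queried by URL here, so the result is unknown, not "safe".
            this.logger.debug("Security metadata source is not a DefaultFilterInvocationSecurityMetadataSource; unable to check login page access");
            return;
        }
        DefaultFilterInvocationSecurityMetadataSource defaultFilterInvocationSecurityMetadataSource =
                (DefaultFilterInvocationSecurityMetadataSource) metadataSource;
        if (defaultFilterInvocationSecurityMetadataSource.lookupAttributes(loginFormUrl, "POST") == null) {
            this.logger.debug("No access attributes defined for login page URL");
            if (filterSecurityInterceptor.isRejectPublicInvocations()) {
                this.logger.warn("FilterSecurityInterceptor is configured to reject public invocations. Your login page may not be accessible.");
            }
            return;
        }
        AnonymousAuthenticationFilter anonymousAuthenticationFilter = getFilter(AnonymousAuthenticationFilter.class, filters);
        if (anonymousAuthenticationFilter == null) {
            this.logger.warn("The login page is being protected by the filter chain, but you don't appear to have anonymous authentication enabled. This is almost certainly an error.");
            return;
        }
        try {
            // The token is built only for this simulated decision; "key" is a placeholder and the
            // token is never handed to anything but decide().
            filterSecurityInterceptor.getAccessDecisionManager().decide(new AnonymousAuthenticationToken("key", anonymousAuthenticationFilter.getUserAttribute().getPassword(), anonymousAuthenticationFilter.getUserAttribute().getAuthorities()), new Object(), defaultFilterInvocationSecurityMetadataSource.lookupAttributes(loginFormUrl, "POST"));
        } catch (Exception e) {
            // Deliberately broad: any failure of the simulated decision is surfaced as a warning
            // rather than aborting validation. The closing ")" is written literally instead of
            // borrowing an unrelated library constant.
            this.logger.warn("Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: " + e + ")");
        }
    }
}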
