package org.ow2.jonas.web.tomcat6.security;

import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.Constants;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.servlets.WebdavStatus;
import org.apache.catalina.util.StringManager;
import org.apache.tomcat.util.http.BaseRequest;
import org.ow2.jonas.deployment.web.ServletDesc;
import org.ow2.jonas.deployment.web.WebContainerDeploymentDesc;
import org.ow2.jonas.lib.security.auth.JSigned;
import org.ow2.jonas.lib.security.context.SecurityContext;
import org.ow2.jonas.lib.security.context.SecurityCurrent;
import org.ow2.jonas.security.SecurityService;
import org.ow2.jonas.security.auth.callback.NoInputCallbackHandler;
import org.ow2.jonas.security.realm.factory.JResource;
import org.ow2.jonas.security.realm.factory.JResourceException;
import org.ow2.jonas.security.realm.principal.JUser;
import org.ow2.jonas.web.base.lib.PermissionManager;
import org.ow2.jonas.web.tomcat6.JOnASStandardContext;
import org.ow2.util.log.Log;
import org.ow2.util.log.LogFactory;

/* loaded from: input_file:org/ow2/jonas/web/tomcat6/security/Realm.class */
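/**
 * JOnAS realm for the Tomcat 6 web container.
 *
 * Authentication is delegated either to a JOnAS security resource ({@code resourceName},
 * resolved through the {@link SecurityService} at {@link #start()}) or, when no resource is
 * configured, to a JAAS login configuration entry ({@code jaasEntry}, default {@code "tomcat"}).
 * Authorization (web resource, user-data and role-ref checks) is delegated to the
 * {@link PermissionManager} installed by the JOnAS deployer; without one every check
 * fails closed.
 *
 * Every successful authentication also publishes a JOnAS {@link SecurityContext} on the
 * current thread through {@link SecurityCurrent}.
 */
public class Realm extends RealmBase implements Cloneable {

    /** JAAS configuration entry used when no {@code jaasEntry} attribute is configured. */
    private static final String DEFAULT_JAAS_ENTRY_NAME = "tomcat";

    /** Simple class name; default label in log messages and value of {@link #getName()}. */
    private static final String NAME = Realm.class.getSimpleName();

    /** Descriptive information string returned by {@link #getInfo()}. */
    private static final String INFO = Realm.class.getName() + "/1.0";

    /** Tomcat's realm message bundle, used for the "forbidden" error text. */
    private static final StringManager sm = StringManager.getManager(Constants.Package);

    private static final Log logger = LogFactory.getLog(Realm.class);

    /** Security resource resolved at start from {@link #resourceName}; null when JAAS is used. */
    private JResource jResource = null;

    /** Name of the JOnAS security resource to authenticate against (optional). */
    private String resourceName = null;

    /** JAAS login-configuration entry used when {@link #resourceName} is not set. */
    private String jaasEntry = DEFAULT_JAAS_ENTRY_NAME;

    private SecurityService securityService = null;

    /** Authorization back-end set by the JOnAS deployer; null when only Tomcat deploys the webapp. */
    private PermissionManager permissionManager = null;

    /**
     * Request most recently seen by {@link #hasResourcePermission} / {@link #hasUserDataPermission}
     * on this thread. {@link #hasRole} and the run-as lookup need it to derive the servlet name,
     * because the Tomcat {@code hasRole(Principal, String)} contract carries no request.
     *
     * NOTE(review): the value is set but never removed, so on a pooled thread it outlives the
     * request; a role check made on a thread that has not gone through a constraint check for
     * the current request resolves the servlet name against a stale request.
     */
    private ThreadLocal<Request> lastRequestThread = new ThreadLocal<Request>();

    /** Web application this realm is attached to; set by {@link #setContext(Context)}. */
    private Context context = null;

    /** Label prefixed to log messages; rebuilt by {@link #setContext(Context)}. */
    private String realmName = NAME;

    @Override
    public String getInfo() {
        return INFO;
    }

    public String getResourceName() {
        return this.resourceName;
    }

    public void setResourceName(String resourceName) {
        this.resourceName = resourceName;
    }

    public String getJaasEntry() {
        return this.jaasEntry;
    }

    public void setJaasEntry(String jaasEntry) {
        this.jaasEntry = jaasEntry;
    }

    public void setPermissionManager(PermissionManager permissionManager) {
        this.permissionManager = permissionManager;
    }

    public PermissionManager getPermissionManager() {
        return this.permissionManager;
    }

    /** Constraint lookup is left entirely to Tomcat's {@link RealmBase}. */
    @Override
    public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
        return super.findSecurityConstraints(request, context);
    }

    /**
     * Decides whether the current user may access the requested resource.
     *
     * The {@code securityConstraintArr} computed by Tomcat is not used: the decision is made
     * by the {@link PermissionManager} (user name and roles of the authenticated
     * {@link GenericPrincipal}, or none when the request is unauthenticated). The FORM login
     * page, error page and {@code j_security_check} action are always allowed so that the
     * login round-trip itself is reachable.
     *
     * @return true when access is granted; false after a 403 has been sent on the response
     * @throws IOException if the error response cannot be written
     */
    @Override
    public boolean hasResourcePermission(Request request, Response response,
            SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        // Remembered for hasRole(), which gets no request from Tomcat.
        this.lastRequestThread.set(request);

        if (isFormLoginResource(request, context)) {
            return true;
        }

        String userName = null;
        String[] roles = null;
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal instanceof GenericPrincipal) {
            roles = ((GenericPrincipal) userPrincipal).getRoles();
            userName = userPrincipal.getName();
        }

        if (this.permissionManager == null) {
            logger.error("{0}: No permission manager is set. Realm used without using the JOnAS deployer but only Tomcat.",
                    new Object[]{this.realmName});
            // Fail closed: a 'false' result must leave an error status on the response,
            // otherwise the container finishes the request with whatever status is already set.
            response.sendError(WebdavStatus.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
            return false;
        }

        boolean granted = this.permissionManager.checkWebResourcePermission(request, userName, roles);
        if (!granted) {
            response.sendError(WebdavStatus.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
        }
        return granted;
    }

    /**
     * Returns true when the request targets one of the FORM-authentication resources
     * (login page, error page, or any URI ending in {@code /j_security_check}) of a context
     * whose login configuration uses the FORM method. Such requests bypass the permission check.
     */
    private boolean isFormLoginResource(Request request, Context context) {
        LoginConfig loginConfig = context.getLoginConfig();
        if (loginConfig == null || !"FORM".equals(loginConfig.getAuthMethod())) {
            return false;
        }
        String requestUri = request.getDecodedRequestURI();

        String loginPage = context.getPath() + loginConfig.getLoginPage();
        if (loginPage.equals(requestUri)) {
            logger.debug("{0}: Allow access to login page {1}", new Object[]{this.realmName, loginPage});
            return true;
        }
        String errorPage = context.getPath() + loginConfig.getErrorPage();
        if (errorPage.equals(requestUri)) {
            logger.debug("{0}: Allow access to error page {1}", new Object[]{this.realmName, errorPage});
            return true;
        }
        // Matched by suffix, so the action is accepted under any path of the application.
        if (requestUri.endsWith("/j_security_check")) {
            logger.debug("{0}: Allow access to username/password submission", new Object[]{this.realmName});
            return true;
        }
        return false;
    }

    /**
     * {@code isUserInRole()} support: checks the role reference {@code role} for the servlet
     * handling the request last seen on this thread, through the {@link PermissionManager}.
     *
     * @return false when the principal is not a {@link GenericPrincipal}, the role is null,
     *         no context or request is known on this thread, or no permission manager is set
     */
    @Override
    public boolean hasRole(Principal principal, String role) {
        if (role == null || !(principal instanceof GenericPrincipal)) {
            return false;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("{0}: Principal = {1}", new Object[]{this.realmName, principal});
            logger.debug("{0}: Role = {1}", new Object[]{this.realmName, role});
        }
        if (this.context == null) {
            logger.error("{0}: Cannot find a servlet name for isUserInRole() as no context was found",
                    new Object[]{this.realmName});
            return false;
        }
        Request request = this.lastRequestThread.get();
        if (request == null) {
            logger.error("{0}: Cannot find a servlet name for isUserInRole(). No previous request !",
                    new Object[]{this.realmName});
            return false;
        }
        if (this.permissionManager == null) {
            logger.error("{0}: No permission manager is set. Using this realm without using the JOnAS deployer but only Tomcat.",
                    new Object[]{this.realmName});
            return false;
        }
        String servletName = findServletName(request);
        GenericPrincipal genericPrincipal = (GenericPrincipal) principal;
        return this.permissionManager.checkWebRoleRefPermission(request, servletName,
                genericPrincipal.getName(), genericPrincipal.getRoles(), role);
    }

    /**
     * Resolves the name of the servlet mapped to the request path (path within the context).
     *
     * Only exact matches and extension patterns ({@code *.ext}) are recognised; a path-prefix
     * mapping such as {@code /foo/*} never matches, so requests under it resolve to the unnamed
     * servlet ({@code ""}), as does the JSP servlet. NOTE(review): role-ref and run-as lookups
     * therefore never apply to prefix-mapped servlets — confirm this is intended.
     *
     * @return the servlet name, {@code ""} when nothing matches, or null when the request,
     *         its URI or its context path is null
     */
    private String findServletName(Request request) {
        if (request == null || request.getRequestURI() == null || request.getContextPath() == null) {
            return null;
        }
        String pathInContext = request.getRequestURI().substring(request.getContextPath().length());
        if (logger.isDebugEnabled()) {
            logger.debug("{0}: User Pattern = {1}", new Object[]{this.realmName, pathInContext});
        }

        String matchedPattern = null;
        for (String pattern : this.context.findServletMappings()) {
            if (logger.isDebugEnabled()) {
                logger.debug("{0}: Pattern found = {1}", new Object[]{this.realmName, pattern});
                logger.debug("{0}: Servlet name for pattern = {1}",
                        new Object[]{this.realmName, this.context.findServletMapping(pattern)});
            }
            boolean extensionMatch = pattern.startsWith("*.") && pathInContext.endsWith(pattern.substring(1));
            if (extensionMatch || pattern.equals(pathInContext)) {
                matchedPattern = pattern;
                break;
            }
        }
        if (matchedPattern == null) {
            return "";
        }

        String servletName = this.context.findServletMapping(matchedPattern);
        // The JSP servlet (and an inconsistent null mapping) count as "no named servlet".
        if (servletName == null || org.apache.catalina.core.Constants.JSP_SERVLET_NAME.equals(servletName)) {
            servletName = "";
        }
        if (logger.isDebugEnabled()) {
            logger.debug("{0}: Found servlet name = {1}", new Object[]{this.realmName, servletName});
        }
        return servletName;
    }

    /**
     * Enforces transport guarantees. A request that is already secure passes. Otherwise, if any
     * constraint asks for INTEGRAL or CONFIDENTIAL, the client is redirected to the same URI on
     * the connector's HTTPS redirect port (403 when no redirect port is configured). Remaining
     * requests are decided by the {@link PermissionManager}'s user-data check.
     *
     * @return true when the request may proceed; false after a redirect or error has been sent
     * @throws IOException if the redirect or error response cannot be written
     */
    @Override
    public boolean hasUserDataPermission(Request request, Response response,
            SecurityConstraint[] securityConstraintArr) throws IOException {
        this.lastRequestThread.set(request);

        if (request.getRequest().isSecure()) {
            if (logger.isDebugEnabled()) {
                logger.debug("{0}: User data constraint already satisfied", new Object[]{this.realmName});
            }
            return true;
        }

        String userName = null;
        String[] roles = null;
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal instanceof GenericPrincipal) {
            roles = ((GenericPrincipal) userPrincipal).getRoles();
            userName = userPrincipal.getName();
        }

        for (SecurityConstraint constraint : securityConstraintArr) {
            String userConstraint = constraint.getUserConstraint();
            boolean needsTls = "INTEGRAL".equals(userConstraint) || "CONFIDENTIAL".equals(userConstraint);
            if (!needsTls) {
                continue;
            }
            int redirectPort = request.getConnector().getRedirectPort();
            if (redirectPort <= 0) {
                if (logger.isDebugEnabled()) {
                    logger.debug("{0}: SSL redirect is disabled", new Object[]{this.realmName});
                }
                response.sendError(WebdavStatus.SC_FORBIDDEN, request.getRequestURI());
                return false;
            }
            String target = buildSecureRedirectUrl(request, redirectPort);
            if (logger.isDebugEnabled()) {
                logger.debug("{0}: Redirecting to {1}", new Object[]{this.realmName, target});
            }
            response.sendRedirect(target);
            return false;
        }

        if (this.permissionManager == null) {
            logger.error("{0}: No permission manager is set. Realm used without using the JOnAS deployer but only Tomcat.",
                    new Object[]{this.realmName});
            // Fail closed with a committed error status (see hasResourcePermission).
            response.sendError(WebdavStatus.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
            return false;
        }
        return this.permissionManager.checkWebUserDataPermission(request, userName, roles);
    }

    /**
     * Builds {@code https://<serverName>:<redirectPort><requestURI>[;jsessionid=..][?query]}.
     * The host part comes from the request's server name (i.e. the client-supplied Host
     * header, as Tomcat resolves it), and a session id that arrived in the URL is carried over.
     */
    private static String buildSecureRedirectUrl(Request request, int redirectPort) {
        StringBuilder url = new StringBuilder();
        url.append(BaseRequest.SCHEME_HTTPS).append("://");
        url.append(request.getServerName()).append(":").append(redirectPort);
        url.append(request.getRequestURI());
        String sessionId = request.getRequestedSessionId();
        if (sessionId != null && request.isRequestedSessionIdFromURL()) {
            url.append(";jsessionid=").append(sessionId);
        }
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Username/password authentication: against the JOnAS security resource when one was
     * resolved at start, otherwise against the JAAS entry.
     *
     * @return the authenticated principal, or null when authentication fails
     */
    @Override
    public Principal authenticate(String username, String password) {
        if (this.jResource != null) {
            return authenticateResource(username, password);
        }
        return authenticateJAAS(username, password);
    }

    /**
     * Authenticates against the configured {@link JResource}: the user must exist and
     * {@link JResource#isValidUser} must accept the password. On success a
     * {@link GenericPrincipal} carrying the user's combined roles is returned, a
     * {@link SecurityContext} (with the servlet's run-as identity pushed, if it declares one)
     * is published on the current thread, and the principal is returned.
     *
     * @return the principal, or null on any failure (unknown user, bad password, resource error)
     */
    public Principal authenticateResource(String username, String password) {
        if (username == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("{0}: No username so no authentication", new Object[]{this.realmName});
            }
            return null;
        }
        try {
            JUser user = this.jResource.findUser(username);
            if (user == null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("{0}: User {1} not found.", new Object[]{this.realmName, username});
                }
                return null;
            }
            if (!this.jResource.isValidUser(user, password)) {
                logger.error("{0}: The password for the user {1} is not valid", new Object[]{this.realmName, username});
                return null;
            }
            try {
                ArrayList roles = this.jResource.getArrayListCombinedRoles(user);
                // Tomcat keeps the password on the principal (used for its re-authentication paths).
                GenericPrincipal principal = new GenericPrincipal(this, user.getName(), user.getPassword(), roles);
                SecurityContext securityContext = new SecurityContext(principal.getName(), roles);
                pushRunAsForCurrentServlet(securityContext);
                SecurityCurrent.getCurrent().setSecurityContext(securityContext);
                return principal;
            } catch (JResourceException e) {
                logger.error("{0}: Cannot get the roles from the user {1}", new Object[]{this.realmName, username, e});
                return null;
            }
        } catch (Exception e) {
            // Also covers a context that is not a JOnASStandardContext in the run-as lookup.
            logger.error("{0}: Cannot find the user {1}", new Object[]{this.realmName, username, e});
            return null;
        }
    }

    /**
     * If the servlet handling the request last seen on this thread declares a {@code run-as}
     * role in the JOnAS deployment descriptor, pushes that role (and the principal name mapped
     * to it, defaulting to the role name) onto the security context.
     */
    private void pushRunAsForCurrentServlet(SecurityContext securityContext) {
        String servletName = findServletName(this.lastRequestThread.get());
        if (servletName == null) {
            return;
        }
        WebContainerDeploymentDesc descriptor = ((JOnASStandardContext) this.context).getWebDeploymentDescriptor();
        Iterator it = descriptor.getServletDescList().iterator();
        while (it.hasNext()) {
            ServletDesc servletDesc = (ServletDesc) it.next();
            if (!servletName.equals(servletDesc.getServletName()) || servletDesc.getServletRunAS() == null) {
                continue;
            }
            String roleName = servletDesc.getServletRunAS().getRoleName();
            String principalName = descriptor.getServletPrincipalName(servletName);
            if (principalName == null) {
                principalName = roleName;
            }
            securityContext.pushRunAs(roleName, principalName, new String[]{roleName});
        }
    }

    /**
     * Authenticates through the JAAS entry {@link #jaasEntry}. After a successful login the
     * subject must carry a {@link String} as its first private credential (kept as the
     * principal's password) and at least one non-{@link Group} principal (the user name);
     * the members of every other {@link Group} become roles, and a {@link JSigned} group, if
     * present, supplies the signature of the published {@link SecurityContext}.
     *
     * @return the principal, or null when the login fails or the subject is not usable
     */
    public Principal authenticateJAAS(String username, String password) {
        if (username == null) {
            logger.error("{0}: No username so no authentication", new Object[]{this.realmName});
            return null;
        }

        LoginContext loginContext;
        try {
            loginContext = new LoginContext(this.jaasEntry, new NoInputCallbackHandler(username, password));
        } catch (LoginException e) {
            logger.error("{0}: LoginException for user {1}", new Object[]{this.realmName, username, e});
            return null;
        }

        try {
            loginContext.login();
        } catch (FailedLoginException e) {
            logger.error("{0}: Failed Login for the user {1}", new Object[]{this.realmName, username, e});
            return null;
        } catch (CredentialExpiredException e) {
            logger.error("{0}: Credential expired for the user {1}", new Object[]{this.realmName, username, e});
            return null;
        } catch (AccountExpiredException e) {
            logger.error("{0}: Account expired for the user {1}", new Object[]{this.realmName, username, e});
            return null;
        } catch (LoginException e) {
            logger.error("{0}: Login exception for the user {1}", new Object[]{this.realmName, username, e});
            return null;
        }

        Subject subject = loginContext.getSubject();
        if (subject == null) {
            logger.error("{0}: No subject for the user {1}", new Object[]{this.realmName, username});
            return null;
        }

        // Fail closed instead of letting NoSuchElementException / ClassCastException escape
        // when the login module did not store the password as a String private credential.
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        Object firstCredential = privateCredentials.isEmpty() ? null : privateCredentials.iterator().next();
        if (!(firstCredential instanceof String)) {
            logger.error("{0}: No password credential found in the subject for the user {1}",
                    new Object[]{this.realmName, username});
            return null;
        }
        String storedPassword = (String) firstCredential;

        // The user name is the first principal that is not a group.
        String principalName = null;
        for (Principal candidate : subject.getPrincipals(Principal.class)) {
            if (!(candidate instanceof Group)) {
                principalName = candidate.getName();
                break;
            }
        }
        if (principalName == null) {
            logger.error("{0}: No Username found in the subject", new Object[]{this.realmName});
            return null;
        }

        JSigned signed = null;
        ArrayList<String> roles = new ArrayList<String>();
        for (Group group : subject.getPrincipals(Group.class)) {
            if (group instanceof JSigned) {
                signed = (JSigned) group;
                continue;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                roles.add(members.nextElement().getName());
            }
        }

        GenericPrincipal principal = new GenericPrincipal(this, principalName, storedPassword, roles);
        SecurityContext securityContext = new SecurityContext(principalName, roles);
        if (signed != null) {
            securityContext.setSignature(signed.getSignature());
        }
        SecurityCurrent.getCurrent().setSecurityContext(securityContext);
        return principal;
    }

    /**
     * Client-certificate authentication: the subject DN of the first certificate is used as
     * the user name and the fixed literal {@code "tomcat"} as the password, through
     * {@link #authenticate(String, String)}.
     *
     * NOTE(review): no property of the certificate other than its subject DN is examined here
     * (presumably the connector's TLS handshake is relied on for chain validation), and the
     * credential passed is a constant — the backing resource or JAAS entry must be one that
     * is meant to accept DN users that way. Confirm this is the intended deployment model.
     *
     * @return the principal, or null when no certificate was presented or authentication fails
     */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            logger.error("{0}: No client certificate so no authentication", new Object[]{this.realmName});
            return null;
        }
        return authenticate(certs[0].getSubjectDN().getName(), DEFAULT_JAAS_ENTRY_NAME);
    }

    @Override
    protected String getName() {
        return NAME;
    }

    /**
     * Always null: this realm does not expose stored passwords, so RealmBase's own
     * password/digest-based authenticate variants (which presumably rely on this) cannot
     * succeed; only the overrides in this class authenticate.
     */
    @Override
    protected String getPassword(String username) {
        return null;
    }

    /** Always null; see {@link #getPassword(String)}. */
    @Override
    protected Principal getPrincipal(String username) {
        return null;
    }

    /**
     * Attaches the realm to its web application and rebuilds the log label
     * as {@code [Realm:<resourceName>:<contextName>] }.
     */
    public void setContext(Context context) {
        this.context = context;
        StringBuilder label = new StringBuilder();
        label.append("[").append(NAME).append(":").append(this.resourceName).append(":");
        if (context != null) {
            label.append(context.getName());
        }
        label.append("] ");
        this.realmName = label.toString();
    }

    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Resolves the security resource when {@code resourceName} is set. Fails when the security
     * service is missing, the resource is unknown, or a non-default {@code jaasEntry} was
     * configured together with a resource (the two mechanisms are mutually exclusive).
     *
     * @throws LifecycleException on any of the configuration errors above
     */
    @Override
    public synchronized void start() throws LifecycleException {
        if (this.resourceName != null) {
            if (this.securityService == null) {
                throw new LifecycleException("Security service not set, cannot start");
            }
            this.jResource = this.securityService.getJResource(this.resourceName);
            if (this.jResource == null) {
                throw new LifecycleException("Can't retrieve resource '" + this.resourceName + "' from the security service");
            }
            if (!DEFAULT_JAAS_ENTRY_NAME.equals(this.jaasEntry)) {
                throw new LifecycleException("Invalid Realm configuration: cannot use both resourceName and jaasEntry attributes.");
            }
        }
        super.start();
    }

    @Override
    public synchronized void stop() throws LifecycleException {
        super.stop();
        this.jResource = null;
    }

    /**
     * Creates a fresh, not yet started realm with the same resource name, JAAS entry and
     * security service. The context, permission manager and resolved resource are not copied;
     * the copy must go through {@link #setContext}, {@link #setPermissionManager} and
     * {@link #start()} itself.
     */
    @Override
    public Object clone() throws CloneNotSupportedException {
        Realm copy = new Realm();
        copy.setResourceName(this.resourceName);
        copy.setJaasEntry(this.jaasEntry);
        copy.setSecurityService(this.securityService);
        return copy;
    }
}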
