package com.sun.web.security;

import com.sun.enterprise.deployment.Application;
import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.enterprise.deployment.WebComponentDescriptor;
import com.sun.enterprise.deployment.web.LoginConfiguration;
import com.sun.enterprise.security.AppCNonceCacheMap;
import com.sun.enterprise.security.CNonceCacheFactory;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.WebAndEjbToJaasBridge;
import com.sun.enterprise.security.auth.digest.api.Constants;
import com.sun.enterprise.security.auth.digest.api.DigestAlgorithmParameter;
import com.sun.enterprise.security.auth.digest.api.Key;
import com.sun.enterprise.security.auth.digest.impl.CNonceValidator;
import com.sun.enterprise.security.auth.digest.impl.DigestParameterGenerator;
import com.sun.enterprise.security.auth.digest.impl.HttpAlgorithmParameterImpl;
import com.sun.enterprise.security.auth.login.DigestCredentials;
import com.sun.enterprise.security.integration.RealmInitializer;
import com.sun.enterprise.security.jacc.JaccWebAuthorizationManager;
import com.sun.enterprise.security.jacc.context.PolicyContextHandlerImpl;
import com.sun.enterprise.security.web.integration.WebPrincipal;
import com.sun.enterprise.security.web.integration.WebSecurityManagerFactory;
import com.sun.enterprise.util.net.NetUtils;
import com.sun.logging.LogDomains;
import com.sun.web.security.realmadapter.AuthenticatorProxy;
import com.sun.web.security.realmadapter.JaspicRealm;
import fish.payara.nucleus.requesttracing.RequestTracingService;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.ResourceBundle;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.jacc.PolicyContext;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.grizzly.config.dom.NetworkConfig;
import org.glassfish.grizzly.config.dom.NetworkListener;
import org.glassfish.grizzly.config.dom.NetworkListeners;
import org.glassfish.hk2.api.PerLookup;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.ServerContext;
import org.jvnet.hk2.annotations.Service;

@Service
@PerLookup
/* loaded from: input_file:com/sun/web/security/RealmAdapter.class */
public class RealmAdapter extends RealmBase implements RealmInitializer, PostConstruct {
    public static final String SECURITY_CONTEXT = "SecurityContext";
    public static final String BASIC = "BASIC";
    public static final String FORM = "FORM";
    // Deployment descriptor of the web module this realm protects; set by initializeRealm.
    private WebBundleDescriptor webDescriptor;
    // Servlet canonical name -> run-as principal name, filled in by initializeRealm.
    // Stays null when the adapter was built through a constructor and never initialised.
    private HashMap<String, String> runAsPrincipals;
    private String realmName;
    protected static final String name = "J2EE-RI-RealmAdapter";
    private String jaccContextId;
    // Looked up lazily by getJaccWebAuthorizationManager and replaced by updateWebSecurityManager.
    protected volatile JaccWebAuthorizationManager jaccWebAuthorizationManager;
    protected boolean isCurrentURIincluded;
    // Guards contextEvaluated, loginPage and errorPage (see invokeWebSecurityManager).
    protected final ReadWriteLock rwLock = new ReentrantReadWriteLock();
    private boolean contextEvaluated;
    // FORM login and error pages; requests for exactly these paths skip the resource permission check.
    private String loginPage;
    private String errorPage;
    private String moduleID;

    @Inject
    private ServerContext serverContext;

    @Inject
    private Provider<AppCNonceCacheMap> appCNonceCacheMapProvider;

    @Inject
    private Provider<CNonceCacheFactory> cNonceCacheFactoryProvider;

    @Inject
    @Named(ServerEnvironment.DEFAULT_INSTANCE_NAME)
    private NetworkConfig networkConfig;

    @Inject
    protected WebSecurityManagerFactory webSecurityManagerFactory;

    @Inject
    private RequestTracingService requestTracing;
    // NOTE(review): read by getHostAndPort but not assigned anywhere in the visible part of the file;
    // presumably populated from networkConfig in a post-construct hook - confirm.
    private NetworkListeners nwListeners;
    private JaspicRealm jaspicRealm;
    private CNonceValidator cNonceValidator;
    private static final Logger LOG = LogDomains.getLogger(RealmAdapter.class, LogDomains.WEB_LOGGER);
    private static final ResourceBundle resourceBundle = LOG.getResourceBundle();
    // Shared zero-length result for findSecurityConstraints.
    private static final SecurityConstraint[] emptyConstraints = new SecurityConstraint[0];
    // Per-thread re-entrancy marker for logout(HttpRequest): element 0 is 1 while a JASPIC
    // logout is in progress on this thread and 0 otherwise. On pooled threads a value left
    // at 1 would make later logouts skip cleanSubject.
    private static ThreadLocal<byte[]> reentrancyStatus = ThreadLocal.withInitial(() -> {
        return new byte[]{0};
    });

    /**
     * Supplier whose {@link #get()} is allowed to throw {@link IOException}, so I/O-performing
     * lambdas can be passed around without wrapping the checked exception.
     *
     * @param <T> type of the supplied value
     */
    @FunctionalInterface
    /* loaded from: input_file:com/sun/web/security/RealmAdapter$IOSupplier.class */
    public interface IOSupplier<T> {
        /**
         * Produces the value.
         *
         * @return the supplied value
         * @throws IOException if producing the value fails with an I/O error
         */
        T get() throws IOException;
    }

    /**
     * Creates an adapter with no realm name, module id or descriptor. None of the
     * collaborators that {@code initializeRealm} sets up exist until that method has been called.
     */
    public RealmAdapter() {
        super();
    }

    /**
     * Creates an adapter bound to a realm and module without a deployment descriptor.
     * The run-as map, the JASPIC realm and the cnonce validator are not created here;
     * only {@code initializeRealm} sets them.
     *
     * @param str  realm name used for logins
     * @param str2 module id passed to certificate logins
     */
    public RealmAdapter(String str, String str2) {
        super();
        this.moduleID = str2;
        this.realmName = str;
    }

    /**
     * Binds this adapter to a web module: resolves the realm name and JACC context id,
     * records the run-as principal of every servlet that declares one, and creates the
     * JASPIC realm and the digest cnonce validator.
     *
     * @param obj the module's {@code WebBundleDescriptor}; any other type fails with a ClassCastException
     * @param z   whether the module is a system application (forwarded to the JASPIC realm)
     * @param str default realm name, used when neither the application nor its login config names one
     */
    @Override
    public void initializeRealm(Object obj, boolean z, String str) {
        this.webDescriptor = (WebBundleDescriptor) obj;
        LOG.config(() -> String.format("initializeRealm(bundleDescriptor.appContextId=%s, isSystemApp=%s, defaultRealmName=%s)", this.webDescriptor.getAppContextId(), Boolean.valueOf(z), str));

        this.realmName = computeRealmName(str);
        this.jaccContextId = JaccWebAuthorizationManager.getContextID(this.webDescriptor);

        this.runAsPrincipals = new HashMap<>();
        for (WebComponentDescriptor component : this.webDescriptor.getWebComponentDescriptors()) {
            RunAsIdentityDescriptor runAs = component.getRunAsIdentity();
            if (runAs == null) {
                continue;
            }
            String principalName = runAs.getPrincipal();
            String servletName = component.getCanonicalName();
            if (principalName == null || servletName == null) {
                // An incomplete run-as declaration is reported and left out of the map,
                // so the servlet will run with the caller's identity.
                LOG.warning("web.realmadapter.norunas");
                continue;
            }
            this.runAsPrincipals.put(servletName, principalName);
            LOG.fine(() -> "Servlet " + servletName + " will run-as: " + principalName);
        }

        this.moduleID = this.webDescriptor.getModuleID();
        this.jaspicRealm = new JaspicRealm(this.realmName, z, this.webDescriptor, this.requestTracing);
        this.cNonceValidator = new CNonceValidator(this.webDescriptor, this.appCNonceCacheMapProvider, this.cNonceCacheFactoryProvider);
    }

    /**
     * Reports whether JASPIC is enabled for the given servlet context.
     *
     * @param servletContext context of the web application being asked about
     * @return the answer of the JASPIC realm
     */
    @Override
    public boolean isSecurityExtensionEnabled(ServletContext servletContext) {
        final JaspicRealm realm = this.jaspicRealm;
        return realm.isJaspicEnabled(servletContext);
    }

    /**
     * Request-based variant; the request itself is not inspected and the call is forwarded
     * to the three-argument overload with both string arguments set to {@code null}.
     *
     * @param httpRequest ignored
     * @param context     web application context
     * @return see {@link #findSecurityConstraints(String, String, Context)}
     */
    @Override
    public SecurityConstraint[] findSecurityConstraints(HttpRequest httpRequest, Context context) {
        final String noUri = null;
        final String noMethod = null;
        return findSecurityConstraints(noUri, noMethod, context);
    }

    /**
     * Tells the caller whether this application needs constraint processing at all.
     * JASPIC services are initialised on first use as a side effect.
     *
     * @param str     not used by this implementation
     * @param str2    not used by this implementation
     * @param context web application context
     * @return {@code null} only when an authorization manager exists, it reports that no
     *         resource is constrained, and JASPIC is disabled; otherwise a shared empty array.
     *         NOTE(review): callers presumably treat {@code null} as "skip security checks" - confirm.
     */
    @Override
    public SecurityConstraint[] findSecurityConstraints(String str, String str2, Context context) {
        if (!this.jaspicRealm.isInitialised()) {
            this.jaspicRealm.initJaspicServices(context.getServletContext());
        }
        JaccWebAuthorizationManager manager = getJaccWebAuthorizationManager(false);
        // Evaluated left to right with short-circuiting: a missing manager never
        // leads to the "nothing to enforce" answer.
        boolean nothingToEnforce = manager != null
                && manager.hasNoConstrainedResources()
                && !this.jaspicRealm.isJaspicEnabled(context.getServletContext());
        return nothingToEnforce ? null : emptyConstraints;
    }

    /**
     * Transport-guarantee check for the request as received; forwards to the five-argument
     * overload with both string arguments set to {@code null}.
     *
     * @param httpRequest           request being processed
     * @param httpResponse          response used for error or redirect output
     * @param securityConstraintArr constraints found for the request
     * @return {@code true} if processing may continue
     * @throws IOException if writing the response fails
     */
    @Override
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        final String noUri = null;
        final String noMethod = null;
        return hasUserDataPermission(httpRequest, httpResponse, securityConstraintArr, noUri, noMethod);
    }

    /**
     * Checks the transport guarantee for a request. A request that already arrived over a
     * secure channel is accepted without consulting the authorization manager. Otherwise
     * the manager's verdict decides: {@code -1} triggers a redirect to HTTPS, {@code 0}
     * answers 403, any other value lets the request through.
     *
     * @param httpRequest           request being processed
     * @param httpResponse          response used for error or redirect output
     * @param securityConstraintArr not used by this implementation
     * @param str                   passed through to the authorization manager
     * @param str2                  passed through to the authorization manager
     * @return {@code true} if processing may continue; {@code false} if a response
     *         (redirect or error) has been sent or no authorization manager is available
     * @throws IOException if writing the response fails
     */
    @Override
    public boolean hasUserDataPermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, String str, String str2) throws IOException {
        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        if (servletRequest.getServletPath() == null) {
            String resource = getResourceName(servletRequest.getRequestURI(), servletRequest.getContextPath());
            httpRequest.setServletPath(resource);
        }
        logHasUserDataPermission(servletRequest);

        if (httpRequest.getRequest().isSecure()) {
            logRequestSecure(httpRequest);
            return true;
        }

        JaccWebAuthorizationManager manager = getJaccWebAuthorizationManager(true);
        if (manager == null) {
            // Without a manager the request is refused, but no error status is written here.
            return false;
        }

        try {
            int verdict = manager.hasUserDataPermission(servletRequest, str, str2);
            if (verdict == 0) {
                sendForbidden(httpResponse);
                return false;
            }
            if (verdict == -1) {
                logSSLRedirect();
                return redirect(httpRequest, httpResponse);
            }
            return true;
        } catch (IllegalArgumentException e) {
            // Also covers NumberFormatException from parsing a malformed port
            // while the redirect target is being built.
            sendBadRequest(httpResponse, e);
            return false;
        }
    }

    /**
     * Decides, before any authenticator runs, whether the request needs authentication.
     *
     * <p>Returns {@code 1} when authentication still has to happen (always the case when
     * JASPIC is enabled, and when an anonymous caller is denied the resource), {@code 0}
     * when the request may proceed without it, and {@code -1} after an error response has
     * been written (403 for an authenticated caller who is denied, 503 for an unexpected
     * failure). NOTE(review): the values look like the Catalina Realm AUTHENTICATE_* codes - confirm.
     *
     * @param httpRequest           request being processed
     * @param httpResponse          response used for error output
     * @param securityConstraintArr constraints handed to the authorization check
     * @param z                     forwarded to disableProxyCaching
     * @param z2                    forwarded to disableProxyCaching
     * @param z3                    when true, a session is created for an authenticated caller on a
     *                              resource that is not permit-all (presumably the SSO flag - confirm)
     * @return 1, 0 or -1 as described above
     * @throws IOException if writing the response fails
     */
    @Override // org.apache.catalina.realm.RealmBase, org.apache.catalina.Realm
    public int preAuthenticateCheck(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, boolean z, boolean z2, boolean z3) throws IOException {
        try {
            // Start from an explicit anonymous context so a security context left on this
            // thread by earlier work cannot be picked up by the authorization check.
            if (!hasRequestPrincipal(httpRequest)) {
                SecurityContext.setUnauthenticatedContext();
            }
            // With JASPIC enabled the auth module always gets to see the request.
            if (this.jaspicRealm.isJaspicEnabled()) {
                return 1;
            }
            if (!invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr)) {
                // Denied: a known caller is forbidden, an anonymous one is asked to authenticate.
                if (hasRequestPrincipal(httpRequest)) {
                    sendForbidden(httpResponse);
                    return -1;
                }
                disableProxyCaching(httpRequest, httpResponse, z, z2);
                return 1;
            }
            // Granted to an anonymous caller: nothing more to do.
            if (!hasRequestPrincipal(httpRequest)) {
                return 0;
            }
            // Granted to an authenticated caller: keep the protected response out of shared caches.
            disableProxyCaching(httpRequest, httpResponse, z, z2);
            if (!z3) {
                return 0;
            }
            HttpServletRequest httpServletRequest = (HttpServletRequest) httpRequest.getRequest();
            // A null manager here raises NullPointerException, which the Throwable handler
            // below turns into a 503.
            if (getJaccWebAuthorizationManager(true).isPermitAll(httpServletRequest)) {
                return 0;
            }
            httpServletRequest.getSession(true);
            return 0;
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            // Fail closed: any unexpected failure ends the request with an error response.
            sendServiceUnavailable(httpResponse, th);
            return -1;
        }
    }

    /**
     * Authenticates the request, through JASPIC when it is enabled and through the
     * container authenticator otherwise.
     *
     * @param httpRequest   request being processed
     * @param httpResponse  response the mechanism may write a challenge to
     * @param context       web application context
     * @param authenticator container authenticator; on the non-JASPIC path it must be an
     *                      {@code AuthenticatorBase}, otherwise a ClassCastException is raised
     * @param z             forwarded unchanged to the JASPIC realm
     * @return the result of the chosen authentication path
     * @throws IOException if the mechanism fails to read or write
     */
    @Override
    public boolean invokeAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context, Authenticator authenticator, boolean z) throws IOException {
        if (!this.jaspicRealm.isJaspicEnabled()) {
            AuthenticatorBase containerAuthenticator = (AuthenticatorBase) authenticator;
            return containerAuthenticator.authenticate(httpRequest, httpResponse, context.getLoginConfig());
        }
        // The callback answers true for resources that are NOT permit-all.
        return this.jaspicRealm.validateRequest(httpRequest, httpResponse, context, authenticator, z,
                servletRequest -> Boolean.valueOf(!getJaccWebAuthorizationManager(true).isPermitAll(servletRequest)));
    }

    /**
     * Returns the fixed implementation name of this realm.
     *
     * @return the constant {@code name}
     */
    @Override
    protected String getName() {
        return RealmAdapter.name;
    }

    /**
     * Returns the name of the realm that logins made through this adapter use.
     *
     * @return the realm name, or {@code null} if none was configured
     */
    @Override
    public String getRealmName() {
        final String configuredRealm = this.realmName;
        return configuredRealm;
    }

    /**
     * Hands the owning virtual server to the JASPIC realm.
     *
     * @param obj the virtual server; must be a Catalina {@code Container},
     *            any other type fails with a ClassCastException
     */
    @Override
    public void setVirtualServer(Object obj) {
        Container virtualServer = (Container) obj;
        this.jaspicRealm.setVirtualServer(virtualServer);
    }

    /**
     * Replaces the authorization manager of this module with a freshly created one.
     * The current manager is released and destroyed first; a failure while doing so is
     * logged and does not stop the replacement. Nothing happens when no manager can be found.
     */
    @Override
    public void updateWebSecurityManager() {
        if (this.jaccWebAuthorizationManager == null) {
            this.jaccWebAuthorizationManager = getJaccWebAuthorizationManager(true);
        }
        if (this.jaccWebAuthorizationManager == null) {
            return;
        }

        try {
            this.jaccWebAuthorizationManager.release();
            this.jaccWebAuthorizationManager.destroy();
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "Failed to release and destroy the jaccWebAuthorizationManager", (Throwable) e);
        }

        this.jaccWebAuthorizationManager = this.webSecurityManagerFactory.createManager(this.webDescriptor, true, this.serverContext);
        LOG.fine(() -> "JaccWebAuthorizationManager for " + this.jaccContextId + " has been updated");
    }

    /**
     * Authenticates a user by name and password against the configured realm.
     * The password is never logged; the user name is written to the log at FINEST
     * exactly as supplied by the caller.
     *
     * @param str  user name
     * @param cArr password characters; the same array is handed to the created principal
     * @return a {@code WebPrincipal} tied to the current security context, or {@code null}
     *         when the login fails
     */
    @Override
    public Principal authenticate(String str, char[] cArr) {
        LOG.finest(() -> String.format("authenticate(username=%s, password)", str));
        boolean loggedIn = authenticate(str, cArr, null, null);
        if (!loggedIn) {
            return null;
        }
        return new WebPrincipal(str, cArr, SecurityContext.getCurrent());
    }

    /**
     * Authenticates a request that carries HTTP Digest credentials.
     * Every failure, including a problem while extracting the digest parameters,
     * is logged as a failed login and reported as {@code null}.
     *
     * @param httpServletRequest request holding the digest authorization data
     * @return a password-less {@code WebPrincipal} for the digest user, or {@code null}
     */
    @Override
    public Principal authenticate(HttpServletRequest httpServletRequest) {
        try {
            DigestAlgorithmParameter[] parameters = getDigestParameters(httpServletRequest);
            String user = getDigestKey(parameters).getUsername();
            boolean loggedIn = authenticate(user, null, null, parameters);
            return loggedIn ? new WebPrincipal(user, (char[]) null, SecurityContext.getCurrent()) : null;
        } catch (Exception e) {
            // Fail closed: whatever went wrong, the caller stays unauthenticated.
            LOG.log(Level.WARNING, "web.login.failed", (Object) e);
            return null;
        }
    }

    /**
     * Authenticates a client by its certificate chain.
     *
     * @param x509CertificateArr certificate chain presented by the client
     * @return a certificate-based {@code WebPrincipal}, or {@code null} when the login fails.
     *         NOTE(review): a {@code null} chain reaches the user/password login branch of the
     *         private overload with a null user name - confirm callers never pass null.
     */
    @Override
    public Principal authenticate(X509Certificate[] x509CertificateArr) {
        boolean loggedIn = authenticate(null, null, x509CertificateArr, null);
        return loggedIn ? new WebPrincipal(x509CertificateArr, SecurityContext.getCurrent(), true) : null;
    }

    /**
     * Checks whether the caller may access the requested resource. A denial is answered
     * with 403 and the post-authenticate delegate is then given the chance to secure the
     * response. An unexpected failure is logged and answered with 503; the result is
     * {@code false} in that case, so the method fails closed.
     *
     * @param httpRequest           request being processed
     * @param httpResponse          response used for error output
     * @param securityConstraintArr constraints handed to the authorization check
     * @param context               web application context
     * @return {@code true} only when access is granted
     * @throws IOException if writing the response fails
     */
    @Override
    public boolean hasResourcePermission(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr, Context context) throws IOException {
        boolean granted = false;
        try {
            granted = invokeWebSecurityManager(httpRequest, httpResponse, securityConstraintArr);
            if (!granted) {
                HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
                servletResponse.sendError(403);
                httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
                invokePostAuthenticateDelegate(httpRequest, httpResponse, context);
            }
        } catch (IOException e) {
            throw e;
        } catch (Throwable th) {
            LOG.log(Level.SEVERE, "web_server.excep_authenticate_realmadapter", th);
            HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
            servletResponse.sendError(503);
            // The 503 path reuses the "forbidden" detail text.
            httpResponse.setDetailMessage(resourceBundle.getString("realmBase.forbidden"));
        }
        return granted;
    }

    /**
     * Lets the JASPIC realm secure the response when JASPIC is enabled.
     *
     * @param httpRequest  request being processed
     * @param httpResponse response to secure
     * @param context      web application context
     * @return the JASPIC realm's result, or {@code false} when JASPIC is disabled
     * @throws IOException if securing the response fails with an I/O error
     */
    @Override
    public boolean invokePostAuthenticateDelegate(HttpRequest httpRequest, HttpResponse httpResponse, Context context) throws IOException {
        return this.jaspicRealm.isJaspicEnabled()
                && this.jaspicRealm.secureResponse(httpRequest, httpResponse, context);
    }

    /**
     * Checks whether the principal holds a role, as seen from the servlet that is
     * serving the request (role references are resolved per servlet).
     *
     * @param httpRequest  request whose wrapper names the servlet
     * @param httpResponse not used by this implementation
     * @param principal    caller identity to test
     * @param str          role name or role reference
     * @return {@code true} if the role is granted; {@code false} also when no
     *         authorization manager is available
     */
    @Override
    public boolean hasRole(HttpRequest httpRequest, HttpResponse httpResponse, Principal principal, String str) {
        JaccWebAuthorizationManager manager = getJaccWebAuthorizationManager(true);
        if (manager == null) {
            return false;
        }
        final String servletName = getCanonicalName(httpRequest);
        final boolean granted = manager.hasRoleRefPermission(servletName, str, principal);
        LOG.fine(() -> "Checking if servlet " + servletName + " with principal " + principal + " has role " + str + " isGranted: " + granted);
        return granted;
    }

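    /**
     * Logs the caller of the request out.
     *
     * <p>When JASPIC is enabled and no logout is already running on this thread, the JASPIC
     * subject is cleaned first and the container logout follows. A per-thread marker guards
     * against re-entry: while it is set, a nested call goes straight to the container logout.
     *
     * <p>The marker is cleared in a {@code finally} block. If it stayed set after a failed
     * logout, every later logout on the same pooled thread would be treated as a nested call
     * and would skip {@code cleanSubject}. The container logout also runs exactly once per
     * call, whether or not {@code cleanSubject} succeeds.
     *
     * @param httpRequest request whose caller is logged out
     * @throws RuntimeException wrapping an {@code AuthException} from {@code cleanSubject},
     *                          or raised by the container logout
     */
    @Override
    public void logout(HttpRequest httpRequest) {
        ServletContext servletContext = httpRequest.getRequest().getServletContext();
        byte[] status = reentrancyStatus.get();
        if (!this.jaspicRealm.isJaspicEnabled(servletContext) || status[0] != 0) {
            doLogout(httpRequest, status[0] == 1);
            return;
        }
        status[0] = 1;
        try {
            try {
                this.jaspicRealm.cleanSubject(httpRequest);
            } catch (AuthException e) {
                throw new RuntimeException(e);
            } finally {
                // The container session must be invalidated even if the auth module failed.
                doLogout(httpRequest, true);
            }
        } finally {
            // Always reset, so a failure cannot leave this thread marked as "logging out".
            status[0] = 0;
        }
    }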

    /**
     * Clears the security state of the current thread: the current security context is
     * set to {@code null} and the policy context is reset inside a privileged block.
     */
    @Override
    public void logout() {
        setSecurityContext(null);
        // The explicit target type picks the PrivilegedAction overload of doPrivileged.
        PrivilegedAction<Object> resetAction = () -> {
            resetPolicyContext();
            return null;
        };
        AccessController.doPrivileged(resetAction);
    }

    /**
     * Destroys the base realm and then the JASPIC realm.
     * NOTE(review): the JASPIC realm only exists after {@code initializeRealm}; destroying an
     * adapter that was never initialised would raise NullPointerException here - confirm lifecycle.
     */
    @Override
    public void destroy() {
        super.destroy();
        final JaspicRealm realm = this.jaspicRealm;
        realm.destroy();
    }

    /**
     * Re-authenticates an existing principal with the credentials it carries:
     * its certificate chain if it was certificate-based, its name and password otherwise.
     *
     * @param webPrincipal principal holding the credentials
     * @return {@code true} if the login succeeds
     */
    public boolean authenticate(WebPrincipal webPrincipal) {
        if (webPrincipal.isUsingCertificate()) {
            return authenticate(null, null, webPrincipal.getCertificates(), null);
        }
        return authenticate(webPrincipal.getName(), webPrincipal.getPassword(), null, null);
    }

    /**
     * Returns the authorization manager of this module, looking it up from the factory by
     * JACC context id on first use. The null check happens outside the synchronized block
     * and is not repeated inside it, so concurrent first callers may each perform the lookup.
     *
     * @param z whether to log a warning when no manager can be found
     * @return the manager, or {@code null} if the factory has none for this context;
     *         callers must treat {@code null} as "deny"
     */
    public JaccWebAuthorizationManager getJaccWebAuthorizationManager(boolean z) {
        if (this.jaccWebAuthorizationManager != null) {
            return this.jaccWebAuthorizationManager;
        }
        synchronized (this) {
            this.jaccWebAuthorizationManager = this.webSecurityManagerFactory.getManager(this.jaccContextId, null, false);
        }
        if (this.jaccWebAuthorizationManager == null && z) {
            LOG.log(Level.WARNING, "realmAdapter.noWebSecMgr", this.jaccContextId);
        }
        return this.jaccWebAuthorizationManager;
    }

    /**
     * Recreates a principal for a user from the user name alone and establishes a
     * security context for it.
     *
     * <p>No credential is verified here: the name is logged in through the run-as path.
     * The caller is therefore responsible for passing only names that come from trusted
     * state (presumably replicated session data after fail-over - confirm), never a value
     * taken from the request.
     *
     * @param str user name to log in
     * @return a password-less {@code WebPrincipal} bound to the new security context
     */
    public Principal createFailOveredPrincipal(String str) {
        LOG.log(Level.FINEST, "createFailOveredPrincipal ({0})", str);
        loginForRunAs(str);

        SecurityContext restoredContext = SecurityContext.getCurrent();
        LOG.log(Level.FINE, "Security context is {0}", restoredContext);

        WebPrincipal restoredPrincipal = new WebPrincipal(str, (char[]) null, restoredContext);
        LOG.log(Level.INFO, "Principal created for FailOvered user {0}", restoredPrincipal);
        return restoredPrincipal;
    }

    /**
     * Checks whether the principal holds a role, as seen from the named servlet.
     *
     * @param str       servlet name the role reference belongs to
     * @param principal caller identity to test
     * @param str2      role name or role reference
     * @return {@code true} if the role is granted; {@code false} also when no
     *         authorization manager is available
     */
    public boolean hasRole(String str, Principal principal, String str2) {
        JaccWebAuthorizationManager manager = getJaccWebAuthorizationManager(true);
        return manager != null && manager.hasRoleRefPermission(str, str2, principal);
    }

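    /**
     * Switches the current thread to the run-as identity of the servlet about to be invoked,
     * if that servlet declares one. The caller's security context is stored on the invocation
     * so that {@code postSetRunAsIdentity} can restore it.
     *
     * <p>An adapter that was never initialised has no run-as map; that case is treated like
     * an empty map instead of failing with a NullPointerException.
     *
     * @param componentInvocation invocation describing the servlet being called
     */
    public void preSetRunAsIdentity(ComponentInvocation componentInvocation) {
        if (this.runAsPrincipals == null || this.runAsPrincipals.isEmpty()) {
            return;
        }
        String servletName = getServletName(componentInvocation);
        if (servletName == null) {
            return;
        }
        String runAsPrincipal = this.runAsPrincipals.get(servletName);
        if (runAsPrincipal == null) {
            return;
        }
        // Save before switching, so the original caller identity can be put back afterwards.
        componentInvocation.setOldSecurityContext(getSecurityContext());
        loginForRunAs(runAsPrincipal);
        LOG.fine(() -> "run-as principal for " + servletName + " set to: " + runAsPrincipal);
    }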

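    /**
     * Restores the security context that was saved on the invocation before the servlet's
     * run-as identity was applied. Does nothing for servlets without a run-as identity.
     *
     * <p>An adapter that was never initialised has no run-as map; that case is treated like
     * an empty map instead of failing with a NullPointerException.
     *
     * @param componentInvocation invocation describing the servlet that was called
     */
    public void postSetRunAsIdentity(ComponentInvocation componentInvocation) {
        if (this.runAsPrincipals == null || this.runAsPrincipals.isEmpty()) {
            return;
        }
        String servletName = getServletName(componentInvocation);
        if (servletName == null || this.runAsPrincipals.get(servletName) == null) {
            return;
        }
        // Leaving the run-as identity on the thread would let later work run with it.
        setSecurityContext((SecurityContext) componentInvocation.getOldSecurityContext());
    }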

    /**
     * Performs the actual login. The credential type is chosen in this order: certificate
     * chain, digest parameters, user name and password. Any exception from the login is
     * treated as a failed login, so the method fails closed.
     *
     * <p>The user name is concatenated into FINE-level log messages as supplied.
     *
     * @param str                         user name (unused for certificate logins)
     * @param cArr                        password for the user/password path
     * @param x509CertificateArr          client certificate chain, or {@code null}
     * @param digestAlgorithmParameterArr digest parameters, or {@code null}
     * @return {@code true} if the login succeeded
     */
    private boolean authenticate(String str, char[] cArr, X509Certificate[] x509CertificateArr, DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        try {
            if (x509CertificateArr != null) {
                Subject certificateSubject = createSubjectWithCerts(x509CertificateArr);
                WebAndEjbToJaasBridge.doX500Login(certificateSubject, this.moduleID);
            } else if (digestAlgorithmParameterArr != null) {
                DigestCredentials credentials = new DigestCredentials(this.realmName, str, digestAlgorithmParameterArr);
                WebAndEjbToJaasBridge.login(credentials);
            } else {
                WebAndEjbToJaasBridge.login(str, cArr, this.realmName);
            }
            LOG.log(Level.FINE, () -> "Web login succeeded for: " + str);
            return true;
        } catch (Exception e) {
            // The exception is passed as a message parameter at WARNING; the stack trace
            // is only attached at FINE.
            LOG.log(Level.WARNING, "web.login.failed", (Object) e);
            if (LOG.isLoggable(Level.FINE)) {
                LOG.log(Level.FINE, "Web login failed for user " + str, (Throwable) e);
            }
            return false;
        }
    }

    /**
     * Chooses the realm name for this module. Precedence: the application's realm, then the
     * realm of the module's login configuration (only when the application realm is
     * {@code null}), then the supplied default (when the result so far is null or empty).
     *
     * @param str default realm name, may be {@code null}
     * @return the chosen realm name; may be {@code null} or empty if nothing is configured
     */
    private String computeRealmName(String str) {
        Application application = this.webDescriptor.getApplication();
        LoginConfiguration loginConfiguration = this.webDescriptor.getLoginConfiguration();

        String chosen = application.getRealm();
        if (chosen == null && loginConfiguration != null) {
            chosen = loginConfiguration.getRealmName();
        }
        if (str == null) {
            return chosen;
        }
        return (chosen == null || chosen.isEmpty()) ? str : chosen;
    }

    /**
     * Runs the container logout for the request and then clears the thread's security state.
     *
     * @param httpRequest request whose context supplies the authenticator
     * @param z           when true the authenticator is wrapped in an {@code AuthenticatorProxy}
     *                    before its logout is called
     * @throws NullPointerException if the request has no context or the context no authenticator
     * @throws RuntimeException     wrapping any exception raised during logout
     */
    private void doLogout(HttpRequest httpRequest, boolean z) {
        Context context = httpRequest.getContext();
        Authenticator authenticator = null;
        if (context != null) {
            authenticator = context.getAuthenticator();
        }
        Objects.requireNonNull(authenticator, "Context or Authenticator is null");

        try {
            if (!z) {
                authenticator.logout(httpRequest);
            } else {
                new AuthenticatorProxy(authenticator, null, null).logout(httpRequest);
            }
            logout();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Determines the servlet name for an invocation: the invocation's instance name if set,
     * otherwise the name of the invoked {@code HttpServlet} provided it has a servlet config.
     *
     * @param componentInvocation invocation to inspect
     * @return the servlet name, or {@code null} if it cannot be determined
     */
    private String getServletName(ComponentInvocation componentInvocation) {
        String instanceName = componentInvocation.getInstanceName();
        if (instanceName != null) {
            return instanceName;
        }
        Object instance = componentInvocation.getInstance();
        if (instance instanceof HttpServlet) {
            HttpServlet servlet = (HttpServlet) instance;
            // getServletName() needs an initialised servlet; without a config there is no name.
            return servlet.getServletConfig() == null ? null : servlet.getServletName();
        }
        return null;
    }

    /**
     * Logs a principal in by name in the configured realm. No credential is involved,
     * so the name must come from deployment configuration or other trusted state.
     *
     * @param str principal name
     */
    private void loginForRunAs(String str) {
        final String realm = this.realmName;
        WebAndEjbToJaasBridge.loginPrincipal(str, realm);
    }

    /**
     * Returns the security context currently associated with this thread.
     *
     * @return the current security context
     */
    private SecurityContext getSecurityContext() {
        SecurityContext current = SecurityContext.getCurrent();
        return current;
    }

    /**
     * Makes the given security context the current one.
     *
     * @param securityContext context to install; {@code null} is passed by {@code logout()}
     */
    private void setSecurityContext(SecurityContext securityContext) {
        final SecurityContext replacement = securityContext;
        SecurityContext.setCurrent(replacement);
    }

    /**
     * Not supported: this adapter never looks passwords up itself.
     *
     * @param str user name (ignored)
     * @return never returns normally
     * @throws IllegalStateException always
     */
    @Override
    protected char[] getPassword(String str) {
        final String reason = "Should not reach here";
        throw new IllegalStateException(reason);
    }

    /**
     * Not supported: principals are only created by the {@code authenticate} methods.
     *
     * @param str user name (ignored)
     * @return never returns normally
     * @throws IllegalStateException always
     */
    @Override
    protected Principal getPrincipal(String str) {
        final String reason = "Should not reach here";
        throw new IllegalStateException(reason);
    }

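    /**
     * Decides whether the caller may access the requested resource.
     *
     * <p>On first use the FORM login and error pages are read from the context's login
     * configuration (once, under the write lock). When FORM login is configured, requests
     * for exactly the login page or the error page, and requests whose path ends with
     * {@code /j_security_check}, are allowed without consulting the authorization manager.
     * The last test is a suffix match, so every path with that ending skips the resource
     * check; the application must not serve protected content under such a path.
     *
     * <p>Each lock is released in a {@code finally} block that pairs with its own
     * acquisition. Releasing the read lock from a handler around the whole method would
     * raise IllegalMonitorStateException when a later statement fails (the lock is no
     * longer held by then) and would hide the real cause of the failure.
     *
     * @param httpRequest           request being processed
     * @param httpResponse          not used by this method
     * @param securityConstraintArr not used by this method
     * @return {@code true} if access is allowed; {@code false} if it is denied or no
     *         authorization manager is available
     * @throws IOException declared for callers; not raised directly by the visible code
     */
    private boolean invokeWebSecurityManager(HttpRequest httpRequest, HttpResponse httpResponse, SecurityConstraint[] securityConstraintArr) throws IOException {
        boolean evaluated;
        this.rwLock.readLock().lock();
        try {
            evaluated = this.contextEvaluated;
        } finally {
            this.rwLock.readLock().unlock();
        }

        if (!evaluated) {
            this.rwLock.writeLock().lock();
            try {
                // Re-check under the write lock: another thread may have finished first.
                if (!this.contextEvaluated) {
                    LoginConfig loginConfig = ((Context) getContainer()).getLoginConfig();
                    if (loginConfig != null && "FORM".equals(loginConfig.getAuthMethod())) {
                        this.loginPage = loginConfig.getLoginPage();
                        this.errorPage = loginConfig.getErrorPage();
                    }
                    this.contextEvaluated = true;
                }
            } finally {
                this.rwLock.writeLock().unlock();
            }
        }

        if (this.loginPage != null || this.errorPage != null) {
            String requestPath = httpRequest.getRequestPathMB().toString();
            LOG.fine(() -> "[Web-Security]  requestURI: " + requestPath + " loginPage: " + this.loginPage);
            if (this.loginPage != null && this.loginPage.equals(requestPath)) {
                LOG.fine(() -> " Allow access to login page " + this.loginPage);
                return true;
            }
            if (this.errorPage != null && this.errorPage.equals(requestPath)) {
                LOG.fine(() -> " Allow access to error page " + this.errorPage);
                return true;
            }
            if (requestPath.endsWith("/j_security_check")) {
                LOG.fine(" Allow access to username/password submission");
                return true;
            }
        }

        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest;
        if (servletRequest.getServletPath() == null) {
            httpRequest.setServletPath(getResourceName(servletRequest.getRequestURI(), servletRequest.getContextPath()));
        }
        LOG.fine(() -> "[Web-Security] [ hasResourcePermission ] Principal: " + servletRequest.getUserPrincipal() + " ContextPath: " + servletRequest.getContextPath());

        JaccWebAuthorizationManager manager = getJaccWebAuthorizationManager(true);
        if (manager == null) {
            // No manager means no decision can be made: deny.
            return false;
        }
        return manager.hasResourcePermission(servletRequest);
    }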

    /**
     * Redirects a plain-HTTP request to the same URI over HTTPS, or answers 403 when the
     * connector has no redirect port. The target keeps the request URI, a session id that
     * was supplied in the URL, and the query string.
     *
     * <p>Host and port of the target come from {@code getHostAndPort}, which in some cases
     * takes them from the request's {@code Host} header. Deployments that must not emit
     * redirects to arbitrary hosts should restrict accepted {@code Host} values in front
     * of this code (proxy or virtual-server configuration).
     *
     * @param httpRequest  request to redirect
     * @param httpResponse response that receives the redirect or the error
     * @return always {@code false}: a response has been sent and processing stops
     * @throws IOException           if writing the response fails
     * @throws NumberFormatException if the port produced by {@code getHostAndPort} is not numeric
     */
    private boolean redirect(HttpRequest httpRequest, HttpResponse httpResponse) throws IOException {
        HttpServletRequest servletRequest = (HttpServletRequest) httpRequest.getRequest();
        HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();

        if (httpRequest.getConnector().getRedirectPort() <= 0) {
            LOG.fine("[Web-Security]  SSL redirect is disabled");
            servletResponse.sendError(403, URLEncoder.encode(servletRequest.getRequestURI(), "UTF-8"));
            return false;
        }

        StringBuilder target = new StringBuilder(servletRequest.getRequestURI());
        String sessionId = servletRequest.getRequestedSessionId();
        if (sessionId != null && servletRequest.isRequestedSessionIdFromURL()) {
            target.append(";jsessionid=").append(sessionId);
        }
        String query = servletRequest.getQueryString();
        if (query != null) {
            target.append('?').append(query);
        }

        List<String> hostAndPort = getHostAndPort(httpRequest);
        try {
            URL secureUrl = new URL("https", hostAndPort.get(0), Integer.parseInt(hostAndPort.get(1)), target.toString());
            servletResponse.sendRedirect(secureUrl.toExternalForm());
        } catch (MalformedURLException e) {
            servletResponse.sendError(500, URLEncoder.encode(servletRequest.getRequestURI(), "UTF-8"));
        }
        return false;
    }

    /**
     * Works out host and port for the HTTPS redirect target.
     *
     * <p>The default is the request's server name plus the connector's redirect port. The
     * values from the {@code Host} header are used instead when the header carries no port,
     * or when it names this machine with a port that does not match the listener being
     * compared. In that case host, and port if present, are client-supplied.
     *
     * <p>Review points for maintainers:
     * <ul>
     *   <li>The header is split on {@code ':'}, so a bracketed IPv6 literal is not parsed
     *       into host and port correctly.</li>
     *   <li>{@code InetAddress.getByName} resolves the host part of the header, i.e. a name
     *       lookup driven by request data.</li>
     *   <li>A non-numeric port raises NumberFormatException.</li>
     * </ul>
     *
     * @param httpRequest request whose headers and connector are inspected
     * @return a two-element list: host, then port as a string ({@code "-1"} when the header
     *         is used and has no port)
     * @throws IOException in particular a ProtocolException when there is no {@code Host} header
     */
    private List<String> getHostAndPort(HttpRequest httpRequest) throws IOException {
        // z: take host/port from the Host header instead of server name + redirect port.
        boolean z = false;
        Enumeration<String> headerNames = ((HttpServletRequest) httpRequest.getRequest()).getHeaderNames();
        String[] strArr = null;
        // z2: a Host header was seen.
        boolean z2 = false;
        while (headerNames.hasMoreElements()) {
            String nextElement = headerNames.nextElement();
            if (nextElement.equalsIgnoreCase("Host")) {
                z2 = true;
                // strArr[0] = host part, strArr[1] = port part (if any).
                strArr = ((HttpServletRequest) httpRequest.getRequest()).getHeader(nextElement).split(":");
            }
        }
        if (strArr == null) {
            throw new ProtocolException(resourceBundle.getString("missing_http_header.host"));
        }
        // z3: the Host header has no usable port.
        boolean z3 = strArr.length <= 1 || strArr[1] == null || strArr[1].trim().isEmpty();
        if (!z2) {
            z = false;
        } else if (!z3) {
            // z4: a listener on this machine with the header's port was found.
            boolean z4 = false;
            // NOTE(review): nwListeners is not assigned in the visible part of the file - confirm
            // it is initialised before the first redirect.
            for (NetworkListener networkListener : this.nwListeners.getNetworkListener()) {
                String address = networkListener.getAddress();
                // Only listeners without an address or bound to 0.0.0.0 are compared.
                if (address == null || address.equals("0.0.0.0")) {
                    if (!NetUtils.getCanonicalHostName().equals(strArr[0])) {
                        InetAddress[] hostAddresses = NetUtils.getHostAddresses();
                        // Resolves the client-supplied host name.
                        InetAddress byName = InetAddress.getByName(strArr[0]);
                        int length = hostAddresses.length;
                        int i = 0;
                        while (true) {
                            if (i >= length) {
                                break;
                            }
                            if (hostAddresses[i].equals(byName)) {
                                if (networkListener.getPort().equals(strArr[1])) {
                                    z = false;
                                    z4 = true;
                                    break;
                                }
                                z = true;
                            }
                            i++;
                        }
                    } else if (networkListener.getPort().equals(strArr[1])) {
                        z = false;
                        z4 = true;
                    } else {
                        z = true;
                    }
                }
                if (z4 && !z) {
                    break;
                }
            }
        } else {
            z = true;
        }
        String serverName = httpRequest.getRequest().getServerName();
        int redirectPort = httpRequest.getConnector().getRedirectPort();
        if (z) {
            serverName = strArr[0];
            redirectPort = z3 ? -1 : Integer.parseInt(strArr[1]);
        }
        return Arrays.asList(serverName, String.valueOf(redirectPort));
    }

    /**
     * Returns the servlet name of the wrapper attached to the request.
     *
     * @param httpRequest the request whose wrapper is queried
     * @return the value of {@code getServletName()} on that wrapper
     */
    private String getCanonicalName(HttpRequest httpRequest) {
        final String servletName = httpRequest.getWrapper().getServletName();
        return servletName;
    }

    /**
     * Returns the part of {@code str} that follows the first {@code str2.length()}
     * characters, or the empty string when {@code str} is not longer than {@code str2}.
     *
     * <p>Only the lengths are compared; the method does not check that {@code str}
     * actually starts with {@code str2}.
     *
     * @param str the full string, for example a request URI
     * @param str2 the leading part whose length is skipped
     * @return the remainder of {@code str}, possibly empty
     */
    private String getResourceName(String str, String str2) {
        final int prefixLength = str2.length();
        if (prefixLength >= str.length()) {
            return "";
        }
        return str.substring(prefixLength);
    }

    /**
     * Logs, at FINE, the user principal and context path of the request being checked.
     *
     * <p>The message is passed as a supplier, so the string is not built by this
     * method itself. The principal appears in the log line, so FINE output for this
     * logger contains user identities.
     *
     * @param httpServletRequest the request being checked
     */
    private void logHasUserDataPermission(HttpServletRequest httpServletRequest) {
        LOG.fine(() -> "[Web-Security][ hasUserDataPermission ] Principal: " + httpServletRequest.getUserPrincipal()
                + " ContextPath: " + httpServletRequest.getContextPath());
    }

    /**
     * Logs, at FINE, whether the underlying request reports itself as secure.
     *
     * @param httpRequest the request whose {@code isSecure()} flag is logged
     */
    private void logRequestSecure(HttpRequest httpRequest) {
        LOG.fine(() -> "[Web-Security] request.getRequest().isSecure(): " + httpRequest.getRequest().isSecure());
    }

    /** Logs, at FINE, that the request is being redirected to SSL. */
    private void logSSLRedirect() {
        LOG.log(Level.FINE, "[Web-Security] redirecting using SSL");
    }

    /**
     * Logs the exception at WARNING and answers the request with HTTP 400.
     *
     * <p>The exception goes to the server log only; the client receives the fixed
     * resource-bundle text, not the exception message or stack trace.
     *
     * @param httpResponse the response to send the error on
     * @param exc the failure that made the request unacceptable
     * @throws IOException if sending the error fails
     */
    private void sendBadRequest(HttpResponse httpResponse, Exception exc) throws IOException {
        final String logMessage = resourceBundle.getString("realmAdapter.badRequestWithId");
        LOG.log(Level.WARNING, logMessage, exc);

        final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
        final String clientMessage = resourceBundle.getString("realmAdapter.badRequest");
        servletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, clientMessage);
    }

    /**
     * Answers the request with HTTP 403 and the resource-bundle "forbidden" text.
     *
     * @param httpResponse the response to send the error on
     * @throws IOException if sending the error fails
     */
    private void sendForbidden(HttpResponse httpResponse) throws IOException {
        final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
        final String clientMessage = resourceBundle.getString("realmBase.forbidden");
        servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, clientMessage);
    }

    /**
     * Logs the failure at SEVERE and answers the request with HTTP 503.
     *
     * <p>The throwable is written to the server log only; the 503 is sent without a
     * message, so no exception detail reaches the client through {@code sendError}.
     *
     * @param httpResponse the response to send the error on
     * @param th the failure raised during authentication
     * @throws IOException if sending the error fails
     */
    private void sendServiceUnavailable(HttpResponse httpResponse, Throwable th) throws IOException {
        LOG.log(Level.SEVERE, "web_server.excep_authenticate_realmadapter", th);

        final HttpServletResponse servletResponse = (HttpServletResponse) httpResponse.getResponse();
        servletResponse.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);

        // NOTE(review): the detail message reuses the "forbidden" text for a 503 and is
        // set after sendError has been called; confirm both are intended.
        final String detail = resourceBundle.getString("realmBase.forbidden");
        httpResponse.setDetailMessage(detail);
    }

    /**
     * Resets the policy context handler and sets the policy context ID to {@code null}.
     *
     * <p>Presumably called at the end of request processing so that policy state from
     * one request is not visible to the next one on the same thread; verify against
     * the callers.
     */
    private void resetPolicyContext() {
        final PolicyContextHandlerImpl handler = (PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance();
        handler.reset();
        PolicyContext.setContextID(null);
    }

    /**
     * Returns the security context that belongs to the given principal.
     *
     * <p>A {@link WebPrincipal} supplies its own context. Any other principal is
     * wrapped in a new {@link Subject} that contains only that principal, and a new
     * {@link SecurityContext} is built from the principal's name and that subject.
     * The wrapping runs inside {@code AccessController.doPrivileged}. This method adds
     * no credentials to the new subject.
     *
     * @param principal the caller identity; may be {@code null}
     * @return the matching security context, or {@code null} for a {@code null} principal
     */
    private SecurityContext getSecurityContextForPrincipal(final Principal principal) {
        if (principal == null) {
            return null;
        }
        if (principal instanceof WebPrincipal) {
            return ((WebPrincipal) principal).getSecurityContext();
        }
        // The cast selects the PrivilegedAction overload of doPrivileged.
        return AccessController.doPrivileged((PrivilegedAction<SecurityContext>) () -> {
            Subject wrapper = new Subject();
            wrapper.getPrincipals().add(principal);
            return new SecurityContext(principal.getName(), wrapper);
        });
    }

    /**
     * Installs the principal's security context as the current one, but only when the
     * principal is a {@link WebPrincipal}.
     *
     * <p>For {@code null} or any other principal type the current security context is
     * left untouched.
     *
     * @param principal the authenticated principal, possibly {@code null}
     */
    public void setCurrentSecurityContextWithWebPrincipal(Principal principal) {
        if (!(principal instanceof WebPrincipal)) {
            return;
        }
        SecurityContext.setCurrent(getSecurityContextForPrincipal(principal));
    }

    /**
     * Installs the security context of the given principal as the current one.
     *
     * <p>Unlike {@link #setCurrentSecurityContextWithWebPrincipal(Principal)} this is
     * unconditional: a {@code null} principal results in
     * {@code SecurityContext.setCurrent(null)}.
     *
     * @param principal the principal whose context becomes current; may be {@code null}
     */
    public void setCurrentSecurityContext(Principal principal) {
        final SecurityContext resolved = getSecurityContextForPrincipal(principal);
        SecurityContext.setCurrent(resolved);
    }

    /**
     * Builds a {@link Subject} whose public credentials are the subject DN of the
     * first certificate and the whole certificate array as a list.
     *
     * <p>No validation of the certificates happens here.
     * NOTE(review): the array is indexed at 0 without a length check, so an empty
     * array throws; presumably the caller only passes a non-empty chain that the TLS
     * layer has already verified. Confirm against the caller.
     *
     * @param x509CertificateArr the client certificate chain; element 0 is used for the DN
     * @return a new subject carrying the two public credentials
     */
    private Subject createSubjectWithCerts(X509Certificate[] x509CertificateArr) {
        final Subject certSubject = new Subject();
        final Principal firstCertDn = x509CertificateArr[0].getSubjectX500Principal();
        certSubject.getPublicCredentials().add(firstCertDn);
        certSubject.getPublicCredentials().add(Arrays.asList(x509CertificateArr));
        return certSubject;
    }

    /**
     * Caches the network listeners from the network configuration. The cached value
     * is what the Host-header check in this class iterates over.
     */
    @Override // org.glassfish.hk2.api.PostConstruct
    public void postConstruct() {
        nwListeners = networkConfig.getNetworkListeners();
    }

    /**
     * Generates the HTTP Digest parameters for the request and passes them through
     * the client-nonce validator.
     *
     * <p>The result is whatever {@code cNonceValidator.validateCnonce} returns.
     * Presumably the validator rejects a reused client nonce; verify against
     * {@code CNonceValidator}.
     *
     * @param httpServletRequest the request carrying the Digest authorization data
     * @return the validated digest parameters
     * @throws InvalidAlgorithmParameterException declared for parameter generation or validation failures
     */
    private DigestAlgorithmParameter[] getDigestParameters(HttpServletRequest httpServletRequest) throws InvalidAlgorithmParameterException {
        final DigestParameterGenerator generator = DigestParameterGenerator.getInstance(DigestParameterGenerator.HTTP_DIGEST);
        final HttpAlgorithmParameterImpl requestSpec = new HttpAlgorithmParameterImpl(httpServletRequest);
        return this.cNonceValidator.validateCnonce(generator.generateParameters(requestSpec));
    }

    /**
     * Finds the digest parameter named {@code Constants.A1} that is also a {@link Key}.
     *
     * @param digestAlgorithmParameterArr the digest parameters to search
     * @return the first parameter whose name equals {@code Constants.A1} and which is a {@code Key}
     * @throws RuntimeException if no such parameter is present
     */
    private Key getDigestKey(DigestAlgorithmParameter[] digestAlgorithmParameterArr) {
        for (int idx = 0; idx < digestAlgorithmParameterArr.length; idx++) {
            final DigestAlgorithmParameter candidate = digestAlgorithmParameterArr[idx];
            // The name is checked before the type, as in the original condition.
            final boolean namedA1 = Constants.A1.equals(candidate.getName());
            if (namedA1 && candidate instanceof Key) {
                return (Key) candidate;
            }
        }
        throw new RuntimeException("No key found in parameters");
    }

    /**
     * Tells whether the request already carries a user principal.
     *
     * @param httpRequest the request to inspect
     * @return {@code true} when {@code getUserPrincipal()} is non-null
     */
    private boolean hasRequestPrincipal(HttpRequest httpRequest) {
        // NOTE(review): the HttpRequest itself is cast to HttpServletRequest here, while
        // other methods in this class cast httpRequest.getRequest(); this fails with a
        // ClassCastException if the HttpRequest implementation is not also an
        // HttpServletRequest. Confirm the concrete type.
        final Principal authenticated = ((HttpServletRequest) httpRequest).getUserPrincipal();
        return authenticated != null;
    }
}
