package org.jboss.ejb.plugins;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Map;
import javax.ejb.TimedObject;
import javax.ejb.Timer;
import javax.security.auth.Subject;
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.invocation.PayloadKey;
import org.jboss.metadata.AssemblyDescriptorMetaData;
import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityIdentityMetaData;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityRolesAssociation;

/* loaded from: input_file:org/jboss/ejb/plugins/JaasAuthenticationInterceptor.class */
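/**
 * Container interceptor that authenticates the caller of every EJB invocation
 * against the container's {@link AuthenticationManager} and establishes the
 * subject context and the bean's run-as identity for the rest of the chain.
 *
 * <p>Each invocation pushes exactly one subject context (in
 * {@link #checkSecurityAssociation(Invocation)}) and one run-as identity, and
 * pops both again once the downstream interceptors return or throw.
 */
public class JaasAuthenticationInterceptor extends AbstractInterceptor {
    // Authentication manager obtained from the container in setContainer();
    // when it is null, checkSecurityAssociation() performs no authentication.
    protected AuthenticationManager securityManager;
    // Roles handed to SecurityRolesAssociation before authenticating.
    // NOTE(review): nothing in this class assigns this field, so it stays null
    // unless a subclass sets it - confirm that is intended.
    protected Map securityRoles;
    // Run-as identity built from the bean's security-identity metadata; null
    // when the bean uses the caller identity or declares no security identity.
    protected RunAsIdentity runAsIdentity;
    // Reflective handle on TimedObject.ejbTimeout(Timer), used to recognise
    // container-initiated timer callbacks.
    protected Method ejbTimeout;

    /**
     * Captures the security configuration of the container this interceptor
     * is attached to: the run-as identity (if the bean does not use the
     * caller identity), the security manager and the timer callback method.
     *
     * @param container the owning container; {@code null} leaves the security
     *                  fields untouched
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.ContainerPlugin
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container == null) {
            return;
        }
        BeanMetaData beanMetaData = container.getBeanMetaData();
        AssemblyDescriptorMetaData assemblyDescriptor = beanMetaData.getApplicationMetaData().getAssemblyDescriptor();
        SecurityIdentityMetaData securityIdentityMetaData = beanMetaData.getSecurityIdentityMetaData();
        if (securityIdentityMetaData != null && !securityIdentityMetaData.getUseCallerIdentity()) {
            String runAsRoleName = securityIdentityMetaData.getRunAsRoleName();
            String runAsPrincipalName = securityIdentityMetaData.getRunAsPrincipalName();
            this.runAsIdentity = new RunAsIdentity(runAsRoleName, runAsPrincipalName, assemblyDescriptor.getSecurityRoleNamesByPrincipal(runAsPrincipalName));
        }
        this.securityManager = container.getSecurityManager();
        try {
            this.ejbTimeout = TimedObject.class.getMethod("ejbTimeout", Timer.class);
        } catch (NoSuchMethodException e) {
            // Previously swallowed silently. With ejbTimeout left null no
            // method compares equal to it, so timer callbacks are no longer
            // exempted from authentication in checkSecurityAssociation();
            // that fails closed, but it must be visible in the log.
            this.log.warn("TimedObject.ejbTimeout(Timer) not found; timer callbacks will be authenticated like ordinary invocations", e);
        }
    }

    /**
     * Starts the interceptor; delegates to the superclass without additions.
     *
     * @throws Exception whatever the superclass start reports
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor
    public void start() throws Exception {
        super.start();
    }

    /**
     * Authenticates the caller of a home-interface invocation, runs the rest
     * of the chain under this bean's run-as identity, and restores the
     * security stacks afterwards.
     *
     * @param invocation the home invocation carrying principal and credential
     * @return the result of the next interceptor
     * @throws Exception if authentication fails or the downstream call throws
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invokeHome(Invocation invocation) throws Exception {
        // Pushes a subject context on success and nothing on failure, so it
        // stays outside the try: a rejected caller must not trigger a pop.
        checkSecurityAssociation(invocation);
        try {
            SecurityActions.pushRunAsIdentity(this.runAsIdentity);
            try {
                return getNext().invokeHome(invocation);
            } finally {
                SecurityActions.popRunAsIdentity();
            }
        } finally {
            // Runs even if the run-as push or pop fails, so the subject
            // context pushed above cannot outlive this invocation.
            SecurityActions.popSubjectContext();
        }
    }

    /**
     * Authenticates the caller of a bean invocation, records the caller's
     * run-as identity on the invocation, runs the rest of the chain under
     * this bean's run-as identity, and restores the security stacks.
     *
     * @param invocation the invocation carrying principal and credential
     * @return the result of the next interceptor
     * @throws Exception if authentication fails or the downstream call throws
     */
    @Override // org.jboss.ejb.plugins.AbstractInterceptor, org.jboss.ejb.Interceptor
    public Object invoke(Invocation invocation) throws Exception {
        // See invokeHome(): nothing is pushed when this throws.
        checkSecurityAssociation(invocation);
        try {
            // Expose the identity the caller was running as (if any) to the
            // downstream interceptors before it is covered by this bean's own.
            RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity();
            if (callerRunAsIdentity != null) {
                invocation.setValue("RunAsIdentity", callerRunAsIdentity, PayloadKey.TRANSIENT);
            }
            SecurityActions.pushRunAsIdentity(this.runAsIdentity);
            try {
                return getNext().invoke(invocation);
            } finally {
                SecurityActions.popRunAsIdentity();
            }
        } finally {
            // Guarantees the subject context pushed by
            // checkSecurityAssociation() is removed on every exit path.
            SecurityActions.popSubjectContext();
        }
    }

    /**
     * Establishes the subject context for an invocation, authenticating the
     * caller when authentication applies.
     *
     * <p>Exactly one subject context is pushed when this method returns
     * normally; none is pushed when it throws.
     *
     * @param invocation the invocation whose principal and credential are checked
     * @throws Exception the exception recorded by the authentication layer, or a
     *                   {@link SecurityException} when the caller is rejected
     *                   and no such exception was recorded
     */
    private void checkSecurityAssociation(Invocation invocation) throws Exception {
        Principal principal = invocation.getPrincipal();
        Object credential = invocation.getCredential();
        Method method = invocation.getMethod();

        // No authentication for container-initiated calls (no method, or the
        // timer callback) or when no security manager or container is set.
        // The caller-supplied principal and credential are pushed UNVERIFIED
        // with a null Subject, so downstream code must not treat them as
        // authenticated in that configuration.
        boolean containerMethod = method == null || method.equals(this.ejbTimeout);
        if (containerMethod || this.securityManager == null || this.container == null) {
            SecurityActions.pushSubjectContext(principal, credential, null);
            return;
        }

        // A run-as identity is already on the stack, presumably because this
        // call is made from inside another bean's invocation: the current
        // subject context is duplicated and the caller is not re-authenticated.
        // NOTE(review): invoke() reads the same value through SecurityActions;
        // confirm the direct SecurityAssociation call here is intended.
        if (SecurityAssociation.peekRunAsIdentity() != null) {
            SecurityActions.dupSubjectContext();
            return;
        }

        // NOTE(review): this association is not reset anywhere in this class,
        // on success or on failure - confirm where it is cleared.
        SecurityRolesAssociation.setSecurityRoles(this.securityRoles);
        Subject subject = new Subject();
        if (!this.securityManager.isValid(principal, credential, subject)) {
            // Prefer the specific failure recorded during authentication.
            Exception contextException = SecurityActions.getContextException();
            if (contextException == null) {
                // Only the principal is reported; the credential must never be
                // added to this message or to the trace line below.
                throw new SecurityException("Authentication exception, principal=" + principal);
            }
            throw contextException;
        }
        SecurityActions.pushSubjectContext(principal, credential, subject);
        if (this.log.isTraceEnabled()) {
            this.log.trace("Authenticated  principal=" + principal);
        }
    }
}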
