package org.jboss.ejb3.security;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.ejb.EJBAccessException;
import javax.security.auth.Subject;
import org.jboss.aop.advice.Interceptor;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.ejb3.Container;
import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityUtil;
import org.jboss.security.identity.plugins.SimpleIdentity;
import org.jboss.security.javaee.EJBAuthenticationHelper;
import org.jboss.security.javaee.SecurityHelperFactory;

/* loaded from: input_file:org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.class */
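/**
 * AOP interceptor that installs the security context for an EJB invocation and authenticates the
 * caller before handing the call to the next interceptor.
 * <p>
 * What this class does, as visible in its code:
 * <ul>
 *   <li>EJB timeout callbacks, methods carrying a timeout annotation and message-driven beans
 *       (all decided through {@link SecurityHelper}) are passed straight through with no
 *       authentication.</li>
 *   <li>When the container carries a {@link SecurityDomain} with a non-empty value, a fresh
 *       {@link SecurityContext} for that domain is populated from the thread's current context
 *       (local call) or from the context carried in the invocation metadata under
 *       {@code "security"/"context"} (remote call), then installed on the thread. The caller is
 *       then authenticated through {@link EJBAuthenticationHelper} unless the incoming context is
 *       trusted or already carries a {@link RunAsIdentity}.</li>
 *   <li>Without such a security domain, the invocation-carried context, if present, is installed
 *       as-is; nothing is validated in that branch.</li>
 *   <li>The thread's original security context is restored after the call, on both the normal
 *       and the exceptional path.</li>
 * </ul>
 * The only instance state is the container reference (assigned once in the constructor) and a
 * logger; all per-invocation state lives in locals and in the thread-associated
 * {@link SecurityContext}.
 */
public class Ejb3AuthenticationInterceptorv2 implements Interceptor {
    protected Logger log = Logger.getLogger(getClass());
    private final EJBContainer container;

    /**
     * Creates the interceptor for one container.
     *
     * @param container the AOP container; must be an {@link EJBContainer}
     * @throws ClassCastException if {@code container} is not an {@link EJBContainer}
     */
    public Ejb3AuthenticationInterceptorv2(Container container) {
        this.container = (EJBContainer) container;
    }

    /** @return the fully qualified class name, used as the interceptor name */
    public String getName() {
        return getClass().getName();
    }

    /**
     * Establishes the security context for the invocation, authenticates the caller where a
     * security domain is configured, and proceeds to the next interceptor.
     *
     * @param invocation the current invocation; must be a {@link MethodInvocation}
     * @return whatever the next interceptor returns
     * @throws IllegalStateException if the context needed to populate the new security context is
     *         missing (thread context for a local call, invocation metadata for a remote call)
     * @throws EJBAccessException if the caller cannot be validated by the authentication helper
     * @throws Throwable anything thrown by the rest of the chain, after the original security
     *         context has been restored
     */
    public Object invoke(Invocation invocation) throws Throwable {
        SecurityHelper securityHelper = new SecurityHelper();
        MethodInvocation methodInvocation = (MethodInvocation) invocation;
        Method method = methodInvocation.getMethod();
        // Timer callbacks and message deliveries have no caller identity to check.
        if (securityHelper.isEJBTimeOutCallback(method)
                || securityHelper.containsTimeoutAnnotation(this.container, method)
                || securityHelper.isMDB(this.container)) {
            return invocation.invokeNext();
        }
        // Remember the caller thread's context so it can be restored whatever happens below.
        SecurityContext previousContext = SecurityActions.getSecurityContext();
        try {
            SecurityContext invocationContext = (SecurityContext) invocation.getMetaData("security", "context");
            SecurityDomain domain = this.container.getAnnotation(SecurityDomain.class);
            if (hasSecurityDomain(domain)) {
                final SecurityContext newContext =
                        SecurityActions.createSecurityContext(canonicalizeSecurityDomain(domain.value()));
                if (securityHelper.isLocalCall(methodInvocation)) {
                    if (previousContext == null) {
                        throw new IllegalStateException("Local Call: Security Context is null");
                    }
                    populateSecurityContext(newContext, previousContext);
                } else {
                    if (invocationContext == null) {
                        throw new IllegalStateException("Remote Call: Invocation Security Context is null");
                    }
                    populateSecurityContext(newContext, invocationContext);
                }
                SecurityActions.setSecurityContext(newContext);
                // Wiring the security management implementation is done under a privileged block
                // so the class load/instantiation does not depend on the caller's permissions.
                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override
                    public Object run() throws Exception {
                        newContext.setSecurityManagement(Ejb3AuthenticationInterceptorv2.this.getSecurityManagement());
                        return null;
                    }
                });
                authenticate(newContext, domain, method.getName());
            } else if (invocationContext != null) {
                // No security domain on the container: propagate the incoming context untouched.
                SecurityActions.setSecurityContext(invocationContext);
            }
            return invocation.invokeNext();
        } finally {
            // Restore on every exit path (return, IllegalStateException, EJBAccessException, chain errors).
            SecurityActions.setSecurityContext(previousContext);
        }
    }

    /**
     * Authenticates the caller against {@code context} unless the context is already trusted.
     * <p>
     * A context carrying a {@link RunAsIdentity} as its incoming run-as, or one the helper reports
     * as trusted, is accepted without any further check. Otherwise, when there is no user
     * principal and the domain declares a non-empty {@code unauthenticatedPrincipal}, that
     * principal is added to the context and to the subject without any credential validation;
     * in every other case {@link EJBAuthenticationHelper#isValid} decides.
     *
     * @param context    the freshly created and installed security context
     * @param domain     the container's security domain annotation (non-null here)
     * @param methodName the invoked method's name, passed to the helper's validation
     * @throws EJBAccessException if the helper rejects the caller ("Invalid User")
     * @throws RuntimeException wrapping any other exception raised by the helper
     */
    private void authenticate(SecurityContext context, SecurityDomain domain, String methodName) {
        try {
            EJBAuthenticationHelper helper = SecurityHelperFactory.getEJBAuthenticationHelper(context);
            if (hasIncomingRunAsIdentity(context) || helper.isTrusted()) {
                return;
            }
            Subject subject = new Subject();
            Principal userPrincipal = context.getUtil().getUserPrincipal();
            String unauthenticatedPrincipal = domain.unauthenticatedPrincipal();
            if (userPrincipal == null && unauthenticatedPrincipal != null && unauthenticatedPrincipal.length() > 0) {
                // Anonymous caller mapped onto the configured unauthenticated principal.
                SimpleIdentity identity = new SimpleIdentity(unauthenticatedPrincipal);
                context.getSubjectInfo().addIdentity(identity);
                subject.getPrincipals().add(identity.asPrincipal());
            } else if (!helper.isValid(subject, methodName)) {
                throw new EJBAccessException("Invalid User");
            }
            helper.pushSubjectContext(subject);
        } catch (EJBAccessException e) {
            // Rethrow unwrapped: EJBAccessException is a RuntimeException and would otherwise be
            // swallowed into the generic wrapper below, hiding the access failure from the
            // container's EJB exception handling.
            throw e;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * @param domain the container's security domain annotation, possibly {@code null}
     * @return {@code true} only when the annotation is present and its value is non-empty
     */
    private static boolean hasSecurityDomain(SecurityDomain domain) {
        return domain != null && domain.value() != null && domain.value().length() > 0;
    }

    /**
     * Strips any JNDI-style prefix from the configured security domain name.
     *
     * @param str the raw value of the {@link SecurityDomain} annotation
     * @return the unprefixed domain name as produced by {@link SecurityUtil#unprefixSecurityDomain}
     */
    private String canonicalizeSecurityDomain(String str) {
        return SecurityUtil.unprefixSecurityDomain(str);
    }

    /**
     * Copies the subject information and the outgoing run-as of {@code source} into
     * {@code target} as its subject info and incoming run-as.
     *
     * @param target the context being populated
     * @param source the context supplying subject info and outgoing run-as
     */
    private void populateSecurityContext(SecurityContext target, SecurityContext source) {
        SecurityActions.setSubjectInfo(target, source.getSubjectInfo());
        SecurityActions.setIncomingRunAs(target, source.getOutgoingRunAs());
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Instantiates the JNDI-based security management implementation by class name.
     * Invoked from the privileged block in {@link #invoke}.
     *
     * @return a new {@link ISecurityManagement} instance
     * @throws Exception if the class cannot be loaded or instantiated
     */
    public ISecurityManagement getSecurityManagement() throws Exception {
        return (ISecurityManagement) SecurityActions.loadClass("org.jboss.security.integration.JNDIBasedSecurityManagement").newInstance();
    }

    /**
     * @param securityContext the context to inspect
     * @return {@code true} when the context's incoming run-as is a {@link RunAsIdentity}
     */
    private boolean hasIncomingRunAsIdentity(SecurityContext securityContext) {
        RunAs incomingRunAs = securityContext.getIncomingRunAs();
        return incomingRunAs != null && (incomingRunAs instanceof RunAsIdentity);
    }
}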
