package org.granite.spring.security;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.granite.context.GraniteContext;
import org.granite.logging.Logger;
import org.granite.messaging.service.security.AbstractSecurityContext;
import org.granite.messaging.service.security.AbstractSecurityService;
import org.granite.messaging.service.security.SecurityServiceException;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/lib/granite-spring-2.3.2.GA.jar:org/granite/spring/security/SpringSecurity3Service.class */
public class SpringSecurity3Service extends AbstractSecurityService {
    private static final Logger log = Logger.getLogger((Class<?>) SpringSecurity3Service.class);
    private static final String FILTER_APPLIED = "__spring_security_scpf_applied";
    private static final String SECURITY_SERVICE_APPLIED = "__spring_security_granite_service_applied";
    private AuthenticationManager authenticationManager = null;
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
    private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    private AbstractSpringSecurity3Interceptor securityInterceptor = null;
    private SessionAuthenticationStrategy sessionAuthenticationStrategy = new SessionFixationProtectionStrategy();
    private PasswordEncoder passwordEncoder = null;
    private String authenticationManagerBeanName = null;
    private boolean allowAnonymousAccess = false;
    private Method getRequest;
    private Method getResponse;

    public SpringSecurity3Service() {
        this.getRequest = null;
        this.getResponse = null;
        log.debug("Starting Spring 3 Security Service", new Object[0]);
        try {
            this.getRequest = HttpRequestResponseHolder.class.getDeclaredMethod("getRequest", new Class[0]);
            this.getRequest.setAccessible(true);
            this.getResponse = HttpRequestResponseHolder.class.getDeclaredMethod("getResponse", new Class[0]);
            this.getResponse.setAccessible(true);
        } catch (Exception e) {
            throw new RuntimeException("Could not get methods from HttpRequestResponseHolder", e);
        }
    }

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
        this.authenticationTrustResolver = authenticationTrustResolver;
    }

    public void setAllowAnonymousAccess(boolean z) {
        this.allowAnonymousAccess = z;
    }

    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        this.securityContextRepository = securityContextRepository;
    }

    public void setSecurityInterceptor(AbstractSpringSecurity3Interceptor abstractSpringSecurity3Interceptor) {
        this.securityInterceptor = abstractSpringSecurity3Interceptor;
    }

    public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
        if (sessionAuthenticationStrategy == null) {
            throw new NullPointerException("SessionAuthenticationStrategy cannot be null");
        }
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }

    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override // org.granite.messaging.service.security.SecurityService
    public void configure(Map<String, String> map) {
        log.debug("Configuring with parameters %s: ", map);
        if (map.containsKey("authentication-manager-bean-name")) {
            this.authenticationManagerBeanName = map.get("authentication-manager-bean-name");
        }
        if (Boolean.TRUE.toString().equals(map.get("allow-anonymous-access"))) {
            this.allowAnonymousAccess = true;
        }
    }

    @Override // org.granite.messaging.service.security.SecurityService
    public void login(Object obj, String str) {
        List asList = Arrays.asList(decodeBase64Credentials(obj, str));
        HttpGraniteContext httpGraniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
        HttpServletRequest request = httpGraniteContext.getRequest();
        String str2 = (String) asList.get(0);
        String str3 = (String) asList.get(1);
        if (this.passwordEncoder != null) {
            str3 = this.passwordEncoder.encodePassword(str3, (Object) null);
        }
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(str2, str3);
        WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(request.getSession().getServletContext());
        if (webApplicationContext != null) {
            lookupAuthenticationManager(webApplicationContext, this.authenticationManagerBeanName);
            try {
                Authentication authenticate = this.authenticationManager.authenticate(usernamePasswordAuthenticationToken);
                if (authenticate != null && !this.authenticationTrustResolver.isAnonymous(authenticate)) {
                    try {
                        this.sessionAuthenticationStrategy.onAuthentication(authenticate, request, httpGraniteContext.getResponse());
                    } catch (SessionAuthenticationException e) {
                        log.debug(e, "SessionAuthenticationStrategy rejected the authentication object", new Object[0]);
                        SecurityContextHolder.clearContext();
                        handleAuthenticationExceptions(e);
                        return;
                    }
                }
                HttpRequestResponseHolder httpRequestResponseHolder = new HttpRequestResponseHolder(httpGraniteContext.getRequest(), httpGraniteContext.getResponse());
                SecurityContext loadContext = this.securityContextRepository.loadContext(httpRequestResponseHolder);
                loadContext.setAuthentication(authenticate);
                SecurityContextHolder.setContext(loadContext);
                try {
                    this.securityContextRepository.saveContext(loadContext, (HttpServletRequest) this.getRequest.invoke(httpRequestResponseHolder, new Object[0]), (HttpServletResponse) this.getResponse.invoke(httpRequestResponseHolder, new Object[0]));
                } catch (Exception e2) {
                    log.error(e2, "Could not save context after authentication", new Object[0]);
                }
                endLogin(obj, str);
            } catch (AuthenticationException e3) {
                handleAuthenticationExceptions(e3);
            }
        }
        log.debug("User %s logged in", str2);
    }

    protected void handleAuthenticationExceptions(AuthenticationException authenticationException) {
        if (!(authenticationException instanceof BadCredentialsException) && !(authenticationException instanceof UsernameNotFoundException)) {
            throw SecurityServiceException.newAuthenticationFailedException(authenticationException.getMessage());
        }
        throw SecurityServiceException.newInvalidCredentialsException(authenticationException.getMessage());
    }

    public void lookupAuthenticationManager(ApplicationContext applicationContext, String str) throws SecurityServiceException {
        if (this.authenticationManager != null) {
            return;
        }
        Map beansOfTypeIncludingAncestors = BeanFactoryUtils.beansOfTypeIncludingAncestors(applicationContext, AuthenticationManager.class);
        if (str != null) {
            this.authenticationManager = (AuthenticationManager) beansOfTypeIncludingAncestors.get(str);
            if (this.authenticationManager == null) {
                log.error("AuthenticationManager bean not found " + str, new Object[0]);
                throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
            }
            return;
        }
        if (beansOfTypeIncludingAncestors.size() > 1) {
            log.error("More than one AuthenticationManager beans found, specify which one to use in Spring config <graniteds:security-service authentication-manager='myAuthManager'/> or in granite-config.xml <security type='org.granite.spring.security.SpringSecurity3Service'><param name='authentication-manager-bean-name' value='myAuthManager'/></security>", new Object[0]);
            throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
        }
        this.authenticationManager = (AuthenticationManager) beansOfTypeIncludingAncestors.values().iterator().next();
    }

    @Override // org.granite.messaging.service.security.SecurityService
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        log.debug("Authorize %s on destination %s (secured: %b)", abstractSecurityContext, abstractSecurityContext.getDestination().getId(), Boolean.valueOf(abstractSecurityContext.getDestination().isSecured()));
        startAuthorization(abstractSecurityContext);
        HttpGraniteContext httpGraniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        HttpRequestResponseHolder httpRequestResponseHolder = null;
        if (httpGraniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
            if (httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED) == null) {
                httpRequestResponseHolder = new HttpRequestResponseHolder(httpGraniteContext.getRequest(), httpGraniteContext.getResponse());
                SecurityContext loadContext = this.securityContextRepository.loadContext(httpRequestResponseHolder);
                SecurityContextHolder.setContext(loadContext);
                if (isAuthenticated(authentication)) {
                    loadContext.setAuthentication(authentication);
                } else {
                    authentication = loadContext.getAuthentication();
                }
                httpGraniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, 0);
            } else {
                httpGraniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, Integer.valueOf(((Integer) httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED)).intValue() + 1));
            }
        }
        if (abstractSecurityContext.getDestination().isSecured()) {
            if (!isAuthenticated(authentication) || (!this.allowAnonymousAccess && (authentication instanceof AnonymousAuthenticationToken))) {
                log.debug("User not authenticated!", new Object[0]);
                throw SecurityServiceException.newNotLoggedInException("User not logged in");
            }
            if (!userCanAccessService(abstractSecurityContext, authentication)) {
                log.debug("Access denied for user %s", authentication.getName());
                throw SecurityServiceException.newAccessDeniedException("User not in required role");
            }
        }
        try {
            try {
                Object invoke = this.securityInterceptor != null ? this.securityInterceptor.invoke(abstractSecurityContext) : endAuthorization(abstractSecurityContext);
                if (httpGraniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
                    if (((Integer) httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED)).intValue() == 0) {
                        SecurityContext context = SecurityContextHolder.getContext();
                        SecurityContextHolder.clearContext();
                        try {
                            this.securityContextRepository.saveContext(context, (HttpServletRequest) this.getRequest.invoke(httpRequestResponseHolder, new Object[0]), (HttpServletResponse) this.getResponse.invoke(httpRequestResponseHolder, new Object[0]));
                        } catch (Exception e) {
                            log.error(e, "Could not extract wrapped context from holder", new Object[0]);
                        }
                        httpGraniteContext.getRequest().removeAttribute(SECURITY_SERVICE_APPLIED);
                    } else {
                        httpGraniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, Integer.valueOf(((Integer) httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED)).intValue() - 1));
                    }
                }
                return invoke;
            } catch (InvocationTargetException e2) {
                handleAuthorizationExceptions(e2);
                throw e2;
            } catch (AccessDeniedException e3) {
                throw SecurityServiceException.newAccessDeniedException(e3.getMessage());
            }
        } catch (Throwable th) {
            if (httpGraniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
                if (((Integer) httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED)).intValue() == 0) {
                    SecurityContext context2 = SecurityContextHolder.getContext();
                    SecurityContextHolder.clearContext();
                    try {
                        this.securityContextRepository.saveContext(context2, (HttpServletRequest) this.getRequest.invoke(httpRequestResponseHolder, new Object[0]), (HttpServletResponse) this.getResponse.invoke(httpRequestResponseHolder, new Object[0]));
                    } catch (Exception e4) {
                        log.error(e4, "Could not extract wrapped context from holder", new Object[0]);
                    }
                    httpGraniteContext.getRequest().removeAttribute(SECURITY_SERVICE_APPLIED);
                } else {
                    httpGraniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, Integer.valueOf(((Integer) httpGraniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED)).intValue() - 1));
                }
            }
            throw th;
        }
    }

    @Override // org.granite.messaging.service.security.SecurityService
    public void logout() {
        HttpGraniteContext httpGraniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
        HttpSession session = httpGraniteContext.getSession(false);
        if (session != null && this.securityContextRepository.containsContext(httpGraniteContext.getRequest())) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    }

    protected boolean isUserInRole(Authentication authentication, String str) {
        Iterator<? extends GrantedAuthority> it = authentication.getAuthorities().iterator();
        while (it.hasNext()) {
            if (it.next().getAuthority().matches(str)) {
                return true;
            }
        }
        return false;
    }

    protected boolean isAuthenticated(Authentication authentication) {
        return authentication != null && authentication.isAuthenticated();
    }

    protected boolean userCanAccessService(AbstractSecurityContext abstractSecurityContext, Authentication authentication) {
        log.debug("Is authenticated as: %s", authentication.getName());
        for (String str : abstractSecurityContext.getDestination().getRoles()) {
            if (isUserInRole(authentication, str)) {
                log.debug("Allowed access to %s in role %s", authentication.getName(), str);
                return true;
            }
            log.debug("Access denied for %s not in role %s", authentication.getName(), str);
        }
        return false;
    }

    protected void handleAuthorizationExceptions(InvocationTargetException invocationTargetException) {
        Throwable th;
        Throwable th2 = invocationTargetException;
        while (true) {
            th = th2;
            if (th == null) {
                return;
            }
            if ((th instanceof SecurityException) || (th instanceof AccessDeniedException) || "javax.ejb.EJBAccessException".equals(th.getClass().getName())) {
                break;
            } else {
                th2 = th.getCause();
            }
        }
        throw SecurityServiceException.newAccessDeniedException(th.getMessage());
    }
}
