package org.granite.messaging.service.security;

import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.granite.context.GraniteContext;
import org.granite.logging.Logger;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.security.AbstractAuthenticationManager;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;
import org.springframework.security.userdetails.UsernameNotFoundException;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/lib/granite-spring-2.3.2.GA.jar:org/granite/messaging/service/security/SpringSecurityService.class */
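/**
 * Security service that delegates authentication to a Spring Security
 * {@link AbstractAuthenticationManager} and checks destination roles against the
 * authorities of the current {@link Authentication}.
 *
 * <p>When the request attribute {@link #FILTER_APPLIED} is absent, this class manages the
 * {@link SecurityContextHolder} itself: it binds the context stored in the HTTP session
 * before the invocation and unbinds it afterwards. When the attribute is present, the
 * holder is left untouched.
 */
public class SpringSecurityService extends AbstractSecurityService {
    private static final Logger log = Logger.getLogger(SpringSecurityService.class);

    /** Request attribute whose presence makes this service leave the security context holder alone. */
    private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";

    /** Session attribute under which the security context is stored between requests. */
    private static final String SECURITY_CONTEXT_SESSION_KEY = "SPRING_SECURITY_CONTEXT";

    /** Optional interceptor; when set, {@link #authorize} routes the invocation through it. */
    private AbstractSpringSecurityInterceptor securityInterceptor = null;

    /** Creates the service; only emits a debug log entry. */
    public SpringSecurityService() {
        log.debug("Starting Spring Security Service!");
    }

    /**
     * Accepts configuration parameters but does not use them (no-op apart from logging).
     *
     * @param map configuration parameters, logged at debug level
     */
    @Override
    public void configure(Map<String, String> map) {
        log.debug("Configuring with parameters (NOOP) %s: ", map);
    }

    /**
     * Installs the interceptor used by {@link #authorize} to perform the invocation.
     *
     * @param abstractSpringSecurityInterceptor interceptor to use, or {@code null} to invoke directly
     */
    public void setSecurityInterceptor(AbstractSpringSecurityInterceptor abstractSpringSecurityInterceptor) {
        this.securityInterceptor = abstractSpringSecurityInterceptor;
    }

    /**
     * Authenticates the supplied credentials and stores the resulting security context in
     * the HTTP session.
     *
     * <p>Fails closed: if no Spring web application context can be found, no authentication
     * can take place and an authentication-failed exception is thrown instead of returning
     * as if the login had succeeded.
     *
     * @param obj encoded credentials, passed to {@code decodeBase64Credentials}
     * @param str second argument of {@code decodeBase64Credentials} (presumably the charset;
     *            verify against the superclass)
     * @throws SecurityServiceException if authentication fails or cannot be attempted
     */
    @Override
    public void login(Object obj, String str) {
        String[] decoded = decodeBase64Credentials(obj, str);
        HttpServletRequest request = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getRequest();
        String username = decoded[0];
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, decoded[1]);
        WebApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(request.getSession().getServletContext());
        if (appContext == null) {
            // Without an application context there is no authentication manager to ask;
            // returning normally here would report a login that never happened.
            log.debug("No Spring web application context found, authentication not possible");
            throw SecurityServiceException.newAuthenticationFailedException("Authentication service unavailable");
        }
        try {
            AbstractAuthenticationManager authenticationManager = (AbstractAuthenticationManager) BeanFactoryUtils.beanOfTypeIncludingAncestors(appContext, AbstractAuthenticationManager.class);
            Authentication authenticated = authenticationManager.authenticate(token);
            SecurityContext securityContext = SecurityContextHolder.getContext();
            securityContext.setAuthentication(authenticated);
            SecurityContextHolder.setContext(securityContext);
            // NOTE(review): the HTTP session id is not renewed after a successful
            // authentication here; confirm session-fixation protection is applied elsewhere.
            // NOTE(review): the authenticated context stays bound to the holder when this
            // method returns; confirm it is cleared at the end of the request.
            saveSecurityContextInSession(securityContext, 0);
            endLogin(obj, str);
            // Logged only on the success path so the audit trail does not claim a login
            // for a request that was rejected.
            log.debug("User %s logged in", username);
        } catch (AuthenticationException e) {
            handleAuthenticationExceptions(e);
        }
    }

    /**
     * Translates a Spring Security authentication failure into a service exception.
     * Bad credentials and unknown user names are both reported as invalid credentials;
     * every other failure is reported as a failed authentication.
     *
     * @param authenticationException the failure raised by the authentication manager
     * @throws SecurityServiceException always
     */
    protected void handleAuthenticationExceptions(AuthenticationException authenticationException) {
        // NOTE(review): the provider's message is forwarded to the caller unchanged. Confirm
        // the configured providers do not word "unknown user" differently from
        // "wrong password", otherwise the response reveals which account names exist.
        boolean invalidCredentials = authenticationException instanceof BadCredentialsException
                || authenticationException instanceof UsernameNotFoundException;
        if (invalidCredentials) {
            throw SecurityServiceException.newInvalidCredentialsException(authenticationException.getMessage());
        }
        throw SecurityServiceException.newAuthenticationFailedException(authenticationException.getMessage());
    }

    /**
     * Checks that the current user may call the destination, then performs the invocation.
     *
     * <p>For a secured destination the caller must be authenticated, must not be anonymous
     * and must hold at least one of the destination's roles. The invocation goes through the
     * configured interceptor if there is one, otherwise through {@code endAuthorization}.
     *
     * <p>When this method binds the security context itself (request attribute
     * {@link #FILTER_APPLIED} absent), the context is unbound on every exit path, including
     * a rejected access check. Otherwise the rejected user's context would remain in the
     * holder and be picked up by the session-less fallback of a later call.
     *
     * @param abstractSecurityContext the invocation to authorize
     * @return the invocation result
     * @throws SecurityServiceException if the user is not logged in or access is denied
     * @throws Exception any other failure raised by the invocation
     */
    @Override
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        log.debug("Authorize: %s", abstractSecurityContext);
        log.debug("Is %s secured? %b", abstractSecurityContext.getDestination().getId(), abstractSecurityContext.getDestination().isSecured());
        startAuthorization(abstractSecurityContext);
        HttpGraniteContext graniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Hash of the context as loaded from the session; used afterwards to decide whether
        // the context has to be written back. Stays 0 when nothing was loaded.
        int loadedContextHash = 0;
        if (graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
            SecurityContext sessionContext = loadSecurityContextFromSession();
            if (sessionContext != null) {
                loadedContextHash = sessionContext.hashCode();
            } else {
                sessionContext = SecurityContextHolder.getContext();
            }
            SecurityContextHolder.setContext(sessionContext);
            authentication = sessionContext.getAuthentication();
        }

        if (abstractSecurityContext.getDestination().isSecured()) {
            boolean accessGranted = false;
            try {
                if (!isAuthenticated(authentication) || authentication instanceof AnonymousAuthenticationToken) {
                    log.debug("Is not authenticated!");
                    throw SecurityServiceException.newNotLoggedInException("User not logged in");
                }
                if (!userCanAccessService(abstractSecurityContext, authentication)) {
                    log.debug("Access denied for: %s", authentication.getName());
                    throw SecurityServiceException.newAccessDeniedException("User not in required role");
                }
                accessGranted = true;
            } finally {
                // A rejected request never reaches the invocation's finally block below, so
                // unbind the context here; nothing is written back to the session.
                if (!accessGranted && graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
                    SecurityContextHolder.clearContext();
                }
            }
        }

        try {
            if (this.securityInterceptor != null) {
                return this.securityInterceptor.invoke(abstractSecurityContext);
            }
            return endAuthorization(abstractSecurityContext);
        } catch (AccessDeniedException e) {
            throw SecurityServiceException.newAccessDeniedException(e.getMessage());
        } catch (InvocationTargetException e) {
            // Throws an access-denied exception if the cause chain contains one;
            // otherwise the original exception is rethrown.
            handleAuthorizationExceptions(e);
            throw e;
        } finally {
            if (graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null) {
                // Unbind first, then persist the context if it changed during the call.
                SecurityContext contextAfter = SecurityContextHolder.getContext();
                SecurityContextHolder.clearContext();
                saveSecurityContextInSession(contextAfter, loadedContextHash);
            }
        }
    }

    /**
     * Invalidates the HTTP session if it holds a security context and clears the holder.
     * No session is created if none exists.
     */
    @Override
    public void logout() {
        HttpSession session = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getSession(false);
        boolean hasStoredContext = session != null && session.getAttribute(SECURITY_CONTEXT_SESSION_KEY) != null;
        if (hasStoredContext) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    }

    /**
     * Tells whether one of the user's authorities matches the given role.
     *
     * <p>The role is applied as a regular expression via {@link String#matches(String)}: it
     * must match the whole authority name, and regex metacharacters in a configured role
     * are interpreted rather than compared literally. A role such as {@code ROLE_.*} grants
     * access to every authority with that prefix.
     *
     * @param authentication the current authentication
     * @param str role expression taken from the destination configuration
     * @return {@code true} if at least one authority matches
     */
    protected boolean isUserInRole(Authentication authentication, String str) {
        // An authentication without authorities cannot satisfy any role; deny instead of
        // failing with a NullPointerException.
        if (authentication.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            String authorityName = grantedAuthority != null ? grantedAuthority.getAuthority() : null;
            // Authorities without a string representation are skipped, never matched.
            if (authorityName != null && authorityName.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param authentication authentication to test, may be {@code null}
     * @return {@code true} if the authentication exists and reports itself as authenticated
     */
    protected boolean isAuthenticated(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        return authentication.isAuthenticated();
    }

    /**
     * Checks the user's authorities against the roles of the destination. Access is granted
     * as soon as one role matches; a destination without roles grants access to nobody.
     *
     * @param abstractSecurityContext invocation whose destination supplies the roles
     * @param authentication the current authentication
     * @return {@code true} if the user holds at least one of the destination's roles
     */
    protected boolean userCanAccessService(AbstractSecurityContext abstractSecurityContext, Authentication authentication) {
        String userName = authentication.getName();
        log.debug("Is authenticated as: %s", userName);
        for (String role : abstractSecurityContext.getDestination().getRoles()) {
            if (!isUserInRole(authentication, role)) {
                log.debug("Access denied for %s not in role %s", authentication.getName(), role);
                continue;
            }
            log.debug("Allowed access to %s in role %s", authentication.getName(), role);
            return true;
        }
        return false;
    }

    /**
     * Reads the security context stored in the HTTP session. The session is created if the
     * request has none.
     *
     * @return the stored context, or {@code null} if the session holds none
     */
    protected SecurityContext loadSecurityContextFromSession() {
        HttpSession session = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getRequest().getSession();
        return (SecurityContext) session.getAttribute(SECURITY_CONTEXT_SESSION_KEY);
    }

    /**
     * Stores the security context in the HTTP session unless it is unchanged or anonymous.
     *
     * <p>"Unchanged" is decided by comparing {@code hashCode()} with {@code i}, so a modified
     * context that happens to hash to the same value is not written back.
     *
     * @param securityContext context to persist
     * @param i hash code of the context as it was loaded, or 0 if none was loaded
     */
    protected void saveSecurityContextInSession(SecurityContext securityContext, int i) {
        boolean unchanged = securityContext.hashCode() == i;
        if (unchanged || securityContext.getAuthentication() instanceof AnonymousAuthenticationToken) {
            return;
        }
        HttpSession session = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getRequest().getSession();
        session.setAttribute(SECURITY_CONTEXT_SESSION_KEY, securityContext);
    }

    /**
     * Walks the cause chain of an invocation failure and, if it contains a
     * {@link SecurityException}, a Spring {@link AccessDeniedException} or an
     * {@code javax.ejb.EJBAccessException}, reports it as an access-denied service exception.
     * Returns normally if no such cause is found.
     *
     * @param invocationTargetException the failure raised by the invocation
     * @throws SecurityServiceException if the chain contains an access-denial cause
     */
    protected void handleAuthorizationExceptions(InvocationTargetException invocationTargetException) {
        for (Throwable cause = invocationTargetException; cause != null; cause = cause.getCause()) {
            // The EJB exception is compared by class name, not with instanceof.
            boolean accessDenied = cause instanceof SecurityException
                    || cause instanceof AccessDeniedException
                    || "javax.ejb.EJBAccessException".equals(cause.getClass().getName());
            if (accessDenied) {
                throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
            }
        }
    }
}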
