package org.granite.messaging.service.security;

import java.lang.reflect.InvocationTargetException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.AbstractAuthenticationManager;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.granite.context.GraniteContext;
import org.granite.logging.Logger;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/lib/granite-spring-2.3.2.GA.jar:org/granite/messaging/service/security/AcegiSecurityService.class */
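/**
 * Security service that authenticates Granite requests against an Acegi
 * {@link AbstractAuthenticationManager} looked up from the Spring web application context.
 *
 * <p>The {@link Authentication} returned by a successful login is stored in the HTTP session under
 * {@link #SPRING_AUTHENTICATION_TOKEN}. {@link #authorize(AbstractSecurityContext)} reads it back
 * from the session, checks the destination's roles, and publishes it in
 * {@link SecurityContextHolder} for the duration of the invocation.
 *
 * <p>Points a reviewer should confirm, since this class does not handle them itself:
 * <ul>
 *   <li>{@link #login(Object, String)} keeps using the existing HTTP session and never renews its
 *       identifier. Session-fixation protection must therefore come from elsewhere (filter or
 *       container) - TODO confirm.</li>
 *   <li>{@link #login(Object, String)} leaves the new {@code Authentication} in
 *       {@code SecurityContextHolder} when it returns. {@link #authorize(AbstractSecurityContext)}
 *       does not reset the holder for unauthenticated sessions. If the holder is thread-bound and
 *       threads are pooled, something else has to clear it between requests - TODO confirm.</li>
 *   <li>Destination role names are evaluated as regular expressions (see
 *       {@link #isUserInRole(Authentication, String)}).</li>
 * </ul>
 */
public class AcegiSecurityService extends AbstractSecurityService {
    private static final Logger log = Logger.getLogger(AcegiSecurityService.class);

    /** HTTP session attribute under which the authenticated {@link Authentication} is kept. */
    private static final String SPRING_AUTHENTICATION_TOKEN = AcegiSecurityService.class.getName() + ".SPRING_AUTHENTICATION_TOKEN";

    /** Creates the service; only emits a debug trace. */
    public AcegiSecurityService() {
        log.debug("Starting Service!");
    }

    /**
     * Accepts configuration parameters but applies none of them; they are only traced at debug level.
     *
     * @param map configuration parameters (unused)
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public void configure(Map<String, String> map) {
        log.debug("Configuring with parameters (NOOP) %s: ", map);
    }

    /**
     * Authenticates the supplied credentials and binds the result to the current HTTP session.
     *
     * <p>The credentials are decoded by {@code decodeBase64Credentials}; the first element is used
     * as the user name and the second as the password.
     *
     * @param obj encoded credentials, passed as-is to {@code decodeBase64Credentials}
     * @param str second argument of {@code decodeBase64Credentials} and {@code endLogin}
     *            (presumably the charset - confirm against the superclass)
     * @throws SecurityServiceException when the authentication manager rejects the credentials
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public void login(Object obj, String str) {
        List<?> credentials = Arrays.asList(decodeBase64Credentials(obj, str));
        HttpServletRequest request = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getRequest();
        String username = (String) credentials.get(0);
        String password = (String) credentials.get(1);
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);

        WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(request.getSession().getServletContext());
        if (webApplicationContext == null) {
            // Without a Spring context there is no authentication manager, so nothing was checked and
            // nothing is stored in the session. Do not report this as a successful login.
            // NOTE(review): the method still returns normally here, as it always did; consider
            // failing the login explicitly once callers are known to cope with it.
            log.warn("No Spring WebApplicationContext found: user %s was NOT authenticated", username);
            return;
        }

        try {
            AbstractAuthenticationManager authenticationManager = (AbstractAuthenticationManager) BeanFactoryUtils.beanOfTypeIncludingAncestors(webApplicationContext, AbstractAuthenticationManager.class);
            Authentication authentication = authenticationManager.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            // NOTE(review): the pre-login session is reused as-is; see the class comment on session fixation.
            request.getSession().setAttribute(SPRING_AUTHENTICATION_TOKEN, authentication);
            endLogin(obj, str);
            log.debug("User %s logged in", username);
        } catch (AuthenticationException e) {
            handleAuthenticationExceptions(e);
        }
    }

    /**
     * Translates an Acegi authentication failure into a {@code SecurityServiceException}; always throws.
     *
     * <p>Bad credentials and unknown user names both map to the "invalid credentials" error; any
     * other failure maps to "authentication failed".
     *
     * <p>NOTE(review): the provider's own message is forwarded to the caller. If the provider uses
     * different messages for "unknown user" and "wrong password", the client can tell them apart -
     * confirm the provider configuration.
     *
     * @param authenticationException the failure raised by the authentication manager
     */
    protected void handleAuthenticationExceptions(AuthenticationException authenticationException) {
        if (authenticationException instanceof BadCredentialsException || authenticationException instanceof UsernameNotFoundException) {
            throw SecurityServiceException.newInvalidCredentialsException(authenticationException.getMessage());
        }
        throw SecurityServiceException.newAuthenticationFailedException(authenticationException.getMessage());
    }

    /**
     * Enforces the destination's access rules and then runs the invocation through
     * {@code endAuthorization}.
     *
     * <p>For a secured destination the session must hold an authenticated {@link Authentication}
     * whose authorities match at least one of the destination's roles. An authenticated
     * {@code Authentication} is published in {@link SecurityContextHolder} for the invocation, and
     * the holder is cleared afterwards whether the invocation succeeds or fails.
     *
     * @param abstractSecurityContext the invocation being authorized
     * @return the value returned by {@code endAuthorization}
     * @throws SecurityServiceException if the user is not logged in or lacks a required role, or if
     *         the invocation failed with an access-denied style cause
     * @throws Exception any other failure raised by the invocation
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        log.debug("Authorize: %s", abstractSecurityContext);
        log.debug("Is %s secured? %b", abstractSecurityContext.getDestination().getId(), abstractSecurityContext.getDestination().isSecured());
        startAuthorization(abstractSecurityContext);

        Authentication authentication = getAuthentication();
        if (abstractSecurityContext.getDestination().isSecured()) {
            if (!isAuthenticated(authentication)) {
                log.debug("Is not authenticated!");
                throw SecurityServiceException.newNotLoggedInException("User not logged in");
            }
            if (!userCanAccessService(abstractSecurityContext, authentication)) {
                log.debug("Access denied for: %s", authentication.getName());
                throw SecurityServiceException.newAccessDeniedException("User not in required role");
            }
        }

        if (isAuthenticated(authentication)) {
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        // NOTE(review): when the session is not authenticated, the holder is left as found, so the
        // invocation runs with whatever it already contains (see the class comment).

        try {
            return endAuthorization(abstractSecurityContext);
        } catch (InvocationTargetException e) {
            // Throws a SecurityServiceException when the cause chain holds an access-denied error;
            // otherwise falls through and the original exception is rethrown.
            handleAuthorizationExceptions(e);
            throw e;
        } finally {
            // Never leave the caller's identity in the holder once the invocation is over.
            SecurityContextHolder.clearContext();
        }
    }

    /** Invalidates the current HTTP session and clears the security context holder. */
    @Override // org.granite.messaging.service.security.SecurityService
    public void logout() {
        ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getSession().invalidate();
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        SecurityContextHolder.clearContext();
    }

    /**
     * Tells whether one of the user's granted authorities matches the given role.
     *
     * <p>The role is applied with {@link String#matches(String)}, so it is a regular expression
     * that must match the whole authority string. A role containing regex metacharacters can match
     * more authorities than its literal text suggests (for example {@code .} matches any
     * character). Keep destination role definitions literal unless a pattern is intended.
     *
     * @param authentication the authenticated user
     * @param str the role, interpreted as a regular expression
     * @return {@code true} if an authority matches; {@code false} otherwise, including when the role,
     *         the authority array, or an individual authority string is {@code null}
     */
    protected boolean isUserInRole(Authentication authentication, String str) {
        if (str == null) {
            return false;
        }
        GrantedAuthority[] authorities = authentication.getAuthorities();
        if (authorities == null) {
            // No authorities means no role: deny rather than fail with a NullPointerException.
            return false;
        }
        for (GrantedAuthority grantedAuthority : authorities) {
            if (grantedAuthority == null) {
                continue;
            }
            String authority = grantedAuthority.getAuthority();
            if (authority != null && authority.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param authentication the value to test, may be {@code null}
     * @return {@code true} only for a non-null {@code Authentication} that reports itself as authenticated
     */
    protected boolean isAuthenticated(Authentication authentication) {
        return authentication != null && authentication.isAuthenticated();
    }

    /**
     * Tells whether the user holds at least one of the roles declared on the destination.
     *
     * @param abstractSecurityContext the invocation whose destination roles are checked
     * @param authentication the authenticated user
     * @return {@code true} on the first matching role, {@code false} if none matches
     */
    protected boolean userCanAccessService(AbstractSecurityContext abstractSecurityContext, Authentication authentication) {
        log.debug("Is authenticated as: %s", authentication.getName());
        for (String role : abstractSecurityContext.getDestination().getRoles()) {
            if (isUserInRole(authentication, role)) {
                log.debug("Allowed access to %s in role %s", authentication.getName(), role);
                return true;
            }
            log.debug("Access denied for %s not in role %s", authentication.getName(), role);
        }
        return false;
    }

    /**
     * @return the {@code Authentication} stored in the current HTTP session by
     *         {@link #login(Object, String)}, or {@code null} if the attribute is not set
     */
    protected Authentication getAuthentication() {
        HttpServletRequest request = ((HttpGraniteContext) GraniteContext.getCurrentInstance()).getRequest();
        return (Authentication) request.getSession().getAttribute(SPRING_AUTHENTICATION_TOKEN);
    }

    /**
     * Walks the cause chain of a failed invocation. Throws an access-denied
     * {@code SecurityServiceException} for the first {@link SecurityException},
     * {@link AccessDeniedException} or {@code javax.ejb.EJBAccessException} it finds, and returns
     * normally when there is none.
     *
     * @param invocationTargetException the failure raised by the invocation
     */
    protected void handleAuthorizationExceptions(InvocationTargetException invocationTargetException) {
        for (Throwable cause = invocationTargetException; cause != null; cause = cause.getCause()) {
            // EJBAccessException is compared by class name, so this class needs no compile-time EJB reference.
            boolean accessDenied = cause instanceof SecurityException
                    || cause instanceof AccessDeniedException
                    || "javax.ejb.EJBAccessException".equals(cause.getClass().getName());
            if (accessDenied) {
                throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
            }
        }
    }
}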
