package org.jboss.wsf.stack.cxf.security.authentication;

import java.util.Calendar;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.wsf.spi.SPIProviderResolver;
import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory;
import org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallbackHandler;
import org.jboss.wsf.stack.cxf.security.nonce.NonceStore;
import org.jboss.xb.binding.SimpleTypeBindings;

/* loaded from: input_file:org/jboss/wsf/stack/cxf/security/authentication/SubjectCreatingInterceptor.class */
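/**
 * WS-Security UsernameToken interceptor that authenticates the token's principal against the
 * {@link AuthenticationManager} obtained from an {@link AuthenticationManagerLoader} and returns
 * the populated {@link Subject}.
 *
 * <p>When the token carries a nonce and/or a creation timestamp (and the caller asks for them to be
 * checked), the interceptor rejects stale timestamps and nonces already present in the configured
 * {@link NonceStore}. Both checks are optional per message: see {@link #verifyUsernameToken} for
 * the exact conditions under which they are skipped.
 */
public class SubjectCreatingInterceptor extends AbstractUsernameTokenAuthenticatingInterceptor {
    private static final Logger log = Logger.getLogger(SubjectCreatingInterceptor.class);

    /** Default maximum accepted age of a token's creation timestamp, in seconds. */
    private static final int TIMESTAMP_FRESHNESS_THRESHOLD = 300;

    private AuthenticationManagerLoader aml;
    private boolean propagateContext;
    private SecurityAdaptorFactory secAdaptorFactory;
    private int timestampThreshold;
    private NonceStore nonceStore;
    private boolean decodeNonce;

    /** Creates an interceptor with an empty property map. */
    public SubjectCreatingInterceptor() {
        this(new HashMap<String, Object>());
    }

    /**
     * Creates an interceptor with the given properties, which are passed to the superclass.
     *
     * @param map interceptor properties forwarded to the superclass constructor
     * @throws SecurityException if the authentication manager loader or the security adaptor
     *     factory cannot be obtained; the underlying failure is attached as the cause
     */
    public SubjectCreatingInterceptor(Map<String, Object> map) {
        super(map);
        this.timestampThreshold = TIMESTAMP_FRESHNESS_THRESHOLD;
        this.decodeNonce = true;
        try {
            this.aml = AuthenticationManagerLoader.class.getDeclaredConstructor().newInstance();
            this.secAdaptorFactory = (SecurityAdaptorFactory) SPIProviderResolver.getInstance().getProvider().getSPI(SecurityAdaptorFactory.class);
        } catch (Exception e) {
            // Keep the root cause: without it a misconfigured security domain cannot be
            // diagnosed from the log or from the propagated exception.
            log.error("AuthenticationManager can not be loaded", e);
            throw new SecurityException("AuthenticationManager can not be loaded", e);
        }
    }

    /**
     * Authenticates the given principal and returns the resulting subject.
     *
     * @param str principal name taken from the username token
     * @param str2 credential passed to {@link AuthenticationManager#isValid}
     * @param z when {@code true}, the nonce and creation timestamp are verified and a
     *     {@link UsernameTokenCallbackHandler} carrying them is installed for the duration of the
     *     authentication call (NOTE(review): this looks like the digest-password flag of the CXF
     *     base class; confirm against the overridden signature)
     * @param str3 token nonce, may be {@code null}
     * @param str4 token creation timestamp as an XML dateTime string, may be {@code null}
     * @return the subject populated by the authentication manager
     * @throws SecurityException if the token is stale or replayed, or if authentication fails
     */
    public Subject createSubject(String str, String str2, boolean z, String str3, String str4) {
        final String username = str;
        final String credential = str2;
        final String nonce = str3;
        final String created = str4;

        if (z) {
            // Runs before the handler is installed, so a rejected token leaves nothing to clean up.
            verifyUsernameToken(nonce, created);
        }
        try {
            if (z) {
                // Installed inside the try so that a failure anywhere below (including
                // getManager()) still reaches the finally block and clears the handler;
                // otherwise the nonce/created values could stay attached to the context
                // after this request has ended.
                CallbackHandlerPolicyContextHandler.setCallbackHandler(new UsernameTokenCallbackHandler(nonce, created, this.decodeNonce));
            }
            AuthenticationManager manager = this.aml.getManager();
            SimplePrincipal principal = new SimplePrincipal(username);
            Subject subject = new Subject();
            boolean trace = log.isTraceEnabled();
            if (trace) {
                log.trace("About to authenticate, using security domain '" + manager.getSecurityDomain() + "'");
            }
            if (!manager.isValid(principal, credential, subject)) {
                // NOTE(review): the principal name comes from the request and is written to the
                // log and to the exception message unmodified; confirm that the log layout
                // neutralises line breaks and that the message is safe to return in a fault.
                String failure = "Authentication failed, principal=" + principal.getName();
                log.error(failure);
                throw new SecurityException(failure);
            }
            if (trace) {
                log.trace("Authenticated, principal=" + username);
            }
            if (this.propagateContext) {
                this.secAdaptorFactory.newSecurityAdapter().pushSubjectContext(subject, principal, credential);
                if (trace) {
                    log.trace("Security Context has been propagated");
                }
            }
            return subject;
        } finally {
            if (z) {
                CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            }
        }
    }

    /**
     * Rejects a username token whose creation timestamp is too old or whose nonce has already
     * been recorded.
     *
     * <p>Limits of this check that a deployer should be aware of:
     * <ul>
     *   <li>The freshness check is skipped when {@code created} is {@code null}, and the replay
     *       check is skipped when {@code nonce} is {@code null} or no {@link NonceStore} is
     *       configured. A token without these fields is therefore accepted with no replay
     *       protection from this class.</li>
     *   <li>Only a lower bound is enforced: a timestamp in the future is accepted. If the nonce
     *       store evicts entries after a retention period (not visible here), a future-dated
     *       token could outlive its nonce record; consider enforcing an upper bound as well.</li>
     *   <li>{@code hasNonce} followed by {@code putNonce} is a check-then-act sequence. Whether
     *       two concurrent requests with the same nonce can both pass depends on the
     *       {@link NonceStore} implementation; an atomic "put if absent" would close that gap.</li>
     *   <li>The nonce is recorded before the credential is validated, so unauthenticated
     *       requests also add entries to the store.</li>
     * </ul>
     *
     * @param nonce token nonce, may be {@code null}
     * @param created token creation timestamp as an XML dateTime string, may be {@code null}
     * @throws SecurityException if the timestamp is older than the configured threshold or the
     *     nonce is already in the store
     */
    private void verifyUsernameToken(String nonce, String created) {
        if (created != null) {
            Calendar createdAt = SimpleTypeBindings.unmarshalDateTime(created);
            Calendar oldestAccepted = Calendar.getInstance();
            oldestAccepted.add(Calendar.SECOND, -this.timestampThreshold);
            if (oldestAccepted.after(createdAt)) {
                throw new SecurityException("Request rejected since a stale timestamp has been provided: " + created);
            }
        }
        if (nonce == null || this.nonceStore == null) {
            return;
        }
        if (this.nonceStore.hasNonce(nonce)) {
            throw new SecurityException("Request rejected since a message with the same nonce has been recently received; nonce = " + nonce);
        }
        this.nonceStore.putNonce(nonce);
    }

    /**
     * Sets whether the authenticated subject is pushed to the security adaptor after a successful
     * authentication.
     *
     * @param z {@code true} to propagate the security context
     */
    public void setPropagateContext(boolean z) {
        this.propagateContext = z;
    }

    /**
     * Sets the maximum accepted age of a token's creation timestamp.
     *
     * @param i threshold in seconds; the value is not validated here
     */
    public void setTimestampThreshold(int i) {
        this.timestampThreshold = i;
    }

    /**
     * Sets the store used to detect reused nonces.
     *
     * @param nonceStore the store to consult, or {@code null} to disable nonce replay detection
     */
    public void setNonceStore(NonceStore nonceStore) {
        this.nonceStore = nonceStore;
    }

    /**
     * Sets the flag passed to {@link UsernameTokenCallbackHandler} together with the nonce and
     * creation timestamp.
     *
     * @param z value forwarded as the handler's decode-nonce argument
     */
    public void setDecodeNonce(boolean z) {
        this.decodeNonce = z;
    }
}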
