package org.jboss.ejb.plugins;

import java.lang.reflect.Method;
import java.security.CodeSource;
import java.util.HashMap;
import javax.security.auth.Subject;
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.metadata.BeanMetaData;
import org.jboss.mx.util.MBeanProxyExt;
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.SecurityConstants;
import org.jboss.security.Util;
import org.jboss.security.authorization.EJBResource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.plugins.AuthorizationManagerServiceMBean;

/* loaded from: input_file:org/jboss/ejb/plugins/SecurityAuthorizationInterceptor.class */
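/**
 * Interceptor that runs an authorization check on every home and bean
 * invocation before handing the call to the next interceptor in the chain.
 *
 * <p>The decision is delegated to the {@link AuthorizationManager} obtained from
 * the {@link AuthorizationManagerServiceMBean} for the application's security
 * domain. Any exception raised while authorizing is treated as a denial.
 */
public class SecurityAuthorizationInterceptor extends AbstractInterceptor {
    // Cached result of log.isTraceEnabled(), read once in the constructor.
    protected boolean trace;
    // MBean proxy used to look up the AuthorizationManager for a security domain.
    protected AuthorizationManagerServiceMBean authorizationManagerService;
    // Name of the EJB this interceptor protects; set in setContainer.
    protected String ejbName = null;
    // Code source of the bean class; set in setContainer.
    protected CodeSource ejbCS = null;
    // Security domain of the enclosing application; null until setContainer runs.
    protected String appSecurityDomain = null;
    // Domain used when the application declares no security domain.
    protected String defaultAuthorizationSecurityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY;

    /**
     * Caches the trace flag and creates the proxy to the authorization manager
     * service MBean on the JBoss MBean server.
     */
    public SecurityAuthorizationInterceptor() {
        this.trace = this.log.isTraceEnabled();
        this.authorizationManagerService = (AuthorizationManagerServiceMBean) MBeanProxyExt.create(
                AuthorizationManagerServiceMBean.class,
                AuthorizationManagerServiceMBean.OBJECT_NAME,
                MBeanServerLocator.locateJBoss());
    }

    /**
     * Records the bean name, application security domain and bean code source of
     * the container; these feed every later authorization request.
     *
     * @param container the owning container; when null only the superclass is updated
     */
    @Override
    public void setContainer(Container container) {
        super.setContainer(container);
        if (container == null) {
            return;
        }
        BeanMetaData beanMetaData = container.getBeanMetaData();
        this.appSecurityDomain = beanMetaData.getApplicationMetaData().getSecurityDomain();
        this.ejbName = beanMetaData.getEjbName();
        this.ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
    }

    /**
     * Authorizes a home-interface invocation, then forwards it.
     *
     * @param invocation the invocation to check
     * @return the result of the next interceptor
     * @throws Exception a {@link SecurityException} on denial, or whatever the next interceptor throws
     */
    @Override
    public Object invokeHome(Invocation invocation) throws Exception {
        checkAuthorization(invocation);
        return getNext().invokeHome(invocation);
    }

    /**
     * Authorizes a bean invocation, then forwards it.
     *
     * @param invocation the invocation to check
     * @return the result of the next interceptor
     * @throws Exception a {@link SecurityException} on denial, or whatever the next interceptor throws
     */
    @Override
    public Object invoke(Invocation invocation) throws Exception {
        checkAuthorization(invocation);
        return getNext().invoke(invocation);
    }

    /**
     * Builds an {@link EJBResource} describing the call and asks the
     * authorization manager for a decision.
     *
     * @param invocation the invocation being authorized
     * @throws SecurityException when the manager does not permit the call or fails while deciding
     * @throws Exception when the authorization manager cannot be looked up
     */
    private void checkAuthorization(Invocation invocation) throws Exception {
        Method method = invocation.getMethod();
        // NOTE(review): an invocation without a Method returns here with no
        // authorization decision at all. This is the only path that skips the
        // check, so it is safe only if callers outside the container cannot
        // produce such an Invocation - confirm against the invocation sources.
        if (method == null) {
            return;
        }
        Subject contextSubject = SecurityActions.getContextSubject();
        AuthorizationManager authorizationManager = getAuthorizationManager();

        HashMap<String, Object> resourceAttributes = new HashMap<String, Object>();
        resourceAttributes.put(ResourceKeys.EJB_NAME, this.ejbName);
        resourceAttributes.put(ResourceKeys.EJB_METHOD, method);
        resourceAttributes.put(ResourceKeys.EJB_PRINCIPAL, invocation.getPrincipal());
        resourceAttributes.put(ResourceKeys.EJB_METHODINTERFACE, invocation.getType().toInterfaceString());
        resourceAttributes.put(ResourceKeys.EJB_CODESOURCE, this.ejbCS);
        resourceAttributes.put(ResourceKeys.CALLER_SUBJECT, contextSubject);
        resourceAttributes.put(ResourceKeys.AUTHORIZATION_MANAGER, authorizationManager);
        resourceAttributes.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity());
        resourceAttributes.put(ResourceKeys.EJB_METHODROLES,
                this.container.getMethodPermissions(method, invocation.getType()));

        boolean authorized;
        try {
            // Only the value 1 counts as a permit; every other result is a denial.
            // (Presumably the framework's PERMIT constant - confirm before replacing the literal.)
            authorized = authorizationManager.authorize(new EJBResource(resourceAttributes)) == 1;
        } catch (Exception e) {
            // Fail closed: a failure inside the authorization manager (including a
            // missing manager) must never let the call through.
            authorized = false;
            if (this.trace) {
                this.log.trace("Error in authorization:", e);
            } else {
                // Without trace only the message is logged, so the stack trace of an
                // authorization failure is not available at the default log level.
                this.log.error("Error in authorization:" + e.getLocalizedMessage());
            }
        }
        if (!authorized) {
            // The message is built only on denial, so permitted calls no longer pay for
            // rendering the Subject on every invocation. A plain "not permitted" result
            // is not logged by this method; it is visible only through this exception.
            // NOTE(review): the message embeds the Subject's string form - check where
            // this exception is surfaced before assuming it stays server-side.
            throw new SecurityException("Denied: caller=" + contextSubject);
        }
    }

    /**
     * Looks up the authorization manager for the application's security domain,
     * falling back to {@link #defaultAuthorizationSecurityDomain} when the
     * application declares none.
     *
     * @return the manager returned by the authorization manager service
     * @throws Exception when the service lookup fails
     */
    private AuthorizationManager getAuthorizationManager() throws Exception {
        String securityDomain = this.appSecurityDomain != null
                ? Util.unprefixSecurityDomain(this.appSecurityDomain)
                : this.defaultAuthorizationSecurityDomain;
        AuthorizationManager authorizationManager =
                this.authorizationManagerService.getAuthorizationManager(securityDomain);
        if (this.trace) {
            // String.valueOf keeps a missing manager from raising a NullPointerException
            // here, so the outcome (a logged denial in checkAuthorization) no longer
            // depends on whether trace logging is switched on.
            this.log.trace(String.valueOf(authorizationManager));
        }
        return authorizationManager;
    }
}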
