package org.jboss.net.axis.server;

import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.StringTokenizer;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.axis.AxisFault;
import org.jboss.axis.MessageContext;
import org.jboss.axis.handlers.BasicHandler;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.RealmMapping;
import org.jboss.security.SimplePrincipal;

/* loaded from: input_file:org/jboss/net/axis/server/JBossAuthorizationHandler.class */
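/**
 * Axis handler that authorizes a request against a JBoss security domain.
 *
 * <p>The handler reads three options: the JNDI name of the security domain
 * ({@code Constants.SECURITY_DOMAIN_OPTION}), a comma-separated list of allowed
 * roles ({@code Constants.ALLOWED_ROLES_OPTION}) and a comma-separated list of
 * denied roles ({@code Constants.DENIED_ROLES_OPTION}). A request passes only if
 * none of the caller's principals holds a denied role and at least one holds an
 * allowed role; otherwise an {@link AxisFault} is raised.
 *
 * <p>Security note: when the allowed-roles option is absent the handler falls back
 * to {@code "*"}, which maps to {@link AnybodyPrincipal#ANYBODY_PRINCIPAL}. A
 * deployment that wants a closed default must set the option explicitly.
 */
public class JBossAuthorizationHandler extends BasicHandler {
    /** Realm mapping of the configured security domain; {@code null} if none was configured or resolved. */
    protected RealmMapping realmMapping;

    /** Role principals that grant access. Filled once by {@link #initialise()}. */
    protected final Set rolesAllowed = new HashSet();

    /** Role principals that veto access. Filled once by {@link #initialise()}. */
    protected final Set rolesDenied = new HashSet();

    /**
     * Set once {@link #initialise()} has finished. It is {@code volatile} and written last so
     * that a thread taking the unsynchronized fast path in {@link #invoke(MessageContext)}
     * never observes a half-built configuration (for example allowed roles already loaded
     * but the deny list still empty).
     */
    protected volatile boolean isInitialised;

    /**
     * Resolves the security domain and parses the role options.
     *
     * <p>The initialised flag is raised in a {@code finally} block: a failed lookup is not
     * retried, and later calls fail closed in {@link #invoke(MessageContext)} because
     * {@link #realmMapping} is still {@code null}.
     *
     * @throws AxisFault if the configured security domain cannot be looked up in JNDI
     */
    protected void initialise() throws AxisFault {
        try {
            this.realmMapping = null;
            String securityDomain = (String) getOption(Constants.SECURITY_DOMAIN_OPTION);
            if (securityDomain != null) {
                try {
                    this.realmMapping = (RealmMapping) new InitialContext().lookup(securityDomain);
                } catch (NamingException e) {
                    throw new AxisFault("Could not lookup security domain " + securityDomain, e);
                }
            }

            String allowedRoles = (String) getOption(Constants.ALLOWED_ROLES_OPTION);
            if (allowedRoles == null) {
                // No option configured: fall back to the wildcard (see class comment).
                allowedRoles = "*";
            }
            addRoles(this.rolesAllowed, allowedRoles);

            String deniedRoles = (String) getOption(Constants.DENIED_ROLES_OPTION);
            if (deniedRoles != null) {
                addRoles(this.rolesDenied, deniedRoles);
            }
        } finally {
            // Publish the configuration only after every field above has been written.
            this.isInitialised = true;
        }
    }

    /**
     * Parses a comma-separated role list into principals and adds them to {@code target}.
     * Tokens are trimmed so that {@code "admin, guest"} yields the role {@code guest} and not
     * {@code " guest"}; an untrimmed deny entry would never match and would silently fail open.
     */
    private void addRoles(Set target, String commaSeparatedRoles) {
        StringTokenizer tokens = new StringTokenizer(commaSeparatedRoles, ",");
        while (tokens.hasMoreTokens()) {
            String role = tokens.nextToken().trim();
            if (role.length() > 0) {
                target.add(getPrincipal(role));
            }
        }
    }

    /**
     * Maps a role name to a principal.
     *
     * @param str the role name; {@code "*"} stands for the wildcard role
     * @return {@link AnybodyPrincipal#ANYBODY_PRINCIPAL} for {@code "*"}, otherwise a
     *         {@link SimplePrincipal} carrying the name
     */
    protected Principal getPrincipal(String str) {
        if (str.equals("*")) {
            return AnybodyPrincipal.ANYBODY_PRINCIPAL;
        }
        return new SimplePrincipal(str);
    }

    /**
     * Returns the principals of the caller stored under the {@code "authenticatedUser"}
     * message-context property.
     *
     * @param messageContext the current message context
     * @return the subject's principals, or a singleton holding
     *         {@link NobodyPrincipal#NOBODY_PRINCIPAL} when no subject is present
     */
    protected Collection getAssociatedPrincipals(MessageContext messageContext) {
        Subject subject = (Subject) messageContext.getProperty("authenticatedUser");
        if (subject == null) {
            // Unauthenticated request: evaluate the role checks against the "nobody" principal.
            return Collections.singleton(NobodyPrincipal.NOBODY_PRINCIPAL);
        }
        return subject.getPrincipals();
    }

    /**
     * Delegates the role check to the realm mapping of the security domain.
     *
     * @param principal the principal to check
     * @param set the role principals to test against
     * @return the result of {@code RealmMapping.doesUserHaveRole(principal, set)}
     */
    protected boolean doesUserHaveRole(Principal principal, Set set) {
        return this.realmMapping.doesUserHaveRole(principal, set);
    }

    /**
     * Authorizes the current request.
     *
     * @param messageContext the current message context
     * @throws AxisFault if no security domain is associated, if initialisation fails, or if
     *         the caller is denied access
     */
    public void invoke(MessageContext messageContext) throws AxisFault {
        // Double-checked lazy initialisation; safe because isInitialised is volatile
        // and is written only after the configuration is complete.
        if (!this.isInitialised) {
            synchronized (this) {
                if (!this.isInitialised) {
                    initialise();
                }
            }
        }
        if (this.realmMapping == null) {
            // Fail closed: without a realm mapping no role can be verified.
            throw new AxisFault("No security domain associated.");
        }

        boolean accessGranted = false;
        for (Iterator it = getAssociatedPrincipals(messageContext).iterator(); it.hasNext();) {
            Principal principal = (Principal) it.next();
            if (doesUserHaveRole(principal, this.rolesDenied)) {
                // A denied role on any principal overrides an earlier grant.
                accessGranted = false;
                break;
            }
            if (!accessGranted && doesUserHaveRole(principal, this.rolesAllowed)) {
                accessGranted = true;
            }
        }
        if (!accessGranted) {
            throw new AxisFault("Access denied.");
        }
    }
}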
