package com.ibm.ws.security.auth.kerberos;

import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.security.auth.module.Krb5LoginModule;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.WSAuthMechOidCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.auth.util.CredentialsHelper;
import com.ibm.ws.security.common.auth.util.Util;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.util.KRB5Util;
import com.ibm.wsspi.management.agent.AdminSubsystemExtensionHandler;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSAppContextCallback;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/kerberos/Krb5LoginModuleWrapper.class */
public class Krb5LoginModuleWrapper extends Krb5LoginModule {
    // Subject under authentication; stored by initialize() and written to by login()/validateKerberosToken().
    private Subject _subject;
    // Handler used to collect callbacks when the shared state carries none; login() fails without one.
    private CallbackHandler _callbackHandler;
    // JAAS shared state: callbacks (Constants.CALLBACK_KEY), credential properties, Kerberos ticket/principal.
    private Map _sharedState;
    // Login-module options; only the "debug" option is read in this class.
    private Map _options;
    // Principal read from the shared state after super.login(), or built from the GSS source name
    // and written to the shared state on the token-validation path.
    private KerberosPrincipal _kPrinc = null;
    // Ticket read from the shared state after super.login(), or extracted from the Subject and
    // stored into the shared state on the token-validation path.
    private KerberosTicket _kTicket = null;
    // Delegated credential obtained from the accepted GSS context when delegation is enabled.
    private GSSCredential _gssCred = null;
    // NOTE(review): presumably set by addKrbAuthnTokenToSubject() (not visible here); commit()
    // removes it from the Subject's private credentials when present.
    private KRBAuthnToken _krbAuthnToken = null;
    // false once login() decides this request is not a Kerberos login; commit() is then a no-op.
    private boolean isKerberosLogin = true;
    // true only when super.login() was invoked; gates super.commit()/abort()/logout().
    private boolean login_called = false;
    // Result reported by most login() paths; also receives super.login()'s result.
    private boolean succeeded = true;
    // Verbose tracing; starts true and is reset from the "debug" option in initialize().
    protected boolean debug = true;
    private static final TraceComponent tc = Tr.register(Krb5LoginModuleWrapper.class, "Security", Krb5NLS.MSG_FILE);

    /**
     * Creates an uninitialized wrapper; all state is supplied later through
     * {@link #initialize(Subject, CallbackHandler, Map, Map)}. Only emits an
     * entry/exit trace pair when entry tracing is enabled.
     */
    public Krb5LoginModuleWrapper() {
        final String traceLabel = "Krb5LoginModuleWrapper()";
        if (!tc.isEntryEnabled()) {
            return;
        }
        Tr.entry(tc, traceLabel);
        Tr.exit(tc, traceLabel);
    }

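    /**
     * Initializes this module and the wrapped IBM {@code Krb5LoginModule}.
     *
     * The references are stored <em>before</em> {@code super.initialize(...)} runs,
     * so a failure inside the superclass (which is logged and otherwise tolerated,
     * as before) can no longer leave {@code _options} unset; the original read
     * {@code _options.get("debug")} after the catch block and threw a
     * NullPointerException in that case.
     *
     * The entry trace no longer dumps the Subject or the shared state:
     * {@code Subject.toString()} renders the private credential set, and the shared
     * state may carry the user-id/password Hashtable that login() looks up, so the
     * previous trace could write secrets to the trace log. Only identity-neutral
     * summaries are traced.
     *
     * @param subject         Subject being authenticated
     * @param callbackHandler handler used to gather credentials; may be null (login() rejects it)
     * @param map             JAAS shared state
     * @param map2            module options; {@code debug=true} enables verbose tracing
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(subject = \""
                    + (subject == null ? "null" : "Subject@" + Integer.toHexString(System.identityHashCode(subject)))
                    + "\", callbackHandler = \"" + (callbackHandler == null ? "null" : callbackHandler.getClass().getName())
                    + "\", sharedState = \"" + (map == null ? "null" : map.size() + " entries")
                    + "\", options = \"" + (map2 == null ? "null" : map2.keySet().toString()) + "\")");
        }
        // Keep the references regardless of what the superclass does with them.
        this._subject = subject;
        this._callbackHandler = callbackHandler;
        this._sharedState = map;
        this._options = map2;
        try {
            super.initialize(subject, callbackHandler, map, map2);
        } catch (Exception e) {
            // Best-effort, as in the original: record and continue so later phases still run.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.initialize", "172", this);
            if (this.debug || tc.isDebugEnabled()) {
                Tr.error(tc, AdminSubsystemExtensionHandler.INITIALIZE, new Object[]{e});
            }
        }
        // A missing options map means "debug off" rather than an NPE.
        this.debug = map2 != null && "true".equalsIgnoreCase((String) map2.get("debug"));
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Krb5LoginModuleWrapper");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }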

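    /**
     * Login phase of the wrapper.
     *
     * Decides whether this request is a Kerberos login and, if so, which path to take:
     * <ol>
     * <li>a user-id/password Hashtable found in the shared state or in the Subject's
     *     credential sets: authenticate through the JAASClient login configuration and
     *     attach the resulting GSSCredential to the Subject;</li>
     * <li>a user id plus password from the callbacks: delegate to {@code super.login()}
     *     and pick the ticket/principal up from the shared state;</li>
     * <li>a Kerberos token from WSCredTokenCallbackImpl: validate it via
     *     {@link #validateKerberosToken(byte[])}; a failure other than
     *     WSLoginFailedException is logged and falls through to {@code super.login()}.</li>
     * </ol>
     * Anything else (security disabled, non-Kerberos auth mech OID, certificate chain,
     * propagation tokens, no usable credentials) returns {@code true} with
     * {@code isKerberosLogin} cleared or {@code login_called} left false so that
     * commit()/abort()/logout() skip the wrapped module.
     *
     * Differences from the original: the callback array from the shared state is typed
     * as {@code Callback[]} and the token copy is a declared local (both were
     * uncompilable decompiler residue); the password is no longer duplicated into a
     * local that was never cleared (only its presence is recorded and the callback's
     * copy is scrubbed); a {@code null} realm name is rejected with
     * WSLoginFailedException instead of a NullPointerException; the dead second
     * CallbackHandler null check and two no-op statements are gone; and debug traces
     * no longer print the credential Hashtable, the Subject's credential objects or
     * the KerberosTicket, each of which can contain a password or key material.
     *
     * @return {@code true} when this module succeeded or is deliberately stepping aside;
     *         the result of {@code super.login()} on the final fallback path
     * @throws LoginException when no CallbackHandler is available
     * @throws WSLoginFailedException on callback-handler, realm, token or delegated-login failures
     * @throws CredentialExpiredException declared for signature compatibility (super.login() failures are wrapped)
     * @throws FailedLoginException declared for signature compatibility (super.login() failures are wrapped)
     */
    public boolean login() throws CredentialExpiredException, FailedLoginException, LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        if (!contextManagerFactory.isCellSecurityEnabled()) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login(security disabled)");
            }
            // Nothing to authenticate; step aside for every later phase.
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        if (this._callbackHandler == null) {
            throw new LoginException("No CallbackHandler available to gather authentication information from the user.");
        }
        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        WSCredTokenCallbackImpl wSCredTokenCallbackImpl = null;
        WSTokenHolderCallback wSTokenHolderCallback = null;
        WSRealmNameCallbackImpl wSRealmNameCallbackImpl = null;
        WSX509CertificateChainCallback wSX509CertificateChainCallback = null;
        WSAuthMechOidCallbackImpl wSAuthMechOidCallbackImpl = null;
        if (this._sharedState.containsKey(Constants.CALLBACK_KEY)) {
            // An earlier module already ran the handler; reuse its callbacks.
            Callback[] callbacks = (Callback[]) this._sharedState.get(Constants.CALLBACK_KEY);
            for (int i = 0; i < callbacks.length; i++) {
                Callback cb = callbacks[i];
                if (cb == null) {
                    continue;
                }
                if (cb instanceof NameCallback) {
                    nameCallback = (NameCallback) cb;
                } else if (cb instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) cb;
                } else if (cb instanceof WSCredTokenCallbackImpl) {
                    wSCredTokenCallbackImpl = (WSCredTokenCallbackImpl) cb;
                } else if (cb instanceof WSServletRequestCallback
                        || cb instanceof WSServletResponseCallback
                        || cb instanceof WSAppContextCallback) {
                    // Servlet/application-context callbacks are not used by this module.
                } else if (cb instanceof WSTokenHolderCallback) {
                    wSTokenHolderCallback = (WSTokenHolderCallback) cb;
                } else if (cb instanceof WSRealmNameCallbackImpl) {
                    wSRealmNameCallbackImpl = (WSRealmNameCallbackImpl) cb;
                } else if (cb instanceof WSX509CertificateChainCallback) {
                    wSX509CertificateChainCallback = (WSX509CertificateChainCallback) cb;
                } else if (cb instanceof WSAuthMechOidCallbackImpl) {
                    wSAuthMechOidCallbackImpl = (WSAuthMechOidCallbackImpl) cb;
                } else if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "The following callback was ignored: " + cb.getClass().getName());
                }
            }
        } else {
            // First module to run: build the callback set, let the handler fill it,
            // and publish it for the modules that follow.
            nameCallback = new NameCallback("Username: ");
            passwordCallback = new PasswordCallback("Password: ", false);
            wSCredTokenCallbackImpl = new WSCredTokenCallbackImpl("Credential Token: ");
            wSTokenHolderCallback = new WSTokenHolderCallback("Authz Token List: ");
            wSRealmNameCallbackImpl = new WSRealmNameCallbackImpl("Realm Name", contextManagerFactory.getDefaultRealm());
            wSX509CertificateChainCallback = new WSX509CertificateChainCallback("X509Certificate[]: ");
            wSAuthMechOidCallbackImpl = new WSAuthMechOidCallbackImpl("AuthMechOid: ");
            Callback[] callbackArr = {nameCallback, passwordCallback, wSCredTokenCallbackImpl, new WSServletRequestCallback("HttpServletRequest: "), new WSServletResponseCallback("HttpServletResponse: "), new WSAppContextCallback("ApplicationContextCallback: "), wSTokenHolderCallback, wSRealmNameCallbackImpl, wSX509CertificateChainCallback, wSAuthMechOidCallbackImpl};
            try {
                this._callbackHandler.handle(callbackArr);
                this._sharedState.put(Constants.CALLBACK_KEY, callbackArr);
            } catch (IOException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "269", this);
                Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e});
                contextManagerFactory.setRootException(e);
                throw new WSLoginFailedException("IOException: " + e.getMessage(), e);
            } catch (UnsupportedCallbackException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "274", this);
                Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e2.getCallback().toString(), e2});
                contextManagerFactory.setRootException(e2);
                throw new WSLoginFailedException(e2.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e2.getMessage(), e2);
            }
        }
        String authMechOid = wSAuthMechOidCallbackImpl != null ? wSAuthMechOidCallbackImpl.getAuthMechOid() : null;
        String name = nameCallback != null ? nameCallback.getName() : null;
        this.isKerberosLogin = Krb5Utils.isKrb5Login(authMechOid, name);
        if (!this.isKerberosLogin) {
            this.succeeded = true;
            return this.succeeded;
        }
        X509Certificate[] x509CertificateChain = wSX509CertificateChainCallback != null ? wSX509CertificateChainCallback.getX509CertificateChain() : null;
        if (x509CertificateChain != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate pass in. Skipping Krb5LoginModuleWrapper. Handling login outside this login module.");
            }
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        // Only the presence of a password matters here (super.login() re-reads it itself),
        // so record that and scrub the copy PasswordCallback.getPassword() handed back.
        boolean hasPassword = false;
        if (passwordCallback != null) {
            char[] password = passwordCallback.getPassword();
            if (password != null) {
                hasPassword = password.length != 0;
                Arrays.fill(password, '\0');
            }
        }
        String realmName = wSRealmNameCallbackImpl != null ? wSRealmNameCallbackImpl.getRealmName() : null;
        byte[] credTokenCopy = null;
        if (wSCredTokenCallbackImpl != null) {
            byte[] credToken = wSCredTokenCallbackImpl.getCredToken();
            credTokenCopy = credToken != null ? CredentialsHelper.copyCredToken(credToken) : null;
            if (authMechOid == null || authMechOid.length() == 0) {
                try {
                    // No OID supplied: derive it from the GSS token header.
                    authMechOid = GSSFactory.getMechOIDFromGSSToken(credTokenCopy);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "authMechOid pass in is null, get authMechOid from the credToken: " + authMechOid);
                    }
                } catch (Exception e3) {
                    throw new WSLoginFailedException("Get authMechOid from the credToken exception - " + e3.getMessage(), e3);
                }
            }
        }
        List tokenHolderList = wSTokenHolderCallback != null ? wSTokenHolderCallback.getTokenHolderList() : null;
        Hashtable hashtable = (Hashtable) this._sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (hashtable == null) {
            // Look for a user-id/password Hashtable among the Subject's public, then private, credentials.
            try {
                final Subject subject = this._subject;
                hashtable = (Hashtable) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.1
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws CredentialDestroyedException, CredentialExpiredException {
                        Object[] array = subject.getPublicCredentials().toArray();
                        if (Krb5LoginModuleWrapper.this.debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                            Tr.debug(Krb5LoginModuleWrapper.tc, "Looking for custom properties in public cred list.");
                        }
                        for (int i2 = 0; i2 < array.length; i2++) {
                            if (Krb5LoginModuleWrapper.this.debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                                // Trace the type only: the credential objects themselves can carry secrets.
                                Tr.debug(Krb5LoginModuleWrapper.tc, "Object[" + i2 + "] in public list: " + typeName(array[i2]));
                            }
                            if ((array[i2] instanceof Hashtable) && ((Hashtable) array[i2]).get(AttributeNameConstants.WSCREDENTIAL_USERID) != null && ((Hashtable) array[i2]).get(AttributeNameConstants.WSCREDENTIAL_PASSWORD) != null) {
                                return array[i2];
                            }
                        }
                        Object[] array2 = subject.getPrivateCredentials().toArray();
                        if (Krb5LoginModuleWrapper.this.debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                            Tr.debug(Krb5LoginModuleWrapper.tc, "Looking for custom properties in private cred list.");
                        }
                        for (int i3 = 0; i3 < array2.length; i3++) {
                            if (Krb5LoginModuleWrapper.this.debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                                Tr.debug(Krb5LoginModuleWrapper.tc, "Object[" + i3 + "] in private list: " + typeName(array2[i3]));
                            }
                            if ((array2[i3] instanceof Hashtable) && ((Hashtable) array2[i3]).get(AttributeNameConstants.WSCREDENTIAL_USERID) != null && ((Hashtable) array2[i3]).get(AttributeNameConstants.WSCREDENTIAL_PASSWORD) != null) {
                                return array2[i3];
                            }
                        }
                        return null;
                    }
                });
                if (hashtable != null) {
                    this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, hashtable);
                }
            } catch (PrivilegedActionException e4) {
                FFDCFilter.processException(e4.getException(), "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "415", this);
                contextManagerFactory.setRootException(e4.getException());
                throw new WSLoginFailedException(e4.getException().getMessage(), e4.getException());
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "uid = " + name);
            Tr.debug(tc, "password = " + (hasPassword ? "<not null>" : "<null>"));
            Tr.debug(tc, "realm = " + realmName);
            // NOTE(review): this traces the raw GSS token bytes; consider restricting to length only.
            Tr.debug(tc, "cred token = " + Util.toString(credTokenCopy));
            Tr.debug(tc, "certChain = " + x509CertificateChain);
            Tr.debug(tc, "authz token list = " + tokenHolderList);
            // Keys only: the Hashtable holds WSCREDENTIAL_PASSWORD in clear text.
            Tr.debug(tc, "custom properties = " + (hashtable != null ? hashtable.keySet() : null));
            Tr.debug(tc, "authMechOid = " + authMechOid);
        }
        if (hashtable != null) {
            String str = (String) hashtable.get(AttributeNameConstants.WSCREDENTIAL_USERID);
            String str2 = (String) hashtable.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD);
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Logging in using JAASClient login configuration with user: " + str);
            }
            if (str != null && !str.equals("") && str2 != null && !str2.equals("")) {
                String string = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm");
                String defaultRealm = contextManagerFactory.getDefaultRealm();
                if (!isAcceptedRealm(realmName, string, defaultRealm)) {
                    String str3 = "The login will be failed because the Kerberos realm name specified in the callback handler, " + realmName + ", does not match the Kerberos realm name specified in the server's security configuration: " + string + " or the default realm name: " + defaultRealm;
                    if (this.debug || tc.isEntryEnabled()) {
                        Tr.exit(tc, "login()", str3);
                    }
                    throw new WSLoginFailedException(str3);
                }
                try {
                    LoginContext loginContext = new LoginContext(KRB5Util.DEFAULT_JAAS_LOGIN_CONFIG, new WSCallbackHandlerImpl(str, str2));
                    loginContext.login();
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Getting subject from login context.");
                    }
                    Subject subject2 = loginContext.getSubject();
                    final GSSCredential createGSSCredential = subject2 != null ? Krb5Utils.createGSSCredential(subject2) : null;
                    if (createGSSCredential != null) {
                        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.2
                            @Override // java.security.PrivilegedAction
                            public Object run() {
                                if (Krb5LoginModuleWrapper.this._subject.getPrivateCredentials().contains(createGSSCredential)) {
                                    return null;
                                }
                                if (Krb5LoginModuleWrapper.this.debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                                    Tr.debug(Krb5LoginModuleWrapper.tc, "Adding GSSCredential to Subject.");
                                }
                                Krb5LoginModuleWrapper.this._subject.getPrivateCredentials().add(createGSSCredential);
                                return null;
                            }
                        });
                    }
                    this.succeeded = true;
                    return this.succeeded;
                } catch (LoginException e5) {
                    // NOTE(review): original behaviour kept — a failed JAASClient login is only
                    // traced and this module still reports true (login_called stays false, so
                    // commit() will not call super.commit()).
                    FFDCFilter.processException(e5, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "491", this);
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception calling JAASClient login context: " + e5.toString());
                    }
                    this.succeeded = true;
                    return this.succeeded;
                }
            }
        }
        if (WSCredentialTokenMapper.isAnyPropagationEnabled() && tokenHolderList != null && credTokenCopy == null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Security attribute propagation data has been received.  Handling login outside this login module.");
                Tr.exit(tc, "login()");
            }
            this.succeeded = true;
            return this.succeeded;
        }
        if (name == null && !hasPassword && credTokenCopy == null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "No uid, password and Kerberos token have been received. Skipping Krb5LoginModuleWrapper. Handling login outside this login module.");
            }
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        if (name != null && !hasPassword && credTokenCopy == null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "uid with no password and no credToken has been received. Handling login outside this login module.");
            }
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        if (name != null && hasPassword) {
            this.login_called = true;
            String string2 = SecurityObjectLocator.getSecurityConfig("security").getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm");
            String defaultRealm2 = contextManagerFactory.getDefaultRealm();
            if (!isAcceptedRealm(realmName, string2, defaultRealm2)) {
                String str4 = "The login failed because the Kerberos realm name specified in the callback handler, " + realmName + ", does not match the Kerberos realm name specified in the server's security configuration: " + string2 + " or the default realm name: " + defaultRealm2;
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()", str4);
                }
                throw new WSLoginFailedException(str4);
            }
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling super.login() from wrapper with uid and password.");
            }
            try {
                this.succeeded = super.login();
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "super.login() result: " + this.succeeded);
                }
                this._kTicket = (KerberosTicket) this._sharedState.get(AttributeNameConstants.KERBEROS_TICKET);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "super.login(), _kTicket: " + describeTicket(this._kTicket));
                }
                this._kPrinc = (KerberosPrincipal) this._sharedState.get(AttributeNameConstants.KERBEROS_PRINCIPAL);
                addKrbAuthnTokenToSubject(this._kPrinc);
                // NOTE(review): original behaviour kept — super.login()'s result is traced and then
                // overridden with true here, whereas the fallback path below returns it as-is.
                this.succeeded = true;
                return this.succeeded;
            } catch (Exception e6) {
                FFDCFilter.processException(e6, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "554", this);
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()", new Object[]{e6});
                }
                contextManagerFactory.setRootException(e6);
                throw new WSLoginFailedException(e6.getMessage(), e6);
            }
        }
        if (credTokenCopy != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using Kerberos token for authentication");
            }
            try {
                // Token validation does not go through super.login(), so the wrapped
                // module's commit/abort/logout must be skipped afterwards.
                this.login_called = false;
                return validateKerberosToken(credTokenCopy);
            } catch (WSLoginFailedException e7) {
                throw e7;
            } catch (Exception e8) {
                // Any other failure falls through to super.login() below (original behaviour).
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.error(tc, "security.auth.kerberos.validateKerberosTokenException", new Object[]{e8});
                }
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling super.login() from wrapper.");
        }
        try {
            this.login_called = true;
            this.succeeded = super.login();
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "super.login() result: " + this.succeeded);
            }
            this._kTicket = (KerberosTicket) this._sharedState.get(AttributeNameConstants.KERBEROS_TICKET);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "super.login(), _kTicket: " + describeTicket(this._kTicket));
            }
            this._kPrinc = (KerberosPrincipal) this._sharedState.get(AttributeNameConstants.KERBEROS_PRINCIPAL);
            addKrbAuthnTokenToSubject(this._kPrinc);
            return this.succeeded;
        } catch (Exception e9) {
            FFDCFilter.processException(e9, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login", "597", this);
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login()", new Object[]{e9});
            }
            contextManagerFactory.setRootException(e9);
            throw new WSLoginFailedException(e9.getMessage(), e9);
        }
    }

    /**
     * True when the realm supplied through the callback is one this server accepts:
     * the cell default realm, the configured Kerberos realm, or CommonConstants.DEFAULT_REALM.
     * A {@code null} realm is never accepted (the caller reports a realm mismatch).
     */
    private static boolean isAcceptedRealm(String realmName, String configuredRealm, String defaultRealm) {
        return realmName != null
                && (realmName.equals(defaultRealm) || realmName.equals(configuredRealm) || realmName.equals(CommonConstants.DEFAULT_REALM));
    }

    /**
     * Trace-safe rendering of a ticket: client and server principals only.
     * KerberosTicket.toString() includes the session key on some JDKs, so it is not traced.
     */
    private static String describeTicket(KerberosTicket ticket) {
        return ticket == null ? "null" : ticket.getClient() + " -> " + ticket.getServer();
    }

    /** Runtime class name of a credential object, or "null"; used instead of toString() in traces. */
    private static String typeName(Object credential) {
        return credential == null ? "null" : credential.getClass().getName();
    }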

    /**
     * Commit phase.
     *
     * Reports success without touching the Subject when login() decided this is not a
     * Kerberos login. Otherwise a KRBAuthnToken still held in the Subject's private
     * credentials is removed, and super.commit() runs only when login() delegated to
     * the wrapped Krb5LoginModule (login_called). The token-validation path leaves
     * login_called false, so the wrapped module's commit is skipped there.
     *
     * @return {@code true}, or the result of super.commit() when it is invoked
     * @throws LoginException propagated from super.commit()
     */
    public boolean commit() throws LoginException {
        boolean kerberos = this.isKerberosLogin;
        if (!kerberos) {
            return true;
        }
        KRBAuthnToken attachedToken = this._krbAuthnToken;
        boolean tokenPresent = attachedToken != null
                && this._subject.getPrivateCredentials().contains(attachedToken);
        if (tokenPresent) {
            this._subject.getPrivateCredentials().remove(attachedToken);
        }
        boolean delegated = this.login_called;
        if (!delegated) {
            return true;
        }
        boolean traceOn = this.debug || tc.isDebugEnabled();
        if (traceOn) {
            Tr.debug(tc, "Calling super.commit() from wrapper.");
        }
        return super.commit();
    }

    /**
     * Abort phase: delegates to super.abort() only when login() invoked super.login().
     * NOTE(review): the token-validation path (login_called false) adds the principal to
     * the Subject and the ticket to the shared state before returning; those are not
     * undone here — confirm whether a later module or the caller cleans them up.
     *
     * @return {@code true} when nothing was delegated, else super.abort()'s result
     * @throws LoginException propagated from super.abort()
     */
    public boolean abort() throws LoginException {
        boolean delegated = this.login_called;
        if (delegated) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling super.abort() from wrapper.");
            }
            return super.abort();
        }
        return true;
    }

    /**
     * Logout phase: delegates to super.logout() only when login() invoked super.login();
     * otherwise reports success without touching the Subject.
     *
     * @return {@code true} when nothing was delegated, else super.logout()'s result
     * @throws LoginException propagated from super.logout()
     */
    public boolean logout() throws LoginException {
        boolean delegated = this.login_called;
        if (delegated) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling super.logout() from wrapper.");
            }
            return super.logout();
        }
        return true;
    }

    private boolean validateKerberosToken(final byte[] bArr) throws WSLoginFailedException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "validateKerberosToken()");
        }
        GSSManager gSSManager = GSSManager.getInstance();
        if (bArr != null) {
            try {
                if (bArr.length != 0) {
                    try {
                        GSSCredential serverSpnGSSCred = ContextManagerFactory.getInstance().getServerSpnGSSCred();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "acceptSecContext: SPN GSScredentials: " + serverSpnGSSCred);
                        }
                        try {
                            final GSSContext createContext = gSSManager.createContext(serverSpnGSSCred);
                            Krb5Utils.setUseSubjectCredsOnly(true);
                            try {
                                try {
                                    try {
                                        if (((byte[]) Subject.doAsPrivileged(this._subject, new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.3
                                            @Override // java.security.PrivilegedExceptionAction
                                            public Object run() throws Exception {
                                                if (Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                                                    Tr.debug(Krb5LoginModuleWrapper.tc, "acceptSecContext: calling acceptSecContext.");
                                                }
                                                return createContext.acceptSecContext(bArr, 0, bArr.length);
                                            }
                                        }, java.security.AccessController.getContext())) == null && tc.isDebugEnabled()) {
                                            Tr.debug(tc, "acceptSecContext: outToken is null");
                                        }
                                        if (this._subject != null && this._subject.toString().length() != 0) {
                                            this._kTicket = SubjectHelper.getKerberosTicketFromSubject(this._subject);
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "acceptSecContext: " + this._subject.toString());
                                                Tr.debug(tc, "acceptSecContext: _kTicket: " + this._kTicket);
                                            }
                                            if (this._kTicket != null) {
                                                this._sharedState.put(AttributeNameConstants.KERBEROS_TICKET, this._kTicket);
                                            }
                                        } else if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "acceptSecContext: subject is null.");
                                        }
                                        if (!createContext.isEstablished()) {
                                            new Object[1][0] = createContext;
                                            throw new WSLoginFailedException("Server context is not establish");
                                        }
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "acceptSecContext: serverContext established successfully.");
                                        }
                                        boolean z = SecurityObjectLocator.getSecurityConfig().getActiveAuthMechanism().getBoolean("enabledGssCredDelegate");
                                        if (z) {
                                            try {
                                                if (tc.isDebugEnabled()) {
                                                    Tr.debug(tc, "acceptSecContext: delegated credentials state for the context is " + createContext.getCredDelegState());
                                                }
                                                this._gssCred = createContext.getDelegCred();
                                            } catch (GSSException e) {
                                                Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"getDelegCred()", e});
                                            }
                                        }
                                        GSSName name = this._gssCred != null ? this._gssCred.getName() : createContext.getSrcName();
                                        if (name == null) {
                                            Tr.error(tc, "security.auth.kerberos.gssUserNameIsNull", new Object[]{createContext});
                                            throw new WSLoginFailedException("GSS user name is null");
                                        }
                                        String obj = name.toString();
                                        this._kPrinc = new KerberosPrincipal(obj);
                                        addKrbAuthnTokenToSubject(this._kPrinc);
                                        this._sharedState.put(AttributeNameConstants.KERBEROS_PRINCIPAL, this._kPrinc);
                                        if (!this._subject.getPrivateCredentials().contains(this._kPrinc)) {
                                            this._subject.getPrivateCredentials().add(this._kPrinc);
                                        }
                                        if (this._gssCred == null && z) {
                                            Tr.warning(tc, "security.auth.kerberos.noDelegatedCredentialsFound", obj);
                                        }
                                        if (createContext != null) {
                                            try {
                                                createContext.dispose();
                                            } catch (GSSException e2) {
                                                FFDCFilter.processException((Throwable) e2, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "867", (Object) this);
                                                Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"dispose()", e2});
                                            }
                                        }
                                        if (!this.debug && !tc.isEntryEnabled()) {
                                            return true;
                                        }
                                        Tr.exit(tc, "validateKerberosToken()");
                                        return true;
                                    } catch (PrivilegedActionException e3) {
                                        if (!SecurityMessages.suppressFFDCforKrbSkewError(e3)) {
                                            FFDCFilter.processException(e3, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "756", this);
                                        }
                                        throw e3.getException();
                                    }
                                } catch (GSSException e4) {
                                    if (10 == e4.getMajor() && 37 == e4.getMinor()) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Suppressing SECJ9314E error message for retriable clock skew error.");
                                        }
                                        if (!SecurityMessages.suppressFFDCforKrbSkewError(e4)) {
                                            FFDCFilter.processException((Throwable) e4, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "764", (Object) this);
                                        }
                                    } else {
                                        Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"acceptSecContext()", e4});
                                        FFDCFilter.processException((Throwable) e4, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "770", (Object) this);
                                    }
                                    throw new WSLoginFailedException(e4.getMessage(), e4);
                                }
                            } catch (Exception e5) {
                                Tr.error(tc, "security.auth.kerberos.exception", new Object[]{"acceptSecContext()", e5});
                                FFDCFilter.processException(e5, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "777", this);
                                throw new WSLoginFailedException(e5.getMessage(), e5);
                            }
                        } catch (GSSException e6) {
                            e6.printStackTrace();
                            Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"createContext()", e6});
                            throw new WSLoginFailedException(e6.getMessage(), e6);
                        }
                    } catch (Exception e7) {
                        e7.printStackTrace();
                        Tr.error(tc, "security.auth.kerberos.exception", new Object[]{"getServerSpnGSSCred()", e7});
                        throw new WSLoginFailedException(e7.getMessage(), e7);
                    }
                }
            } catch (Exception e8) {
                if (SecurityMessages.suppressFFDCforKrbSkewError(e8)) {
                    Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"validateKerberosToken()", e8});
                } else {
                    FFDCFilter.processException(e8, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.validateKerberosToken", "849", this);
                }
                if (e8 instanceof WSLoginFailedException) {
                    throw ((WSLoginFailedException) e8);
                }
                throw new WSLoginFailedException(e8.getMessage(), e8);
            }
        }
        throw new WSLoginFailedException("CredToken is null");
    }

    /**
     * Builds a KRB authentication token for the given Kerberos principal and stores it
     * both in this module ({@code _krbAuthnToken}) and in the subject's private credentials.
     *
     * <p>A {@code null} principal is ignored. The token is created through
     * {@code Krb5Utils.createKRBAuthnToken} with only the principal supplied; if that
     * factory yields {@code null}, nothing is added to the subject. A token equal to one
     * already held in the subject's private credentials is not added a second time.
     *
     * @param kerberosPrincipal the authenticated Kerberos principal; may be {@code null}
     */
    public void addKrbAuthnTokenToSubject(KerberosPrincipal kerberosPrincipal) {
        // Guard clauses instead of nested ifs: nothing to do without a principal.
        if (kerberosPrincipal == null) {
            return;
        }
        this._krbAuthnToken = Krb5Utils.createKRBAuthnToken(null, null, kerberosPrincipal, null, 0L);
        // NOTE(review): the factory may return null here; the original treated that as "no token".
        if (this._krbAuthnToken == null) {
            return;
        }
        // Avoid duplicate entries in the subject's private credential set.
        boolean alreadyPresent = this._subject.getPrivateCredentials().contains(this._krbAuthnToken);
        if (!alreadyPresent) {
            this._subject.getPrivateCredentials().add(this._krbAuthnToken);
        }
    }
}
