package com.ibm.ws.security.auth;

import com.ibm.CORBA.iiop.ORB;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectBaseL13Impl.DomainInfo;
import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityUtilityImpl.SecurityServer;
import com.ibm.ISecurityUtilityImpl.StateofCurrObj;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ISecurityUtilityImpl.ThreadContextImpl;
import com.ibm.ejs.oa.UserKey;
import com.ibm.ejs.ras.RasHelper;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.AdminContext;
import com.ibm.websphere.naming.PROPS;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WASPrincipal;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.AuthenticationFailedException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.asynchbeans.ServiceWithContext;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.commands.properties.PropertiesBasedConfigConstants;
import com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtensionFactory;
import com.ibm.ws.security.auth.kerberos.Krb5Utils;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.TrustedAuthenticationRealm;
import com.ibm.ws.security.config.UserRegistryConfig;
import com.ibm.ws.security.context.ContextImpl;
import com.ibm.ws.security.context.ServiceWithContextImpl;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.internals.ContextManagerInternals;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.registry.UserRegistryImpl;
import com.ibm.ws.security.role.RoleBasedAuthorizer;
import com.ibm.ws.security.role.RoleBasedConfiguratorFactory;
import com.ibm.ws.security.server.SecurityServerFactory;
import com.ibm.ws.security.server.SecurityServerImpl;
import com.ibm.ws.security.service.SecurityService;
import com.ibm.ws.security.service.SecurityServiceEvent;
import com.ibm.ws.security.service.SecurityServiceListener;
import com.ibm.ws.security.stat.impl.SecurityAuthenticationModuleImpl;
import com.ibm.ws.security.token.AbstractTokenImpl;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.ByteArray;
import com.ibm.ws.security.util.ConfigUtils;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.util.PlatformHelper;
import com.ibm.ws.util.PlatformHelperFactory;
import com.ibm.ws.util.WSThreadLocal;
import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.ws390.sm.smf.SmfJActivity;
import com.ibm.wsspi.management.agent.AdminSubsystemExtensionHandler;
import com.ibm.wsspi.pmi.factory.StatsFactory;
import com.ibm.wsspi.runtime.component.WsComponent;
import com.ibm.wsspi.runtime.service.WsServiceRegistry;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.auth.WSSubjectWrapper;
import com.ibm.wsspi.security.context.Context;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.PropagationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.Token;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.aspectj.apache.bcel.Constants;
import org.eclipse.jst.j2ee.internal.web.operations.CreateServletTemplateModel;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/ContextManagerImpl.class */
public class ContextManagerImpl implements ContextManager, ContextManagerInternals, SecurityServiceListener {
    // Realm-name and empty-string constants. The visible methods use the "<default>" literal directly
    // rather than DEFAULT_REALM.
    private static final String DEFAULT_REALM = "<default>";
    private static final String EMPTY = "";
    private PlatformCredentialManager _platformCredManager;
    // Thread-context property key read by checkAuthRetryForThread().
    private static final String DISABLE_AUTH_RETRY = "wssecurity.disableauthretry";
    // Set to true in the constructor and, on a server process, overwritten from the "security"/"enabled" config value.
    private boolean cellSecurityEnabled;
    // Allocated as an empty HashMap in the constructor; no reads are visible in this part of the file.
    private HashMap<String, String> getPropertyCache;
    // Same values that registerPackage() uses as literals for the URL protocol handler package list.
    private static final String URL_HANDLER_PROP = "java.protocol.handler.pkgs";
    private static final String PKGNAME_DELIMITER = "|";
    // Set to true in the constructor once the server-side config value has been read.
    private boolean isCellSecurityEnabledAlreadyChecked;
    // Only assigned in the constructor when StatsFactory.isPMIEnabled() is true; otherwise stays null.
    private SecurityAuthenticationModuleImpl authModule;
    private static ServiceWithContext svc;
    // Trace component registered under the "Security" group; every trace/debug call in this class goes through it.
    private static final TraceComponent tc = Tr.register(ContextManagerImpl.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    // Permission objects for credential access. NOTE(review): none of them is referenced in the visible
    // part of the file; presumably they are checked before credentials are handed out - confirm.
    private static final WebSphereRuntimePermission GET_OWN_CRED_PERM = new WebSphereRuntimePermission("SecOwnCredentials");
    private static final WebSphereRuntimePermission GET_SERVER_CRED_PERM = new WebSphereRuntimePermission("ContextManager.getServerCredential");
    private static final WebSphereRuntimePermission MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    // Per-thread ThreadContextImpl, created on first access by SecurityThreadLocal.initialValue().
    private static final ThreadLocal<ThreadContextImpl> threadLocStorage = new SecurityThreadLocal();
    private static ServerCredSigner scs = null;
    private static String unauthenticatedId = null;
    private String WIM_UR = "WIMUserRegistry";
    private AuditService _auditService = null;
    private Object _registryObject = null;
    // Subject cache used by addWSSubjectToCache() and addPropagationTokensToCacheObject().
    // NOTE(review): it is null here and is not assigned anywhere in the visible part of the file.
    private SecurityCache cache = null;
    private JaasLoginHelper jaasLoginHelper = null;
    // OS user name taken from the "user.name" system property when the instance is created.
    private String regionUserid = System.getProperty("user.name");
    // Mutable instance field despite the constant-style name: both getDefaultRealm() variants overwrite
    // it with "<default>" when cell security is disabled and use it as the fallback realm.
    private String SECURITY_REALM = "";
    private SecurityServer securityServer = null;
    // Server identity state (subjects, credentials, tokens). NOTE(review): judging by the names these
    // hold sensitive server credentials; they are populated outside the visible part of the file.
    private AuthenticationToken serverAuthToken = null;
    private AuthorizationToken serverAuthzToken = null;
    private WSCredential serverBACred = null;
    private Subject serverBASubject = null;
    private boolean serverSecurityEnabled = true;
    private SingleSignonToken serverSSOToken = null;
    private Subject serverSubject = null;
    private WSCredential serverTokenCred = null;
    private GSSCredential serverSpnGSSCred = null;
    private KRBAuthnToken serverKRBAuthnToken = null;
    // Cached access id of the server credential; filled lazily by callerSubjectIsServerIdentity().
    private String serverUniqueIdentity = null;
    private boolean serverSubjectCreated = false;
    private WSCredentialTokenMapperInterface wsCredTokenMapper = null;
    private boolean isEnabled = false;
    private boolean isServerSecurityEnabledAlreadyChecked = false;
    private boolean isAuthenticateSpecialMethodsEnabled = false;
    private boolean isSecurityServiceStarted = false;
    private boolean isKerberosServerSubject = false;
    private String adminRealm = null;
    private String appRealm = null;
    private String _domainId = null;
    // getCallerSubject() returns null on a server process while this is still false.
    private boolean initialized = false;
    private SecurityConfig domainSecurityConfig = null;
    private SecurityConfig adminSecurityConfig = null;
    // Package-private (no access modifier), unlike the other instance fields.
    boolean refreshServerSubject = false;

    /* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/ContextManagerImpl$SecurityThreadLocal.class */
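    /**
     * Thread-local holder that gives every thread its own {@link ThreadContextImpl}.
     *
     * <p>The context is created on first access through {@link #initialValue()}, so {@code get()}
     * does not return {@code null} for a thread that has never stored a value.
     */
    private static final class SecurityThreadLocal extends WSThreadLocal<ThreadContextImpl> {
        private SecurityThreadLocal() {
        }

        /**
         * Supplies a fresh, empty context for a thread that has none yet.
         *
         * @return a new {@code ThreadContextImpl}
         */
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // java.lang.ThreadLocal
        public ThreadContextImpl initialValue() {
            return new ThreadContextImpl();
        }

        /**
         * Renders the calling thread's context.
         *
         * <p>This goes through {@code get()}, so calling it on a thread without a context creates one.
         * NOTE(review): the output is whatever {@code ThreadContextImpl.toString()} prints; confirm it
         * does not include credential material before logging this object.
         *
         * @return the string form of the current thread's context
         */
        @Override
        public String toString() {
            return get().toString();
        }
    }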

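    /**
     * Appends a package prefix to the JVM-wide {@code java.protocol.handler.pkgs} system property,
     * unless that prefix is already listed.
     *
     * <p>The property is a {@code |}-separated list; existing entries keep their order and the new
     * prefix is added at the end. A {@code null} or empty prefix is ignored, so the property never
     * gains a literal {@code "null"} entry or an empty element.
     *
     * <p>Security note: this property decides where the JVM looks for URL protocol handler classes,
     * and the change affects the whole process. NOTE(review): no permission check is visible in this
     * method beyond whatever {@code System.setProperty} enforces; callers should pass fixed,
     * trusted package names only.
     *
     * @param str package prefix to register; ignored when {@code null} or empty
     */
    public static synchronized void registerPackage(String str) {
        if (str == null || str.length() == 0) {
            return;
        }
        List<String> packages = new ArrayList<String>();
        String current = System.getProperty("java.protocol.handler.pkgs");
        if (current != null) {
            // StringTokenizer skips empty elements, so "a||b" is read as [a, b].
            StringTokenizer tokens = new StringTokenizer(current, "|");
            while (tokens.hasMoreTokens()) {
                packages.add(tokens.nextToken());
            }
        }
        if (packages.contains(str)) {
            // Already registered: leave the property untouched.
            return;
        }
        packages.add(str);
        StringBuilder joined = new StringBuilder();
        for (String pkg : packages) {
            if (joined.length() > 0) {
                joined.append('|');
            }
            joined.append(pkg);
        }
        System.setProperty("java.protocol.handler.pkgs", joined.toString());
    }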

    /**
     * Creates the context manager and reads the cell-level security switch.
     *
     * <p>Cell security starts out as enabled. On a server process ({@code RasHelper.isServer()}) the
     * value is replaced by the {@code enabled} flag of the {@code security} configuration object and
     * marked as checked; on any other process it stays {@code true} and unchecked. The authentication
     * PMI module is only obtained when PMI is enabled.
     *
     * @throws WSSecurityException declared by the constructor; no throw site is visible in this body
     */
    public ContextManagerImpl() throws WSSecurityException {
        // Defaults first, so a failure while reading the configuration leaves security switched on.
        this.cellSecurityEnabled = true;
        this.getPropertyCache = null;
        this.isCellSecurityEnabledAlreadyChecked = false;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.CONSTRUCTOR_NAME);
        }

        if (RasHelper.isServer()) {
            final boolean enabledInConfig =
                    SecurityObjectLocator.getSecurityConfigManager().getObject("security").getBoolean("enabled").booleanValue();
            this.cellSecurityEnabled = enabledInConfig;
            this.isCellSecurityEnabledAlreadyChecked = true;
        }

        this.getPropertyCache = new HashMap<>();

        if (StatsFactory.isPMIEnabled()) {
            this.authModule = SecurityAuthenticationModuleImpl.getInstance("Security Authentication");
        }

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.CONSTRUCTOR_NAME);
        }
    }

    /**
     * Inserts a subject into the security cache and prepares it for propagation.
     *
     * <p>Nothing happens unless the subject is non-null, this process is a server
     * ({@code processIsServer()}) and {@code isWSSubject(subject)} accepts it. The three checks are
     * evaluated in that order.
     *
     * @param subject the subject to cache; {@code null} is ignored
     * @throws WSSecurityException declared for the cache and propagation steps
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void addWSSubjectToCache(Subject subject) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addWSSubjectToCache", subject);
        }
        final boolean cacheable = subject != null && processIsServer() && isWSSubject(subject);
        if (cacheable) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding WSSubject to cache.");
            }
            this.cache.insert(subject);
            // The auth mechanism alias is read after the insert, as in the original statement order.
            final String authMechAlias = SecurityObjectLocator.getCSIv2Config().getString(CSIv2Config.AUTH_MECH_ALIAS);
            processSubjectForPropagationAfterLogin(subject, authMechAlias);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addWSSubjectToCache");
        }
    }

    /**
     * Updates an existing cache entry with a map of propagation tokens.
     *
     * <p>The update only runs for a non-null cache object on a server process.
     *
     * @param obj the cache object to update; {@code null} is ignored
     * @param map the values handed to {@code cache.updateEntry}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void addPropagationTokensToCacheObject(Object obj, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addPropagationTokensToCacheObject", obj);
        }
        final boolean shouldUpdate = obj != null && processIsServer();
        if (shouldUpdate) {
            if (tc.isDebugEnabled()) {
                // NOTE(review): same text as addWSSubjectToCache(); it looks copied and does not
                // describe a token update.
                Tr.debug(tc, "Adding WSSubject to cache.");
            }
            this.cache.updateEntry(obj, map);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addPropagationTokensToCacheObject");
        }
    }

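    /**
     * Authenticates with a byte-array credential and returns the resulting credential.
     *
     * <p>The arguments are passed unchanged to {@code login(str, bArr)}; the credential is then
     * extracted from the subject that login returns. Any failure is recorded through FFDC and
     * rethrown as an {@link AuthenticationFailedException} that carries the original exception.
     *
     * @param str  first argument of {@code login}; presumably the realm name - confirm against login
     * @param bArr credential bytes handed to {@code login}
     * @return the credential taken from the authenticated subject
     * @throws AuthenticationFailedException if login or credential extraction fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential authenticate(String str, byte[] bArr) throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            // The credential bytes are masked in trace, the same way the (String, String, String)
            // overload masks its password argument, so they do not end up in trace files.
            Tr.entry(tc, "authenticate", new Object[]{str, bArr == null ? null : "****"});
        }
        try {
            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(login(str, bArr));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate", credential);
            }
            return credential;
        } catch (LoginException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "556", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e.getMessage());
            failure.addException(e);
            throw failure;
        } catch (Exception e2) {
            // Separate handler because the FFDC probe id differs from the LoginException case.
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "563", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e2));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e2.getMessage());
            failure.addException(e2);
            throw failure;
        }
    }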

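    /**
     * Authenticates with three string arguments and returns the resulting credential.
     *
     * <p>The arguments are passed unchanged to {@code login(str, str2, str3)}. The third argument is
     * never written to trace: a non-null value is replaced by {@code "****"}. Any failure is recorded
     * through FFDC and rethrown as an {@link AuthenticationFailedException} that carries the original
     * exception.
     *
     * @param str  first login argument; presumably the realm - confirm against login
     * @param str2 second login argument; presumably the user name - confirm against login
     * @param str3 third login argument; treated as a secret by the trace masking
     * @return the credential taken from the authenticated subject
     * @throws AuthenticationFailedException if login or credential extraction fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential authenticate(String str, String str2, String str3) throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate", new Object[]{str, str2, str3 == null ? null : "****"});
        }
        try {
            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(login(str, str2, str3));
            if (tc.isEntryEnabled()) {
                // Success path is an exit, not a second entry; this matches the byte[] overload and
                // keeps entry/exit pairs balanced in trace.
                Tr.exit(tc, "authenticate", credential);
            }
            return credential;
        } catch (WSLoginFailedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "589", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e.getMessage());
            failure.addException(e);
            throw failure;
        } catch (Exception e2) {
            // Separate handler because the FFDC probe id differs from the WSLoginFailedException case.
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "596", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e2));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e2.getMessage());
            failure.addException(e2);
            throw failure;
        }
    }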

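    /**
     * Authenticates an existing credential and returns the credential of the resulting subject.
     *
     * <p>The credential is passed to {@code login(wSCredential)}. Any failure is recorded through
     * FFDC and rethrown as an {@link AuthenticationFailedException} that carries the original
     * exception.
     *
     * @param wSCredential the credential to log in with
     * @return the credential taken from the authenticated subject
     * @throws AuthenticationFailedException if login or credential extraction fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential authenticate(WSCredential wSCredential) throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate", wSCredential);
        }
        try {
            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(login(wSCredential));
            if (tc.isEntryEnabled()) {
                // Success path is an exit, not a second entry; this matches the byte[] overload and
                // keeps entry/exit pairs balanced in trace.
                Tr.exit(tc, "authenticate", credential);
            }
            return credential;
        } catch (WSLoginFailedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "618", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e.getMessage());
            failure.addException(e);
            throw failure;
        } catch (Exception e2) {
            // Separate handler because the FFDC probe id differs from the WSLoginFailedException case.
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.ContextManagerImpl.authenticate", "625", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authenticate failed: " + dump(e2));
            }
            AuthenticationFailedException failure = new AuthenticationFailedException(e2.getMessage());
            failure.addException(e2);
            throw failure;
        }
    }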

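    /**
     * Reports whether the caller subject on this thread carries the server's own identity.
     *
     * <p>The server access id is resolved once from the server subject and cached in
     * {@code serverUniqueIdentity}. The caller counts as the server when its credential is current
     * and authenticated and its access id
     * <ul>
     *   <li>equals the cached server access id, or</li>
     *   <li>equals it ignoring case while the active user registry has {@code ignoreCase} set, or</li>
     *   <li>is accepted by {@code isInternalServerId}.</li>
     * </ul>
     *
     * <p>Every lookup failure is recorded through FFDC and leaves the result at {@code false}, so
     * an error never grants server identity.
     *
     * @return {@code true} only when one of the comparisons above succeeds
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean callerSubjectIsServerIdentity() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "callerSubjectIsServerIdentity");
        }
        boolean isServerIdentity = false;
        if (this.serverUniqueIdentity == null) {
            // Lazy lookup; if it fails the field stays null and is retried on the next call.
            try {
                this.serverUniqueIdentity = SubjectHelper.getWSCredentialFromSubject(getServerSubject()).getAccessId();
            } catch (WSSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.callerSubjectIsServerIdentity", "650", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getServerSubject() failed", e);
                }
            } catch (CredentialExpiredException e2) {
                FFDCFilter.processException((Throwable) e2, "com.ibm.ws.security.auth.ContextManagerImpl.callerSubjectIsServerIdentity", "654", (Object) this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getRealmUniqueSecurityName() on server credential failed", e2);
                }
            }
        }
        WSCredential callerCredential = null;
        try {
            callerCredential = SubjectHelper.getWSCredentialFromSubject(getCallerSubject());
        } catch (WSSecurityException e3) {
            FFDCFilter.processException(e3, "com.ibm.ws.security.auth.ContextManagerImpl.callerSubjectIsServerIdentity", "665", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getCallerSubject() failed", e3);
            }
        }
        if (callerCredential != null && callerCredential.isCurrent() && !callerCredential.isUnauthenticated()) {
            try {
                String accessId = callerCredential.getAccessId();
                SecurityConfig securityConfig = getSecurityConfig();
                if (accessId != null) {
                    // Short-circuit order matters: the registry's ignoreCase flag is only read when
                    // the exact match failed and the case-insensitive one succeeded. A null cached
                    // server id makes both string comparisons false.
                    isServerIdentity = accessId.equals(this.serverUniqueIdentity)
                            || (accessId.equalsIgnoreCase(this.serverUniqueIdentity) && securityConfig.getActiveUserRegistry().getBoolean("ignoreCase"))
                            || isInternalServerId(accessId);
                }
            } catch (Exception e4) {
                FFDCFilter.processException(e4, "com.ibm.ws.security.auth.ContextManagerImpl.callerSubjectIsServerIdentity", "686", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getRealmUniqueSecurityName() failed", e4);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            // Boolean.valueOf replaces the deprecated Boolean constructor.
            Tr.exit(tc, "callerSubjectIsServerIdentity", Boolean.valueOf(isServerIdentity));
        }
        return isServerIdentity;
    }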

    /**
     * Switches off the JAAS auth-retry flag of the current thread when the
     * {@code wssecurity.disableauthretry} thread property asks for it.
     *
     * <p>The flag is cleared only when the property is {@code Boolean.TRUE} and the flag is
     * currently set. With cell security disabled the method returns {@code false} without touching
     * thread state and without tracing.
     *
     * @return {@code true} if this call changed the thread's auth-retry flag
     */
    protected boolean checkAuthRetryForThread() {
        if (!isCellSecurityEnabled()) {
            return false;
        }
        final Boolean disableRetry = (Boolean) get(DISABLE_AUTH_RETRY);
        boolean changed = false;
        if (Boolean.TRUE.equals(disableRetry) && getThreadLocal().get_authretry_for_jaas()) {
            getThreadLocal().set_authretry_for_jaas(false);
            changed = true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checkAuthRetryForThread: changed = " + changed);
        }
        return changed;
    }

    /**
     * Sets the JAAS auth-retry flag of the current thread.
     *
     * <p>Does nothing when cell security is disabled.
     *
     * @param z the new value of the flag
     */
    protected void setAuthRetryForThread(boolean z) {
        if (!isCellSecurityEnabled()) {
            return;
        }
        getThreadLocal().set_authretry_for_jaas(z);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setAuthRetryForThread: value = " + z);
        }
    }

    /**
     * Wipes the identity state held for the current thread.
     *
     * <p>The caller, own and invocation subjects and the first authenticated user are set to
     * {@code null}, the auth flag is reset, and {@code removeStateFromTable()} is called. With cell
     * security disabled the method returns immediately without tracing.
     *
     * @throws WSSecurityException declared for the state-table removal
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void clearCallerContext() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearCallerContext");
        }
        final StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
        // Drop every identity reference before the thread state is removed from the table.
        threadState.setCallerSubject(null);
        threadState.setOwnSubject(null);
        threadState.setInvocationSubject(null);
        threadState.setFirstAuthUser(null);
        threadState.setAuthFlag(false);
        removeStateFromTable();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "clearCallerContext");
        }
    }

    /**
     * Clears the stored root exception by passing {@code null} to {@code setRootException}.
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void clearRootException() {
        // null means "no root exception recorded".
        setRootException(null);
    }

    /**
     * Tells whether the current thread's context holds a property with the given key.
     *
     * @param str the property key
     * @return {@code false} when cell security is disabled, otherwise the result of the thread
     *         context lookup
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean contains(String str) {
        if (!isCellSecurityEnabled()) {
            return false;
        }
        return getThreadLocal().contains_property(str);
    }

    /**
     * Builds a {@code WSCredentialImpl} from three strings, substituting the default realm when the
     * first argument is {@code null} or empty.
     *
     * <p>The third argument is never written to the entry trace: a non-null value is replaced by
     * {@code "****"}. NOTE(review): the exit trace prints the credential object itself; confirm that
     * {@code WSCredentialImpl.toString()} does not expose the secret.
     *
     * @param str  realm; {@code getDefaultRealm()} is used when it is {@code null} or empty
     * @param str2 second constructor argument; presumably the user name - confirm
     * @param str3 third constructor argument; treated as a secret by the trace masking
     * @return the new credential
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential createBasicAuthCredential(String str, String str2, String str3) {
        if (tc.isEntryEnabled()) {
            final Object maskedSecret = str3 == null ? null : "****";
            Tr.entry(tc, "createBasicAuthCredential", new Object[]{str, str2, maskedSecret});
        }
        final WSCredentialImpl credential;
        if (str == null || str.length() == 0) {
            // The default realm is only looked up when the caller supplied none.
            credential = new WSCredentialImpl(getDefaultRealm(), str2, str3);
        } else {
            credential = new WSCredentialImpl(str, str2, str3);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createBasicAuthCredential", credential);
        }
        return credential;
    }

    /**
     * Creates a principal for the given credential by delegating to {@code SubjectHelper}.
     *
     * @param wSCredential the credential to derive the principal from
     * @return the principal produced by {@code SubjectHelper.createPrincipal}
     * @throws WSSecurityException if the helper fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSPrincipal createPrincipal(WSCredential wSCredential) throws WSSecurityException {
        final WSPrincipal principal = SubjectHelper.createPrincipal(wSCredential);
        return principal;
    }

    /**
     * Creates a propagation token, either from the subject's credential or, when no subject is
     * given, through the mapper's "before authenticated caller set" variant.
     *
     * @param subject the subject whose credential seeds the token; may be {@code null}
     * @return the propagation token produced by the credential token mapper
     * @throws WSSecurityException if no mapper is available, or wrapping any other failure
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public PropagationToken createPropagationToken(Subject subject) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createPropagationToken", subject);
        }
        try {
            final WSCredentialTokenMapperInterface mapper = getWSCredTokenMapper();
            if (mapper == null) {
                // Without a mapper neither variant can run, whatever the subject is.
                throw new WSSecurityException("Could not instantiate WSCredTokenMapper.");
            }
            final PropagationToken token;
            if (subject != null) {
                token = mapper.createPropagationTokenFromWSCredential(SubjectHelper.getWSCredentialFromSubject(subject));
            } else {
                token = mapper.createPropagationTokenBeforeAuthenticatedCallerSet();
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createPropagationToken", token);
            }
            return token;
        } catch (WSSecurityException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSSecurityException creating propagation token.");
            }
            throw e;
        } catch (Exception e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating propagation token.");
            }
            // The cause is kept so the original failure stays visible to the caller.
            throw new WSSecurityException(e2.getMessage(), e2);
        }
    }

    /**
     * Creates an unauthenticated subject by delegating to {@code SubjectHelper}.
     *
     * @return the subject produced by {@code SubjectHelper.createUnauthenticatedSubject}
     * @throws WSSecurityException if the helper fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject createUnauthenticatedSubject() throws WSSecurityException {
        final Subject unauthenticated = SubjectHelper.createUnauthenticatedSubject();
        return unauthenticated;
    }

    /**
     * Writes the nearest outside caller to debug trace.
     *
     * <p>The current stack is searched from the top for the first frame whose class is neither this
     * object's class nor {@code com.ibm.ws.security.core.SecurityContext} and whose class name starts
     * with {@code com.ibm.}. Only that frame is traced. Nothing is done when debug trace is off.
     */
    private void debugCallingMethod() {
        if (!tc.isDebugEnabled()) {
            return;
        }
        final StackTraceElement[] frames = new Exception().getStackTrace();
        for (int i = 0; i < frames.length; i++) {
            final StackTraceElement frame = frames[i];
            final String className = frame.getClassName();
            final boolean isThisClass = className.equals(getClass().getName());
            final boolean isSecurityContext = className.equals("com.ibm.ws.security.core.SecurityContext");
            if (isThisClass || isSecurityContext || !className.startsWith("com.ibm.")) {
                continue;
            }
            Tr.debug(tc, "Calling routine: " + className + "." + frame.getMethodName() + "(" + frame.getFileName() + ":" + frame.getLineNumber() + ")");
            return;
        }
    }

    /**
     * Renders the stack trace of a throwable as a string.
     *
     * <p>Used by the {@code authenticate} overloads to put login failures into debug trace.
     *
     * @param th the throwable to render
     * @return the text {@code printStackTrace} produces for {@code th}
     */
    private String dump(Throwable th) {
        final StringWriter buffer = new StringWriter();
        final PrintWriter printer = new PrintWriter(buffer);
        th.printStackTrace(printer);
        return buffer.toString();
    }

    /**
     * Reads a property from the current thread's context.
     *
     * @param str the property key
     * @return the stored value, or {@code null} when cell security is disabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object get(String str) {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        return getThreadLocal().get_property(str);
    }

    /**
     * Returns the audit service held by this context manager.
     *
     * @return the {@code _auditService} field; {@code null} until something assigns it
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public AuditService getAuditService() {
        final AuditService service = this._auditService;
        return service;
    }

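    /**
     * Returns the credentials received for the current thread.
     *
     * <p>A missing or empty credential array yields {@code null}. Only the first element is checked
     * for expiry: when it is present and no longer current the call fails. The expiry failure, like
     * any other exception, is recorded through FFDC and reaches the caller wrapped in a
     * {@link WSSecurityException}.
     *
     * @return the received credentials, or {@code null} when cell security is disabled or none were
     *         received
     * @throws WSSecurityException if the first credential has expired or the lookup fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential[] getCallerCredentials() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerCredentials");
        }
        try {
            WSCredential[] receivedCreds = getThreadLocal().get_state_of_curr_obj().getWSReceivedCreds();
            if (receivedCreds == null || receivedCreds.length == 0) {
                // The length is checked before element 0 is read, so an empty array returns null
                // instead of failing with an index error that surfaces as a security exception.
                receivedCreds = null;
            } else if (receivedCreds[0] != null && !receivedCreds[0].isCurrent()) {
                throw new WSSecurityException("Received credential has expired.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getCallerCredentials");
            }
            return receivedCreds;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getCallerCredentials", "890", this);
            throw new WSSecurityException(e.getMessage(), e);
        }
    }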

    /**
     * Returns the caller subject stored in the current thread's state.
     *
     * <p>{@code null} is returned when cell security is disabled, and also on a server process
     * whose context manager is not initialized yet. The subject is read inside
     * {@code AccessController.doPrivileged}, and so is the exit trace that prints it.
     *
     * <p>NOTE(review): the returned object is the reference held in thread state, and no permission
     * check is visible in this method; callers receive the live subject.
     *
     * @return the caller subject, or {@code null} in the cases described above
     * @throws WSSecurityException wrapping any failure while reading the thread state
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject getCallerSubject() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerSubject");
        }
        if (!isCellSecurityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getCallerSubject cell security not enabled, returning");
            }
            return null;
        }
        if (!this.initialized && RasHelper.isServer()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getCallerSubject ContextManager not initialized returning");
            }
            return null;
        }
        try {
            final StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
            final PrivilegedExceptionAction readCaller = new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return threadState.getCallerSubject();
                }
            };
            final Subject caller = (Subject) AccessController.doPrivileged(readCaller);
            final PrivilegedAction traceExit = new PrivilegedAction() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.2
                @Override // java.security.PrivilegedAction
                public Object run() {
                    if (ContextManagerImpl.tc.isEntryEnabled()) {
                        Tr.exit(ContextManagerImpl.tc, "getCallerSubject", caller);
                    }
                    return null;
                }
            };
            AccessController.doPrivileged(traceExit);
            return caller;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getCallerSubject", "925", this);
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Returns the client unique id for outbound requests as a byte array.
     *
     * <p>The id comes from {@link #getClientUniqueIDForOutboundRequests(Subject)}; a {@code null} id
     * gives a {@code null} array.
     *
     * @param subject the subject the id is derived from
     * @return the id bytes, or {@code null} when no id could be created
     */
    public byte[] getClientUniqueIDArrayForOutboundRequests(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientUniqueIDArrayForOutboundRequests", subject);
        }
        final String uniqueId = getClientUniqueIDForOutboundRequests(subject);
        byte[] idBytes = null;
        if (uniqueId != null) {
            // NOTE(review): getBytes() without a charset uses the platform default, so two hosts
            // with different defaults can produce different bytes for the same id. Confirm what the
            // receiving side decodes with before pinning a charset here.
            idBytes = uniqueId.getBytes();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientUniqueIDArrayForOutboundRequests", idBytes);
        }
        return idBytes;
    }

    /**
     * Builds the client unique id for outbound requests from all tokens of a subject.
     *
     * <p>This is best effort: when the mapper or the subject is missing, or the mapper throws, the
     * failure is recorded through FFDC and {@code null} is returned.
     *
     * @param subject the subject whose tokens feed the id; may be {@code null}
     * @return the unique id, or {@code null} when none could be created
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getClientUniqueIDForOutboundRequests(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientUniqueIDForOutboundRequests", subject);
        }
        String uniqueId = null;
        try {
            final WSCredentialTokenMapperInterface mapper = getWSCredTokenMapper();
            final boolean canCreate = mapper != null && subject != null;
            if (canCreate) {
                uniqueId = mapper.createUniqueIDFromAllTokens(subject);
            }
        } catch (Exception e) {
            // Deliberately not rethrown: callers get null instead of a failure.
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getClientUniqueIDForOutboundRequests", "967");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientUniqueIDForOutboundRequests", uniqueId);
        }
        return uniqueId;
    }

    /**
     * Returns the default realm name.
     *
     * <ul>
     *   <li>Cell security disabled: {@code SECURITY_REALM} is overwritten with {@code "<default>"}
     *       and that value is returned.</li>
     *   <li>Server process: the {@code realm} string of the active user registry.</li>
     *   <li>Any other process: {@code "<default>"}.</li>
     * </ul>
     * A {@code null} or empty result falls back to the current {@code SECURITY_REALM} value.
     *
     * @return the realm name chosen by the rules above
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getDefaultRealm() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultRealm");
        }
        String realm;
        if (!isCellSecurityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security is disabled, default realm name will be returned");
            }
            // Side effect: the fallback field itself is reset here.
            this.SECURITY_REALM = "<default>";
            realm = this.SECURITY_REALM;
        } else if (RasHelper.isServer()) {
            realm = getSecurityConfig().getActiveUserRegistry().getString("realm");
        } else {
            realm = "<default>";
        }
        if (realm == null || realm.length() == 0) {
            realm = this.SECURITY_REALM;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "realm still null or empty setting to SECURITY_REALM");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDefaultRealm", realm);
        }
        return realm;
    }

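    /**
     * Returns the default realm for the authentication mechanism identified by an OID.
     *
     * <ul>
     *   <li>Security disabled: resets {@code SECURITY_REALM} to {@code "<default>"} and
     *       returns it.</li>
     *   <li>Server process, {@code str} matches {@code KRB5MechOID.value} and the active
     *       mechanism type equals {@code AuthMechanismConfig.TYPE_KERBEROS}: the value of
     *       {@code Krb5Utils.getKrb5Realm()}.</li>
     *   <li>Server process otherwise: the {@code "realm"} string of the active user
     *       registry.</li>
     *   <li>Non-server process: {@code null} plus a warning when {@code str} matches
     *       {@code KRB5MechOID.value}, otherwise {@code "<default>"}.</li>
     * </ul>
     *
     * <p>On every path except the non-server Kerberos one, a null or empty result falls
     * back to {@code SECURITY_REALM}. That includes a failed Kerberos realm lookup, so a
     * caller can receive the fallback realm where it asked for the Kerberos one.
     *
     * @param str the mechanism OID to resolve the realm for
     * @return the realm name, or {@code null} for a Kerberos OID on a non-server process
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getDefaultRealm(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultRealm", str);
        }
        String realm = null;
        if (!isCellSecurityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security is disabled, default realm name will be returned");
            }
            // Side effect: the fallback realm itself is overwritten on this path.
            this.SECURITY_REALM = "<default>";
            realm = this.SECURITY_REALM;
        } else if (RasHelper.isServer()) {
            SecurityConfig securityConfig = getSecurityConfig();
            if (OID.compareOIDs(str, KRB5MechOID.value) && AuthMechanismConfig.TYPE_KERBEROS.equals(securityConfig.getActiveAuthMechanism().getType())) {
                try {
                    realm = Krb5Utils.getKrb5Realm();
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getDefaultRealm", "1030", this);
                    // The error message is emitted regardless of the entry/exit trace setting:
                    // a failed Kerberos realm lookup silently turns into the registry fallback
                    // realm below, and operators need to see that without enabling trace.
                    Tr.error(tc, "security.auth.kerberos.Exception", new Object[]{"getDefaultRealm()", e});
                }
            } else {
                realm = getSecurityConfig().getActiveUserRegistry().getString("realm");
            }
        } else {
            if (OID.compareOIDs(str, KRB5MechOID.value)) {
                Tr.warning(tc, "security.auth.kerberos.cannot.getSPNonClient");
                // Keep entry/exit trace balanced on the early return as on every other path.
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getDefaultRealm", (Object) null);
                }
                return null;
            }
            realm = "<default>";
        }
        if (realm == null || realm.length() == 0) {
            realm = this.SECURITY_REALM;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "realm still null or empty setting to SECURITY_REALM");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDefaultRealm", realm);
        }
        return realm;
    }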

    /**
     * Returns the Kerberos service principal name configured for this server.
     *
     * <p>A value is produced only when security is enabled, the process is a server,
     * and the active authentication mechanism type equals
     * {@code AuthMechanismConfig.TYPE_KERBEROS}. On a non-server process with security
     * enabled a warning is logged and {@code null} is returned.
     *
     * @return the configured {@code AuthMechanismConfig.KRB5_SPN} string, or {@code null}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getDefaultKrbSpn() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultKrbSpn");
        }
        String spn = null;
        if (isCellSecurityEnabled()) {
            if (!RasHelper.isServer()) {
                Tr.warning(tc, "security.auth.kerberos.cannot.getSPNonClient");
            } else {
                SecurityConfig config = getSecurityConfig();
                boolean kerberosActive = AuthMechanismConfig.TYPE_KERBEROS.equals(config.getActiveAuthMechanism().getType());
                if (kerberosActive) {
                    spn = config.getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString(AuthMechanismConfig.KRB5_SPN);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDefaultKrbSpn", spn);
        }
        return spn;
    }

    /**
     * Returns the realm of the administrative security domain, caching it in
     * {@code adminRealm}.
     *
     * <p>With security disabled the cached value is overwritten with {@code "<default>"}.
     * With security enabled the {@code "realm"} string of the admin configuration's active
     * user registry is read once, while the cache is still null. A null or empty value is
     * replaced by {@link #getDefaultRealm()}.
     *
     * <p>NOTE(review): the field is never cleared in this method, so a value cached while
     * security was disabled stays in place afterwards. Confirm that security cannot be
     * switched on within the lifetime of this object.
     *
     * @return the cached admin realm
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getAdminRealm() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAdminRealm");
        }
        if (isCellSecurityEnabled()) {
            if (this.adminRealm == null) {
                this.adminRealm = getAdminSecurityConfig().getActiveUserRegistry().getString("realm");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security is disabled, default realm name will be returned");
            }
            this.adminRealm = "<default>";
        }
        boolean realmMissing = this.adminRealm == null || this.adminRealm.isEmpty();
        if (realmMissing) {
            this.adminRealm = getDefaultRealm();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "admin realm still null or empty setting to default realm");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAdminRealm", this.adminRealm);
        }
        return this.adminRealm;
    }

    /**
     * Returns the application realm, caching it in {@code appRealm}.
     *
     * <p>The entry trace text marks this method as one that should not be called. With
     * security disabled the cached value is overwritten with {@code "<default>"}. With
     * security enabled {@code DomainInfo.getDefaultRealm()} is read once, while the cache
     * is still null. A null or empty value is replaced by {@link #getDefaultRealm()}.
     *
     * @return the cached application realm
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getAppRealm() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAppRealm ERROR SHOULD NOT BE CALLED");
        }
        if (isCellSecurityEnabled()) {
            if (this.appRealm == null) {
                this.appRealm = DomainInfo.getDefaultRealm();
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security is disabled, default realm name will be returned");
            }
            this.appRealm = "<default>";
        }
        boolean realmMissing = this.appRealm == null || this.appRealm.isEmpty();
        if (realmMissing) {
            this.appRealm = getDefaultRealm();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "app realm still null or empty setting to default realm");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAppRealm", this.appRealm);
        }
        return this.appRealm;
    }

    /**
     * Checks whether the tokens held by {@code subject} are close enough to expiry to need
     * a refresh and, on the refresh path, replaces them in place inside a privileged action.
     *
     * <p>NOTE(review): this body is decompiler output. It carries JADX type-inference
     * failures ({@code boolean z2 = 0}, a token assigned to {@code z2}) and does not compile
     * as listed, so the comments below describe the control flow shown here, which may
     * differ from the shipped class.
     *
     * @param subject the Subject whose private credentials are inspected and updated
     * @param i percentage in the range 0..99 that scales the auth mechanism "timeout" into
     *          the remaining-lifetime threshold
     * @param z when false only the expiry checks run; when true the refresh block is entered
     *          directly
     * @return {@code true} on the "nothing to do" exits and after the refresh block;
     *         {@code false} for a non-server subject when
     *         {@code com.ibm.CSI.refreshClientSubjectGoingOutbound} is off, or when reading
     *         the credential raised a PrivilegedActionException
     * @throws WSSecurityException if {@code subject} is null or {@code i} is outside 0..99
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean renew(final Subject subject, int i, boolean z) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "renew", new Object[]{new Integer(i), new Boolean(z)});
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Subject is null.");
            }
            throw new WSSecurityException("Subject is null.");
        }
        // Only 0..99 is accepted; 100 and above or a negative value is rejected.
        if (i >= 100 || i < 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Not renewed - " + i + " % too large or too small");
            }
            throw new WSSecurityException("Not renewed - " + i + " % too large or too small");
        }
        // With security disabled, or on a non-server process, there is nothing to renew: report success.
        if (!isCellSecurityEnabled()) {
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "Security is disabled.");
            return true;
        }
        if (!processIsServer()) {
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "Not applicable to client side");
            return true;
        }
        // A subject that is not the server subject is refreshed only when the CSIv2 property is set.
        if (!SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.CSI.refreshClientSubjectGoingOutbound") && !isServerSubject(subject)) {
            if (!tc.isEntryEnabled()) {
                return false;
            }
            Tr.exit(tc, "Client credential but com.ibm.CSI.getRefreshClientSubjectGoingOutbound is not enabled.");
            return false;
        }
        SecurityConfig securityConfig = getSecurityConfig();
        if (!z) {
            try {
                WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                if (wSCredentialFromSubject != null) {
                    if (wSCredentialFromSubject.isForwardable()) {
                        // Redundant repeat of the null check above (already known non-null here).
                        if (wSCredentialFromSubject != null) {
                            try {
                                long currentTimeMillis = System.currentTimeMillis();
                                long expiration = wSCredentialFromSubject.getExpiration() - currentTimeMillis;
                                // Threshold = i percent of the configured "timeout", scaled by 60 * 1000
                                // (presumably minutes to milliseconds; confirm the unit of "timeout").
                                long longValue = (((Long.valueOf(securityConfig.getActiveAuthMechanism().getLong("timeout")).longValue() * 60) * 1000) / 100) * i;
                                if (expiration > longValue) {
                                    KRBAuthnToken kerberosAuthnTokenFromSubject = SubjectHelper.getKerberosAuthnTokenFromSubject(subject);
                                    if (kerberosAuthnTokenFromSubject == null) {
                                        if (!tc.isEntryEnabled()) {
                                            return true;
                                        }
                                        Tr.exit(tc, "not renewed because WSCred remaining time " + expiration + " in milliseconds > threshold " + longValue);
                                        return true;
                                    }
                                    // Remaining Kerberos token lifetime, reduced by the cache cushion.
                                    long tokenExpiration = (kerberosAuthnTokenFromSubject.getTokenExpiration() - currentTimeMillis) - this.cache.getCushion();
                                    // NOTE(review): a millisecond value is compared with the clock skew below;
                                    // confirm that getKrb5ClockSkew() returns milliseconds as well.
                                    int krb5ClockSkew = getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getKrb5ClockSkew();
                                    if (tokenExpiration > krb5ClockSkew) {
                                        if (tc.isEntryEnabled()) {
                                            Tr.exit(tc, "not renewed because KRBAuthnToken remaining time " + tokenExpiration + " in milliseconds > Kerberos clock skew " + krb5ClockSkew);
                                            Tr.exit(tc, "not renewed because WSCredential remaining time " + expiration + " in milliseconds > threshold " + longValue);
                                        }
                                        if (!tc.isDebugEnabled()) {
                                            return true;
                                        }
                                        Tr.debug(tc, "KRBAuthnToken refresh not required");
                                        return true;
                                    }
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "KRBAuthnToken needs to refresh");
                                    }
                                }
                            } catch (CredentialExpiredException e) {
                                // NOTE(review): an expired credential is swallowed without FFDC or trace and
                                // execution continues to the "Not forwardable" exit below, which returns true.
                            }
                        }
                    }
                }
                // NOTE(review): as listed, every path through the !z branch that has not already
                // returned ends here, including "forwardable and below threshold" and
                // "KRBAuthnToken needs to refresh", so the refresh block below is reached only
                // when z is true. This is likely a decompiler restructuring; confirm against
                // the original bytecode before relying on it.
                if (!tc.isEntryEnabled()) {
                    return true;
                }
                Tr.exit(tc, "Not forwardable");
                return true;
            } catch (PrivilegedActionException e2) {
                FFDCFilter.processException(e2.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.renew", "1343", this);
                setRootException(e2.getException());
                return false;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Refreshing Subject.");
        }
        // The monitor is the caller-supplied Subject, held for the whole refresh.
        synchronized (subject) {
            // NOTE(review): the value returned by the action is discarded, so the
            // "return false" exits inside run() (token not renewable, ticket refresh failed,
            // exception while refreshing) do not reach the caller; renew() still returns true.
            AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.3
                /* JADX WARN: Multi-variable type inference failed */
                /* JADX WARN: Type inference failed for: r9v0 */
                /* JADX WARN: Type inference failed for: r9v1 */
                /* JADX WARN: Type inference failed for: r9v2 */
                /* JADX WARN: Type inference failed for: r9v4 */
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws WSLoginFailedException, WSSecurityException {
                    Token token = null;
                    // z2 is a decompiler-merged variable: it is declared boolean but is later assigned
                    // the cloned AuthorizationToken and passed on as a token.
                    boolean z2 = 0;
                    WSCredential wSCredentialFromSubject2 = SubjectHelper.getWSCredentialFromSubject(subject);
                    // Walk every private credential and refresh each supported token type in place.
                    for (Object obj : subject.getPrivateCredentials()) {
                        if ((obj instanceof AuthorizationToken) && (obj instanceof AbstractTokenImpl)) {
                            // The clone's token is copied back into the original object; judging by the
                            // debug text, clone() is what yields the new expiration (confirm).
                            z2 = (AuthorizationToken) ((AuthorizationToken) obj).clone();
                            ((AbstractTokenImpl) obj).setToken(((AbstractTokenImpl) z2).getToken());
                            if (ContextManagerImpl.tc.isDebugEnabled()) {
                                Tr.debug(ContextManagerImpl.tc, "New AuthorizationToken expiration: " + new Date(((Token) obj).getExpiration()));
                            }
                        } else if (obj instanceof KRBAuthnToken) {
                            try {
                                if (!ContextManagerImpl.this.isKrbAuthnTokenRenewable((KRBAuthnToken) obj)) {
                                    return false;
                                }
                                if (obj instanceof KRBTicket) {
                                    KerberosTicket refreshKerberosTicket = ContextManagerImpl.this.refreshKerberosTicket(((KRBTicket) obj).getKerberosTicket());
                                    if (refreshKerberosTicket == null) {
                                        return false;
                                    }
                                    ((KRBTicket) obj).setKerberosTicket(refreshKerberosTicket);
                                }
                                if (ContextManagerImpl.tc.isDebugEnabled()) {
                                    Tr.debug(ContextManagerImpl.tc, "New KRBAuthnToken expiration: " + new Date(((KRBAuthnToken) obj).getTokenExpiration()));
                                }
                            } catch (Exception e3) {
                                // Only the message is traced at debug level; no FFDC record is written and
                                // tokens already refreshed earlier in the loop stay refreshed.
                                if (ContextManagerImpl.tc.isDebugEnabled()) {
                                    Tr.debug(ContextManagerImpl.tc, "Exception refreshing the KRBAuthnToken.", new Object[]{e3.getMessage()});
                                }
                                return false;
                            }
                        } else if ((obj instanceof AuthenticationToken) && (obj instanceof AbstractTokenImpl)) {
                            token = (AuthenticationToken) ((AuthenticationToken) obj).clone();
                            ((AbstractTokenImpl) obj).setToken(((AbstractTokenImpl) token).getToken());
                            if (ContextManagerImpl.tc.isDebugEnabled()) {
                                Tr.debug(ContextManagerImpl.tc, "New AuthenticationToken expiration: " + new Date(((Token) obj).getExpiration()));
                            }
                        } else if ((obj instanceof SingleSignonToken) && (obj instanceof AbstractTokenImpl)) {
                            ((AbstractTokenImpl) obj).setToken(((AbstractTokenImpl) ((SingleSignonToken) ((SingleSignonToken) obj).clone())).getToken());
                            if (ContextManagerImpl.tc.isDebugEnabled()) {
                                Tr.debug(ContextManagerImpl.tc, "New SingleSignonToken expiration: " + new Date(((Token) obj).getExpiration()));
                            }
                        }
                    }
                    // The WSCredential is rebuilt only when both an authentication token and an
                    // authorization token were refreshed above (z2 stands for the latter).
                    if (token == null || !z2) {
                        return null;
                    }
                    try {
                        WSCredential createWSCredentialFromTokens = ContextManagerImpl.this.getWSCredTokenMapper().createWSCredentialFromTokens(token.getBytes(), z2);
                        if (ContextManagerImpl.tc.isDebugEnabled()) {
                            Tr.debug(ContextManagerImpl.tc, "Updating Subject with new wsCred token.");
                        }
                        // Unchecked cast: a credential that is not a WSCredentialImpl raises
                        // ClassCastException, which the catch below rewraps.
                        ((WSCredentialImpl) wSCredentialFromSubject2).refreshCred(createWSCredentialFromTokens);
                        if (ContextManagerImpl.tc.isDebugEnabled()) {
                            Tr.debug(ContextManagerImpl.tc, "New WSCredential expiration: " + new Date(wSCredentialFromSubject2.getExpiration()));
                        }
                        return null;
                    } catch (Exception e4) {
                        FFDCFilter.processException(e4, "com.ibm.ws.security.auth.ContextManagerImpl.renew", "1331", this);
                        if (ContextManagerImpl.tc.isDebugEnabled()) {
                            Tr.debug(ContextManagerImpl.tc, "Exception refreshing the WSCredential.", new Object[]{e4});
                        }
                        throw new WSSecurityException(e4.getMessage(), e4);
                    }
                }
            });
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "renew if below " + i + " %");
        return true;
    }

    /**
     * Fetches the entry stored under {@code obj} through the token mapper's
     * {@code getDistributedObject}.
     *
     * <p>Best effort: any exception is passed to FFDC, traced at debug level, and turned
     * into a {@code null} result. The key and the returned value are both written to the
     * entry/exit trace.
     *
     * @param obj the lookup key
     * @return the stored object, or {@code null} when nothing was returned or the lookup failed
     */
    private Object getDistributedObject(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDistributedObject", obj);
        }
        Object cached;
        try {
            cached = getWSCredTokenMapper().getDistributedObject(obj);
        } catch (Exception lookupFailure) {
            cached = null;
            FFDCFilter.processException(lookupFailure, "com.ibm.ws.security.auth.distContextManager.getDistributedObject", "1380");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting distributed object.", new Object[]{lookupFailure});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDistributedObject", cached);
        }
        return cached;
    }

    /**
     * Fetches the entry stored under {@code obj} through the token mapper's
     * {@code getDistributedObjectNotShared}.
     *
     * <p>Best effort: any exception is passed to FFDC, traced at debug level, and turned
     * into a {@code null} result. The key and the returned value are both written to the
     * entry/exit trace.
     *
     * @param obj the lookup key
     * @return the stored object, or {@code null} when nothing was returned or the lookup failed
     */
    private Object getDistributedObjectNotShared(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDistributedObjectNotShared", obj);
        }
        Object cached;
        try {
            cached = getWSCredTokenMapper().getDistributedObjectNotShared(obj);
        } catch (Exception lookupFailure) {
            cached = null;
            FFDCFilter.processException(lookupFailure, "com.ibm.ws.security.auth.distContextManager.getDistributedObjectNotShared", "1415");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting none shared distributed object.", new Object[]{lookupFailure});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDistributedObjectNotShared", cached);
        }
        return cached;
    }

    /**
     * Asks the token mapper, under {@code runAsSystem}, for the initial context token
     * that belongs to {@code byteArray}.
     *
     * <p>Best effort on both levels: an exception inside the privileged action and a
     * {@link PrivilegedActionException} from {@code runAsSystem} are each sent to FFDC and
     * traced, and the method returns {@code null}. The arguments and the returned bytes are
     * written to the entry/exit trace.
     *
     * @param byteArray the lookup key passed through to the token mapper
     * @param str passed through to the token mapper (the caller in this file supplies a
     *            server name)
     * @param properties connection properties passed through to the token mapper
     * @return the token bytes, or {@code null} when none were obtained
     */
    private byte[] getInitialContextTokenFromMBean(final ByteArray byteArray, final String str, final Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInitialContextTokenFromMBean", new Object[]{byteArray, str, properties});
        }
        PrivilegedExceptionAction<byte[]> fetchToken = new PrivilegedExceptionAction<byte[]>() {
            @Override // java.security.PrivilegedExceptionAction
            public byte[] run() throws Exception {
                byte[] fetched = null;
                try {
                    fetched = ContextManagerImpl.this.getWSCredTokenMapper().getInitialContextTokenFromMBean(byteArray, str, properties);
                } catch (Exception remoteFailure) {
                    // The failure is absorbed here, so the caller sees null instead of an exception.
                    FFDCFilter.processException(remoteFailure, "com.ibm.ws.security.auth.ContextManagerImpl.getInitialContextTokenFromMBean", "1441", this);
                    if (ContextManagerImpl.tc.isDebugEnabled()) {
                        Tr.debug(ContextManagerImpl.tc, "Exception getting initial context token from originating server.");
                    }
                }
                return fetched;
            }
        };
        byte[] tokenBytes = null;
        try {
            tokenBytes = (byte[]) runAsSystem(fetchToken);
        } catch (PrivilegedActionException wrapped) {
            FFDCFilter.processException(wrapped.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.getInitialContextTokenFromMBean", "1454", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting initial context token from originating server.", new Object[]{wrapped.getException()});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInitialContextTokenFromMBean", tokenBytes);
        }
        return tokenBytes;
    }

    /**
     * Returns the invocation credential recorded in the current thread's security state.
     *
     * <p>With security disabled the method returns {@code null} without tracing. The
     * credential is written to the exit trace.
     *
     * @return the invocation credential, or {@code null} when security is disabled
     * @throws WSSecurityException wrapping any exception raised while reading the thread state
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential getInvocationCredential() throws WSSecurityException {
        WSCredential invocationCred = null;
        if (isCellSecurityEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "getInvocationCredential");
            }
            try {
                invocationCred = getThreadLocal().get_state_of_curr_obj().getWSInvocationCred();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getInvocationCredential", invocationCred);
                }
            } catch (Exception cause) {
                FFDCFilter.processException(cause, "com.ibm.ws.security.auth.ContextManagerImpl.getInvocationCredential", "1477", this);
                throw new WSSecurityException(cause.getMessage(), cause);
            }
        }
        return invocationCred;
    }

    /**
     * Returns the invocation Subject recorded in the current thread's security state.
     *
     * <p>With security disabled the method returns {@code null} without tracing. Unlike
     * the credential getter, the exit trace does not include the Subject.
     *
     * @return the invocation Subject, or {@code null} when security is disabled
     * @throws WSSecurityException wrapping any exception raised while reading the thread state
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject getInvocationSubject() throws WSSecurityException {
        Subject current = null;
        if (isCellSecurityEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "getInvocationSubject");
            }
            try {
                current = getThreadLocal().get_state_of_curr_obj().getInvocationSubject();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getInvocationSubject");
                }
            } catch (Exception cause) {
                FFDCFilter.processException(cause, "com.ibm.ws.security.auth.ContextManagerImpl.getInvocationSubject", "1500", this);
                throw new WSSecurityException(cause.getMessage(), cause);
            }
        }
        return current;
    }

    /**
     * Returns the cached {@code JaasLoginHelper}, creating it on first use from the CSIv2
     * {@code AUTH_MECH_ALIAS} setting.
     *
     * <p>On a construction failure the cache is left null, so the next call tries again.
     *
     * <p>NOTE(review): the check-then-create sequence is not synchronized here; confirm
     * whether callers serialize access or whether a duplicate helper is harmless.
     *
     * @return the helper instance
     * @throws WSSecurityException wrapping any exception raised while creating the helper
     */
    private JaasLoginHelper getJaasLoginHelper() throws WSSecurityException {
        if (this.jaasLoginHelper != null) {
            return this.jaasLoginHelper;
        }
        try {
            String authMechAlias = SecurityObjectLocator.getCSIv2Config().getString(CSIv2Config.AUTH_MECH_ALIAS);
            this.jaasLoginHelper = new JaasLoginHelper(authMechAlias);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getJaasLoginHelper()");
            }
        } catch (Exception creationFailure) {
            FFDCFilter.processException(creationFailure, "com.ibm.ws.security.auth.ContextManagerImpl.getJaasLoginHelper", "1518");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "", creationFailure);
            }
            this.jaasLoginHelper = null;
            throw new WSSecurityException(creationFailure.getMessage(), creationFailure);
        }
        return this.jaasLoginHelper;
    }

    /**
     * Resolves the propagated security attributes that belong to an SSO token, first from
     * the local distributed cache and then from the server named inside the token.
     *
     * <p>As listed, the returned object is one of: a Subject found in {@code this.cache}
     * by the token's unique ID (early return), a KRBAuthnToken found in the non-shared
     * cache, the byte[] initial context token fetched through the MBean path, or
     * {@code null}. The token holder list decoded from the opaque token is not returned;
     * it is stored through {@code put(...)} under the opaque-token lookup key.
     *
     * <p>Failure handling: every exception other than WSLoginFailedException is sent to
     * FFDC and swallowed, and the method returns whatever was collected up to that point
     * (often {@code null}).
     *
     * <p>NOTE(review): decompiled code; trace labels still name
     * "getSubjectFromDynaCacheOrOriginatingServer" and several branches look restructured
     * by the decompiler (see inline notes).
     *
     * @param bArr the serialized SSO token; wrapped in a ByteArray as cache key and passed to
     *             {@code validateLTPAToken}
     * @return see above; may be {@code null}
     * @throws WSLoginFailedException when the token carries a unique ID, no opaque token was
     *         found, and {@code com.ibm.ws.security.webChallengeIfCustomSubjectNotFound} is set
     */
    private Object getOpaqueTokenFromCacheOrOriginatingServer(byte[] bArr) throws WSLoginFailedException {
        String[] attributes;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOpaqueTokenFromCacheOrOriginatingServer");
        }
        Subject subject = null;
        Object obj = null;
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting distributed object from DynaCache.");
            }
            String[] strArr = null;
            String[] strArr2 = null;
            ByteArray byteArray = new ByteArray(bArr);
            // Unchecked casts on cache contents: an entry of another type raises
            // ClassCastException, which the catch (Exception) at the end swallows.
            byte[] bArr2 = (byte[]) getDistributedObject(byteArray);
            Properties properties = new Properties();
            KRBAuthnToken kRBAuthnToken = (KRBAuthnToken) getDistributedObjectNotShared(byteArray);
            if (kRBAuthnToken != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Setting return_object = KRBAuthnToken.");
                }
                obj = kRBAuthnToken;
            }
            String[] strArr3 = null;
            String[] strArr4 = null;
            String[] strArr5 = null;
            String[] strArr6 = null;
            // z: a Kerberos token is expected, because the active mechanism OID is the Kerberos
            // one or the SPNEGO mechanism is enabled.
            boolean z = OID.compareOIDs(getSecurityConfig().getActiveAuthMechanism().getString(AuthMechanismConfig.OID), KRB5MechOID.value) || Boolean.valueOf(getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_SPNEGO).getBoolean("enabled")).booleanValue();
            // The token is validated only on a cache miss (no opaque token, or no Kerberos token
            // although one is expected).
            if (bArr2 == null || (kRBAuthnToken == null && z)) {
                // Trust boundary: the server name, provider URL, type, host and port read below
                // come from inside the token and later decide which remote endpoint this server
                // contacts. That is safe only if validateLTPAToken rejects forged or expired
                // tokens before returning (presumably it verifies the signature; confirm).
                com.ibm.wsspi.security.ltpa.Token validateLTPAToken = getWSCredTokenMapper().validateLTPAToken(bArr);
                strArr = validateLTPAToken.getAttributes("process.serverName");
                if (strArr != null && tc.isDebugEnabled()) {
                    Tr.debug(tc, "serverName is " + strArr[0]);
                }
                strArr2 = validateLTPAToken.getAttributes(AttributeNameConstants.WSTOKEN_UNIQUEID);
                strArr3 = validateLTPAToken.getAttributes("java.naming.provider.url");
                strArr4 = validateLTPAToken.getAttributes("type");
                strArr5 = validateLTPAToken.getAttributes("host");
                strArr6 = validateLTPAToken.getAttributes("port");
                if (kRBAuthnToken == null) {
                    // The token's own attributes override the configuration-derived expectation.
                    String[] attributes2 = validateLTPAToken.getAttributes(CommonConstants.SSO_KRB5_EXISTS);
                    if (attributes2 != null) {
                        z = "true".equalsIgnoreCase(attributes2[0]);
                    }
                    if (!z && (attributes = validateLTPAToken.getAttributes(CommonConstants.SSO_SPNEGO)) != null) {
                        z = "true".equalsIgnoreCase(attributes[0]);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SSO_KRB5_EXISTS is " + z);
                    }
                }
                // byteArray was constructed above, so its null check is always true here.
                if (byteArray != null && strArr4 != null && strArr5 != null && strArr6 != null && strArr != null && strArr[0] != null) {
                    properties.setProperty("type", strArr4[0]);
                    properties.setProperty("host", strArr5[0]);
                    properties.setProperty("port", strArr6[0]);
                }
            }
            if (bArr2 == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Not found subject in DynaCache, getting distributed object using MBean.");
                }
                if (strArr2 != null && strArr2[0] != null) {
                    subject = this.cache.getSubject(strArr2[0]);
                }
                if (subject != null) {
                    if (tc.isDebugEnabled()) {
                        // Concatenates the array reference, not strArr2[0], so the trace shows an
                        // array identity string rather than the unique ID.
                        Tr.debug(tc, "Found subject using token unique ID: " + strArr2);
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getSubjectFromDynaCacheOrOriginatingServer");
                    }
                    return subject;
                }
                // getProperty(...) is dereferenced directly: an unset property raises
                // NullPointerException, swallowed by the catch (Exception) at the end.
                if (getSecurityConfig().getProperty(SecurityConfig.WEB_PROPAGATION_SERVER_TRANSPORT).equals("IIOP") && strArr3 != null) {
                    // JNDI provider URL taken from the token attribute (see trust-boundary note above).
                    Hashtable hashtable = new Hashtable();
                    hashtable.put("java.naming.provider.url", strArr3[0]);
                    hashtable.put("java.naming.factory.initial", PROPS.INITIAL_CONTEXT_FACTORY);
                    bArr2 = getOpaqueTokenFromCorbaObject(byteArray, hashtable);
                } else if (byteArray != null && strArr4 != null && strArr5 != null && strArr6 != null && strArr != null && strArr[0] != null) {
                    bArr2 = getOpaqueTokenFromMBean(byteArray, strArr[0], properties);
                }
            }
            if (bArr2 != null) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Getting token holder list from opaque token.");
                    }
                    ArrayList createTokenHolderListFromOpaqueToken = WSOpaqueTokenHelper.getInstance().createTokenHolderListFromOpaqueToken(bArr2);
                    if (createTokenHolderListFromOpaqueToken != null && z && kRBAuthnToken == null) {
                        Iterator it = createTokenHolderListFromOpaqueToken.iterator();
                        boolean z2 = false;
                        // NOTE(review): as listed, the "not found" handling sits inside the loop,
                        // so the MBean call below runs once per holder visited before a Kerberos
                        // holder is seen. Probably a decompiler restructuring; confirm.
                        while (it.hasNext()) {
                            if (((TokenHolder) it.next()).getName().startsWith(KRBAuthnToken.WSSECURITY_KRBAUTHNTOKEN_NAME)) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Found \"" + KRBAuthnToken.WSSECURITY_KRBAUTHNTOKEN_NAME + "\" in the Subject.");
                                }
                                z2 = true;
                            }
                            if (!z2) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "KRBAuthnToken not found locally, getting from MBean.");
                                }
                                if (strArr != null) {
                                    if (tc.isDebugEnabled()) {
                                        // The cache key object is concatenated into the trace; what is
                                        // printed depends on ByteArray.toString() (not visible here).
                                        Tr.debug(tc, "Get token from Mbean " + byteArray + strArr[0]);
                                    }
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "serverName is null");
                                }
                                // strArr[0] is dereferenced even on the null branch above; the
                                // resulting NullPointerException is not a WSSecurityException, so it
                                // skips the inner catch and is swallowed by the outer catch
                                // (Exception), which also skips the put(...) further down.
                                byte[] initialContextTokenFromMBean = getInitialContextTokenFromMBean(byteArray, strArr[0], properties);
                                if (initialContextTokenFromMBean != null) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Setting return_object = initial context token.");
                                    }
                                    obj = initialContextTokenFromMBean;
                                } else if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Token is null");
                                }
                            }
                        }
                    }
                    if (createTokenHolderListFromOpaqueToken != null) {
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "Token holder list has been set on the thread.");
                        }
                        put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), createTokenHolderListFromOpaqueToken);
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Failed to get token holder list.");
                    }
                } catch (WSSecurityException e) {
                    // Traced at debug level only; no FFDC record on this path.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Failed to get token holder list.", new Object[]{e});
                    }
                }
            } else if (strArr2 != null && strArr2[0] != null && SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.ws.security.webChallengeIfCustomSubjectNotFound")) {
                // Fail closed: the token names a custom subject that cannot be recovered.
                throw new WSLoginFailedException("SSO token uniqueID not null, but opaque token not found.  Need to re-challenge the user to login again.");
            }
        } catch (WSLoginFailedException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.auth.ContextManagerImpl.getSubjectFromDynaCacheOrOriginatingServer", "1697", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting opaque token from originating server.", new Object[]{e2});
            }
            throw e2;
        } catch (Exception e3) {
            // Everything else, including a token validation failure, is recorded in FFDC and
            // swallowed; the method then returns whatever obj holds at this point.
            FFDCFilter.processException(e3, "com.ibm.ws.security.auth.ContextManagerImpl.getSubjectFromDynaCacheOrOriginatingServer", "1702", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting opaque token from originating server.");
            }
        }
        // NOTE(review): as listed, the "(byte[])" and "(null)" exit traces can never be written:
        // they sit inside the KRBAuthnToken branch and behind an else that is reached only when
        // entry tracing is off. Only the trace output is affected, not the return value.
        if (obj != null && (obj instanceof KRBAuthnToken)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getSubjectFromDynaCacheOrOriginatingServer (KRBAuthnToken)");
            } else if (obj != null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getSubjectFromDynaCacheOrOriginatingServer (byte[])");
                } else if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getSubjectFromDynaCacheOrOriginatingServer (null)");
                }
            }
        }
        return obj;
    }

    /**
     * Fetches the opaque token for {@code byteArray} from a remote {@code SecurityServer}
     * object located through JNDI.
     *
     * <p>The lookup runs under {@code runAsSpecified} with a freshly created
     * unauthenticated Subject. The JNDI environment, including the provider URL that
     * decides which host is contacted, is taken as given from {@code hashtable}, so the
     * caller is responsible for where those values come from.
     *
     * <p>Best effort: exceptions inside the action, a {@code WSSecurityException} and a
     * {@link PrivilegedActionException} are each sent to FFDC and traced, and the method
     * returns {@code null}. The returned bytes are written to the exit trace. The
     * {@code InitialContext} created for the lookup is not closed in this method.
     *
     * @param byteArray the lookup key handed to the remote {@code getOpaqueToken}
     * @param hashtable the JNDI environment for the {@code InitialContext}
     * @return the opaque token bytes, or {@code null} when none were obtained
     */
    private byte[] getOpaqueTokenFromCorbaObject(final ByteArray byteArray, final Hashtable hashtable) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOpaqueTokenFromCorbaObject", new Object[]{byteArray, hashtable});
        }
        PrivilegedExceptionAction<byte[]> remoteFetch = new PrivilegedExceptionAction<byte[]>() {
            @Override // java.security.PrivilegedExceptionAction
            public byte[] run() throws Exception {
                try {
                    Object reference = new InitialContext(hashtable).lookup("SecurityServer");
                    if (reference == null) {
                        return null;
                    }
                    com.ibm.ws.security.server.SecurityServer remoteServer = (com.ibm.ws.security.server.SecurityServer) PortableRemoteObject.narrow(reference, com.ibm.ws.security.server.SecurityServer.class);
                    if (remoteServer == null) {
                        return null;
                    }
                    TokenHolder holder = remoteServer.getOpaqueToken(byteArray);
                    return holder == null ? null : holder.getBytes();
                } catch (Exception remoteFailure) {
                    // The failure is absorbed here, so the caller sees null instead of an exception.
                    FFDCFilter.processException(remoteFailure, "com.ibm.ws.security.auth.ContextManagerImpl.getOpaqueTokenFromCorbaObject", "1749", this);
                    if (ContextManagerImpl.tc.isDebugEnabled()) {
                        Tr.debug(ContextManagerImpl.tc, "Exception getting opaque token from originating server.", new Object[]{remoteFailure});
                    }
                    return null;
                }
            }
        };
        byte[] tokenBytes = null;
        try {
            tokenBytes = (byte[]) runAsSpecified(createUnauthenticatedSubject(), remoteFetch);
        } catch (WSSecurityException securityFailure) {
            FFDCFilter.processException(securityFailure, "com.ibm.ws.security.auth.ContextManagerImpl.getOpaqueTokenFromCorbaObject", "1762", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting opaque token from originating server.", new Object[]{securityFailure});
            }
        } catch (PrivilegedActionException wrapped) {
            FFDCFilter.processException(wrapped.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.getOpaqueTokenFromCorbaObject", "1766", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting opaque token from originating server.", new Object[]{wrapped.getException()});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getOpaqueTokenFromCorbaObject", tokenBytes);
        }
        return tokenBytes;
    }

    /**
     * Fetches the opaque token for {@code byteArray} by delegating to
     * {@code getWSCredTokenMapper().getOpaqueTokenFromMBean(byteArray, str, properties)}.
     *
     * <p>The delegate call is wrapped in a {@code PrivilegedExceptionAction} handed to
     * {@code runAsSystem}. Failures are reported to FFDC and collapse to {@code null}.
     *
     * <p>NOTE(review): {@code runAsSystem} presumably executes the action under the server's own
     * identity; confirm that {@code str} and {@code properties} cannot be chosen by an unauthenticated
     * peer, since they are forwarded unchanged to the delegate.
     *
     * <p>NOTE(review): entry trace receives {@code properties} and exit trace receives the returned token
     * bytes. How {@code Tr} renders them is not visible here; confirm trace output is access-controlled,
     * or redact these arguments.
     *
     * @param byteArray  key forwarded to the token mapper
     * @param str        forwarded unchanged to the token mapper (meaning not visible here)
     * @param properties forwarded unchanged to the token mapper (meaning not visible here)
     * @return the token bytes, or {@code null} when the delegate returns nothing or any exception occurs
     */
    private byte[] getOpaqueTokenFromMBean(final ByteArray byteArray, final String str, final Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOpaqueTokenFromMBean", new Object[]{byteArray, str, properties});
        }
        byte[] bArr = null;
        try {
            bArr = (byte[]) runAsSystem(new PrivilegedExceptionAction<byte[]>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.6
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws Exception {
                    try {
                        return ContextManagerImpl.this.getWSCredTokenMapper().getOpaqueTokenFromMBean(byteArray, str, properties);
                    } catch (Exception e) {
                        // "this" here is the anonymous action instance, not the enclosing ContextManagerImpl.
                        FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getOpaqueTokenFromMBean", "1795", this);
                        if (!ContextManagerImpl.tc.isDebugEnabled()) {
                            return null;
                        }
                        // The exception itself is not passed to the trace call here; only FFDC records it.
                        Tr.debug(ContextManagerImpl.tc, "Exception getting opaque token from originating server.");
                        return null;
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            // Report the wrapped cause, not the PrivilegedActionException wrapper.
            FFDCFilter.processException(e.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.getOpaqueTokenFromMBean", "1808", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting opaque token from originating server.", new Object[]{e.getException()});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getOpaqueTokenFromMBean", bArr);
        }
        return bArr;
    }

    /**
     * Returns the "own" subject recorded in the current thread's security state.
     *
     * <p>When cell security is disabled the method returns {@code null} immediately, before any
     * permission check. Otherwise, if a {@code SecurityManager} is installed, the caller must hold
     * {@code GET_OWN_CRED_PERM}. On a non-server process a missing thread subject falls back to the
     * vault's default subject.
     *
     * <p>Note that the {@code SecurityException} raised by a failed permission check is caught by the
     * broad handler below and surfaces to the caller as a {@code WSSecurityException}.
     *
     * @return the thread's own subject, the vault default subject on a client, or {@code null}
     * @throws WSSecurityException wrapping any exception raised while resolving the subject
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject getOwnSubject() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOwnSubject");
        }
        try {
            final SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                    Tr.debug(tc, "Expecting : " + GET_OWN_CRED_PERM.toString());
                }
                sm.checkPermission(GET_OWN_CRED_PERM);
            }
            Subject resolved = getThreadLocal().get_state_of_curr_obj().getOwnSubject();
            if (resolved == null) {
                // Only client processes fall back to the vault's default subject.
                if (!processIsServer()) {
                    resolved = VaultImpl.getInstance().get_default_subject();
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getOwnSubject");
            }
            return resolved;
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.getOwnSubject", "1844", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Returns the platform helper supplied by {@code PlatformHelperFactory}.
     *
     * @return whatever {@code PlatformHelperFactory.getPlatformHelper()} returns
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public PlatformHelper getPlatformHelper() {
        final PlatformHelper helper = PlatformHelperFactory.getPlatformHelper();
        return helper;
    }

    /**
     * Looks up a propagation token by name in the current thread's security state.
     *
     * <p>The null-argument path throws after the entry trace and without a matching exit trace.
     *
     * @param str name of the propagation token; must not be {@code null}
     * @return the token, or {@code null} when cell security is disabled or no token is stored under
     *         that name
     * @throws WSSecurityException if {@code str} is {@code null}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public PropagationToken getPropagationToken(String str) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPropagationToken", str);
        }
        if (str == null) {
            throw new WSSecurityException("Invalid null parameter");
        }
        final PropagationToken found = isCellSecurityEnabled() ? getThreadLocal().get_propagation_token(str) : null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPropagationToken", found);
        }
        return found;
    }

    /**
     * Returns the propagation tokens held in the current thread's security state.
     *
     * <p>NOTE(review): the map is returned exactly as the thread-local hands it out. Whether that is a
     * copy or the live map is not visible here; confirm before letting callers mutate it. The exit trace
     * also receives the whole map.
     *
     * @return the thread's propagation-token map, or {@code null} when cell security is disabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Map getPropagationTokens() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPropagationTokens");
        }
        final Map tokens = isCellSecurityEnabled() ? getThreadLocal().get_propagation_tokens() : null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPropagationTokens", tokens);
        }
        return tokens;
    }

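    /**
     * Resolves a security property, consulting in order: the local cache, the CSIv2 configuration, the
     * security configuration (server processes only) and finally the ORB.
     *
     * <p>The resolved value is cached. A miss is cached as the empty string, so this method never
     * returns {@code null} and a property that was absent on first lookup keeps resolving to
     * {@code ""} for as long as the cache entry lives (cache eviction is not visible here).
     *
     * <p>Changes from the previous version: the first trace statement is now guarded by
     * {@code isDebugEnabled()} to match the {@code Tr.debug} call it protects, and the always-true
     * null check before the cache write has been removed.
     *
     * <p>NOTE(review): resolved values are concatenated into debug trace. Confirm that no
     * secret-valued keys are resolved through this method, or redact the value before tracing.
     *
     * @param str property name
     * @return the property value, or {@code ""} when no source defines it
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getProperty(String str) {
        ORB orb;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getProperty : " + str);
        }
        String str2 = this.getPropertyCache.get(str);
        if (str2 == null) {
            String str3 = null;
            CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
            if (cSIv2Config != null) {
                str3 = cSIv2Config.getString(str);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Property from csiv2 config is: " + str3);
                }
            }
            // The security configuration is only consulted inside a server process.
            if (str3 == null && RasHelper.isServer()) {
                str3 = getPropertyFromSecurityConfig(str);
            } else if (!RasHelper.isServer() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getProperty is called on client, skipping SecurityConfig check.");
            }
            if (str3 == null && (orb = VaultImpl.getInstance().getORB()) != null) {
                str3 = orb.getProperty(str);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Property from orb is: " + str3 + ", the orb: " + orb);
                }
            }
            // A miss is normalised to "" so it can be cached like any other value.
            str2 = str3 != null ? str3 : "";
            this.getPropertyCache.put(str, str2);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Returning: " + str2);
        }
        return str2;
    }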

    /**
     * Reads a property from the security configuration, trying {@code getProperty} first and
     * {@code getString} second.
     *
     * <p>NOTE(review): both lookups write the resolved value to debug trace. Confirm that no
     * secret-valued keys are resolved through this method, or redact the value before tracing.
     *
     * @param str property name
     * @return the value, or {@code null} when there is no security configuration or neither lookup
     *         yields a value
     */
    String getPropertyFromSecurityConfig(String str) {
        final SecurityConfig config = getSecurityConfig();
        if (config == null) {
            return null;
        }
        String value = config.getProperty(str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Property from security config is: " + value);
        }
        if (value != null) {
            return value;
        }
        value = config.getString(str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "String from security config is: " + value);
        }
        return value;
    }

    /**
     * Resolves a property through {@link #getProperty(String)} and substitutes a default when the
     * result is {@code null} or empty.
     *
     * @param str  property name
     * @param str2 value to return when the property is unset or empty
     * @return the resolved value, or {@code str2}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getProperty(String str, String str2) {
        final String resolved = getProperty(str);
        if (resolved != null && !"".equals(resolved)) {
            return resolved;
        }
        return str2;
    }

    /**
     * Asks the security server for its realms.
     *
     * <p>Any exception is reported to FFDC and debug trace and then turned into a {@code null} result,
     * so callers must treat {@code null} as "unknown" rather than "no realms".
     *
     * @return the realm list from the security server, or {@code null} on failure
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public List getRealms() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealms");
        }
        List realms = null;
        try {
            realms = getSecurityServer().getRealms();
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.getRealms", "1977", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception during getRealms(): ", new Object[]{failure});
            }
            realms = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRealms", realms);
        }
        return realms;
    }

    /**
     * Returns the stored region user id.
     *
     * @return the current value of the {@code regionUserid} field
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getRegionId() {
        final String regionId = this.regionUserid;
        return regionId;
    }

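    /**
     * Creates a fresh {@code UserRegistryImpl}.
     *
     * <p>Construction failures are still non-fatal and yield {@code null}, but the exception is now
     * written to debug trace instead of being dropped silently, so a registry that fails to come up can
     * be diagnosed.
     *
     * @return a new registry instance, or {@code null} if construction threw
     */
    public static UserRegistry getNewRegistryImpl() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getNewRegistryImpl");
        }
        UserRegistryImpl userRegistryImpl = null;
        try {
            userRegistryImpl = new UserRegistryImpl();
        } catch (Exception e) {
            // Best-effort by design: callers receive null. Keep the cause visible in trace.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating UserRegistryImpl.", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNewRegistryImpl", userRegistryImpl);
        }
        return userRegistryImpl;
    }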

    /**
     * Always returns {@code null} in this implementation.
     *
     * @return {@code null}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public UserRegistry getNewRegistry() {
        return null;
    }

    /**
     * Returns the user registry for the named realm.
     *
     * <p>The security server is asked first. When it has no registry for the realm, the method falls
     * back to {@code SecurityServerImpl.getRegistryImpl(str)}. Any exception on either path is reported
     * to FFDC and debug trace and results in {@code null}.
     *
     * @param str realm name
     * @return the registry, or {@code null} when none is available or an exception occurred
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public UserRegistry getRegistry(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRegistry", str);
        }
        UserRegistry registry = null;
        try {
            registry = getSecurityServer().getRegistry(str);
            if (registry == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getRegistry is null (likely bootstrap), returning getRegistryImpl.");
                }
                registry = SecurityServerImpl.getRegistryImpl(str);
            }
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.getRegistry", "2028", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception during getRegistry(): ", new Object[]{failure});
            }
            registry = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRegistry", registry);
        }
        return registry;
    }

    /**
     * Lazily resolves and caches the registry implementation for the default realm.
     *
     * <p>A failed resolution leaves the cached field {@code null}, so the next call tries again. A
     * caller in this file treats a {@code null} result as "bootstrap mode".
     *
     * @return the cached registry object, or {@code null} when it could not be obtained
     */
    private Object getRegistryObject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRegistryObject");
        }
        final boolean needsLookup = this._registryObject == null;
        if (needsLookup) {
            try {
                this._registryObject = SecurityServerImpl.getRegistryImpl(getDefaultRealm());
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.getRegistryObject", "2045");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception getting registry instance during bootstrap check.", failure);
                }
                this._registryObject = null;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRegistryObject", this._registryObject);
        }
        return this._registryObject;
    }

    /**
     * Returns the ORB request timeout reduced by a fixed margin of 5000.
     *
     * <p>NOTE(review): {@code getORB()} is dereferenced without a null check here, while
     * {@code getProperty(String)} in this class treats a {@code null} ORB as possible. The result is
     * also negative when the ORB timeout is below the margin. Confirm that callers tolerate both cases.
     *
     * @return the ORB request timeout minus 5000
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public long getReqTimeout() {
        final int margin = 5000;
        return VaultImpl.getInstance().getORB().getRequestTimeout() - margin;
    }

    /**
     * Returns the root exception recorded in the current thread's security state.
     *
     * @return the recorded throwable, or {@code null} when cell security is disabled or nothing was
     *         recorded
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Throwable getRootException() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRootException");
        }
        Throwable root = null;
        final boolean secured = isCellSecurityEnabled();
        if (secured) {
            root = getThreadLocal().get_root_exception();
        }
        if (secured && tc.isDebugEnabled()) {
            Tr.debug(tc, "Getting root exception for new fix: ", root);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRootException");
        }
        return root;
    }

    /**
     * Lazily obtains the security server from the vault and caches it in {@code this.securityServer}.
     *
     * <p>On failure the cached field stays {@code null}, so the next call tries again, and the failure
     * is reported as an {@code AuthenticationFailedException} that carries only the original message.
     * The original exception itself is recorded by FFDC and debug trace.
     *
     * @return the cached or freshly obtained security server
     * @throws AuthenticationFailedException if the vault cannot supply a security server
     */
    /* JADX INFO: Access modifiers changed from: private */
    public SecurityServer getSecurityServer() throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityServer");
        }
        final boolean notYetResolved = this.securityServer == null;
        if (notYetResolved) {
            try {
                this.securityServer = VaultImpl.getInstance().getSecurityServer();
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.getSecurityServer", "2092");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "", failure);
                }
                this.securityServer = null;
                throw new AuthenticationFailedException(failure.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityServer", this.securityServer);
        }
        return this.securityServer;
    }

    /**
     * Returns the configured security server host.
     *
     * <p>NOTE(review): the CSIv2 configuration is dereferenced without a null check here, while
     * {@code getProperty(String)} in this class treats a {@code null} configuration as possible.
     *
     * @return the {@code com.ibm.CORBA.securityServerHost} setting, or {@code ""} when cell security is
     *         disabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getSecurityServerHost() {
        if (!isCellSecurityEnabled()) {
            return "";
        }
        return SecurityObjectLocator.getCSIv2Config().getString("com.ibm.CORBA.securityServerHost");
    }

    /**
     * Returns the configured security server port.
     *
     * <p>NOTE(review): the CSIv2 configuration is dereferenced without a null check here, while
     * {@code getProperty(String)} in this class treats a {@code null} configuration as possible.
     *
     * @return the {@code com.ibm.CORBA.securityServerPort} setting, or {@code ""} when cell security is
     *         disabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getSecurityServerPort() {
        if (!isCellSecurityEnabled()) {
            return "";
        }
        return SecurityObjectLocator.getCSIv2Config().getString("com.ibm.CORBA.securityServerPort");
    }

    /**
     * Returns the server's {@code WSCredential}, extracted from the server subject.
     *
     * <p>Only meaningful inside a server process with cell security enabled; in every other case the
     * result is {@code null}. The exit trace on the server path receives the credential object.
     *
     * @return the server credential, or {@code null} when cell security is disabled or the process is
     *         not a server
     * @throws WSSecurityException propagated from {@code getServerSubject()} or the subject helper
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public synchronized WSCredential getServerCredential() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerCredential");
        }
        if (!processIsServer()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerCredential, not on server");
            }
            return null;
        }
        final WSCredential serverCred = SubjectHelper.getWSCredentialFromSubject(getServerSubject());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getServerCredential", serverCred);
        }
        return serverCred;
    }

    /**
     * Returns the stored server-security flag.
     *
     * @return the current value of the {@code serverSecurityEnabled} field
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean getServerSecurityEnabled() {
        final boolean enabled = this.serverSecurityEnabled;
        return enabled;
    }

    /**
     * Refreshes the server subject without forcing a refresh; equivalent to
     * {@code refreshServerSubject(false)}.
     *
     * @throws WSSecurityException propagated from {@link #refreshServerSubject(boolean)}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void refreshServerSubject() throws WSSecurityException {
        final boolean force = false;
        refreshServerSubject(force);
    }

    /**
     * Refreshes the server subject by calling {@code getServerSubjectInternal(z)} with the
     * {@code refreshServerSubject} flag raised. Does nothing when cell security is disabled.
     *
     * <p>The flag is always lowered again, whether the refresh succeeds or throws.
     *
     * <p>NOTE(review): the flag is an instance field set here without any visible lock. Confirm whether
     * concurrent callers can observe it mid-refresh.
     *
     * @param z forwarded to {@code getServerSubjectInternal(boolean)}
     * @throws WSSecurityException propagated from {@code getServerSubjectInternal(boolean)}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void refreshServerSubject(boolean z) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "refreshServerSubject");
        }
        try {
            this.refreshServerSubject = true;
            getServerSubjectInternal(z);
        } finally {
            // Lower the flag on both the success path and every failure path.
            this.refreshServerSubject = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshServerSubject");
        }
    }

    /**
     * Returns the subject that represents this server.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>Cell security disabled: {@code null}.</li>
     *   <li>No {@code AdminContext} on the thread and this manager's domain is not "admin": delegate to
     *       the "admin" ContextManager, store its answer in {@code this.serverSubject} and return it
     *       (this path has no exit trace).</li>
     *   <li>{@code this.serverSubject} still {@code null} ("bootstrap mode"): for a "profile:" domain
     *       with an {@code AdminContext}, delegate to the "admin" ContextManager; otherwise return
     *       {@code serverBASubject}, which may itself be {@code null}.</li>
     *   <li>Otherwise: {@code getServerSubjectInternal()}.</li>
     * </ol>
     *
     * <p>NOTE(review): when debug trace is on, {@code serverSubject.toString()} and
     * {@code serverBASubject.toString()} are written to trace, and the exit trace receives the subject
     * inside {@code doPrivileged}. If {@code Subject} is {@code javax.security.auth.Subject}, its
     * {@code toString()} includes the string form of private credentials the caller may read. Confirm
     * that trace output is access-controlled.
     *
     * <p>NOTE(review): {@code _domainId} is dereferenced without a null check in the first delegation
     * test but is null-checked in the bootstrap branch. Confirm that it can never be {@code null} here.
     *
     * @return the server subject, or {@code null} when cell security is disabled or no bootstrap subject
     *         is available
     * @throws WSSecurityException propagated from the delegate ContextManager or from
     *         {@code getServerSubjectInternal()}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject getServerSubject() throws WSSecurityException {
        Subject serverSubjectInternal;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerSubject");
        }
        if (!isCellSecurityEnabled()) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getServerSubject cell security not enabled, returning null");
            return null;
        }
        if (tc.isDebugEnabled()) {
            if (this.serverSubject != null) {
                Tr.debug(tc, "AdminContext.peek() = " + AdminContext.peek() + " _domainId: " + this._domainId + " initialized: " + this.initialized + " serverSubject: " + this.serverSubject.toString());
            } else {
                Tr.debug(tc, "AdminContext.peek() = " + AdminContext.peek() + " _domainId: " + this._domainId + " initialized: " + this.initialized + " serverSubject is NULL");
            }
        }
        // No admin context on the thread and not the admin domain: the admin ContextManager is authoritative.
        if (AdminContext.peek() == null && !this._domainId.equalsIgnoreCase("admin")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getServerSubject sending to admin ContextManager");
            }
            this.serverSubject = ContextManagerFactory.getInstance("admin").getServerSubject();
            return this.serverSubject;
        }
        if (tc.isDebugEnabled() && this.serverSubject != null) {
            Tr.debug(tc, "serverSubject again: " + this.serverSubject.toString());
        }
        if (this.serverSubject == null) {
            // No server subject has been established yet.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "BOOTSTRAP MODE");
            }
            if (AdminContext.peek() != null && this._domainId != null && this._domainId.startsWith("profile:")) {
                return ContextManagerFactory.getInstance("admin").getServerSubject();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "BOOTSTRAP MODE: Returning BasicAuth server subject");
            }
            // serverBASubject is returned as-is, including when it is null.
            serverSubjectInternal = this.serverBASubject;
            if (tc.isDebugEnabled()) {
                if (this.serverBASubject == null) {
                    Tr.debug(tc, "serverBASubject is null");
                } else {
                    Tr.debug(tc, "serverBASubject: " + this.serverBASubject.toString());
                }
            }
        } else {
            serverSubjectInternal = getServerSubjectInternal();
        }
        if (tc.isEntryEnabled()) {
            final Subject subject = serverSubjectInternal;
            // The exit trace, which receives the subject, runs inside doPrivileged.
            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.7
                @Override // java.security.PrivilegedAction
                public Object run() {
                    Tr.exit(ContextManagerImpl.tc, "getServerSubject", subject);
                    return null;
                }
            });
        }
        return serverSubjectInternal;
    }

    /**
     * Returns the server subject without forcing a refresh; equivalent to
     * {@code getServerSubjectInternal(false)}.
     *
     * @return whatever {@code getServerSubjectInternal(false)} returns
     * @throws WSSecurityException propagated from {@code getServerSubjectInternal(boolean)}
     */
    @Override // com.ibm.ws.security.internals.ContextManagerInternals
    public Subject getServerSubjectInternal() throws WSSecurityException {
        final boolean force = false;
        return getServerSubjectInternal(force);
    }

    public Subject getServerSubjectInternal(boolean z) throws WSSecurityException {
        Subject login;
        long expiration;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerSubjectInternal");
        }
        if (!isCellSecurityEnabled()) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getServerSubjectInternal cell security not enabled, returning null");
            return null;
        }
        if (!processIsServer()) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getServerSubjectInternal", null);
            return null;
        }
        if (AdminContext.peek() == null && !this._domainId.equalsIgnoreCase("admin")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getServerSubjectInternal sending to admin ContextManager");
            }
            this.serverSubject = ContextManagerFactory.getInstance("admin").getServerSubject();
            return this.serverSubject;
        }
        if (getRegistryObject() == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "BOOTSTRAP MODE: Returning unauthenticated server subject.");
            }
            Subject createUnauthenticatedSubject = createUnauthenticatedSubject();
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerSubjectInternal", createUnauthenticatedSubject);
            }
            return createUnauthenticatedSubject;
        }
        final SecurityConfig securityConfig = getSecurityConfig();
        if (this.serverTokenCred != null && !this.serverTokenCred.isDestroyed()) {
            boolean z2 = true;
            long j = 0;
            try {
                synchronized (this) {
                    expiration = this.serverTokenCred.getExpiration();
                    if (this.serverKRBAuthnToken != null) {
                        j = this.serverKRBAuthnToken.getTokenExpiration();
                    }
                }
                if (expiration == -1 || expiration == 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server Subject does not expire.");
                    }
                    return this.serverSubject;
                }
                long currentTimeMillis = System.currentTimeMillis();
                long cushion = (expiration - currentTimeMillis) - this.cache.getCushion();
                if (cushion < 0) {
                    z2 = false;
                }
                if (this.serverKRBAuthnToken != null) {
                    long cushion2 = (j - currentTimeMillis) - this.cache.getCushion();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "current_time: " + currentTimeMillis);
                        Tr.debug(tc, "cushion: " + this.cache.getCushion());
                        Tr.debug(tc, "WSCredential time remaining:  " + cushion);
                        Tr.debug(tc, "KRBAuthnToken time remaining: " + cushion2);
                    }
                    if (cushion2 < 0) {
                        z2 = false;
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Is server subject valid? " + z2);
                }
                if (z2 && !this.refreshServerSubject) {
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getServerSubjectInternal: Server Subject returned with sufficient time left.");
                    }
                    return this.serverSubject;
                }
                synchronized (this) {
                    long j2 = 0;
                    try {
                        long expiration2 = this.serverTokenCred.getExpiration();
                        if (this.serverKRBAuthnToken != null) {
                            j2 = this.serverKRBAuthnToken.getTokenExpiration();
                        }
                        long currentTimeMillis2 = System.currentTimeMillis();
                        if (expiration2 - (currentTimeMillis2 + this.cache.getCushion()) <= 0 || z) {
                            if (z) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "LTPA runtime keys being refreshed, forcing refresh of server subject");
                                }
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Server Subject expired, refreshing...");
                            }
                            z2 = false;
                        }
                        if (this.serverKRBAuthnToken != null && (j2 - currentTimeMillis2) - this.cache.getCushion() < 0) {
                            z2 = false;
                        }
                        if (!z2) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Server Subject expired, refreshing...");
                            }
                            try {
                                if (AdminContext.peek() == null && !this._domainId.equalsIgnoreCase("admin")) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "getServerSubject sending to admin ContextManager");
                                    }
                                    this.serverSubject = ContextManagerFactory.getInstance("admin").getServerSubject();
                                    return this.serverSubject;
                                }
                                if (this.serverAuthToken != null) {
                                    this.serverAuthToken = (AuthenticationToken) this.serverAuthToken.clone();
                                }
                                if (this.serverAuthzToken != null) {
                                    this.serverAuthzToken = (AuthorizationToken) this.serverAuthzToken.clone();
                                }
                                if (this.serverSSOToken != null) {
                                    this.serverSSOToken = (SingleSignonToken) this.serverSSOToken.clone();
                                }
                                try {
                                    final Subject subject = this.serverSubject;
                                    final AuthorizationToken authorizationToken = this.serverAuthzToken;
                                    final AuthenticationToken authenticationToken = this.serverAuthToken;
                                    final SingleSignonToken singleSignonToken = this.serverSSOToken;
                                    this.isKerberosServerSubject = false;
                                    AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.8
                                        @Override // java.security.PrivilegedExceptionAction
                                        public Object run() throws WSLoginFailedException, WSSecurityException {
                                            Iterator<Object> it = subject.getPrivateCredentials().iterator();
                                            while (it.hasNext()) {
                                                ContextManagerImpl.this.setCredToken(it.next(), authorizationToken, authenticationToken, singleSignonToken);
                                            }
                                            return null;
                                        }
                                    });
                                    if (this.serverAuthToken != null && this.serverAuthzToken != null) {
                                        WSCredential createWSCredentialFromTokens = getWSCredTokenMapper().createWSCredentialFromTokens(this.serverAuthToken.getBytes(), this.serverAuthzToken);
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Updating server Subject with new wsCred token.");
                                        }
                                        ((WSCredentialImpl) this.serverTokenCred).refreshCred(createWSCredentialFromTokens);
                                    }
                                    if (this.isKerberosServerSubject) {
                                        try {
                                            final Subject subject2 = this.serverSubject;
                                            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.9
                                                @Override // java.security.PrivilegedExceptionAction
                                                public Object run() throws WSLoginFailedException, WSSecurityException {
                                                    KerberosTicket kerberosTicket = null;
                                                    for (Object obj : subject2.getPrivateCredentials()) {
                                                        if (obj instanceof KRBAuthnToken) {
                                                            try {
                                                                if ((obj instanceof KRBTicket) && ContextManagerImpl.this.isKrbAuthnTokenRenewable((KRBAuthnToken) obj)) {
                                                                    kerberosTicket = ((KRBTicket) obj).getKerberosTicket();
                                                                    r10 = kerberosTicket != null ? ContextManagerImpl.this.refreshKerberosTicket(kerberosTicket) : null;
                                                                    if (r10 != null && ContextManagerImpl.tc.isDebugEnabled()) {
                                                                        Tr.debug(ContextManagerImpl.tc, "Refresh Kerberos ticket successful");
                                                                    }
                                                                }
                                                                if ((kerberosTicket != null && r10 == null) || (kerberosTicket == null && securityConfig.getActiveAuthMechanism().getBoolean("enabledGssCredDelegate"))) {
                                                                    if (ContextManagerImpl.tc.isDebugEnabled()) {
                                                                        Tr.debug(ContextManagerImpl.tc, "Kerberos ticket is not renewed or failed to refresh or existed, get a new one.");
                                                                    }
                                                                    if (!securityConfig.getPropertyBool("com.ibm.websphere.security.krb.not.get.kerberos.ticket")) {
                                                                        r10 = ContextManagerImpl.this.getKerberosTicketFromKDC();
                                                                    }
                                                                }
                                                                if (kerberosTicket != null && r10 == null) {
                                                                    Tr.warning(ContextManagerImpl.tc, "Can not refresh nor get a new Kerberos ticket, so fallback to LTPA authentication until the next refresh");
                                                                }
                                                                ((KRBTicket) obj).setKerberosTicket(r10);
                                                                return null;
                                                            } catch (Exception e) {
                                                                if (!ContextManagerImpl.tc.isDebugEnabled()) {
                                                                    return null;
                                                                }
                                                                Tr.debug(ContextManagerImpl.tc, "Exception refreshing the KRBAuthnToken.", new Object[]{e.getMessage()});
                                                                return null;
                                                            }
                                                        }
                                                    }
                                                    return null;
                                                }
                                            });
                                        } catch (PrivilegedActionException e) {
                                            FFDCFilter.processException(e.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2502", this);
                                            setRootException(e.getException());
                                            throw new WSSecurityException(e.getException().getMessage(), e.getException());
                                        }
                                    }
                                } catch (PrivilegedActionException e2) {
                                    FFDCFilter.processException(e2.getException(), "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2434", this);
                                    setRootException(e2.getException());
                                    throw new WSSecurityException(e2.getException().getMessage(), e2.getException());
                                }
                            } catch (Exception e3) {
                                FFDCFilter.processException(e3, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2509");
                            }
                        }
                    } catch (Exception e4) {
                        FFDCFilter.processException(e4, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2362");
                        Tr.error(tc, "security.SecurityContext.getActualCreds", new Object[]{e4});
                        throw new WSSecurityException(e4.getMessage(), e4);
                    }
                }
            } catch (Exception e5) {
                FFDCFilter.processException(e5, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2339");
                Tr.error(tc, "security.SecurityContext.getActualCreds", new Object[]{e5});
                throw new WSSecurityException(e5.getMessage(), e5);
            }
        }
        if (this.serverTokenCred == null) {
            try {
                CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                boolean z3 = cSIv2Config.getBoolean(CSIv2Config.IS_USE_REGISTRY_SERVERID);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "useRegistryServerId", new Boolean(z3));
                }
                if (z3) {
                    String string = cSIv2Config.getString("com.ibm.CORBA.loginPassword");
                    if (string == null || string.equals("")) {
                        login = login(getAdminRealm(), cSIv2Config.getString("com.ibm.CORBA.loginUserid"));
                        this.cache.insert(login);
                    } else {
                        login = login(getAdminRealm(), cSIv2Config.getString("com.ibm.CORBA.loginUserid"), string);
                        this.cache.insert(login, string);
                    }
                } else {
                    String string2 = SecurityObjectLocator.getAdminData().getString("com.ibm.ws.security.internalServerId");
                    if (string2 == null) {
                        throw new WSSecurityException("Found null internalServerId.");
                    }
                    Hashtable hashtable = new Hashtable();
                    String str = "server:" + getDefaultRealm() + "/" + string2;
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, str);
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, string2);
                    Subject subject3 = new Subject();
                    subject3.getPublicCredentials().add(hashtable);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "internal serverID's uniqueID = " + str + " and securityName = " + string2);
                    }
                    login = login(getAdminRealm(), string2, (String) null, (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, subject3);
                    if (login.getPublicCredentials().contains(hashtable)) {
                        login.getPublicCredentials().remove(hashtable);
                    }
                    this.cache.insert(login);
                }
                if (login != null) {
                    this.serverKRBAuthnToken = SubjectHelper.getKerberosAuthnTokenFromSubject(login);
                    WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(login);
                    if (getPlatformHelper().isZOS()) {
                        wSCredentialFromSubject.set(CommonConstants.PLATFORM_CREDENTIAL, PlatformCredentialManager.instance().createServerCredential());
                    }
                    this.serverTokenCred = wSCredentialFromSubject;
                    this.serverSubject = login;
                    this.serverSubject.setReadOnly();
                    ((WSCredentialImpl) this.serverTokenCred).markServerCred(scs.getEncryptedServerSigner());
                    if (this.serverTokenCred.isForwardable()) {
                        this.serverAuthToken = getWSCredTokenMapper().createAuthTokenFromWSCredential(this.serverTokenCred);
                        this.serverAuthzToken = getWSCredTokenMapper().createAuthzTokenFromWSCredential(this.serverTokenCred);
                        this.serverSSOToken = getWSCredTokenMapper().createSSOTokenFromWSCredential(this.serverTokenCred);
                    }
                }
            } catch (Exception e6) {
                FFDCFilter.processException(e6, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSubjectInternal", "2595");
                Tr.error(tc, "security.SecurityContext.getActualCreds", new Object[]{e6});
                throw new WSSecurityException(e6.getMessage(), e6);
            }
        }
        this.serverSubjectCreated = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getServerSubjectInternal: Server Subject created or refreshed.");
        }
        return this.serverSubject;
    }

    /**
     * Returns the security server host string held in the calling thread's context.
     *
     * @return the result of {@code get_all_hosts()} on the thread context, or an empty string
     *         when {@link #isCellSecurityEnabled()} returns {@code false}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getSpecificSecurityServerHost() {
        if (isCellSecurityEnabled()) {
            return getThreadLocal().get_all_hosts();
        }
        // Security is off: there is no security server to report.
        return "";
    }

    /**
     * Returns the security server port string held in the calling thread's context.
     *
     * @return the result of {@code get_all_ports()} on the thread context, or an empty string
     *         when {@link #isCellSecurityEnabled()} returns {@code false}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getSpecificSecurityServerPort() {
        if (isCellSecurityEnabled()) {
            return getThreadLocal().get_all_ports();
        }
        // Security is off: there is no security server to report.
        return "";
    }

    /**
     * Looks up a cached Subject using the cache key that the credential token mapper extracts
     * from the supplied Subject.
     *
     * <p>NOTE(review): the cache key is concatenated into a debug trace message. If knowing the
     * key is enough to resolve an authenticated Subject, trace output containing it should be
     * handled as sensitive data. Confirm against the cache's key semantics.
     *
     * @param subject the Subject to extract a cache key from; may be {@code null}
     * @return the Subject returned by the auth cache for that key, or {@code null} when
     *         {@code subject} is {@code null} or the mapper yields no cache key
     * @throws Exception whatever the token mapper or the cache lookup throws
     */
    private Subject getSubjectFromHashtableCacheKey(Subject subject) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubjectFromHashtableCacheKey", subject);
        }
        Subject cached = null;
        if (subject != null) {
            Object cacheKey = getWSCredTokenMapper().getCacheKeyFromHashtable(subject);
            if (cacheKey != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Looking for Subject using cacheKey (" + cacheKey + ") from hashtable.");
                }
                // The cache has separate lookups for byte[] keys and for other key objects.
                if (cacheKey instanceof byte[]) {
                    cached = this.cache.getSubject((byte[]) cacheKey);
                } else {
                    cached = this.cache.getSubject(cacheKey);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSubjectFromHashtableCacheKey", cached);
        }
        return cached;
    }

    /**
     * Resolves a cached Subject from a propagated cache key carried in a token holder list.
     *
     * <p>Every {@code TokenHolder} whose name equals
     * {@code AttributeNameConstants.WSCREDENTIAL_CACHE_KEY} is examined. Its bytes are converted
     * to a string cache key; keys starting with {@code /UNAUTHENTICATED} are ignored, any other
     * key is looked up in the auth cache. When {@code bArr} is non-null, the Subject found must
     * carry either a WSCredential whose credential token equals {@code bArr} or a default SSO
     * token whose bytes equal {@code bArr}; otherwise the Subject is dropped and the cache entry
     * for that key is removed.
     *
     * <p>When {@code bArr} is {@code null} no token comparison is made, so the Subject is
     * returned on the strength of the cache key alone.
     *
     * @param bArr token bytes the cached Subject must match, or {@code null} to skip the match
     * @param list token holders to scan; may be {@code null}
     * @return {@code null} when neither a Subject nor a cache key was obtained; otherwise a
     *         two-element array {@code {subject, cacheKey}}, where the subject element is
     *         {@code null} if the lookup missed or the token did not match
     * @throws Exception whatever the conversion, cache or credential accessors throw
     */
    private Object[] getSubjectFromTokenHolderCacheKey(byte[] bArr, List list) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubjectFromTokenHolderCacheKey", new Object[]{bArr, list});
        }
        // Both values persist across loop iterations; a later matching holder overwrites them.
        Subject subject = null;
        String str = null;
        if (list != null) {
            for (int i = 0; i < list.size(); i++) {
                TokenHolder tokenHolder = (TokenHolder) list.get(i);
                if (tokenHolder.getName().equals(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY)) {
                    byte[] bytes = tokenHolder.getBytes();
                    if (bytes != null) {
                        str = StringBytesConversion.getConvertedString(bytes);
                        // NOTE(review): the cache key is written to debug trace; treat trace output as
                        // sensitive if the key alone can resolve an authenticated Subject. Confirm.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found cache key from token holder list: " + str);
                        }
                        if (str.startsWith("/UNAUTHENTICATED")) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Ignoring cache key because it starts with /UNAUTHENTICATED");
                            }
                            // An unauthenticated key is discarded entirely, not just skipped for lookup.
                            str = null;
                        } else {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Try to retrieve subject from cache using the cache key");
                            }
                            subject = this.cache.getSubject(str);
                        }
                    }
                    if (subject != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found Subject using cacheKey from prop token.");
                        }
                        // Bind the cache hit to the presented token: the key alone is not accepted
                        // when the caller supplied token bytes.
                        if (bArr != null) {
                            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                            SingleSignonToken defaultSSOTokenFromSubject = SubjectHelper.getDefaultSSOTokenFromSubject(subject);
                            // NOTE(review): Arrays.equals is not a constant-time comparison. Consider whether a
                            // timing-safe comparison (e.g. MessageDigest.isEqual, with null handling) is
                            // warranted for token bytes here.
                            if (!((wSCredentialFromSubject != null && Arrays.equals(bArr, wSCredentialFromSubject.getCredentialToken())) || (defaultSSOTokenFromSubject != null && Arrays.equals(bArr, defaultSSOTokenFromSubject.getBytes())))) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Subject found from cacheKey does not have matching LTPA token.");
                                    Tr.debug(tc, "Purge the old subject from cache.");
                                }
                                // The Subject is dropped but str is kept, so the caller still gets the key back.
                                subject = null;
                                // NOTE(review): a token mismatch evicts the entry for this key. Confirm the key
                                // cannot be supplied by a peer that has not been authenticated yet.
                                this.cache.removeEntry(str);
                            }
                        }
                    }
                }
            }
        }
        Object[] objArr = (subject == null && str == null) ? null : new Object[]{subject, str};
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSubjectFromTokenHolderCacheKey", objArr);
        }
        return objArr;
    }

    /**
     * Returns the security thread context of the calling thread, creating and storing a new
     * {@code ThreadContextImpl} on first use.
     *
     * @return the thread context bound to the current thread; never {@code null}
     */
    @Override // com.ibm.ws.security.core.ContextManager, com.ibm.ws.security.internals.ContextManagerInternals
    public ThreadContextImpl getThreadLocal() {
        ThreadLocal storage = getThreadLocalStorage();
        ThreadContextImpl existing = (ThreadContextImpl) storage.get();
        if (existing != null) {
            return existing;
        }
        // First access on this thread: bind a fresh context.
        ThreadContextImpl created = new ThreadContextImpl();
        storage.set(created);
        return created;
    }

    /**
     * Returns the {@code ThreadLocal} that holds the per-thread security context.
     *
     * @return the {@code threadLocStorage} field
     */
    private ThreadLocal getThreadLocalStorage() {
        ThreadLocal storage = threadLocStorage;
        return storage;
    }

    /**
     * Builds an unauthenticated Subject and returns the WSCredential it carries.
     *
     * @return the credential extracted from the Subject produced by
     *         {@code createUnauthenticatedSubject()}
     * @throws WSSecurityException declared by the interface; thrown by the helpers called here
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential getUnauthenticatedCredential() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUnauthenticatedCredential");
        }
        Subject unauthenticatedSubject = createUnauthenticatedSubject();
        WSCredential unauthenticatedCred = SubjectHelper.getWSCredentialFromSubject(unauthenticatedSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUnauthenticatedCredential", unauthenticatedCred);
        }
        return unauthenticatedCred;
    }

    /**
     * Returns the identifier used for the unauthenticated user, resolving it on first call.
     *
     * <p>The default is {@code WASPrincipal.UNAUTHENTICATED}. On a z/OS server whose active user
     * registry type is {@code LOCALOS}, a non-null value of the
     * {@code com.ibm.security.SAF.unauthenticated} property replaces the default. The resolved
     * value is kept in {@code unauthenticatedId} and reused on later calls.
     *
     * @return the unauthenticated user identifier
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getUnauthenticatedString() {
        if (unauthenticatedId != null) {
            // Already resolved by an earlier call.
            return unauthenticatedId;
        }
        unauthenticatedId = WASPrincipal.UNAUTHENTICATED;
        SecurityConfig securityConfig = getSecurityConfig();
        if (RasHelper.isServer() && getPlatformHelper().isZOS() && securityConfig != null) {
            UserRegistryConfig activeRegistry = securityConfig.getActiveUserRegistry();
            if (activeRegistry != null && activeRegistry.getType().equals("LOCALOS")) {
                String safUnauthenticatedId = getProperty("com.ibm.security.SAF.unauthenticated");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getUnauthenticatedString SAF Unauthenticated ID is ", safUnauthenticatedId);
                }
                if (safUnauthenticatedId != null) {
                    unauthenticatedId = safUnauthenticatedId;
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getUnauthenticatedString Unauthenticated ID is ", unauthenticatedId);
        }
        return unauthenticatedId;
    }

    /**
     * Returns the credential/token mapper, creating a {@code WSCredentialTokenMapper} the first
     * time it is requested.
     *
     * <p>NOTE(review): no synchronization is visible here, so concurrent first calls may each
     * construct a mapper. Confirm that is harmless.
     *
     * @return the mapper instance held in {@code wsCredTokenMapper}
     * @throws WSSecurityException declared by the interface
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredentialTokenMapperInterface getWSCredTokenMapper() throws WSSecurityException {
        if (this.wsCredTokenMapper != null) {
            return this.wsCredTokenMapper;
        }
        this.wsCredTokenMapper = new WSCredentialTokenMapper();
        return this.wsCredTokenMapper;
    }

    /**
     * Reads the {@code com.ibm.CSI.authenticateSpecialMethods} setting and, on a process that is
     * not a server, marks the security service as started.
     *
     * @throws WSSecurityException declared for callers; thrown by the helpers called here
     */
    private void init() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init()");
        }
        CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
        this.isAuthenticateSpecialMethodsEnabled = csiv2Config.getBoolean("com.ibm.CSI.authenticateSpecialMethods");
        boolean serverProcess = processIsServer();
        if (!serverProcess) {
            // Non-server processes do not wait for a security service start event.
            this.isSecurityServiceStarted = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, CreateServletTemplateModel.INIT);
        }
    }

    /**
     * Performs the one-time setup of this context manager.
     *
     * <p>Returns immediately when cell security is disabled, or when this is a server process
     * that has already been initialized. Otherwise it sets {@code initialized}, calls
     * {@link #init()}, and on a server process obtains the server credential signer, registers
     * this object as a listener on the security service, obtains the auth cache, optionally
     * builds the basic-auth server Subject from the configured login user id and password,
     * creates the security server, and obtains the server Subject. Every failure path resets
     * {@code initialized} to {@code false} before rethrowing.
     *
     * <p>NOTE(review): {@code initialized} is set before the work completes and no
     * synchronization is visible in this method. Confirm callers serialize initialization.
     *
     * @throws WSSecurityException if the security service is unavailable or any setup step
     *         fails; other exceptions are wrapped with their message and cause
     */
    private void initialize() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AdminSubsystemExtensionHandler.INITIALIZE);
        }
        if (!isCellSecurityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "initialize(): Security not enabled, returning");
                return;
            }
            return;
        }
        // Only server processes short-circuit on the flag; other processes run the setup again.
        if (this.initialized && RasHelper.isServer()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "initialize(): already initialized, returning");
                return;
            }
            return;
        }
        this.initialized = true;
        try {
            init();
            if (RasHelper.isServer()) {
                try {
                    CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                    if (getPlatformHelper().isZOS()) {
                        this._platformCredManager = PlatformCredentialManager.instance();
                    }
                    // scs is what isServerCred/isWSCred/isWSSubject consult; it is null until this point.
                    scs = ServerCredSigner.getInstance();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "init(): Server cred signer instance: ", scs);
                    }
                    SecurityService securityService = getSecurityService();
                    if (securityService == null) {
                        throw new WSSecurityException("Security Service not available");
                    }
                    securityService.addListener(this);
                    this.cache = AuthCache.getInstance();
                    try {
                        if (cSIv2Config.getBoolean(CSIv2Config.IS_USE_REGISTRY_SERVERID)) {
                            // The configured login password is read as a String and handed to the subject
                            // helper; it is not traced here and should stay out of trace output.
                            this.serverBASubject = SubjectHelper.createBasicAuthSubject(getDefaultRealm(), cSIv2Config.getString("com.ibm.CORBA.loginUserid"), cSIv2Config.getString("com.ibm.CORBA.loginPassword"));
                            this.serverBACred = SubjectHelper.getWSCredentialFromSubject(this.serverBASubject);
                            // Stamp the credential with the server signer so it is recognised as a server credential.
                            ((WSCredentialImpl) this.serverBACred).markServerCred(scs.getEncryptedServerSigner());
                        }
                        SecurityServerFactory.create();
                        Subject serverSubjectInternal = getServerSubjectInternal();
                        this.serverTokenCred = SubjectHelper.getWSCredentialFromSubject(serverSubjectInternal);
                        // The server Subject is installed on this thread unless an AdminContext is present
                        // and the process is an admin agent.
                        if (AdminContext.peek() == null || !SecurityObjectLocator.getSecurityConfigManager().isAdminAgent()) {
                            setOwnSubject(serverSubjectInternal);
                            setCallerSubject(serverSubjectInternal);
                            setInvocationSubject(serverSubjectInternal);
                        }
                        // The exit trace is emitted only on this successful server path.
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, AdminSubsystemExtensionHandler.INITIALIZE);
                        }
                    } catch (Exception e) {
                        // Reset the flag so a later call can retry the setup.
                        this.initialized = false;
                        FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.enable", "2897");
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "", e);
                        }
                        throw new WSSecurityException(e.getMessage(), e);
                    }
                } catch (WSSecurityException e2) {
                    this.initialized = false;
                    throw e2;
                } catch (Exception e3) {
                    this.initialized = false;
                    throw new WSSecurityException(e3.getMessage(), e3);
                }
            }
        } catch (Exception e4) {
            this.initialized = false;
            // Rethrow WSSecurityException unchanged; wrap anything else.
            if (!(e4 instanceof WSSecurityException)) {
                throw new WSSecurityException(e4.getMessage(), e4);
            }
            throw ((WSSecurityException) e4);
        }
    }

    /**
     * Initializes this context manager and records the audit service if none is set yet.
     *
     * @param auditService the audit service to remember; ignored when {@code null} or when an
     *        audit service has already been stored
     * @throws WSSecurityException if the underlying {@code initialize()} fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void initialize(AuditService auditService) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AdminSubsystemExtensionHandler.INITIALIZE, new Object[]{auditService});
        }
        initialize();
        // The first non-null audit service wins; later ones are not allowed to replace it.
        if (auditService != null) {
            if (this._auditService == null) {
                this._auditService = auditService;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AdminSubsystemExtensionHandler.INITIALIZE);
        }
    }

    /**
     * Resets the calling thread's security state so that the given Subject is both the caller
     * and the invocation Subject.
     *
     * <p>The own Subject and the first authenticated user are cleared and the auth flag is set
     * to {@code false}. Nothing happens when cell security is disabled.
     *
     * @param subject the Subject to install as caller and invocation Subject; may be
     *        {@code null}
     * @throws WSSecurityException declared by the interface
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void initializeCallerContext(Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initializeCallerContext");
        }
        if (tc.isDebugEnabled() && subject != null) {
            Tr.debug(tc, "received_subject: " + subject.toString());
        }
        StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
        threadState.setCallerSubject(subject);
        threadState.setOwnSubject(null);
        threadState.setInvocationSubject(subject);
        threadState.setFirstAuthUser(null);
        threadState.setAuthFlag(false);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initializeCallerContext");
        }
    }

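    /**
     * Resets the calling thread's credential state from an array of received credentials.
     *
     * <p>The received credentials are stored as given, the own credential is cleared, and the
     * first received credential becomes the invocation credential. A {@code null} or empty array
     * leaves the invocation credential {@code null}. Nothing happens when cell security is
     * disabled.
     *
     * @param wSCredentialArr the received credentials; may be {@code null} or empty
     * @throws WSSecurityException declared by the interface
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void initializeCallerContext(WSCredential[] wSCredentialArr) throws WSSecurityException {
        if (isCellSecurityEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "initializeCallerContext");
            }
            StateofCurrObj stateofCurrObj = getThreadLocal().get_state_of_curr_obj();
            stateofCurrObj.setWSReceivedCreds(wSCredentialArr);
            stateofCurrObj.setWSOwnCred(null);
            // An empty array used to raise ArrayIndexOutOfBoundsException after the received and own
            // credentials had already been overwritten, leaving the thread state half-updated.
            // Treat it like null: no invocation credential.
            WSCredential invocationCred = (wSCredentialArr != null && wSCredentialArr.length > 0) ? wSCredentialArr[0] : null;
            stateofCurrObj.setWSInvocationCred(invocationCred);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "initializeCallerContext");
            }
        }
    }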

    /**
     * Initializes the calling thread's caller context with the server Subject.
     *
     * @throws WSSecurityException if obtaining the server Subject or setting the context fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void initializeSystemContext() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initializeSystemContext");
        }
        Subject systemSubject = getServerSubject();
        initializeCallerContext(systemSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initializeSystemContext");
        }
    }

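    /**
     * Asks the security service, when one is available, to clear the listener identified by
     * the given string.
     *
     * @param str the listener identifier passed through to the security service
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void clearListener(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearListener");
        }
        SecurityService securityService = getSecurityService();
        if (securityService != null) {
            securityService.clearListener(str);
        }
        if (tc.isEntryEnabled()) {
            // Was Tr.entry, which left the trace with two entries and no exit for this method.
            Tr.exit(tc, "clearListener");
        }
    }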

    /**
     * Reports whether cell-level security is enabled.
     *
     * <p>On a process that is not a server, the value is read once from the
     * {@code com.ibm.CORBA.securityEnabled} setting and cached. On a server process this method
     * does not read the configuration; it returns the current {@code cellSecurityEnabled} field.
     *
     * @return the current value of {@code cellSecurityEnabled}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isCellSecurityEnabled() {
        if (!this.isCellSecurityEnabledAlreadyChecked) {
            if (!RasHelper.isServer()) {
                CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
                this.cellSecurityEnabled = csiv2Config.getBoolean("com.ibm.CORBA.securityEnabled");
                this.isCellSecurityEnabledAlreadyChecked = true;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isCellSecurityEnabled " + this.cellSecurityEnabled);
            }
        }
        return this.cellSecurityEnabled;
    }

    /**
     * Reports whether the given credential is a server credential, as judged by the server
     * credential signer.
     *
     * <p>NOTE(review): when the signer ({@code scs}) is {@code null} this method answers
     * {@code true} for any argument, including {@code null}, so it fails open. The sibling
     * {@code isWSSubject} answers {@code false} in the same situation. Confirm that no
     * authorization decision can reach this method before the signer has been assigned.
     *
     * @param wSCredential the credential to test
     * @return {@code true} if the signer is absent or recognises the credential as a server
     *         credential
     * @throws WSSecurityException declared by the interface
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isServerCred(WSCredential wSCredential) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isServerCred", wSCredential);
        }
        boolean serverCred;
        if (scs != null) {
            serverCred = scs.isServerCred(wSCredential);
        } else {
            serverCred = true;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isServerCred scs is null, returning true");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isServerCred", Boolean.valueOf(serverCred));
        }
        return serverCred;
    }

    /**
     * Reports whether security is enabled for this server process.
     *
     * <p>For the process types {@code ManagedProcess} and
     * {@code AdminConstants.STANDALONE_PROCESS} both {@code com.ibm.CORBA.securityEnabled} and
     * {@code com.ibm.CORBA.serverSecurityEnabled} must be true; for any other process type only
     * {@code com.ibm.CORBA.securityEnabled} is consulted. The answer is cached once a non-null
     * process type has been seen; while the process type is {@code null} the current
     * {@code isEnabled} field is returned and nothing is cached.
     *
     * @return whether server security is enabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isServerSecurityEnabled() {
        if (this.isServerSecurityEnabledAlreadyChecked) {
            return this.isEnabled;
        }
        CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isServerSecurityEnabled");
        }
        String processType = SecurityObjectLocator.getAdminData().getProcessType();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "processType = " + processType);
        }
        if (processType != null) {
            boolean hasPerServerSwitch = processType.equals("ManagedProcess") || processType.equals(com.ibm.websphere.management.AdminConstants.STANDALONE_PROCESS);
            boolean enabled = csiv2Config.getBoolean("com.ibm.CORBA.securityEnabled");
            if (enabled && hasPerServerSwitch) {
                // The per-server switch can only narrow the cell-wide setting.
                enabled = csiv2Config.getBoolean("com.ibm.CORBA.serverSecurityEnabled");
            }
            this.isEnabled = enabled;
            this.isServerSecurityEnabledAlreadyChecked = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isServerSecurityEnabled", Boolean.valueOf(this.isEnabled));
        }
        return this.isEnabled;
    }

    /**
     * Reports whether the WSCredential carried by the given Subject is a server credential.
     *
     * <p>The decision is delegated to {@link #isServerCred(WSCredential)}.
     *
     * @param subject the Subject whose credential is tested
     * @return the result of {@code isServerCred} for the Subject's credential
     * @throws WSSecurityException if the credential cannot be extracted or tested
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isServerSubject(Subject subject) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isServerSubject", subject);
        }
        WSCredential subjectCred = SubjectHelper.getWSCredentialFromSubject(subject);
        boolean serverSubject = isServerCred(subjectCred);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isServerSubject", Boolean.valueOf(serverSubject));
        }
        return serverSubject;
    }

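    /**
     * Reports whether the given credential is recognised by the server credential signer as a
     * WebSphere credential.
     *
     * <p>When the signer ({@code scs}) has not been assigned, the answer is {@code false}. This
     * matches {@code isWSSubject} and replaces the NullPointerException this method used to
     * raise in that state.
     *
     * @param wSCredential the credential to test
     * @return {@code true} only if a signer is present and it accepts the credential
     * @throws WSSecurityException declared by the interface
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isWSCred(WSCredential wSCredential) throws WSSecurityException {
        if (scs == null) {
            // Without a signer nothing can vouch for the credential, so fail closed.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isWSCred scs is null, returning false");
            }
            return false;
        }
        return scs.isWSCred(wSCredential);
    }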

    /**
     * Reports whether the WSCredential carried by the given Subject is recognised by the server
     * credential signer as a WebSphere credential.
     *
     * @param subject the Subject whose credential is tested
     * @return {@code false} when no signer is available, otherwise the signer's verdict
     * @throws WSSecurityException if the credential cannot be extracted or tested
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isWSSubject(Subject subject) throws WSSecurityException {
        // The credential is extracted first, so extraction errors surface even without a signer.
        WSCredential subjectCred = SubjectHelper.getWSCredentialFromSubject(subject);
        return scs != null && scs.isWSCred(subjectCred);
    }

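    /**
     * Logs in with a token, using the configured authentication mechanism alias and the
     * mechanism OID parsed from the token when one can be determined.
     *
     * <p>Delegates to the eight-argument {@code login} overload with no servlet request,
     * response, map or partial Subject.
     *
     * <p>NOTE(review): the raw token bytes are passed to the entry trace. Confirm that the trace
     * formatter does not render token contents, or that entry trace is treated as sensitive.
     *
     * @param str the first argument forwarded to the full overload (presumably the realm;
     *        confirm against the interface)
     * @param bArr the token bytes; may be {@code null}
     * @return the Subject produced by the full overload; may be {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, byte[] bArr) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.LOGIN, new Object[]{str, bArr});
        }
        String string = SecurityObjectLocator.getCSIv2Config().getString(CSIv2Config.AUTH_MECH_ALIAS);
        String str2 = null;
        if (bArr != null) {
            try {
                str2 = GSSFactory.getMechOIDFromGSSToken(bArr);
            } catch (Exception e) {
                // Best effort: a token that is not a parseable GSS token simply has no mechanism OID.
                // The failure is traced instead of being dropped silently, so an unexpected parser
                // error can be diagnosed.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Could not determine the mechanism OID from the token; continuing without one.", new Object[]{e.getMessage()});
                }
            }
        }
        Subject login = login(str, bArr, string, (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, (Subject) null, str2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.LOGIN, login);
        }
        return login;
    }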

    /**
     * Logs in with a token, using the configured authentication mechanism alias and a
     * caller-supplied final argument.
     *
     * <p>Delegates to the eight-argument {@code login} overload with no servlet request,
     * response, map or partial Subject; {@code str2} is forwarded as that overload's last
     * argument.
     *
     * <p>NOTE(review): the raw token bytes are passed to the entry trace. Confirm that the trace
     * formatter does not render token contents.
     *
     * @param str the first argument forwarded to the full overload (presumably the realm;
     *        confirm against the interface)
     * @param bArr the token bytes
     * @param str2 forwarded as the last argument of the full overload
     * @return the Subject produced by the full overload; may be {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, byte[] bArr, String str2) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.LOGIN, new Object[]{str, bArr, str2});
        }
        String authMechAlias = SecurityObjectLocator.getCSIv2Config().getString(CSIv2Config.AUTH_MECH_ALIAS);
        Subject authenticated = login(str, bArr, authMechAlias, (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, (Subject) null, str2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.LOGIN, authenticated);
        }
        return authenticated;
    }

    /**
     * Logs in with a token in a web context.
     *
     * <p>Delegates to the eight-argument {@code login} overload with no partial Subject and a
     * {@code null} final argument.
     *
     * <p>NOTE(review): the raw token bytes and the request/response objects are passed to the
     * entry trace. Confirm that the trace formatter does not render token contents.
     *
     * @param str the first argument forwarded to the full overload (presumably the realm;
     *        confirm against the interface)
     * @param bArr the token bytes
     * @param str2 forwarded as the third argument of the full overload
     * @param httpServletRequest the servlet request, forwarded unchanged
     * @param httpServletResponse the servlet response, forwarded unchanged
     * @param map forwarded unchanged
     * @return the Subject produced by the full overload; may be {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, byte[] bArr, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Object[] traceArgs = new Object[]{str, bArr, str2, httpServletRequest, httpServletResponse, map};
            Tr.entry(tc, AuditConstants.LOGIN, traceArgs);
        }
        Subject authenticated = login(str, bArr, str2, httpServletRequest, httpServletResponse, map, (Subject) null, (String) null);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.LOGIN, authenticated);
        }
        return authenticated;
    }

    /**
     * Logs in with a token in a web context, starting from a caller-supplied partial Subject.
     *
     * <p>Delegates to the eight-argument {@code login} overload with a {@code null} final
     * argument.
     *
     * <p>NOTE(review): the raw token bytes and the partial Subject are passed to the entry
     * trace. Confirm that the trace formatter does not render token contents.
     *
     * @param str the first argument forwarded to the full overload (presumably the realm;
     *        confirm against the interface)
     * @param bArr the token bytes
     * @param str2 forwarded as the third argument of the full overload
     * @param httpServletRequest the servlet request, forwarded unchanged
     * @param httpServletResponse the servlet response, forwarded unchanged
     * @param map forwarded unchanged
     * @param subject the partial Subject, forwarded unchanged; may be {@code null}
     * @return the Subject produced by the full overload; may be {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, byte[] bArr, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Object[] traceArgs = new Object[]{str, bArr, str2, httpServletRequest, httpServletResponse, map, subject};
            Tr.entry(tc, AuditConstants.LOGIN, traceArgs);
        }
        Subject authenticated = login(str, bArr, str2, httpServletRequest, httpServletResponse, map, subject, (String) null);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.LOGIN, authenticated);
        }
        return authenticated;
    }

    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, byte[] bArr, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject, String str3) throws WSLoginFailedException {
        long j = 0;
        boolean z = false;
        try {
            if (StatsFactory.isPMIEnabled()) {
                j = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onTokenAuthCount();
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, AuditConstants.LOGIN, new Object[]{str, bArr, str2, httpServletRequest, httpServletResponse, map, subject, str3});
            }
            if (!isCellSecurityEnabled() || bArr == null || bArr.length == 0) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, token, authMech, . . .)");
                }
                if (StatsFactory.isPMIEnabled()) {
                    long currentTimeMillis = System.currentTimeMillis();
                    if (this.authModule != null) {
                        this.authModule.onTokenAuthTime(currentTimeMillis - j);
                    }
                }
                if (0 != 0) {
                    setAuthRetryForThread(true);
                }
                return null;
            }
            if (!processIsServer()) {
                if (StatsFactory.isPMIEnabled()) {
                    long currentTimeMillis2 = System.currentTimeMillis();
                    if (this.authModule != null) {
                        this.authModule.onTokenAuthTime(currentTimeMillis2 - j);
                    }
                }
                if (0 != 0) {
                    setAuthRetryForThread(true);
                }
                return null;
            }
            z = checkAuthRetryForThread();
            try {
                try {
                    if (!processIsServer()) {
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "login(realm, token, authMech, . . .)");
                        }
                        throw new WSLoginFailedException("Token can not be validated on a pure client or authentication target is basic authen");
                    }
                    List list = null;
                    String str4 = null;
                    Subject subject2 = null;
                    CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Web inbound login config: " + cSIv2Config.getString("com.ibm.ws.security.webInboundLoginConfig"));
                    }
                    if (cSIv2Config.getBoolean("com.ibm.CSI.rmiInboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for opaque token on the thread before Subject cache lookup.");
                        }
                        list = (ArrayList) get(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup());
                        Object[] subjectFromTokenHolderCacheKey = getSubjectFromTokenHolderCacheKey(bArr, list);
                        if (subjectFromTokenHolderCacheKey != null && (subjectFromTokenHolderCacheKey[0] != null || subjectFromTokenHolderCacheKey[1] != null)) {
                            subject2 = (Subject) subjectFromTokenHolderCacheKey[0];
                            str4 = (String) subjectFromTokenHolderCacheKey[1];
                        }
                    }
                    if (list == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for subject from cache using token as lookup.");
                        }
                        subject2 = this.cache.getSubject(bArr);
                        if (subject2 != null && str2 != null && str2.startsWith(cSIv2Config.getString("com.ibm.ws.security.webInboundLoginConfig")) && !isTokenMatch(bArr, subject2)) {
                            try {
                                getWSCredTokenMapper().validateLTPAToken(bArr);
                            } catch (Exception e) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Token validation was failed. Most likely ltpatoken is expired. Removing cache entry.");
                                }
                                this.cache.removeEntry(new ByteArray(bArr));
                                subject2 = null;
                            }
                        }
                    }
                    if (subject2 == null && cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled") && str2 != null && str2.startsWith(cSIv2Config.getString("com.ibm.ws.security.webInboundLoginConfig"))) {
                        Object opaqueTokenFromCacheOrOriginatingServer = getOpaqueTokenFromCacheOrOriginatingServer(bArr);
                        if (opaqueTokenFromCacheOrOriginatingServer != null) {
                            if (opaqueTokenFromCacheOrOriginatingServer instanceof KRBAuthnToken) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Logging in with KRBAuthnToken.");
                                }
                                if (subject == null) {
                                    subject = new Subject();
                                    subject.getPrivateCredentials().add(opaqueTokenFromCacheOrOriginatingServer);
                                } else if (!subject.getPrivateCredentials().contains(opaqueTokenFromCacheOrOriginatingServer)) {
                                    subject.getPrivateCredentials().add(opaqueTokenFromCacheOrOriginatingServer);
                                }
                                Object gSSCredential = ((KRBAuthnToken) opaqueTokenFromCacheOrOriginatingServer).getGSSCredential();
                                if (gSSCredential != null && !subject.getPrivateCredentials().contains(GSSCredential.class)) {
                                    subject.getPrivateCredentials().add(gSSCredential);
                                }
                                subject2 = str2 == null ? getJaasLoginHelper().jaas_login(str, ((KRBAuthnToken) opaqueTokenFromCacheOrOriginatingServer).getTokenPrincipal(), (String) null, subject) : (httpServletRequest == null && httpServletResponse == null && map == null) ? getJaasLoginHelper().jaas_login(str, ((KRBAuthnToken) opaqueTokenFromCacheOrOriginatingServer).getTokenPrincipal(), (String) null, str2, subject) : getJaasLoginHelper().jaas_login(str, ((KRBAuthnToken) opaqueTokenFromCacheOrOriginatingServer).getTokenPrincipal(), (String) null, str2, httpServletRequest, httpServletResponse, map, subject);
                            } else if (opaqueTokenFromCacheOrOriginatingServer instanceof Subject) {
                                subject2 = (Subject) opaqueTokenFromCacheOrOriginatingServer;
                            } else if (opaqueTokenFromCacheOrOriginatingServer instanceof GSSCredential) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Logging in with GSSCredential in subject.");
                                }
                                if (subject == null) {
                                    subject = new Subject();
                                    subject.getPrivateCredentials().add(opaqueTokenFromCacheOrOriginatingServer);
                                } else if (!subject.getPrivateCredentials().contains(opaqueTokenFromCacheOrOriginatingServer)) {
                                    subject.getPrivateCredentials().add(opaqueTokenFromCacheOrOriginatingServer);
                                }
                            } else {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Logging in with initial context token.");
                                }
                                bArr = (byte[]) opaqueTokenFromCacheOrOriginatingServer;
                                str3 = KRB5MechOID.value;
                            }
                        }
                        if (subject2 == null) {
                            subject2 = getJaasLoginHelper().jaas_login(bArr, str2, httpServletRequest, httpServletResponse, subject, map, str3);
                        }
                        if (subject2 != null) {
                            processSubjectForPropagationAfterLogin(subject2, str2, bArr);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Adding propagation login Subject to cache.");
                            }
                            if (str4 != null) {
                                this.cache.insert(subject2, new Object[]{str4, bArr});
                            } else {
                                this.cache.insert(subject2, new Object[]{bArr});
                            }
                        }
                    }
                    if (subject2 != null) {
                        try {
                            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject2);
                            if (wSCredentialFromSubject != null) {
                                boolean isDestroyed = wSCredentialFromSubject.isDestroyed();
                                try {
                                    boolean checkValidityOfAllTokens = getWSCredTokenMapper().checkValidityOfAllTokens(subject2, httpServletRequest);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "login(realm, token, . . .): is subject valid? " + checkValidityOfAllTokens);
                                    }
                                    if (!isDestroyed && checkValidityOfAllTokens) {
                                        if (tc.isEntryEnabled()) {
                                            Tr.exit(tc, "login(realm, token, authMech, . . .)");
                                        }
                                        Subject subject3 = subject2;
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Clearing propagation token from thread.");
                                        }
                                        ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                                        if (StatsFactory.isPMIEnabled()) {
                                            long currentTimeMillis3 = System.currentTimeMillis();
                                            if (this.authModule != null) {
                                                this.authModule.onTokenAuthTime(currentTimeMillis3 - j);
                                            }
                                        }
                                        if (z) {
                                            setAuthRetryForThread(true);
                                        }
                                        return subject3;
                                    }
                                    boolean checkGSSCredExpired = getWSCredTokenMapper().checkGSSCredExpired(subject2);
                                    this.cache.removeEntry(wSCredentialFromSubject.getRealmName(), wSCredentialFromSubject.getSecurityName());
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
                                    }
                                    if (checkGSSCredExpired) {
                                        GSSException gSSException = new GSSException(8, 0, "GSSCredential expired, must login again.");
                                        throw new WSLoginFailedException(gSSException.getMessage(), gSSException);
                                    }
                                    subject2 = null;
                                } catch (WSLoginFailedException e2) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "within cushion window, fail sso.");
                                    }
                                    throw e2;
                                }
                            } else {
                                subject2 = null;
                            }
                        } catch (CredentialDestroyedException e3) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential is destroyed.", new Object[]{e3});
                            }
                            subject2 = null;
                        } catch (CredentialExpiredException e4) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential has expired.", new Object[]{e4});
                            }
                            subject2 = null;
                        }
                    }
                    if (subject2 == null) {
                        subject2 = getJaasLoginHelper().jaas_login(bArr, str2, httpServletRequest, httpServletResponse, subject, map, str3);
                        if (subject2 != null) {
                            processSubjectForPropagationAfterLogin(subject2, str2, bArr);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Adding new Subject to cache.");
                            }
                            if (str4 != null) {
                                this.cache.insert(subject2, new Object[]{str4, bArr});
                            } else {
                                this.cache.insert(subject2, new Object[]{bArr});
                            }
                        }
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login(realm, token, authMech, . . .)");
                    }
                    Subject subject4 = subject2;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    if (StatsFactory.isPMIEnabled()) {
                        long currentTimeMillis4 = System.currentTimeMillis();
                        if (this.authModule != null) {
                            this.authModule.onTokenAuthTime(currentTimeMillis4 - j);
                        }
                    }
                    if (z) {
                        setAuthRetryForThread(true);
                    }
                    return subject4;
                } catch (Throwable th) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    throw th;
                }
            } catch (WSLoginFailedException e5) {
                if (!SecurityMessages.suppressFFDCforKrbSkewError(e5)) {
                    FFDCFilter.processException(e5, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3405", this);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + e5);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, token, authMech, . . .)");
                }
                throw e5;
            } catch (Exception e6) {
                FFDCFilter.processException(e6, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3411", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + dump(e6));
                }
                WSLoginFailedException wSLoginFailedException = new WSLoginFailedException(e6.getMessage(), e6);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, token, authMech, . . .)");
                }
                throw wSLoginFailedException;
            }
        } catch (Throwable th2) {
            if (StatsFactory.isPMIEnabled()) {
                long currentTimeMillis5 = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onTokenAuthTime(currentTimeMillis5 - j);
                }
            }
            if (z) {
                setAuthRetryForThread(true);
            }
            throw th2;
        }
    }

    /**
     * Convenience overload that runs the post-login propagation processing without a token.
     *
     * <p>Delegates to the three-argument overload with {@code null} as the third argument. The
     * token-based login in this class passes its token bytes in that position, so {@code null}
     * here presumably means "no token to associate" (confirm against the three-argument overload).
     *
     * @param subject the Subject produced by the login that has just completed
     * @param str the auth-mechanism / login-configuration string the caller logged in with
     */
    private void processSubjectForPropagationAfterLogin(Subject subject, String str) {
        // The literal null is left untyped so that overload resolution stays exactly as written.
        processSubjectForPropagationAfterLogin(subject, str, null);
    }

    /**
     * Runs a JAAS login for an invocation Subject under a protocol policy.
     *
     * <p>The argument roles (auth mechanism, protocol policy, invocation subject) are taken from
     * the trace text. No login is attempted, and {@code null} is returned, when cell security is
     * disabled, when {@code obj} or {@code subject} is {@code null}, or when this process is not
     * a server. A {@code null} result therefore means "no Subject was established"; callers must
     * not treat it as a successful login.
     *
     * @param str the authentication mechanism handed to the JAAS login helper
     * @param obj the protocol policy object; {@code null} short-circuits to a {@code null} result
     * @param subject the invocation Subject; {@code null} short-circuits to a {@code null} result
     * @return the Subject returned by the JAAS login helper, or {@code null} as described above
     * @throws WSLoginFailedException if the JAAS login fails; any other exception is recorded
     *     through FFDC and rethrown wrapped in a {@code WSLoginFailedException}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, Object obj, Subject subject) throws WSLoginFailedException {
        final String traceName = "login(auth_mech, protocolPolicy, invocation_subject)";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, traceName);
        }
        final boolean loginPossible = isCellSecurityEnabled() && obj != null && subject != null;
        if (!loginPossible) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, traceName);
            }
            return null;
        }
        if (!processIsServer()) {
            // NOTE(review): this path returns without a matching Tr.exit, so the entry/exit
            // trace is unbalanced for non-server processes. Behaviour kept as in the original.
            return null;
        }
        try {
            Subject loggedIn = getJaasLoginHelper().jaas_login(str, obj, subject);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, traceName);
            }
            return loggedIn;
        } catch (WSLoginFailedException loginFailure) {
            FFDCFilter.processException(loginFailure, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3459", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "login failed: " + loginFailure);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, traceName);
            }
            throw loginFailure;
        } catch (Exception unexpected) {
            FFDCFilter.processException(unexpected, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3465", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "login failed: " + dump(unexpected));
            }
            // Keep the original cause so the failure can still be diagnosed by the caller.
            WSLoginFailedException wrapped = new WSLoginFailedException(unexpected.getMessage(), unexpected);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, traceName);
            }
            throw wrapped;
        }
    }

    /**
     * Logs in the identity represented by a certificate chain, with no auth mechanism, servlet
     * request/response or map supplied.
     *
     * <p>This is an identity-assertion style entry point: no password is involved. It ends up in
     * the protected {@code login(String, Object, ...)} method of this class, whose
     * {@code MAP_CREDENTIAL} permission check only runs when a {@code SecurityManager} is
     * installed.
     *
     * @param str the realm (per the trace text)
     * @param x509CertificateArr the certificate chain to log in with
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, X509Certificate[] x509CertificateArr) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            // Concatenating the array prints its default toString(), not the certificate
            // contents, so this trace line does not identify which certificate was presented.
            Tr.entry(tc, "login(realm, certChain) -> login(" + str + ", " + x509CertificateArr + ")");
        }
        // Typed nulls keep overload resolution identical to the original casts.
        final String noAuthMech = null;
        final HttpServletRequest noRequest = null;
        final HttpServletResponse noResponse = null;
        final Map noMap = null;
        Subject certSubject = login(str, x509CertificateArr, noAuthMech, noRequest, noResponse, noMap);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login(realm, certChain)");
        }
        return certSubject;
    }

    /**
     * Certificate-chain login without a caller-supplied Subject.
     *
     * <p>Delegates to the seven-argument certificate overload with a {@code null} Subject.
     *
     * @param str the realm
     * @param x509CertificateArr the certificate chain to log in with
     * @param str2 the auth mechanism, or {@code null}
     * @param httpServletRequest the current request, or {@code null}
     * @param httpServletResponse the current response, or {@code null}
     * @param map additional login data passed through to the delegate, or {@code null}
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, X509Certificate[] x509CertificateArr, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map) throws WSLoginFailedException {
        // A typed null keeps overload resolution identical to the original "(Subject) null".
        final Subject noSubject = null;
        return login(str, x509CertificateArr, str2, httpServletRequest, httpServletResponse, map, noSubject);
    }

    /**
     * Certificate-chain login with an optional caller-supplied Subject.
     *
     * <p>Widens the chain to {@code Object} and hands it to the protected
     * {@code login(String, Object, ...)} method, which handles both user-name and certificate
     * login data.
     *
     * @param str the realm
     * @param x509CertificateArr the certificate chain to log in with
     * @param str2 the auth mechanism, or {@code null}
     * @param httpServletRequest the current request, or {@code null}
     * @param httpServletResponse the current response, or {@code null}
     * @param map additional login data passed through to the delegate, or {@code null}
     * @param subject a Subject passed through to the delegate, or {@code null}
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, X509Certificate[] x509CertificateArr, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject) throws WSLoginFailedException {
        // Static type Object selects the protected generic overload, as the original cast did.
        final Object loginInfo = x509CertificateArr;
        return login(str, loginInfo, str2, httpServletRequest, httpServletResponse, map, subject);
    }

    /**
     * Logs in a user by realm and user name only; no password is supplied or checked here.
     *
     * <p>This is an identity-assertion style entry point. It ends up in the protected
     * {@code login(String, Object, ...)} method of this class, whose {@code MAP_CREDENTIAL}
     * permission check only runs when a {@code SecurityManager} is installed, so the caller is
     * trusted to have established the user's identity already. The user name is written to the
     * entry trace.
     *
     * @param str the realm (per the trace text)
     * @param str2 the user name to assert
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login(realm, user) -> login(" + str + ", " + str2 + ")");
        }
        // Typed nulls keep overload resolution identical to the original casts.
        final String noAuthMech = null;
        final HttpServletRequest noRequest = null;
        final HttpServletResponse noResponse = null;
        final Map noMap = null;
        Subject assertedSubject = login(str, str2, noAuthMech, noRequest, noResponse, noMap);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login(realm, user)");
        }
        return assertedSubject;
    }

    /**
     * Logs in a user by realm and user name together with a map that the trace text calls the
     * "ccacheMap".
     *
     * <p>Delegates to the nine-argument overload with every other argument {@code null},
     * including the password position.
     *
     * @param str the realm
     * @param str2 the user name
     * @param map the map handed to the delegate as its last argument
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, Map map) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the whole map is rendered into the trace via toString(). If it can
            // carry credential material rather than just locations, this line should mask it;
            // confirm what callers put in the map.
            final String entryText = "login(realm, user, ccacheMap) -> login(" + str + ", " + str2 + ", " + map + ")";
            Tr.entry(tc, entryText);
        }
        // The nulls are left untyped so that overload resolution stays exactly as written.
        Subject ccacheSubject = login(str, str2, null, null, null, null, null, null, map);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login(realm, user, ccacheMap)");
        }
        return ccacheSubject;
    }

    /**
     * Logs in a user with realm, user name and password, using the auth mechanism configured
     * under {@code CSIv2Config.AUTH_MECH_ALIAS}.
     *
     * <p>The password is passed through {@code ConfigUtils.mask} before it is written to the
     * entry trace; the realm and user name are traced as given.
     *
     * @param str the realm
     * @param str2 the user name
     * @param str3 the password
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, String str3) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login(realm, user, password) -> login(" + str + ", " + str2 + ", " + ConfigUtils.mask(str3) + ")");
        }
        final String authMechAlias = SecurityObjectLocator.getCSIv2Config().getString(CSIv2Config.AUTH_MECH_ALIAS);
        // Typed nulls keep overload resolution identical to the original casts.
        final HttpServletRequest noRequest = null;
        final HttpServletResponse noResponse = null;
        final Map noMap = null;
        Subject passwordSubject = login(str, str2, str3, authMechAlias, noRequest, noResponse, noMap);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login(realm, user, password)");
        }
        return passwordSubject;
    }

    /**
     * User-name login (no password) without a caller-supplied Subject.
     *
     * <p>Delegates to the seven-argument user-name overload with a {@code null} Subject.
     *
     * @param str the realm
     * @param str2 the user name to assert
     * @param str3 the auth mechanism, or {@code null}
     * @param httpServletRequest the current request, or {@code null}
     * @param httpServletResponse the current response, or {@code null}
     * @param map additional login data passed through to the delegate, or {@code null}
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, String str3, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map) throws WSLoginFailedException {
        // A typed null keeps overload resolution identical to the original "(Subject) null".
        final Subject noSubject = null;
        return login(str, str2, str3, httpServletRequest, httpServletResponse, map, noSubject);
    }

    /**
     * User-name login (no password) with an optional caller-supplied Subject.
     *
     * <p>Widens the user name to {@code Object} and hands it to the protected
     * {@code login(String, Object, ...)} method, which handles both user-name and certificate
     * login data.
     *
     * @param str the realm
     * @param str2 the user name to assert
     * @param str3 the auth mechanism, or {@code null}
     * @param httpServletRequest the current request, or {@code null}
     * @param httpServletResponse the current response, or {@code null}
     * @param map additional login data passed through to the delegate, or {@code null}
     * @param subject a Subject passed through to the delegate, or {@code null}
     * @return the resulting Subject, or {@code null} if the delegate returns {@code null}
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, String str3, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject) throws WSLoginFailedException {
        // Static type Object selects the protected generic overload, as the original cast did.
        final Object loginInfo = str2;
        return login(str, loginInfo, str3, httpServletRequest, httpServletResponse, map, subject);
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Identity-assertion login: establishes a Subject for a user name or certificate chain
     * without a password, reusing a cached Subject when one is still usable.
     *
     * <p>Flow, as far as this method shows it:
     * <ol>
     *   <li>If a {@code SecurityManager} is installed, {@code MAP_CREDENTIAL} is checked. With no
     *       security manager there is no permission check in this method, so the caller is
     *       trusted to have established the asserted identity.</li>
     *   <li>{@code null} is returned when cell security is disabled or this process is not a
     *       server.</li>
     *   <li>A cached Subject is looked up, in order, by the cache key carried in
     *       {@code subject}, by the opaque token on the thread (only when one of the propagation
     *       settings is enabled), by the Kerberos authn-token unique id, and finally by the
     *       login data itself.</li>
     *   <li>The cached Subject is returned if its {@code WSCredential} is not destroyed and it is
     *       either non-forwardable or its tokens are valid within the cache cushion. Otherwise
     *       the cache entry is removed.</li>
     *   <li>With no usable cached Subject, a JAAS login is performed and the result is cached.</li>
     * </ol>
     *
     * <p>On every exit from the inner try block the opaque token lookup is cleared from the
     * thread; the duplicated cleanup and metrics code is the decompiler's expansion of what were
     * presumably {@code finally} blocks.
     *
     * @param str the realm (per the trace text)
     * @param obj the login data: a {@code String} user name or an {@code X509Certificate[]} chain
     * @param str2 the auth mechanism, or {@code null}
     * @param httpServletRequest the current request, or {@code null}
     * @param httpServletResponse the current response, or {@code null}
     * @param map additional login data passed through to the JAAS login helper, or {@code null}
     * @param subject a Subject that may carry a cache key or Kerberos token id, or {@code null}
     * @return the cached or newly created Subject, or {@code null} when security is disabled or
     *     this process is not a server
     * @throws WSLoginFailedException if the login fails or {@code obj} is of an unsupported type;
     *     any other exception is recorded through FFDC and rethrown wrapped
     */
    protected Subject login(String str, Object obj, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject) throws WSLoginFailedException {
        // j: start time for the PMI metric; z: auth-retry flag captured from the thread.
        long j = 0;
        boolean z = false;
        try {
            if (StatsFactory.isPMIEnabled()) {
                j = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onIDAssertionCount();
                }
            }
            if (tc.isEntryEnabled()) {
                // For a certificate chain, obj prints as the array's default toString().
                Tr.entry(tc, "login(realm, loginInfo, auth_mech) -> login(" + str + ", " + obj + ", " + str2 + ")");
            }
            // The only authorization gate in this method; it is skipped entirely when no
            // SecurityManager is installed.
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                    Tr.debug(tc, "Expecting : " + MAP_CREDENTIAL.toString());
                }
                securityManager.checkPermission(MAP_CREDENTIAL);
            }
            if (!isCellSecurityEnabled()) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, loginInfo, . . .)");
                }
                if (StatsFactory.isPMIEnabled()) {
                    long currentTimeMillis = System.currentTimeMillis();
                    if (this.authModule != null) {
                        this.authModule.onIDAssertionTime(currentTimeMillis - j);
                    }
                }
                // Decompiler artifact: z is still false at this point, so this never runs.
                if (0 != 0) {
                    setAuthRetryForThread(true);
                }
                return null;
            }
            if (!processIsServer()) {
                if (StatsFactory.isPMIEnabled()) {
                    long currentTimeMillis2 = System.currentTimeMillis();
                    if (this.authModule != null) {
                        this.authModule.onIDAssertionTime(currentTimeMillis2 - j);
                    }
                }
                // Decompiler artifact: z is still false at this point, so this never runs.
                if (0 != 0) {
                    setAuthRetryForThread(true);
                }
                return null;
            }
            z = checkAuthRetryForThread();
            // list: opaque token list found on the thread; str3: cache key derived from it.
            List list = null;
            String str3 = null;
            try {
                try {
                    // Lookup 1: cache key carried inside the caller-supplied Subject.
                    Subject subjectFromHashtableCacheKey = getSubjectFromHashtableCacheKey(subject);
                    Object obj2 = null;
                    if (subjectFromHashtableCacheKey != null) {
                        // Remember the key so a stale entry can be evicted below.
                        obj2 = getWSCredTokenMapper().getCacheKeyFromHashtable(subject);
                        if (obj2 != null && (obj2 instanceof byte[])) {
                            obj2 = new ByteArray((byte[]) obj2);
                        }
                    }
                    CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                    // Lookup 2: opaque token on the thread, only when propagation is enabled.
                    if (subjectFromHashtableCacheKey == null && (cSIv2Config.getBoolean("com.ibm.CSI.rmiInboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled"))) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for opaque token in thread before doing Subject lookup.");
                        }
                        list = (ArrayList) get(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup());
                        Object[] subjectFromTokenHolderCacheKey = getSubjectFromTokenHolderCacheKey(null, list);
                        if (subjectFromTokenHolderCacheKey != null) {
                            subjectFromHashtableCacheKey = (Subject) subjectFromTokenHolderCacheKey[0];
                            str3 = (String) subjectFromTokenHolderCacheKey[1];
                        }
                    }
                    String str4 = null;
                    if (subject != null) {
                        str4 = Krb5Utils.getAltKRBAuthnTokenUniqueId(subject);
                    }
                    // Lookup 3: Kerberos authn-token unique id taken from the supplied Subject.
                    if (subjectFromHashtableCacheKey == null && list == null && !getWSCredTokenMapper().subjectContainsLoginHashtable(subject) && str4 != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for Subject using krbAuthnToken uniqueId.");
                        }
                        subjectFromHashtableCacheKey = this.cache.getSubject(str4);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "cache return subject: " + subjectFromHashtableCacheKey);
                        }
                    }
                    // Lookup 4: the login data itself (realm + user name, or the certificate chain).
                    if (subjectFromHashtableCacheKey == null && list == null && !getWSCredTokenMapper().subjectContainsLoginHashtable(subject) && str4 == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for Subject using loginInfo(user or cert).");
                        }
                        subjectFromHashtableCacheKey = obj instanceof String ? this.cache.getSubject(str, (String) obj) : this.cache.getSubject(obj);
                    }
                    if (subjectFromHashtableCacheKey != null) {
                        try {
                            WSCredential publicCredential = getPublicCredential(subjectFromHashtableCacheKey);
                            if (publicCredential != null) {
                                boolean isDestroyed = publicCredential.isDestroyed();
                                boolean isForwardable = publicCredential.isForwardable();
                                boolean checkCushionValidityOfAllTokens = getWSCredTokenMapper().checkCushionValidityOfAllTokens(subjectFromHashtableCacheKey, this.cache.getCushion());
                                if (tc.isDebugEnabled()) {
                                    if (isForwardable) {
                                        Tr.debug(tc, "login(realm, loginInfo, . . .): is subject valid? " + checkCushionValidityOfAllTokens);
                                    } else {
                                        Tr.debug(tc, "login(realm, loginInfo, . . .): is subject valid? non-forwardable Subject");
                                    }
                                }
                                // Reuse rule: a non-forwardable credential is accepted whatever the
                                // token validity result; only the destroyed flag (and the exceptions
                                // caught below) can reject it.
                                // NOTE(review): confirm non-forwardable credentials expire by another route.
                                if (!isDestroyed && (!isForwardable || checkCushionValidityOfAllTokens)) {
                                    if (tc.isEntryEnabled()) {
                                        Tr.exit(tc, "login(realm, loginInfo, ...)");
                                    }
                                    Subject subject2 = subjectFromHashtableCacheKey;
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Clearing propagation token from thread.");
                                    }
                                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                                    if (StatsFactory.isPMIEnabled()) {
                                        long currentTimeMillis3 = System.currentTimeMillis();
                                        if (this.authModule != null) {
                                            this.authModule.onIDAssertionTime(currentTimeMillis3 - j);
                                        }
                                    }
                                    if (z) {
                                        setAuthRetryForThread(true);
                                    }
                                    return subject2;
                                }
                                // Stale entry: evict it under the same key it was found with.
                                if (obj2 != null) {
                                    this.cache.removeEntry(obj2);
                                } else if (obj instanceof String) {
                                    this.cache.removeEntry(str, (String) obj);
                                } else {
                                    this.cache.removeEntry(obj);
                                }
                                subjectFromHashtableCacheKey = null;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
                                }
                            } else {
                                // A cached Subject without a WSCredential is discarded, not returned.
                                subjectFromHashtableCacheKey = null;
                            }
                        } catch (CredentialExpiredException e) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential has expired.", new Object[]{e});
                            }
                            // NOTE(review): unlike the path above, the cache entry is not removed here.
                            subjectFromHashtableCacheKey = null;
                        } catch (CredentialDestroyedException e2) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential is destroyed.", new Object[]{e2});
                            }
                            subjectFromHashtableCacheKey = null;
                        }
                    }
                    if (subjectFromHashtableCacheKey == null) {
                        // Fresh JAAS login. The jaas_login overload depends on whether an auth
                        // mechanism and request/map were given. For a user name the third argument
                        // is always null, presumably the password position.
                        // A null obj reaches obj.getClass() in each branch; the resulting
                        // NullPointerException is wrapped by the catch (Exception) below.
                        if (str2 == null) {
                            if (obj instanceof String) {
                                subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (String) obj, (String) null, subject);
                            } else {
                                if (!(obj instanceof X509Certificate[])) {
                                    throw new WSLoginFailedException("Unknown login data type: " + obj.getClass().getName());
                                }
                                subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (X509Certificate[]) obj, subject);
                            }
                        } else if (httpServletRequest == null && map == null) {
                            if (obj instanceof String) {
                                subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (String) obj, (String) null, str2, subject);
                            } else {
                                if (!(obj instanceof X509Certificate[])) {
                                    throw new WSLoginFailedException("Unknown login data type: " + obj.getClass().getName());
                                }
                                subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (X509Certificate[]) obj, str2, subject);
                            }
                        } else if (obj instanceof String) {
                            subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (String) obj, (String) null, str2, httpServletRequest, httpServletResponse, map, subject);
                        } else {
                            if (!(obj instanceof X509Certificate[])) {
                                throw new WSLoginFailedException("Unknown login data type: " + obj.getClass().getName());
                            }
                            subjectFromHashtableCacheKey = getJaasLoginHelper().jaas_login(str, (X509Certificate[]) obj, str2, httpServletRequest, httpServletResponse, map, subject);
                        }
                        // NOTE(review): the login result is processed and cached without a null
                        // check, whereas the token-based login in this class checks for null
                        // first. Confirm jaas_login cannot return null on these paths.
                        processSubjectForPropagationAfterLogin(subjectFromHashtableCacheKey, str2);
                        if (str3 != null) {
                            this.cache.insert(subjectFromHashtableCacheKey, new Object[]{str3});
                        } else if (obj instanceof String) {
                            this.cache.insert(subjectFromHashtableCacheKey, (String) obj, null, (Object[]) null);
                        } else {
                            this.cache.insert(subjectFromHashtableCacheKey, (Object[]) null);
                        }
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login(realm, loginInfo, . . .)");
                    }
                    Subject subject3 = subjectFromHashtableCacheKey;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    // Cleared so the token list does not stay on the thread after this login.
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    if (StatsFactory.isPMIEnabled()) {
                        long currentTimeMillis4 = System.currentTimeMillis();
                        if (this.authModule != null) {
                            this.authModule.onIDAssertionTime(currentTimeMillis4 - j);
                        }
                    }
                    if (z) {
                        setAuthRetryForThread(true);
                    }
                    return subject3;
                } catch (Throwable th) {
                    // Failure path of the same cleanup: clear the thread's token lookup, then rethrow.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    throw th;
                }
            } catch (WSLoginFailedException e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3724", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + e3);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, loginInfo, . . .)");
                }
                throw e3;
            } catch (Exception e4) {
                // Anything unexpected is reported through FFDC and surfaced as a login failure
                // with the original exception kept as the cause.
                FFDCFilter.processException(e4, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3730", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + dump(e4));
                }
                WSLoginFailedException wSLoginFailedException = new WSLoginFailedException(e4.getMessage(), e4);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, loginInfo, . . .)");
                }
                throw wSLoginFailedException;
            }
        } catch (Throwable th2) {
            // Failure path of the outer cleanup: record the metric and restore the retry flag.
            if (StatsFactory.isPMIEnabled()) {
                long currentTimeMillis5 = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onIDAssertionTime(currentTimeMillis5 - j);
                }
            }
            if (z) {
                setAuthRetryForThread(true);
            }
            throw th2;
        }
    }

    /**
     * Returns the first {@link WSCredential} found among the subject's public credentials.
     *
     * <p>The credentials come back as a set, so "first" is whatever the set's iterator yields;
     * callers should not rely on which one is returned if a Subject ever carries more than one.
     *
     * @param subject the subject to inspect; no null check is performed here
     * @return the first public {@code WSCredential}, or {@code null} when the subject holds none
     */
    protected WSCredential getPublicCredential(Subject subject) {
        Iterator<WSCredential> credentials = subject.getPublicCredentials(WSCredential.class).iterator();
        return credentials.hasNext() ? credentials.next() : null;
    }

    /**
     * Basic-auth login without a pre-existing Subject; delegates to the eight-argument overload.
     *
     * <p>Argument meaning follows the trace strings of the nine-argument overload
     * ("login(realm, user, password, auth_mech, . . .)").
     *
     * @param str realm name
     * @param str2 user name
     * @param str3 password
     * @param str4 value labelled "auth_mech" in the trace strings
     * @param httpServletRequest forwarded unchanged
     * @param httpServletResponse forwarded unchanged
     * @param map forwarded unchanged
     * @return whatever the delegated login returns
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map) throws WSLoginFailedException {
        // Typed as Subject so the call binds to the same overload the original cast selected.
        final Subject noExistingSubject = null;
        return login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, noExistingSubject);
    }

    /**
     * Basic-auth login with an optional pre-existing Subject; delegates to the nine-argument
     * overload with {@code null} as the final argument.
     *
     * <p>Argument meaning follows the trace strings of the nine-argument overload
     * ("login(realm, user, password, auth_mech, . . .)").
     *
     * @param str realm name
     * @param str2 user name
     * @param str3 password
     * @param str4 value labelled "auth_mech" in the trace strings
     * @param httpServletRequest forwarded unchanged
     * @param httpServletResponse forwarded unchanged
     * @param map forwarded unchanged
     * @param subject forwarded unchanged; may be {@code null}
     * @return whatever the delegated login returns
     * @throws WSLoginFailedException if the delegated login fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject) throws WSLoginFailedException {
        // The trailing null literal is left untyped so overload selection stays exactly as before.
        Subject authenticated = login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, subject, null);
        return authenticated;
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Performs a user-id/password (basic-auth) login and returns the resulting Subject.
     *
     * <p>Stages, in the order the code runs them:
     * <ol>
     *   <li>Server process with cell security on: the requested realm is validated. In a multi-domain
     *       configuration a realm equal to the app or admin realm is re-dispatched through
     *       {@code ContextManagerFactory.getInstance().login(...)}; a realm on the outbound trusted list
     *       yields a basic-auth Subject built directly from the supplied values; any other realm fails.
     *       Without multi-domain, a realm that is not the default realm is rejected.</li>
     *   <li>An empty user name or password is rejected unless a Subject was passed in.</li>
     *   <li>Cell security off: returns {@code null}.</li>
     *   <li>Client process: JAAS login when {@code map2} is non-empty; otherwise a basic-auth credential
     *       that is checked against the security server only if {@code com.ibm.CORBA.validateBasicAuth}
     *       is set.</li>
     *   <li>Server process: Subject cache lookup, validity check of the cached Subject, then JAAS login
     *       and cache insert on a miss.</li>
     * </ol>
     *
     * <p>This is decompiler output: the original {@code finally} blocks appear as duplicated cleanup code
     * before each {@code return} plus {@code catch (Throwable)} handlers that repeat it.
     *
     * @param str realm name; {@code null} or {@code "<default>"} skips the realm validation stage
     * @param str2 user name
     * @param str3 password; masked with {@code ConfigUtils.mask} in the entry trace
     * @param str4 value labelled "auth_mech" in the trace strings; forwarded to {@code jaas_login}
     * @param httpServletRequest forwarded to {@code jaas_login}
     * @param httpServletResponse forwarded to {@code jaas_login}
     * @param map forwarded to {@code jaas_login}; also read for the web application name when inbound
     *        mapping is enabled
     * @param subject optional Subject; when non-null an empty user name or password is tolerated
     * @param map2 only tested for non-emptiness here (selects the JAAS path in a client process) and
     *        forwarded on the multi-domain re-dispatch
     * @return the authenticated Subject, or {@code null} when cell security is disabled
     * @throws WSLoginFailedException on any authentication or validation failure
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(final String str, final String str2, final String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map map, Subject subject, Map map2) throws WSLoginFailedException {
        Subject createBasicAuthSubject;
        if (tc.isEntryEnabled()) {
            // Realm, user name and str4 are written to trace in clear; only the password is masked.
            Tr.entry(tc, "login(realm, user, password) -> login(" + str + ", " + str2 + ", " + ConfigUtils.mask(str3) + ", " + str4 + ")");
        }
        // j: PMI start timestamp; z: saved auth-retry flag; z2: true when map2 carries entries.
        long j = 0;
        boolean z = false;
        boolean z2 = false;
        if (map2 != null && !map2.isEmpty()) {
            z2 = true;
        }
        if (isCellSecurityEnabled() && processIsServer()) {
            String defaultRealm = getDefaultRealm();
            // z3 records the boolean returned by pushAppContext/pushAdminContext.
            boolean z3 = false;
            // Multi-domain case: an explicit realm that is neither "<default>", the Kerberos krb5Realm nor
            // the default realm must be validated against the app, admin and trusted outbound realms.
            if (str != null && !str.equalsIgnoreCase("<default>") && ((getAdminSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS) == null || !str.equalsIgnoreCase(getAdminSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm"))) && !str.equalsIgnoreCase(defaultRealm) && SecurityObjectLocator.getSecurityConfigManager().isMultiDomainDefined() && SecurityObjectLocator.getSecurityConfig(PropertiesBasedConfigConstants.APPSECURITY_RESOURCE_TYPE) != null && SecurityObjectLocator.getSecurityConfig(PropertiesBasedConfigConstants.APPSECURITY_RESOURCE_TYPE).getActiveUserRegistry(false) != null && SecurityObjectLocator.getSecurityConfig(PropertiesBasedConfigConstants.APPSECURITY_RESOURCE_TYPE).getActiveUserRegistry(false).getString("realm") != null)) {
                if (tc.isEntryEnabled()) {
                    Tr.entry(tc, "in mutlti-domain case: realm is not null and is not default realm: about to validate realm");
                }
                try {
                    try {
                        if (str.equalsIgnoreCase(getAppRealm())) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "targeting app domain realm for: " + str);
                            }
                            // Switch to the app security domain, then re-dispatch the login through the factory.
                            z3 = SecurityObjectLocator.pushAppContext("");
                            createBasicAuthSubject = ContextManagerFactory.getInstance().login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, subject, map2);
                            if (tc.isEntryEnabled()) {
                                Tr.debug(tc, "got Subject based on app domain realm.");
                            }
                        } else if (str.equalsIgnoreCase(getAdminRealm())) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "realm equals admin domain realm.");
                            }
                            // Same re-dispatch, but under the admin security domain.
                            z3 = SecurityObjectLocator.pushAdminContext();
                            createBasicAuthSubject = ContextManagerFactory.getInstance().login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, subject, map2);
                            if (tc.isEntryEnabled()) {
                                Tr.debug(tc, "got Subject based on admin domain realm.");
                            }
                        } else {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "passed in realm is not app domain nor it is admin realm. Check if a trusted outbound realm");
                            }
                            // NOTE(review): no null check on the returned realm config; if it can be null the
                            // resulting exception is converted to WSLoginFailedException by the catch below.
                            TrustedAuthenticationRealm outboundTrustedAuthenticationRealm = getSecurityConfig().getOutboundTrustedAuthenticationRealm();
                            String realmList = outboundTrustedAuthenticationRealm.getRealmList();
                            // trustAllRealms doubles as the "realm accepted" flag from here on.
                            boolean trustAllRealms = outboundTrustedAuthenticationRealm.getTrustAllRealms();
                            if (!trustAllRealms && realmList != null && !realmList.equals("")) {
                                // The trusted list is '|'-separated and compared case-insensitively.
                                StringTokenizer stringTokenizer = new StringTokenizer(realmList, "|");
                                while (stringTokenizer.hasMoreTokens() && !trustAllRealms) {
                                    String nextToken = stringTokenizer.nextToken();
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "realm: " + str);
                                    }
                                    if (str.equalsIgnoreCase(nextToken)) {
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "target realm matches a trusted outbound realm: " + nextToken);
                                        }
                                        trustAllRealms = true;
                                    }
                                }
                            }
                            if (!trustAllRealms) {
                                throw new WSLoginFailedException("passed in realm is invalid.");
                            }
                            // No credential check is visible on this path: the Subject is built from the
                            // supplied realm/user/password as given. Presumably the trusted target realm
                            // verifies it on the outbound call - confirm. With trustAllRealms set, any
                            // realm name reaches this point.
                            createBasicAuthSubject = SubjectHelper.createBasicAuthSubject(str, str2, str3);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "created a basic auth subject");
                            }
                        }
                        // Decompiler no-op.
                        z3 = z3;
                        return createBasicAuthSubject;
                    } catch (Exception e) {
                        if (tc.isEntryEnabled()) {
                            Tr.entry(tc, "caught exception validating passed in realm: " + e.getMessage());
                        }
                        // Only the message is carried over; the original exception is not chained as cause.
                        throw new WSLoginFailedException(e.getMessage());
                    }
                } finally {
                    // NOTE(review): "0 != 0" is a decompiler artifact (see the JADX warning on this method).
                    // As written popContext() is unreachable, so a context pushed by pushAppContext or
                    // pushAdminContext above is never popped here. The original presumably pops when z3
                    // is true - verify against the bytecode before relying on this listing.
                    if (0 != 0) {
                        SecurityObjectLocator.popContext();
                    }
                }
            }
            // Single-domain case: any explicit realm other than "<default>", krb5Realm or the default realm
            // is rejected outright.
            if (str != null && !str.equalsIgnoreCase("<default>") && ((getAdminSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS) == null || !str.equalsIgnoreCase(getAdminSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm"))) && !str.equalsIgnoreCase(defaultRealm) && !SecurityObjectLocator.getSecurityConfigManager().isMultiDomainDefined())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "caught exception: passed in realm is not valid: " + str);
                }
                throw new WSLoginFailedException("passed in realm is not valid: " + str);
            }
        }
        try {
            if (StatsFactory.isPMIEnabled()) {
                j = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onBasicAuthCount();
                }
            }
            // Empty user name or password is only acceptable when the caller supplied a Subject.
            if ((str2 == null || str2.length() == 0 || str3 == null || str3.length() == 0) && subject == null) {
                throw new WSLoginFailedException("Username and/or password is null.");
            }
            if (!isCellSecurityEnabled()) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, user, password, auth_mech, . . .)");
                }
                if (StatsFactory.isPMIEnabled()) {
                    long currentTimeMillis = System.currentTimeMillis();
                    if (this.authModule != null) {
                        this.authModule.onBasicAuthTime(currentTimeMillis - j);
                    }
                }
                // Decompiler artifact: z is still false at this point, so there is nothing to restore.
                if (0 != 0) {
                    setAuthRetryForThread(true);
                }
                // Security disabled: no authentication is attempted and callers receive null, not a Subject.
                return null;
            }
            // Save the thread's auth-retry flag; every exit below re-sets it to true when it was set.
            // What checkAuthRetryForThread() does to the flag itself is not visible here.
            z = checkAuthRetryForThread();
            try {
                try {
                    if (!processIsServer()) {
                        // ---- Client process ----
                        if (z2) {
                            // map2 non-empty: only the user name is required; the trace below calls the
                            // third argument a "credential ccache". map2 itself is not passed on.
                            if (str2 == null || str2.length() == 0) {
                                throw new WSLoginFailedException("Username is null.");
                            }
                            if (tc.isEntryEnabled()) {
                                Tr.debug(tc, "login(realm, user, credential ccache, . . .)");
                            }
                            Subject jaas_login = getJaasLoginHelper().jaas_login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, subject);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Clearing propagation token from thread.");
                            }
                            ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                            if (StatsFactory.isPMIEnabled()) {
                                long currentTimeMillis2 = System.currentTimeMillis();
                                if (this.authModule != null) {
                                    this.authModule.onBasicAuthTime(currentTimeMillis2 - j);
                                }
                            }
                            if (z) {
                                setAuthRetryForThread(true);
                            }
                            return jaas_login;
                        }
                        if (str2 == null || str2.length() == 0 || str3 == null || str3.length() == 0) {
                            throw new WSLoginFailedException("Username and/or password is null.");
                        }
                        WSCredential createBasicAuthCredential = createBasicAuthCredential(str, str2, str3);
                        // When validateBasicAuth is off the user id and password are NOT verified here; the
                        // Subject simply wraps the unverified credential. Presumably the server checks it
                        // on first use - confirm before treating this Subject as authenticated.
                        if (!SecurityObjectLocator.getCSIv2Config().getBoolean("com.ibm.CORBA.validateBasicAuth")) {
                            Subject createSubjectFromWSCredential = SubjectHelper.createSubjectFromWSCredential(createBasicAuthCredential);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Clearing propagation token from thread.");
                            }
                            ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                            if (StatsFactory.isPMIEnabled()) {
                                long currentTimeMillis3 = System.currentTimeMillis();
                                if (this.authModule != null) {
                                    this.authModule.onBasicAuthTime(currentTimeMillis3 - j);
                                }
                            }
                            if (z) {
                                setAuthRetryForThread(true);
                            }
                            return createSubjectFromWSCredential;
                        }
                        try {
                            // Validation requested: ask the security server, running the call under an
                            // unauthenticated Subject.
                            if (!((Boolean) runAsSpecified(SubjectHelper.createUnauthenticatedSubject(), new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.10
                                @Override // java.security.PrivilegedExceptionAction
                                public Object run() throws Exception {
                                    return new Boolean(ContextManagerImpl.this.getSecurityServer().simple_authenticate(new BasicAuthData(str2, str3, str)));
                                }
                            })).booleanValue()) {
                                if (tc.isEntryEnabled()) {
                                    Tr.exit(tc, "login(realm, user, password)");
                                }
                                throw new WSLoginFailedException("Failed to authenticate " + createBasicAuthCredential.getRealmSecurityName());
                            }
                            // If the thread-local state reports server security as not enabled, the
                            // credential is dropped and the Subject is created from null.
                            if (!getThreadLocal().get_server_security_enabled()) {
                                createBasicAuthCredential = null;
                            }
                            if (tc.isEntryEnabled()) {
                                Tr.exit(tc, "login(realm, user, password)");
                            }
                            Subject createSubjectFromWSCredential2 = SubjectHelper.createSubjectFromWSCredential(createBasicAuthCredential);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Clearing propagation token from thread.");
                            }
                            ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                            if (StatsFactory.isPMIEnabled()) {
                                long currentTimeMillis4 = System.currentTimeMillis();
                                if (this.authModule != null) {
                                    this.authModule.onBasicAuthTime(currentTimeMillis4 - j);
                                }
                            }
                            if (z) {
                                setAuthRetryForThread(true);
                            }
                            return createSubjectFromWSCredential2;
                        } catch (PrivilegedActionException e2) {
                            // Unwrap the privileged-action wrapper so callers see the real failure.
                            Exception exception = e2.getException();
                            FFDCFilter.processException(exception, "com.ibm.ws.security.auth.ContextManagerImpl.login", "3933", this);
                            if (tc.isEntryEnabled()) {
                                Tr.exit(tc, "login(realm, user, password)");
                            }
                            if (exception instanceof WSLoginFailedException) {
                                throw exception;
                            }
                            throw new WSLoginFailedException(exception.getMessage(), exception);
                        }
                    }
                    // ---- Server process ----
                    // subject2: cached or freshly authenticated Subject; list: opaque token list from the
                    // thread; str5: second element of the token-holder lookup result; str6: per-application
                    // cache key.
                    Subject subject2 = null;
                    List list = null;
                    String str5 = null;
                    String str6 = null;
                    CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                    // Inbound mapping: derive a cache key "<subject id>__<app name>" from the wrapped
                    // Subject and attach it to the caller-supplied Subject's private credentials.
                    if (cSIv2Config.getBoolean("com.ibm.CSI.rmiInboundMappingEnabled") && cSIv2Config.getString("com.ibm.CSI.rmiInboundMappingConfig") != null && cSIv2Config.getString("com.ibm.CSI.rmiInboundMappingConfig").length() > 0 && subject != null && map != null) {
                        WSSubjectWrapper wSSubjectWrapper = null;
                        String str7 = null;
                        String str8 = null;
                        try {
                            Iterator it = subject.getPrivateCredentials(WSSubjectWrapperImpl.class).iterator();
                            if (it.hasNext()) {
                                wSSubjectWrapper = (WSSubjectWrapper) it.next();
                            }
                            if (wSSubjectWrapper != null) {
                                str7 = (String) map.get(com.ibm.wsspi.security.auth.callback.Constants.WEB_APP_NAME);
                                str8 = getWSCredTokenMapper().createSubjectUniqueID(wSSubjectWrapper.getSubject());
                                if (str8 == null) {
                                    // Fall back to the credential's access id when no unique id is available.
                                    str8 = SubjectHelper.getWSCredentialFromSubject(wSSubjectWrapper.getSubject()).getAccessId();
                                }
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, " appName = " + str7 + " subjectId = " + str8);
                                }
                            }
                        } catch (Exception e3) {
                            // Best effort: a failure here only means no per-application cache key is built.
                            // The stack trace goes to stderr rather than the trace log, and only under debug.
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Exception caught " + e3.getMessage());
                                e3.printStackTrace();
                            }
                        }
                        if (str8 != null && str8.length() > 0 && str7 != null && str7.length() > 0) {
                            str6 = str8 + "__" + str7;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "appSubjectCacheKey = " + str6);
                            }
                            Hashtable hashtable = new Hashtable();
                            hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, str6);
                            subject.getPrivateCredentials().add(hashtable);
                        }
                    }
                    // With any propagation setting on, look for an opaque token list on the thread and try
                    // to resolve a Subject and lookup key from it.
                    if (cSIv2Config.getBoolean("com.ibm.CSI.rmiInboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.CSI.rmiOutboundPropagationEnabled") || cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Looking for opaque token on the thread before Subject cache lookup.");
                        }
                        list = (ArrayList) get(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup());
                        Object[] subjectFromTokenHolderCacheKey = getSubjectFromTokenHolderCacheKey(null, list);
                        if (subjectFromTokenHolderCacheKey != null && (subjectFromTokenHolderCacheKey[0] != null || subjectFromTokenHolderCacheKey[1] != null)) {
                            subject2 = (Subject) subjectFromTokenHolderCacheKey[0];
                            str5 = (String) subjectFromTokenHolderCacheKey[1];
                        }
                    }
                    // str9: the realm with null replaced by the default realm; used only for removeEntry below.
                    String str9 = str;
                    if (str9 == null) {
                        str9 = getDefaultRealm();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "realm is null, set default realm for cache lookup:" + str9);
                        }
                    }
                    // The user/password or app-key cache lookup only runs when no opaque token list was found.
                    if (list == null) {
                        if (str2 != null && str2.length() > 0) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Looking for subject from cache using user name token as lookup.");
                            }
                            // NOTE(review): the lookup passes the raw realm (str, possibly null) while
                            // removeEntry below uses the defaulted realm (str9) - confirm the cache treats
                            // the two consistently. The password is part of the lookup; how the cache
                            // stores or compares it is not visible here.
                            subject2 = this.cache.getSubject(str, str2, str3);
                        } else if (str6 != null) {
                            subject2 = this.cache.getSubject(str6);
                            if (tc.isDebugEnabled() && subject2 != null) {
                                Tr.debug(tc, "found subject in cache with key = " + str6);
                            }
                        }
                    }
                    if (subject2 != null) {
                        try {
                            // A cached Subject is reused only if its credential is not destroyed and either
                            // it is non-forwardable or all of its tokens are valid within the cache cushion.
                            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject2);
                            if (wSCredentialFromSubject != null) {
                                boolean isDestroyed = wSCredentialFromSubject.isDestroyed();
                                boolean isForwardable = wSCredentialFromSubject.isForwardable();
                                boolean checkCushionValidityOfAllTokens = getWSCredTokenMapper().checkCushionValidityOfAllTokens(subject2, this.cache.getCushion());
                                if (tc.isDebugEnabled()) {
                                    if (isForwardable) {
                                        Tr.debug(tc, "login(realm, user, password, . . .): is subject valid? " + checkCushionValidityOfAllTokens);
                                    } else {
                                        Tr.debug(tc, "login(realm, user, password, . . .): is subject valid? non-forwardable Subject");
                                    }
                                }
                                if (!isDestroyed && (!isForwardable || checkCushionValidityOfAllTokens)) {
                                    if (tc.isEntryEnabled()) {
                                        Tr.exit(tc, "login(realm, user, password, auth_mech, . . .)");
                                    }
                                    Subject subject3 = subject2;
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Clearing propagation token from thread.");
                                    }
                                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                                    if (StatsFactory.isPMIEnabled()) {
                                        long currentTimeMillis5 = System.currentTimeMillis();
                                        if (this.authModule != null) {
                                            this.authModule.onBasicAuthTime(currentTimeMillis5 - j);
                                        }
                                    }
                                    if (z) {
                                        setAuthRetryForThread(true);
                                    }
                                    return subject3;
                                }
                                // Stale entry: evict it and fall through to a fresh login.
                                this.cache.removeEntry(str9, str2);
                                subject2 = null;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
                                }
                            } else {
                                subject2 = null;
                            }
                        } catch (CredentialExpiredException e4) {
                            // Expired or destroyed credentials are treated as a cache miss. No removeEntry
                            // call is made on these two paths.
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential has expired.", new Object[]{e4});
                            }
                            subject2 = null;
                        } catch (CredentialDestroyedException e5) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Credential is destroyed.", new Object[]{e5});
                            }
                            subject2 = null;
                        }
                    }
                    if (subject2 == null) {
                        // Cache miss: authenticate through JAAS, choosing the overload by which optional
                        // arguments are present.
                        subject2 = str4 == null ? getJaasLoginHelper().jaas_login(str, str2, str3, subject) : (httpServletRequest == null && map == null) ? getJaasLoginHelper().jaas_login(str, str2, str3, str4, subject) : getJaasLoginHelper().jaas_login(str, str2, str3, str4, httpServletRequest, httpServletResponse, map, subject);
                        processSubjectForPropagationAfterLogin(subject2, str4);
                        if (str6 == null) {
                            // The password is handed to the cache together with the user name; how it is
                            // retained there is not visible in this method.
                            this.cache.insert(subject2, str2, str3, new Object[]{str5});
                        } else {
                            try {
                                str6 = (String) getWSCredTokenMapper().getCacheKeyFromHashtable(subject2);
                            } catch (Exception e6) {
                                // Best effort: on failure str6 keeps the key computed earlier.
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Exception caught " + e6.getMessage());
                                    e6.printStackTrace();
                                }
                            }
                            if (str6 != null && str6.length() > 0) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "insert cache: user = " + str2 + "  cache key = " + str6);
                                }
                                this.cache.insert(subject2, str2, str3, new Object[]{str6});
                            }
                        }
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login(realm, user, password, auth_mech, . . .)");
                    }
                    Subject subject4 = subject2;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    if (StatsFactory.isPMIEnabled()) {
                        long currentTimeMillis6 = System.currentTimeMillis();
                        if (this.authModule != null) {
                            this.authModule.onBasicAuthTime(currentTimeMillis6 - j);
                        }
                    }
                    if (z) {
                        setAuthRetryForThread(true);
                    }
                    return subject4;
                } catch (Throwable th) {
                    // Failure-path copy of the cleanup above: the opaque token lookup entry is cleared on
                    // the thread whether the login succeeded or not.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Clearing propagation token from thread.");
                    }
                    ContextManagerFactory.getInstance().put(WSOpaqueTokenHelper.getInstance().getOpaqueTokenLookup(), null);
                    throw th;
                }
            } catch (WSLoginFailedException e7) {
                FFDCFilter.processException(e7, "com.ibm.ws.security.auth.ContextManagerImpl.login", "4112", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + e7);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, user, password, auth_mech, . . .)");
                }
                throw e7;
            } catch (Exception e8) {
                // Anything else is reported to FFDC and wrapped, so callers only ever see WSLoginFailedException.
                FFDCFilter.processException(e8, "com.ibm.ws.security.auth.ContextManagerImpl.login", "4120", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "login failed: " + dump(e8));
                }
                WSLoginFailedException wSLoginFailedException = new WSLoginFailedException(e8.getMessage(), e8);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(realm, user, password, auth_mech, . . .)");
                }
                throw wSLoginFailedException;
            }
        } catch (Throwable th2) {
            // Failure-path copy of the PMI timing and auth-retry restore performed before each return.
            if (StatsFactory.isPMIEnabled()) {
                long currentTimeMillis7 = System.currentTimeMillis();
                if (this.authModule != null) {
                    this.authModule.onBasicAuthTime(currentTimeMillis7 - j);
                }
            }
            if (z) {
                setAuthRetryForThread(true);
            }
            throw th2;
        }
    }

    /**
     * Logs in with an existing {@link WSCredential}.
     *
     * <p>A basic-auth credential is unpacked (realm, security name, and the credential token converted
     * to a String by {@code StringBytesConversion}) and passed to the realm/user/password login. Any
     * other credential is accepted once {@code isCurrent()} reports true; no further check of the
     * credential is made in this method before the Subject is created from it.
     *
     * <p>The thread's auth-retry flag, as read by {@code checkAuthRetryForThread()}, is set back to
     * true on every exit path when it was set on entry.
     *
     * @param wSCredential the credential to log in with; may be {@code null}
     * @return the resulting Subject, or {@code null} when cell security is disabled or the
     *         credential is {@code null}
     * @throws WSLoginFailedException if the credential is not current or the login fails; other
     *         exceptions are reported to FFDC and wrapped in this type
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject login(WSCredential wSCredential) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login(credential)");
        }
        if (!isCellSecurityEnabled() || wSCredential == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login(credential)");
            }
            return null;
        }
        final boolean restoreAuthRetry = checkAuthRetryForThread();
        try {
            try {
                final Subject result;
                if (wSCredential.isBasicAuth()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "authenticating userid/password credential.");
                    }
                    // The exit trace is emitted before the delegated login runs, as in the original.
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login(credential)");
                    }
                    result = login(wSCredential.getRealmName(), wSCredential.getSecurityName(), StringBytesConversion.getConvertedString(wSCredential.getCredentialToken()));
                } else {
                    if (!wSCredential.isCurrent()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Credential is not current.");
                        }
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "login(credential)");
                        }
                        throw new WSLoginFailedException("Credential is not current.");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "login(credential)");
                    }
                    result = SubjectHelper.createSubjectFromWSCredential(wSCredential);
                }
                if (restoreAuthRetry) {
                    setAuthRetryForThread(true);
                }
                return result;
            } catch (WSLoginFailedException loginFailure) {
                FFDCFilter.processException(loginFailure, "com.ibm.ws.security.auth.ContextManagerImpl.login", "4186", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSLoginFailedException occurred.", new Object[]{loginFailure});
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(credential)");
                }
                throw loginFailure;
            } catch (Exception unexpected) {
                FFDCFilter.processException(unexpected, "com.ibm.ws.security.auth.ContextManagerImpl.login", "4192", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authenticate failed: ", dump(unexpected));
                }
                // Built before the exit trace so the statement order matches the original.
                WSLoginFailedException wrapped = new WSLoginFailedException(unexpected.getMessage(), unexpected);
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(credential)");
                }
                throw wrapped;
            }
        } catch (Throwable failure) {
            // Failure-path restore of the auth-retry flag (the success path restores it before returning).
            if (restoreAuthRetry) {
                setAuthRetryForThread(true);
            }
            throw failure;
        }
    }

    /**
     * Installs the given credential through {@code setInvocationCredential} when cell security is
     * enabled; does nothing otherwise.
     *
     * <p>Presumably the argument is the value saved by a matching push call; this method does not
     * check where it came from, so verify against the callers.
     *
     * @param wSCredential the credential to install; passed through unchanged
     * @throws WSSecurityException wrapping any exception raised while setting the credential
     *         (also reported to FFDC)
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void popInvocationCredential(WSCredential wSCredential) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            setInvocationCredential(wSCredential);
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.popInvocationCredential", "4220", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Installs the given Subject through {@code setInvocationSubject} when cell security is
     * enabled; does nothing otherwise.
     *
     * <p>Presumably the argument is the value saved by a matching push call; this method does not
     * check where it came from, so verify against the callers.
     *
     * @param subject the Subject to install; passed through unchanged
     * @throws WSSecurityException wrapping any exception raised while setting the Subject
     *         (also reported to FFDC)
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void popInvocationSubject(Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            setInvocationSubject(subject);
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.popInvocationSubject", "4234", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Installs the given Subject through {@code setCallerSubject} when cell security is enabled;
     * does nothing otherwise.
     *
     * <p>Note that the "received" Subject is stored with the caller-subject setter. Presumably the
     * argument is the value saved by a matching push call; verify against the callers.
     *
     * @param subject the Subject to install; passed through unchanged
     * @throws WSSecurityException wrapping any exception raised while setting the Subject
     *         (also reported to FFDC)
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void popReceivedSubject(Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            setCallerSubject(subject);
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.popReceivedSubject", "4247", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Reports whether this process is a server process.
     *
     * @return the value of {@code RasHelper.isServer()}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean processIsServer() {
        final boolean serverProcess = RasHelper.isServer();
        return serverProcess;
    }

    /**
     * After a login, caches token material for the subject so that later requests can be
     * mapped back to it.
     *
     * <p>When the credential is forwardable and an SSO token is present, the method:
     * <ul>
     *   <li>stores an opaque token for the subject in the distributed cache, keyed by the
     *       SSO token bytes and, when an inbound token was supplied, also keyed by that
     *       inbound token (only if web inbound propagation is enabled);</li>
     *   <li>stores the subject's KRBAuthnToken, if any, through
     *       {@code putDistributedObjectNotShared}, keyed by the SSO token bytes.</li>
     * </ul>
     * Cache lifetimes are derived from the credential / propagation-token / Kerberos-token
     * expiration, so entries are not written for already-expired tokens.
     *
     * <p>Every exception is caught, traced and reported to FFDC; nothing is propagated to
     * the caller, so a failure here leaves the login itself unaffected.
     *
     * @param subject subject produced by the login
     * @param str     only used in the entry trace here
     * @param bArr    inbound token bytes, or {@code null}; used as an additional cache key
     */
    private void processSubjectForPropagationAfterLogin(Subject subject, String str, byte[] bArr) {
        long expiration;
        if (tc.isEntryEnabled()) {
            // NOTE(review): the inbound token is handed to the trace wrapped in a ByteArray;
            // whether its bytes are rendered depends on ByteArray.toString() — confirm that
            // entry trace cannot expose usable token material.
            Tr.entry(tc, "processSubjectForPropagationAfterLogin", new Object[]{str, new ByteArray(bArr)});
        }
        try {
            Object obj = null;
            CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
            if (cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled") && bArr != null) {
                // obj is the cache key built from the inbound token; it stays null when
                // propagation is disabled or no inbound token was supplied.
                obj = new ByteArray(bArr);
                if (((byte[]) getDistributedObject(obj)) != null) {
                    // The inbound token is already mapped: nothing to do. Both paths below
                    // return; they differ only in whether the exit trace is written.
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "processSubjectForPropagationAfterLogin (token already exists in DRS).");
                        return;
                    }
                    return;
                }
            }
            WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
            // NOTE(review): the Kerberos test is a suffix match (endsWith), not equality. An
            // empty string from getOID() satisfies endsWith, as would any trailing fragment
            // of the Kerberos OID — confirm the format getOID() returns.
            if (cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled") || KRB5MechOID.value.endsWith(wSCredentialFromSubject.getOID())) {
                // Only forwardable credentials are ever written to the caches.
                if (wSCredentialFromSubject.isForwardable()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Getting SSO token from Subject.");
                    }
                    SingleSignonToken defaultSSOTokenFromSubject = SubjectHelper.getDefaultSSOTokenFromSubject(subject);
                    if (defaultSSOTokenFromSubject != null) {
                        // byteArray is the cache key built from the SSO token bytes.
                        Object byteArray = new ByteArray(defaultSSOTokenFromSubject.getBytes());
                        PropagationToken propagationToken = getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
                        // Cache lifetime ends at the earlier of the propagation token's and the
                        // credential's expiration.
                        if (propagationToken != null) {
                            expiration = propagationToken.getExpiration() < wSCredentialFromSubject.getExpiration() ? propagationToken.getExpiration() : wSCredentialFromSubject.getExpiration();
                        } else {
                            expiration = wSCredentialFromSubject.getExpiration();
                        }
                        long currentTimeMillis = System.currentTimeMillis();
                        // j: remaining lifetime in milliseconds; i: the same in whole seconds.
                        long j = expiration - currentTimeMillis;
                        // NOTE(review): narrowing cast — a remaining lifetime beyond the int
                        // range in seconds would wrap; presumably unreachable for real tokens.
                        int i = (int) (j / 1000);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "timeToLiveSeconds: " + i);
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "current_time: " + currentTimeMillis);
                            Tr.debug(tc, "expiration_time: " + expiration);
                            Tr.debug(tc, "timeToLiveMillis: " + j);
                            Tr.debug(tc, "timeToLiveSeconds: " + i);
                        }
                        if (cSIv2Config.getBoolean("com.ibm.ws.security.webInboundPropagationEnabled")) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Checking DRS using SSO token.");
                            }
                            // obj2: opaque token already cached under the SSO token, if any.
                            Object obj2 = (byte[]) getDistributedObject(byteArray);
                            if (obj2 == null) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Creating new opaque token.");
                                }
                                obj2 = WSOpaqueTokenHelper.getInstance().createOpaqueTokenFromSubject(subject);
                                // j > 0 keeps an already-expired token out of the cache.
                                if (j > 0 && obj2 != null) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Adding opaque token to distributed cache with timeToLive " + i + " seconds.");
                                    }
                                    putDistributedObject(byteArray, obj2, i);
                                } else if (tc.isDebugEnabled()) {
                                    // This message is also written when the token is non-null
                                    // but the remaining lifetime is not positive.
                                    Tr.debug(tc, "Opaque token was null.");
                                }
                            }
                            if (obj != null) {
                                // Second mapping: inbound token -> same opaque token, same TTL.
                                if (j > 0 && obj2 != null) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Adding input token to distributed cache with timeToLive " + i + " seconds.");
                                    }
                                    putDistributedObject(obj, obj2, i);
                                }
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Input token was null, not adding to DRS.");
                            }
                        }
                        KRBAuthnToken kerberosAuthnTokenFromSubject = SubjectHelper.getKerberosAuthnTokenFromSubject(subject);
                        if (kerberosAuthnTokenFromSubject != null) {
                            // The Kerberos token gets its own lifetime, taken from the token
                            // itself, and goes through the "not shared" put.
                            int tokenExpiration = (int) ((kerberosAuthnTokenFromSubject.getTokenExpiration() - currentTimeMillis) / 1000);
                            if (tokenExpiration > 0) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Adding KRBAuthnToken to local cache with timeToLive " + tokenExpiration + " seconds.");
                                }
                                putDistributedObjectNotShared(byteArray, kerberosAuthnTokenFromSubject, tokenExpiration);
                            } else if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "KRBAuthnToken time to live is " + tokenExpiration);
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "krbAuthnToken token was null, not adding to DRS.");
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Cannot find SSO token, not adding opaque token to distributed cache.");
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSCredential is not forwardable, not adding to distributed cache.");
                }
            }
        } catch (Exception e) {
            // Best effort: the failure is traced and reported to FFDC but never rethrown.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception adding opaque authz token to distributed cache.", new Object[]{e});
            }
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.processSubjectForPropagationAfterLogin", "4370", this);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processSubjectForPropagationAfterLogin");
        }
    }

    /**
     * Replaces the current thread's invocation credential and hands back the one that
     * was in effect, so the caller can restore it with
     * {@link #popInvocationCredential(WSCredential)}.
     *
     * @param wSCredential credential to install
     * @return the credential that was current before the call, or {@code null} when cell
     *         security is disabled (nothing is changed in that case)
     * @throws WSSecurityException if reading or setting the credential fails; the failure
     *         is reported to FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public WSCredential pushInvocationCredential(WSCredential wSCredential) throws WSSecurityException {
        if (isCellSecurityEnabled()) {
            try {
                // Capture the old value before overwriting it.
                final WSCredential previous = getInvocationCredential();
                setInvocationCredential(wSCredential);
                return previous;
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.pushInvocationCredential", "4385", this);
                throw new WSSecurityException(failure.getMessage(), failure);
            }
        }
        return null;
    }

    /**
     * Replaces the current thread's invocation subject and hands back the one that was
     * in effect, so the caller can restore it with {@link #popInvocationSubject(Subject)}.
     *
     * @param subject subject to install; {@code null} is passed through unchanged
     * @return the subject that was current before the call, or {@code null} when cell
     *         security is disabled (nothing is changed in that case)
     * @throws WSSecurityException if reading or setting the subject fails; the failure is
     *         reported to FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject pushInvocationSubject(Subject subject) throws WSSecurityException {
        if (isCellSecurityEnabled()) {
            try {
                // Capture the old value before overwriting it.
                final Subject previous = getInvocationSubject();
                setInvocationSubject(subject);
                return previous;
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.pushInvocationSubject", "4408", this);
                throw new WSSecurityException(failure.getMessage(), failure);
            }
        }
        return null;
    }

    /**
     * Replaces the current thread's received (caller) subject and hands back the one that
     * was in effect, so the caller can restore it with {@link #popReceivedSubject(Subject)}.
     *
     * @param subject subject to install; {@code null} is passed through unchanged
     * @return the caller subject that was current before the call, or {@code null} when
     *         cell security is disabled (nothing is changed in that case)
     * @throws WSSecurityException if reading or setting the subject fails; the failure is
     *         reported to FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject pushReceivedSubject(Subject subject) throws WSSecurityException {
        if (isCellSecurityEnabled()) {
            try {
                // Capture the old value before overwriting it.
                final Subject previous = getCallerSubject();
                setCallerSubject(subject);
                return previous;
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.pushReceivedSubject", "4425", this);
                throw new WSSecurityException(failure.getMessage(), failure);
            }
        }
        return null;
    }

    /**
     * Stores a named property in the current thread's security context.
     *
     * @param str property name
     * @param obj property value
     * @return whatever {@code set_property} returns (presumably the previous value —
     *         confirm against the thread-local implementation), or {@code null} when cell
     *         security is disabled, in which case nothing is stored
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object put(String str, Object obj) {
        return isCellSecurityEnabled() ? getThreadLocal().set_property(str, obj) : null;
    }

    /**
     * Best-effort write to the credential token mapper's distributed cache.
     *
     * <p>Any exception is reported to FFDC, optionally traced, and converted to a
     * {@code null} result; callers cannot distinguish a failed write from a {@code null}
     * return of the mapper.
     *
     * @param obj  cache key
     * @param obj2 value to store
     * @param i    time to live passed to the mapper (callers in this class pass seconds)
     * @return the mapper's return value, or {@code null} on failure
     */
    private Object putDistributedObject(Object obj, Object obj2, int i) {
        Object result;
        try {
            result = getWSCredTokenMapper().putDistributedObject(obj, obj2, i);
        } catch (Exception failure) {
            // NOTE(review): the FFDC source id below names getDistributedObject, not this
            // method; it is reproduced as-is because it is a runtime identifier.
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.distContextManager.getDistributedObject", "4475");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error setting distributed object.", new Object[]{failure});
            }
            result = null;
        }
        return result;
    }

    /**
     * Best-effort write to the credential token mapper's distributed cache, forwarding
     * the extended argument list unchanged.
     *
     * <p>Any exception is reported to FFDC, optionally traced, and converted to a
     * {@code null} result.
     *
     * @param obj    cache key
     * @param obj2   value to store
     * @param i      forwarded to the mapper as its third argument
     * @param i2     forwarded to the mapper as its fourth argument
     * @param i3     forwarded to the mapper as its fifth argument
     * @param objArr forwarded to the mapper as its sixth argument
     * @return the mapper's return value, or {@code null} on failure
     */
    private Object putDistributedObject(Object obj, Object obj2, int i, int i2, int i3, Object[] objArr) {
        Object result;
        try {
            result = getWSCredTokenMapper().putDistributedObject(obj, obj2, i, i2, i3, objArr);
        } catch (Exception failure) {
            // NOTE(review): the FFDC source id below names getDistributedObject, not this
            // method; it is reproduced as-is because it is a runtime identifier.
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.distContextManager.getDistributedObject", "4522");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error setting distributed object.", new Object[]{failure});
            }
            result = null;
        }
        return result;
    }

    /**
     * Best-effort write through the credential token mapper's "not shared" put.
     *
     * <p>Any exception is reported to FFDC, optionally traced, and converted to a
     * {@code null} result.
     *
     * @param obj  cache key
     * @param obj2 value to store
     * @param i    time to live passed to the mapper (the caller in this class passes seconds)
     * @return the mapper's return value, or {@code null} on failure
     */
    private Object putDistributedObjectNotShared(Object obj, Object obj2, int i) {
        Object result;
        try {
            result = getWSCredTokenMapper().putDistributedObjectNotShared(obj, obj2, i);
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.distContextManager.putDistributedObjectNotShared", "4562");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error setting none shared distributed object.", new Object[]{failure});
            }
            result = null;
        }
        return result;
    }

    /**
     * Clears the security state held for the current thread by calling
     * {@code clearThreadContextImpl()} on the thread-local holder.
     */
    private void removeStateFromTable() {
        getThreadLocal()
                .clearThreadContextImpl();
    }

    /**
     * Runs an action with the current thread's invocation subject and received (caller)
     * subject switched to a subject selected by {@code str}, then restores the previous
     * subjects.
     *
     * <p>Subject selection by mode:
     * <ul>
     *   <li>{@code "System"} — the server subject;</li>
     *   <li>{@code Constants.FAULT_CLIENT} — the caller subject, or the invocation subject
     *       when there is no caller subject;</li>
     *   <li>{@code "ReceivedClient"} — the caller subject, or {@code null} when there is none;</li>
     *   <li>{@code "Specified"} — the {@code subject} argument;</li>
     *   <li>any other value — {@code null}.</li>
     * </ul>
     * The switch is performed only when {@code com.ibm.CORBA.securityEnabled} is true. No
     * check of the caller's authority is visible in this method; it is private and relies
     * on its callers.
     *
     * @param subject                   subject to use in {@code "Specified"} mode; ignored otherwise
     * @param privilegedExceptionAction action to run
     * @param str                       mode selector; must not be {@code null} when security
     *                                  is enabled (it is dereferenced without a null check)
     * @return the action's result
     * @throws PrivilegedActionException wrapping an exception thrown by the action, by
     *         subject selection, or by subject restoration
     */
    private Object runAs(Subject subject, PrivilegedExceptionAction privilegedExceptionAction, String str) throws PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "runAs", new Object[]{subject, privilegedExceptionAction, str});
        }
        Object obj = null;
        // Before this manager is initialized in a server process the action is run
        // directly: no subject is pushed and the requested mode has no effect.
        if (!this.initialized && RasHelper.isServer()) {
            try {
                return privilegedExceptionAction.run();
            } catch (Exception e) {
                throw new PrivilegedActionException(e);
            }
        }
        debugCallingMethod();
        // subject2 / subject3: previous invocation / caller subjects, kept for restoration.
        Subject subject2 = null;
        Subject subject3 = null;
        // z: result of setSavedSubjects; decides whether clearSavedSubjects runs afterwards.
        boolean z = false;
        CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
        if (cSIv2Config.getBoolean("com.ibm.CORBA.securityEnabled")) {
            try {
                // subject4: the subject the action will run under (see mode table above).
                Subject subject4 = null;
                if (str.equals("System")) {
                    subject4 = getServerSubject();
                } else if (str.equals(com.ibm.ws.webservices.engine.Constants.FAULT_CLIENT)) {
                    Subject callerSubject = getCallerSubject();
                    subject4 = callerSubject != null ? callerSubject : getInvocationSubject();
                } else if (str.equals("ReceivedClient")) {
                    Subject callerSubject2 = getCallerSubject();
                    if (callerSubject2 != null) {
                        subject4 = callerSubject2;
                    }
                } else if (str.equals("Specified")) {
                    subject4 = subject;
                }
                // The same subject is installed as both invocation and caller subject.
                subject2 = pushInvocationSubject(subject4);
                subject3 = pushReceivedSubject(subject4);
                z = setSavedSubjects(subject2, subject3);
            } catch (Exception e2) {
                // NOTE(review): if the failure happened before a push completed (for example
                // getServerSubject() threw), subject2/subject3 are still null here, so the
                // pops below set the thread's subjects to null rather than leaving the
                // previous ones in place — confirm this is the intended failure state.
                // NOTE(review): each throw inside the nested try blocks below is itself caught
                // by the following catch (Exception ...), so as written the exception that
                // reaches the caller is wrapped more than once. This nesting looks like a
                // decompiler rendering; compare with the bytecode before relying on it.
                try {
                    popInvocationSubject(subject2);
                    popReceivedSubject(subject3);
                    subject3 = null;
                    FFDCFilter.processException(e2, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4665", this);
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e2});
                    }
                    throw new PrivilegedActionException(e2);
                } catch (Exception e3) {
                    try {
                        popReceivedSubject(subject3);
                        FFDCFilter.processException(e3, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4661", this);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e3});
                        }
                        throw new PrivilegedActionException(e3);
                    } catch (Exception e4) {
                        FFDCFilter.processException(e4, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4657", this);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e4});
                        }
                        throw new PrivilegedActionException(e4);
                    }
                }
            }
        }
        // exc: deferred failure, thrown (wrapped) only after the subjects were restored.
        Exception exc = null;
        try {
            obj = privilegedExceptionAction.run();
            // Normal completion: restore the previous subjects.
            if (cSIv2Config.getBoolean("com.ibm.CORBA.securityEnabled")) {
                try {
                    popInvocationSubject(subject2);
                    subject2 = null;
                    popReceivedSubject(subject3);
                    subject3 = null;
                    if (z) {
                        clearSavedSubjects();
                    }
                } catch (Exception e5) {
                    // Restoration failed part-way: retry both pops. A failure recorded here
                    // replaces the action's result with a PrivilegedActionException.
                    // NOTE(review): subject2 is already null if the first pop succeeded, so the
                    // retry then sets the invocation subject to null — confirm against bytecode.
                    try {
                        popInvocationSubject(subject2);
                        popReceivedSubject(subject3);
                        FFDCFilter.processException(e5, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4716", this);
                        exc = e5;
                    } catch (Exception e6) {
                        FFDCFilter.processException(e6, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4712", this);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e6});
                        }
                        throw new PrivilegedActionException(e6);
                    }
                }
            }
        } catch (Exception e7) {
            // The action (or the restoration above) threw: remember it, restore the
            // subjects, and rethrow it wrapped at the end of the method.
            exc = e7;
            if (cSIv2Config.getBoolean("com.ibm.CORBA.securityEnabled")) {
                try {
                    popInvocationSubject(subject2);
                    subject2 = null;
                    popReceivedSubject(subject3);
                    subject3 = null;
                    if (z) {
                        clearSavedSubjects();
                    }
                } catch (Exception e8) {
                    try {
                        popInvocationSubject(subject2);
                        popReceivedSubject(subject3);
                        FFDCFilter.processException(e8, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4716", this);
                        // The restoration failure overwrites the action's own exception.
                        exc = e8;
                    } catch (Exception e9) {
                        FFDCFilter.processException(e9, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4712", this);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e9});
                        }
                        throw new PrivilegedActionException(e9);
                    }
                }
            }
        } catch (Throwable th) {
            // Non-Exception throwables: restore the subjects, then rethrow unchanged.
            if (cSIv2Config.getBoolean("com.ibm.CORBA.securityEnabled")) {
                try {
                    popInvocationSubject(subject2);
                    subject2 = null;
                    popReceivedSubject(subject3);
                    subject3 = null;
                    if (z) {
                        clearSavedSubjects();
                    }
                } catch (Exception e10) {
                    try {
                        popInvocationSubject(subject2);
                        popReceivedSubject(subject3);
                        FFDCFilter.processException(e10, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4716", this);
                    } catch (Exception e11) {
                        FFDCFilter.processException(e11, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4712", this);
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{e11});
                        }
                        throw new PrivilegedActionException(e11);
                    }
                }
            }
            throw th;
        }
        if (exc != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "runAs(" + str + ") -> Exception occurred.", new Object[]{exc});
            }
            throw new PrivilegedActionException(exc);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "runAs(" + str + ")");
        }
        return obj;
    }

    /**
     * Runs the action in client mode: under the current caller subject, or under the
     * current invocation subject when no caller subject is set (see {@code runAs}).
     *
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action or the subject switch fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsClient(PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        final String mode = com.ibm.ws.webservices.engine.Constants.FAULT_CLIENT;
        return runAs(null, privilegedExceptionAction, mode);
    }

    /**
     * Runs the action in received-client mode: under the current caller subject, with no
     * fallback, so a missing caller subject means the action runs with a {@code null}
     * subject installed (see {@code runAs}).
     *
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action or the subject switch fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsReceivedClient(PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        final String mode = "ReceivedClient";
        return runAs(null, privilegedExceptionAction, mode);
    }

    /**
     * Runs the action under a subject supplied by the caller.
     *
     * <p>The supplied subject becomes both the invocation and the caller subject for the
     * duration of the action. No check of the calling code's authority is visible in this
     * method. NOTE(review): confirm that access to this entry point is restricted to
     * trusted callers.
     *
     * @param subject                   subject to run under; may be {@code null}
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action or the subject switch fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsSpecified(Subject subject, PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        final String mode = "Specified";
        return runAs(subject, privilegedExceptionAction, mode);
    }

    /**
     * Runs the action under a subject built from the supplied credential.
     *
     * <p>The subject is created with {@code SubjectHelper.createSubjectFromWSCredential}
     * and then installed as both invocation and caller subject for the duration of the
     * action. No check of the calling code's authority is visible in this method.
     * NOTE(review): confirm that access to this entry point is restricted to trusted callers.
     *
     * @param wSCredential              credential to derive the subject from
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action or the subject switch fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsSpecified(WSCredential wSCredential, PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        final Subject specified = SubjectHelper.createSubjectFromWSCredential(wSCredential);
        return runAs(specified, privilegedExceptionAction, "Specified");
    }

    /**
     * Runs the action as the server ("System") identity.
     *
     * <p>In a server process this delegates to {@code runAs} in {@code "System"} mode. In
     * any other process the action is simply executed on the calling thread with no
     * subject switch at all.
     *
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action fails; an exception that already is
     *         a {@code PrivilegedActionException} is rethrown without re-wrapping
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsSystem(PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        if (!processIsServer()) {
            try {
                debugCallingMethod();
                return privilegedExceptionAction.run();
            } catch (Exception failure) {
                FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.runAs", "4812", this);
                throw failure instanceof PrivilegedActionException
                        ? (PrivilegedActionException) failure
                        : new PrivilegedActionException(failure);
            }
        }
        return runAs(null, privilegedExceptionAction, "System");
    }

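    /**
     * Runs the action as the server identity, except on z/OS where — when the server
     * credential is an internal server credential and the
     * {@code SecurityConfig.TRANSACTION_USE_SAF_ID} property is {@code "true"} or
     * {@code "yes"} (case-insensitive) — it runs under the local OS platform credential
     * subject instead.
     *
     * <p>If the server subject is not available (for example because
     * {@code getServerSubject()} failed), the z/OS branch is skipped and the call falls
     * through to {@link #runAsSystem(PrivilegedExceptionAction)} instead of failing with a
     * {@code NullPointerException}.
     *
     * <p>NOTE(review): in the z/OS branch the local OS subject is installed with
     * {@code setInvocationSubject} before {@code runAsSpecified} is called, and nothing
     * visible here puts the earlier invocation subject back afterwards — confirm that
     * leaving the thread under the local OS subject is intended.
     *
     * @param privilegedExceptionAction action to run
     * @return the action's result
     * @throws PrivilegedActionException if the action or the subject switch fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Object runAsSystemOrSpecified(PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "runAsSystemOrSpecified");
        }
        Object result = null;
        boolean ranAsLocalOs = false;
        if (isCellSecurityEnabled() && PlatformHelperFactory.getPlatformHelper().isZOS()) {
            try {
                // Called for its side effect; the subject is read from the field below.
                getServerSubject();
            } catch (WSSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.runAsSystemOrSpecified", "4849", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getServerSubject() failed", e);
                }
            }
            WSCredential serverCredential = null;
            // The lookup above may have failed, so the field can still be unset.
            if (this.serverSubject != null) {
                Iterator it = this.serverSubject.getPublicCredentials(WSCredential.class).iterator();
                if (it.hasNext()) {
                    serverCredential = (WSCredential) it.next();
                }
            }
            if (serverCredential != null && isInternalServerCredential(serverCredential)) {
                String useSafId = getSecurityConfig().getProperty(SecurityConfig.TRANSACTION_USE_SAF_ID);
                if (useSafId != null && (useSafId.equalsIgnoreCase("true") || useSafId.equalsIgnoreCase("yes"))) {
                    Subject localOsSubject = WSLoginLocalOSExtensionFactory.getInstance().getLocalOSPlatformCredSubject();
                    try {
                        setInvocationSubject(localOsSubject);
                    } catch (Exception e2) {
                        // Deliberately best-effort: runAsSpecified below installs the same
                        // subject again, so the failure is only traced.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "failed to set the invocation subject.", e2);
                        }
                    }
                    result = runAsSpecified(localOsSubject, privilegedExceptionAction);
                    ranAsLocalOs = true;
                }
            }
        }
        if (!ranAsLocalOs) {
            result = runAsSystem(privilegedExceptionAction);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "runAsSystemOrSpecified");
        }
        return result;
    }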

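    /**
     * Stores the received (caller) credentials in the current thread's security state.
     *
     * <p>Does nothing when cell security is disabled. With debug trace enabled, the realm
     * security name of the first credential is written to the trace.
     *
     * @param wSCredentialArr credentials to store; passed unchanged to
     *                        {@code setWSReceivedCreds}, including {@code null} or an
     *                        empty array
     * @throws WSSecurityException if the credentials cannot be stored; the failure is
     *         reported to FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setCallerCredentials(WSCredential[] wSCredentialArr) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setCallerCredentials");
        }
        try {
            // The length check keeps an empty array from throwing inside the trace
            // statement, which would otherwise make the call fail only when debug trace
            // is switched on.
            if (tc.isDebugEnabled() && wSCredentialArr != null && wSCredentialArr.length > 0 && wSCredentialArr[0] != null) {
                Tr.debug(tc, "Setting WS received credential: " + wSCredentialArr[0].getRealmSecurityName());
            }
            getThreadLocal().get_state_of_curr_obj().setWSReceivedCreds(wSCredentialArr);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setCallerCredentials");
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.setCallerCredentials", "4915", this);
            throw new WSSecurityException(e.getMessage(), e);
        }
    }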

    /**
     * Sets the received (caller) subject in the current thread's security state.
     *
     * <p>Does nothing when cell security is disabled. In a z/OS server process with SMF
     * activity or interval recording enabled, the subject is also passed to
     * {@code setFirstAuthUser}.
     *
     * <p>With debug trace enabled the subject's string form is written to the trace from
     * inside {@code doPrivileged}. NOTE(review): a Subject's string form can include what
     * its credential objects print about themselves, so debug trace from this component
     * should be handled as sensitive data.
     *
     * @param subject subject to install; {@code null} clears the caller subject
     * @throws WSSecurityException if the subject cannot be set; the failure is reported to
     *         FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setCallerSubject(final Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setCallerSubject");
        }
        try {
            if (tc.isDebugEnabled()) {
                if (subject == null) {
                    Tr.debug(tc, "Setting caller subject to NULL.");
                } else {
                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.11
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            Tr.debug(ContextManagerImpl.tc, "Setting caller subject: " + subject);
                            return null;
                        }
                    });
                }
            }
            getThreadLocal().get_state_of_curr_obj().setCallerSubject(subject);
            // Evaluated as one short-circuit expression so the checks run in the same order.
            final boolean smfRecordingActive = RasHelper.isServer() && getPlatformHelper().isZOS() && (SmfJActivity.isServerActivityRecordingEnabled() || SmfJActivity.isServerIntervalRecordingEnabled());
            if (smfRecordingActive) {
                setFirstAuthUser(subject);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setCallerSubject");
            }
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.setCallerSubject", "4957", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Sets the invocation credential in the current thread's security state.
     *
     * <p>Does nothing when cell security is disabled. With debug trace enabled, the
     * credential's realm security name is written to the trace.
     *
     * @param wSCredential credential to install; {@code null} is passed through unchanged
     * @throws WSSecurityException if the credential cannot be set; the failure is reported
     *         to FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setInvocationCredential(WSCredential wSCredential) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "setInvocationCredential");
            }
            if (wSCredential != null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting WS invocation credential: " + wSCredential.getRealmSecurityName());
            }
            getThreadLocal().get_state_of_curr_obj().setWSInvocationCred(wSCredential);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setInvocationCredential");
            }
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.setInvocationCredential", "4982", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Sets the invocation subject in the current thread's security state.
     *
     * <p>Does nothing when cell security is disabled. In a z/OS server process with SMF
     * activity or interval recording enabled, the subject is also passed to
     * {@code setFirstAuthUser}.
     *
     * <p>With debug trace enabled the subject's string form is written to the trace from
     * inside {@code doPrivileged}. NOTE(review): a Subject's string form can include what
     * its credential objects print about themselves, so debug trace from this component
     * should be handled as sensitive data.
     *
     * @param subject subject to install; {@code null} clears the invocation subject
     * @throws WSSecurityException if the subject cannot be set; the failure is reported to
     *         FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setInvocationSubject(final Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "setInvocationSubject");
            }
            if (tc.isDebugEnabled()) {
                if (subject == null) {
                    Tr.debug(tc, "Setting invocation subject to NULL.");
                } else {
                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.12
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            Tr.debug(ContextManagerImpl.tc, "Setting invocation subject: " + subject);
                            return null;
                        }
                    });
                }
            }
            getThreadLocal().get_state_of_curr_obj().setInvocationSubject(subject);
            // Evaluated as one short-circuit expression so the checks run in the same order.
            final boolean smfRecordingActive = RasHelper.isServer() && getPlatformHelper().isZOS() && (SmfJActivity.isServerActivityRecordingEnabled() || SmfJActivity.isServerIntervalRecordingEnabled());
            if (smfRecordingActive) {
                setFirstAuthUser(subject);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setInvocationSubject");
            }
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.setInvocationSubject", "5024", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Sets the "own" subject in the current thread's security state.
     *
     * <p>Does nothing when cell security is disabled.
     *
     * <p>With debug trace enabled the subject's string form is written to the trace from
     * inside {@code doPrivileged}. NOTE(review): a Subject's string form can include what
     * its credential objects print about themselves, so debug trace from this component
     * should be handled as sensitive data.
     *
     * @param subject subject to install; {@code null} is passed through unchanged
     * @throws WSSecurityException if the subject cannot be set; the failure is reported to
     *         FFDC before being wrapped
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setOwnSubject(final Subject subject) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        try {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "setOwnSubject");
            }
            if (tc.isDebugEnabled()) {
                if (subject == null) {
                    Tr.debug(tc, "Setting own subject to NULL.");
                } else {
                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.13
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            Tr.debug(ContextManagerImpl.tc, "Setting own subject: " + subject);
                            return null;
                        }
                    });
                }
            }
            getThreadLocal().get_state_of_curr_obj().setOwnSubject(subject);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setOwnSubject");
            }
        } catch (Exception failure) {
            FFDCFilter.processException(failure, "com.ibm.ws.security.auth.ContextManagerImpl.setOwnSubject", "5060", this);
            throw new WSSecurityException(failure.getMessage(), failure);
        }
    }

    /**
     * Installs the given platform helper through the static
     * {@code PlatformHelperFactory.setPlatformHelper}.
     *
     * <p>Platform checks elsewhere in this class (for example {@code isZOS()}) are read
     * from the helper obtained via that factory. No check of the caller is visible in
     * this method. NOTE(review): confirm who is allowed to replace the helper.
     *
     * @param platformHelper helper to install
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setPlatformHelper(PlatformHelper platformHelper) {
        final PlatformHelper replacement = platformHelper;
        PlatformHelperFactory.setPlatformHelper(replacement);
    }

    /**
     * Replaces the propagation-token map held for the current thread.
     *
     * <p>Does nothing when cell security is disabled. The map is handed to the
     * thread-local holder as-is; no copy or validation is made in this method.
     *
     * @param map propagation tokens to store
     * @throws WSSecurityException declared by the interface; not thrown directly by this method
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setPropagationTokens(Map map) throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return;
        }
        getThreadLocal().set_propagation_tokens(map);
    }

    /**
     * Stores a single propagation token for the current thread under the given key.
     *
     * @param str              token key; must not be {@code null} when cell security is enabled
     * @param propagationToken token to store; not checked for {@code null} here
     * @return whatever {@code set_propagation_token} returns (presumably the token
     *         previously stored under the key — confirm), or {@code null} when cell
     *         security is disabled, in which case nothing is stored
     * @throws WSSecurityException if {@code str} is {@code null} while cell security is enabled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public PropagationToken setPropagationToken(String str, PropagationToken propagationToken) throws WSSecurityException {
        if (isCellSecurityEnabled()) {
            if (str == null) {
                throw new WSSecurityException("Invalid null parameters.");
            }
            return getThreadLocal().set_propagation_token(str, propagationToken);
        }
        return null;
    }

    /**
     * Records the root exception for the current thread, first writer wins.
     *
     * <p>Does nothing when cell security is disabled or when a root exception is already
     * recorded, so a later failure never overwrites the first one.
     *
     * @param th exception to record
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setRootException(Throwable th) {
        if (!isCellSecurityEnabled()) {
            return;
        }
        if (getThreadLocal().get_root_exception() != null) {
            // Keep the exception that was recorded first.
            return;
        }
        getThreadLocal().set_root_exception(th);
    }

    /**
     * Sets this manager's {@code serverSecurityEnabled} flag.
     *
     * <p>The field is assigned directly; no check of the caller is visible in this method.
     * NOTE(review): this flag presumably feeds security-enablement decisions elsewhere in
     * the class — confirm who is allowed to call this setter.
     *
     * @param z new value of the flag
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setServerSecurityEnabled(boolean z) {
        final boolean enabled = z;
        this.serverSecurityEnabled = enabled;
    }

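    /**
     * Checks whether the subject holds any of the given administrative roles.
     *
     * <p>The decision is delegated to the {@code RoleBasedAuthorizer} obtained for
     * {@code Constants.ADMIN_APP} / {@code "domain"}.
     *
     * <p>When cell security is disabled this method returns {@code true} for every
     * subject and role, so callers must not treat a {@code true} result as proof of an
     * actual role grant in that configuration.
     *
     * <p>Any failure of the authorizer is rethrown as {@link WSSecurityException} with the
     * original throwable as its cause. The registry lookup that decides whether the
     * failure is reported to FFDC is guarded, so a problem in that lookup cannot replace
     * the original authorization failure.
     *
     * @param strArr  role names to test
     * @param subject subject to test
     * @return {@code true} if the authorizer grants one of the roles, or if cell security
     *         is disabled
     * @throws WSSecurityException if the authorization check fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isGrantedAdminRole(String[] strArr, Subject subject) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAdminRole");
        }
        if (!isCellSecurityEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isGrantedAdminRole - return true");
            }
            return true;
        }
        try {
            RoleBasedAuthorizer roleBasedAuthorizer = RoleBasedConfiguratorFactory.getConfigurator().getRoleBasedAuthorizer(com.ibm.ws.security.util.Constants.ADMIN_APP, "domain");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Got the RoleBasedAuthorizer object.");
            }
            boolean isGrantedRole = roleBasedAuthorizer.isGrantedRole(strArr, subject);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isGrantedAdminRole", Boolean.valueOf(isGrantedRole));
            }
            return isGrantedRole;
        } catch (Throwable th) {
            // FFDC is skipped only when the registry's string form contains WIM_UR.
            boolean wimRegistry = false;
            try {
                Object registry = getRegistryObject();
                wimRegistry = registry != null && registry.toString().indexOf(this.WIM_UR) != -1;
            } catch (Exception ignored) {
                // The lookup only selects the reporting path; if it fails, report to FFDC
                // and keep the original failure as the exception the caller sees.
            }
            if (!wimRegistry) {
                FFDCFilter.processException(th, "com.ibm.ws.security.auth.ContextManagerImpl.isGrantedAdminRole", "5149", this);
            }
            throw new WSSecurityException(th.getMessage(), th);
        }
    }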

    /**
     * Reports whether the server subject has been created.
     *
     * <p>In a non-server process the flag is forced to {@code true}. In a server process with no
     * admin context on the thread and a domain id other than "admin", the answer is taken from
     * the "admin" context manager and cached in {@code serverSubjectCreated}. Otherwise the
     * current field value is returned unchanged.
     *
     * @return the (possibly refreshed) {@code serverSubjectCreated} flag
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isServerSubjectCreated() {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "isServerSubjectCreated");
        }
        if (processIsServer()) {
            if (AdminContext.peek() == null && !this._domainId.equalsIgnoreCase("admin")) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isServerSubjectCreated sending to admin ContextManager");
                }
                this.serverSubjectCreated = ContextManagerFactory.getInstance("admin").isServerSubjectCreated();
            }
        } else {
            this.serverSubjectCreated = true;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "process is not server, returning true");
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "isServerSubjectCreated:" + this.serverSubjectCreated);
        }
        return this.serverSubjectCreated;
    }

    /**
     * Reports whether a credential's access ID is the internal server ID.
     *
     * <p>The check fails closed: any exception raised while reading the access ID or evaluating
     * it (including a {@code null} credential) is traced as an event and the result is {@code false}.
     *
     * @param wSCredential credential whose access ID is tested
     * @return result of {@code isInternalServerId} for the credential's access ID, or {@code false} on error
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isInternalServerCredential(WSCredential wSCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isInternalServerCredential", wSCredential);
        }
        boolean internal = false;
        try {
            internal = isInternalServerId(wSCredential.getAccessId());
        } catch (Exception e) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Unable to acquire access ID", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isInternalServerCredential", Boolean.valueOf(internal));
        }
        return internal;
    }

    /* JADX WARN: Code restructure failed: missing block: B:11:0x0045, code lost:
    
        if (r7.startsWith(r0.toString()) != false) goto L12;
     */
    /**
     * Reports whether an ID denotes the internal server identity.
     *
     * <p>NOTE(review): the decompiler could not rebuild this method, so the Java body below only
     * throws {@link UnsupportedOperationException}. In this listing that means
     * {@code isInternalServerCredential}, which catches {@code Exception}, always answers
     * {@code false}. The original logic survives only in the instruction dump kept in the comment
     * inside the method.
     *
     * <p>According to that dump, the original returns {@code true} when the argument is non-null
     * and starts with either {@code "server"} or {@code getDefaultRealm() + "/server"}; any
     * exception is traced as "Unable to determine internal server ID" and yields {@code false}.
     *
     * <p>NOTE(review): the dump shows a bare prefix match with no delimiter after
     * {@code "server"}. Whether a non-server identity can share that prefix depends on the
     * access-ID format, which is not visible here; confirm before treating the result as a trust
     * decision.
     *
     * @param r7 ID to test (register name left by the decompiler)
     * @return never returns normally in this listing
     * @throws UnsupportedOperationException always, because the method was not decompiled
     */
    @Override // com.ibm.ws.security.core.ContextManager
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public boolean isInternalServerId(java.lang.String r7) {
        /*
            r6 = this;
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isEntryEnabled()
            if (r0 == 0) goto L13
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.String r1 = "isInternalServerId"
            r2 = r7
            com.ibm.ejs.ras.Tr.entry(r0, r1, r2)
        L13:
            r0 = 0
            r8 = r0
            java.lang.StringBuffer r0 = new java.lang.StringBuffer     // Catch: java.lang.Exception -> L4d
            r1 = r0
            r2 = r6
            java.lang.String r2 = r2.getDefaultRealm()     // Catch: java.lang.Exception -> L4d
            r1.<init>(r2)     // Catch: java.lang.Exception -> L4d
            r9 = r0
            r0 = r9
            java.lang.String r1 = "/"
            java.lang.StringBuffer r0 = r0.append(r1)     // Catch: java.lang.Exception -> L4d
            java.lang.String r1 = "server"
            java.lang.StringBuffer r0 = r0.append(r1)     // Catch: java.lang.Exception -> L4d
            r0 = r7
            if (r0 == 0) goto L4a
            r0 = r7
            java.lang.String r1 = "server"
            boolean r0 = r0.startsWith(r1)     // Catch: java.lang.Exception -> L4d
            if (r0 != 0) goto L48
            r0 = r7
            r1 = r9
            java.lang.String r1 = r1.toString()     // Catch: java.lang.Exception -> L4d
            boolean r0 = r0.startsWith(r1)     // Catch: java.lang.Exception -> L4d
            if (r0 == 0) goto L4a
        L48:
            r0 = 1
            r8 = r0
        L4a:
            goto L63
        L4d:
            r9 = move-exception
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isEventEnabled()
            if (r0 == 0) goto L61
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.String r1 = "Unable to determine internal server ID"
            r2 = r9
            com.ibm.ejs.ras.Tr.event(r0, r1, r2)
        L61:
            r0 = 0
            r8 = r0
        L63:
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isEntryEnabled()
            if (r0 == 0) goto L7d
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.String r1 = "isInternalServerId"
            java.lang.Boolean r2 = new java.lang.Boolean
            r3 = r2
            r4 = r8
            r3.<init>(r4)
            com.ibm.ejs.ras.Tr.exit(r0, r1, r2)
        L7d:
            r0 = r8
            return r0
        */
        // Decompiler placeholder: reached on every call in this listing.
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.ContextManagerImpl.isInternalServerId(java.lang.String):boolean");
    }

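    /**
     * Strips everything up to and including the first {@code ':'} from a string.
     *
     * <p>The previous version compared the colon index with {@code 1} instead of testing for
     * "not found", so a one-character prefix such as {@code "x:rest"} was returned unchanged
     * and traced as "prefix not found". The not-found test now uses the {@code indexOf}
     * sentinel ({@code -1}).
     *
     * @param str value that may carry a {@code prefix:} part; must not be {@code null}
     * @return the text after the first colon, or {@code str} itself when it contains no colon
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public String removePrefix(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "removePrefix", str);
        }
        int colonIndex = str.indexOf(':');
        if (colonIndex < 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "removePrefix: prefix not found", str);
            }
            return str;
        }
        String withoutPrefix = str.substring(colonIndex + 1);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "removePrefix", withoutPrefix);
        }
        return withoutPrefix;
    }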

    /**
     * Returns the "first authenticated user" recorded in the current thread's state object.
     *
     * @return value of {@code StateofCurrObj.getFirstAuthUser()} for this thread; the user ID is
     *         also written to the exit trace when entry/exit tracing is on
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getFirstAuthUser() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getFirstAuthUser");
        }
        StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
        String user = threadState.getFirstAuthUser();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getFirstAuthUser", user);
        }
        return user;
    }

    /**
     * Records the platform user ID of a subject as the thread's "first authenticated user".
     *
     * <p>Nothing happens for a {@code null} subject or once the thread state's auth flag is set.
     * The auth flag is set only when the subject carries an authenticated {@link WSCredential}
     * and is not the server subject; the first-auth-user value itself is written on every call
     * that gets past the guard, whether or not the flag was set.
     *
     * <p>A {@link WSSecurityException} is reported to FFDC and otherwise swallowed.
     *
     * @param subject subject whose platform credential supplies the user ID; may be {@code null}
     */
    public void setFirstAuthUser(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setFirstAuthUser", subject);
        }
        StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
        boolean shouldRecord = subject != null && !threadState.getAuthFlag();
        if (shouldRecord) {
            try {
                WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);
                boolean authenticatedUser =
                        credential != null && !credential.isUnauthenticated() && !isServerSubject(subject);
                if (authenticatedUser) {
                    // Latch: later calls on this thread are ignored once a real user has been seen.
                    threadState.setAuthFlag(true);
                }
                PlatformCredential platformCredential = getPlatformCredentialFromSubject(subject);
                String userId = platformCredential != null ? platformCredential.getUserId() : null;
                threadState.setFirstAuthUser(userId);
            } catch (WSSecurityException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.setFirstAuthUser", "5296", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error setting firstAuthUser");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setFirstAuthUser");
        }
    }

    /**
     * Looks up the platform credential of a subject and returns its user ID.
     *
     * <p>Unlike the private {@code getPlatformCredentialFromSubject} helper, no default
     * credential is created here: a subject without a platform credential yields {@code null}.
     *
     * @param subject subject to inspect
     * @return the platform credential's user ID, or {@code null} if the subject has none
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getSAFUserFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSAFUserFromSubject", subject);
        }
        PlatformCredential platformCredential = this._platformCredManager.getPlatformCredentialFromSubject(subject);
        String userId = platformCredential == null ? null : platformCredential.getUserId();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSAFUserFromSubject", userId);
        }
        return userId;
    }

    /**
     * Returns the platform credential of a subject, falling back to a default credential.
     *
     * @param subject subject to inspect
     * @return the subject's platform credential, or the result of
     *         {@code _platformCredManager.createDefaultCredential()} when the subject has none
     */
    private PlatformCredential getPlatformCredentialFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPlatformCredentialFromSubject", subject);
        }
        PlatformCredential credential = this._platformCredManager.getPlatformCredentialFromSubject(subject);
        if (credential == null) {
            // No credential on the subject: substitute the manager's default one.
            credential = this._platformCredManager.createDefaultCredential();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPlatformCredentialFromSubject", credential);
        }
        return credential;
    }

    /**
     * Returns the shared {@code ServiceWithContext}, creating it on first use.
     *
     * @return the instance held in {@code svc}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public ServiceWithContext getServiceWithContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServiceWithContext");
        }
        // NOTE(review): lazy initialisation without visible synchronisation; two threads may each
        // create an instance. Confirm whether that matters for ServiceWithContextImpl.
        if (svc == null) {
            svc = new ServiceWithContextImpl();
        }
        ServiceWithContext service = svc;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getServiceWithContext", svc);
        }
        return service;
    }

    /**
     * Creates a new {@code ContextImpl} and returns it.
     *
     * @return a freshly constructed {@code ContextImpl}
     * @throws WSSecurityException declared by the interface; not thrown by the code visible here
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Context getSerializableContext() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSerializableContext");
        }
        Context snapshot = new ContextImpl();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSerializableContext", snapshot);
        }
        return snapshot;
    }

    /**
     * Looks up the {@code SecurityService} in the service registry.
     *
     * @return the registered service, or {@code null} if the lookup threw; the exception is only
     *         written to the debug trace, so callers must handle {@code null}
     */
    private SecurityService getSecurityService() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityService");
        }
        SecurityService service;
        try {
            service = (SecurityService) WsServiceRegistry.getService(this, SecurityService.class);
        } catch (Exception e) {
            service = null;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception getting security service:", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityService", service);
        }
        return service;
    }

    /**
     * Tracks security-service start and stop events in {@code isSecurityServiceStarted}.
     *
     * <p>State {@code 1} sets the flag and state {@code 2} clears it; every other state leaves
     * it untouched. NOTE(review): the numeric codes presumably mirror started/stopped constants
     * of the event type; confirm against {@code SecurityServiceEvent}.
     *
     * @param securityServiceEvent event carrying the new service state
     */
    @Override // com.ibm.ws.security.service.SecurityServiceListener
    public void stateChanged(SecurityServiceEvent securityServiceEvent) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stateChanged, current Security Service state: " + (this.isSecurityServiceStarted ? WsComponent.STARTED : WsComponent.STOPPED));
        }
        switch (securityServiceEvent.getState()) {
            case 1:
                this.isSecurityServiceStarted = true;
                break;
            case 2:
                this.isSecurityServiceStarted = false;
                break;
            default:
                // Other states do not affect the flag.
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "stateChanged, new Security Service state: " + (this.isSecurityServiceStarted ? WsComponent.STARTED : WsComponent.STOPPED));
        }
    }

    /**
     * Returns the flag maintained by {@code stateChanged}.
     *
     * @return {@code true} if the last relevant event marked the security service as started
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isSecurityServiceStarted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSecurityServiceStarted", Boolean.valueOf(this.isSecurityServiceStarted));
        }
        // Only an entry trace is written; the method has no matching exit trace.
        return this.isSecurityServiceStarted;
    }

    /**
     * Returns the {@code isAuthenticateSpecialMethodsEnabled} setting held by this manager.
     *
     * @return current value of the field; where it is initialised is outside this method
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isAuthenticateSpecialMethodsEnabled() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isAuthenticateSpecialMethodsEnabled", Boolean.valueOf(this.isAuthenticateSpecialMethodsEnabled));
        }
        return this.isAuthenticateSpecialMethodsEnabled;
    }

    /**
     * Delegates to {@code StatsFactory.isPMIEnabled()}.
     *
     * @return whatever {@code StatsFactory} reports
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean isPMIEnabled() {
        final boolean pmiEnabled = StatsFactory.isPMIEnabled();
        return pmiEnabled;
    }

    /**
     * Forwards a named authentication counter event to {@code authModule}.
     *
     * <p>Names are matched case-insensitively against {@code RMIAuthCount},
     * {@code JAASIDAssertionCount}, {@code JAASBasicAuthCount} and {@code JAASTokenAuthCount}.
     * Unknown names and a {@code null} {@code authModule} are ignored silently.
     *
     * @param str counter name; must not be {@code null}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void pmiCountStatistic(String str) {
        if (str.equalsIgnoreCase("RMIAuthCount")) {
            if (this.authModule != null) {
                this.authModule.onRMIAuthCount();
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASIDAssertionCount")) {
            if (this.authModule != null) {
                this.authModule.onJAASIDAssertionCount();
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASBasicAuthCount")) {
            if (this.authModule != null) {
                this.authModule.onJAASBasicAuthCount();
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASTokenAuthCount") && this.authModule != null) {
            this.authModule.onJAASTokenAuthCount();
        }
    }

    /**
     * Forwards a named authentication timing sample to {@code authModule}.
     *
     * <p>Names are matched case-insensitively against {@code RMIAuthTime},
     * {@code JAASIDAssertionTime}, {@code JAASBasicAuthTime} and {@code JAASTokenAuthTime}.
     * Unknown names and a {@code null} {@code authModule} are ignored silently.
     *
     * @param str statistic name; must not be {@code null}
     * @param j value passed unchanged to the matching {@code authModule} callback
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void pmiTimeStatistic(String str, long j) {
        if (str.equalsIgnoreCase("RMIAuthTime")) {
            if (this.authModule != null) {
                this.authModule.onRMIAuthTime(j);
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASIDAssertionTime")) {
            if (this.authModule != null) {
                this.authModule.onJAASIDAssertionTime(j);
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASBasicAuthTime")) {
            if (this.authModule != null) {
                this.authModule.onJAASBasicAuthTime(j);
            }
            return;
        }
        if (str.equalsIgnoreCase("JAASTokenAuthTime") && this.authModule != null) {
            this.authModule.onJAASTokenAuthTime(j);
        }
    }

    /**
     * Returns the subject that was in effect before a run-as switch on this thread.
     *
     * <p>The first non-null entry of the thread state's saved-subject pair is used (slot 0, then
     * slot 1); when both are {@code null} the current invocation subject is returned instead.
     *
     * @return the saved or invocation subject, or {@code null} when cell security is disabled
     * @throws WSSecurityException wrapping any exception raised while reading the thread state
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public Subject getSubjectBeforeRunAs() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubjectBeforeRunAs");
        }
        try {
            Subject[] saved = getThreadLocal().get_state_of_curr_obj().getSavedSubjects();
            Subject original = saved[0];
            if (original == null) {
                original = saved[1];
            }
            if (original == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There were no saved subjects.  Getting invocationSubject");
                }
                original = getInvocationSubject();
            }
            if (tc.isEntryEnabled()) {
                // The subject's string form goes to the trace log here.
                Tr.exit(tc, "getSubjectBeforeRunAs - returning: " + original);
            }
            return original;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getSubjectBeforeRunAs", "5536", this);
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Returns the user name that was in effect before a run-as switch on this thread.
     *
     * <p>The value stored in the thread state is preferred. If it is {@code null} or blank, the
     * realm security name of the credential in {@code getSubjectBeforeRunAs()} is used; if that
     * subject has no credential the stored (null or blank) value is returned as is.
     *
     * @return the user name, or {@code null} when cell security is disabled
     * @throws WSSecurityException wrapping any exception raised during the credential lookup
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getUserBeforeRunAs() throws WSSecurityException {
        if (!isCellSecurityEnabled()) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUserBeforeRunAs");
        }
        String user = getThreadLocal().get_state_of_curr_obj().getUserBeforeRunAs();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "user from the state: " + user);
        }
        boolean missing = user == null || user.trim().isEmpty();
        if (missing) {
            try {
                WSCredential credential = SubjectHelper.getWSCredentialFromSubject(getSubjectBeforeRunAs());
                if (credential != null) {
                    user = credential.getRealmSecurityName();
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "user from the subject: " + user);
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getUserBeforeRunAs", "5572", this);
                throw new WSSecurityException(e.getMessage(), e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUserBeforeRunAs - returning: " + user);
        }
        return user;
    }

    /**
     * Stores the pair of pre-run-as subjects in the current thread's state object.
     *
     * <p>With debug tracing on, both subjects are written to the trace inside a privileged
     * action. NOTE(review): that puts each subject's string form into the trace log; what
     * {@code Subject.toString()} reveals depends on the credentials it holds, so treat debug
     * traces from this method as sensitive.
     *
     * @param subject first saved subject; may be {@code null}
     * @param subject2 second ("rec") saved subject; may be {@code null}
     * @return the value returned by {@code StateofCurrObj.setSavedSubjects}, or {@code false}
     *         when cell security is disabled
     * @throws WSSecurityException wrapping any exception raised while storing the subjects
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public boolean setSavedSubjects(final Subject subject, final Subject subject2) throws WSSecurityException {
        boolean stored = false;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setSavedSubjects");
        }
        if (isCellSecurityEnabled()) {
            try {
                if (tc.isDebugEnabled()) {
                    java.security.AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.auth.ContextManagerImpl.14
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            Tr.debug(ContextManagerImpl.tc,
                                    subject == null ? "Setting null for savedSubject" : "Setting savedSubject:" + subject);
                            Tr.debug(ContextManagerImpl.tc,
                                    subject2 == null ? "Setting null for recSavedSubject" : "Setting recSavedSubject:" + subject2);
                            return null;
                        }
                    });
                }
                stored = getThreadLocal().get_state_of_curr_obj().setSavedSubjects(subject, subject2);
            } catch (Exception e) {
                // The FFDC source id names setAuditSubject; it is kept as emitted by the original code.
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.setAuditSubject", "5619", this);
                throw new WSSecurityException(e.getMessage(), e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setSavedSubjects");
        }
        return stored;
    }

    /**
     * Clears the saved subjects and the saved pre-run-as user from the current thread's state.
     *
     * <p>Unlike the getters and setter for the same state, this method does not check whether
     * cell security is enabled before touching the thread context.
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void clearSavedSubjects() {
        StateofCurrObj threadState = getThreadLocal().get_state_of_curr_obj();
        threadState.clearSavedSubjects();
        threadState.clearUserBeforeRunAs();
    }

    /**
     * Extracts the object-adapter name from serialized user-key bytes.
     *
     * <p>Parsing failures are not propagated: any exception from {@code UserKey} is written to
     * the debug trace (message only) and the method returns {@code null}.
     *
     * @param bArr bytes handed to the {@code UserKey} constructor; may be {@code null}
     * @return the OA name, or {@code null} for {@code null} input or unparsable bytes
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getObjectAdapterName(byte[] bArr) {
        String oaName = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getObjectAdapterName");
        }
        if (bArr == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "null userKeyBytes");
            }
        } else {
            try {
                oaName = new UserKey(bArr).getOAName();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "instantiated a UserKey with OA name:" + oaName);
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "create userKey failed: " + e.getMessage());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getObjectAdapterName");
        }
        return oaName;
    }

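    /**
     * Returns the server's accept-only GSS credential for the configured Kerberos SPN, creating
     * and caching it in {@code serverSpnGSSCred} on first use.
     *
     * <p>The method returns {@code null} when the process is not a server, when the active
     * authentication mechanism OID does not match the Kerberos mechanism OID, or when no SPN is
     * configured. If a {@link SecurityManager} is installed, the caller must hold
     * {@code GET_SERVER_CRED_PERM}.
     *
     * <p>Changes against the decompiled original:
     * <ul>
     *   <li>{@code catch (GSSException)} now precedes {@code catch (Exception)}; in the other
     *       order the second handler is unreachable and {@code javac} rejects the method.</li>
     *   <li>{@code Krb5Utils.setUseSubjectCredsOnly(true)} runs in a {@code finally} block. The
     *       original restored it only on success, so a failed credential lookup left the
     *       process-wide setting at {@code false}.</li>
     *   <li>The credential is published to the field only after the SPNEGO element has been
     *       added, so a failure half-way no longer caches a Kerberos-only credential.</li>
     *   <li>{@code printStackTrace()} is dropped; the failure still goes to FFDC and is rethrown.</li>
     *   <li>Magic numbers are replaced by {@code GSSCredential.ACCEPT_ONLY} (2) and
     *       {@code GSSCredential.INDEFINITE_LIFETIME} ({@code Integer.MAX_VALUE}).</li>
     * </ul>
     *
     * <p>NOTE(review): the mechanism test is {@code KRB5MechOID.value.endsWith(configured)}, i.e.
     * a suffix match rather than equality; confirm that a partial OID in configuration is not
     * meant to be rejected.
     *
     * @return the cached or newly created credential, or {@code null} as described above
     * @throws GSSException if name or credential creation fails
     * @throws Exception for any other failure during credential creation
     * @throws SecurityException if the permission check fails
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public GSSCredential getServerSpnGSSCred() throws Exception, GSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerSpnGSSCred");
        }
        if (!processIsServer()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerSpnGSSCred", null);
            }
            return null;
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting : " + GET_SERVER_CRED_PERM.toString());
            }
            securityManager.checkPermission(GET_SERVER_CRED_PERM);
        }
        String activeMechOid = getSecurityConfig().getActiveAuthMechanism().getString(AuthMechanismConfig.OID);
        if (activeMechOid == null || activeMechOid.length() <= 0 || !KRB5MechOID.value.endsWith(activeMechOid)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerSpnGSSCred", null);
            }
            return null;
        }
        if (this.serverSpnGSSCred != null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerSpnGSSCred", this.serverSpnGSSCred);
            }
            return this.serverSpnGSSCred;
        }
        CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
        String spn = csiv2Config.getString(CSIv2Config.KERBEROS_SPN);
        if (spn != null) {
            String keytab = csiv2Config.getString(CSIv2Config.KERBEROS_KEYTAB);
            if (keytab != null) {
                Krb5Utils.setKrbKeytabProp(keytab);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Kerberos SPN " + spn);
                Tr.debug(tc, "Kerberos Keytab " + keytab);
            }
            try {
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5
                Oid spnegoMech = new Oid("1.3.6.1.5.5.2"); // SPNEGO
                // The credential comes from the keytab rather than from a Subject on the thread,
                // so the subject-only restriction is lifted for the duration of the lookup.
                Krb5Utils.setUseSubjectCredsOnly(false);
                GSSManager gssManager = GSSManager.getInstance();
                // "service/host" is rewritten to the "service@host" form used by NT_HOSTBASED_SERVICE.
                GSSName serviceName = gssManager.createName(spn.replace("/", "@"), GSSName.NT_HOSTBASED_SERVICE, krb5Mech);
                GSSCredential credential = gssManager.createCredential(
                        serviceName.canonicalize(krb5Mech), GSSCredential.INDEFINITE_LIFETIME, krb5Mech, GSSCredential.ACCEPT_ONLY);
                credential.add(
                        serviceName.canonicalize(spnegoMech),
                        GSSCredential.INDEFINITE_LIFETIME,
                        GSSCredential.INDEFINITE_LIFETIME,
                        spnegoMech,
                        GSSCredential.ACCEPT_ONLY);
                // Publish only a fully built credential.
                this.serverSpnGSSCred = credential;
            } catch (GSSException e) {
                FFDCFilter.processException((Throwable) e, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSpnGSSCred", "5738", (Object) this);
                if (tc.isDebugEnabled()) {
                    Tr.error(tc, "Unexpected GSSExecption getting Server SPN GSSCredential ", new Object[]{e});
                }
                throw e;
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getServerSpnGSSCred", "5746", this);
                if (tc.isDebugEnabled()) {
                    Tr.error(tc, "Unexpected Execption getting Server SPN GSSCredential ", new Object[]{e});
                }
                throw e;
            } finally {
                // Restore the restriction on every path, including failures.
                Krb5Utils.setUseSubjectCredsOnly(true);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getServerSpnGSSCred " + this.serverSpnGSSCred);
        }
        return this.serverSpnGSSCred;
    }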

    /**
     * Decides whether a Kerberos authentication token can still be renewed.
     *
     * <p>The token must be valid and flagged renewable. If it carries a renew-till time, that
     * time minus the current time minus the cache cushion must not be negative. A token with no
     * renew-till time is reported as renewable.
     *
     * @param kRBAuthnToken token to examine; must not be {@code null}
     * @return {@code true} if the token may be refreshed
     */
    public boolean isKrbAuthnTokenRenewable(KRBAuthnToken kRBAuthnToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKrbAuthnTokenRenewable");
        }
        boolean renewable = true;
        if (!kRBAuthnToken.isTokenValid() || !kRBAuthnToken.isRenewable()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Can not refresh KRBAuthnToken, isTokenValid? " + kRBAuthnToken.isTokenValid() + ", isTokenRenewable? " + kRBAuthnToken.isRenewable());
            }
            renewable = false;
        } else {
            Date renewTill = kRBAuthnToken.getRenewTill();
            // This debug line is gated on the entry flag, as in the original.
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "renewTill: " + renewTill);
            }
            if (renewTill != null) {
                long remaining = renewTill.getTime() - System.currentTimeMillis() - this.cache.getCushion();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "timeleft: " + remaining);
                }
                if (remaining < 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Not much time left to refresh KRBAuthnToken.");
                    }
                    renewable = false;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKrbAuthnTokenRenewable " + renewable);
        }
        return renewable;
    }

    /**
     * Returns the security domain id this context manager is bound to.
     *
     * @return current value of {@code _domainId}
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public String getDomainId() {
        final String domainId = this._domainId;
        return domainId;
    }

    /**
     * Rebinds this context manager to another security domain id.
     *
     * @param str new domain id; stored without validation
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public void setDomainId(String str) {
        // isServerSubjectCreated compares this value with "admin", so it affects routing there.
        _domainId = str;
    }

    /**
     * Describes this manager by identity hash code and domain id.
     *
     * @return {@code "ContextManagerImpl: <hashCode> domainId: <domainId>"}
     */
    public String toString() {
        StringBuilder description = new StringBuilder("ContextManagerImpl: ");
        description.append(hashCode());
        description.append(" domainId: ");
        description.append(getDomainId());
        return description.toString();
    }

    /**
     * Returns the security cache used by this context manager.
     *
     * @return the {@code cache} field; the same instance is handed to every caller
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public SecurityCache getSecurityCache() {
        final SecurityCache securityCache = this.cache;
        return securityCache;
    }

    /**
     * Returns the security configuration for this manager's domain, resolving it on first use.
     *
     * @return the cached {@code domainSecurityConfig}, obtained from
     *         {@code SecurityObjectLocator.getSecurityConfig()} if not yet set
     */
    public SecurityConfig getSecurityConfig() {
        SecurityConfig config = this.domainSecurityConfig;
        if (config == null) {
            config = SecurityObjectLocator.getSecurityConfig();
            this.domainSecurityConfig = config;
        }
        return config;
    }

    /**
     * Returns the administrative security configuration, resolving it on first use.
     *
     * <p>On an admin agent the locator's default configuration is used; otherwise the
     * configuration registered under the name {@code "security"} is used.
     *
     * @return the cached {@code adminSecurityConfig}
     */
    public SecurityConfig getAdminSecurityConfig() {
        if (this.adminSecurityConfig != null) {
            return this.adminSecurityConfig;
        }
        boolean adminAgent = SecurityObjectLocator.getSecurityConfigManager().isAdminAgent();
        this.adminSecurityConfig = adminAgent
                ? SecurityObjectLocator.getSecurityConfig()
                : SecurityObjectLocator.getSecurityConfig("security");
        return this.adminSecurityConfig;
    }

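    /**
     * Builds an independent copy of a Kerberos ticket from its encoded form and attributes.
     *
     * <p>The previous version wrapped only {@code th.getCause()}, which is usually {@code null}
     * for the exceptions this code can raise (for example the {@link IllegalStateException} of a
     * destroyed ticket), so the real failure and its stack trace were lost. The caught throwable
     * itself is now chained.
     *
     * <p>The copy contains the session key; callers should destroy it when it is no longer
     * needed, as they would the original.
     *
     * @param kerberosTicket ticket to copy; may be {@code null}
     * @return a new ticket with the same contents, or {@code null} for {@code null} input
     * @throws RuntimeException wrapping any failure while reading the source ticket or
     *         constructing the copy
     */
    public static KerberosTicket cloneKerberosTicket(KerberosTicket kerberosTicket) {
        if (kerberosTicket == null) {
            return null;
        }
        try {
            return new KerberosTicket(
                    kerberosTicket.getEncoded(),
                    kerberosTicket.getClient(),
                    kerberosTicket.getServer(),
                    kerberosTicket.getSessionKey().getEncoded(),
                    kerberosTicket.getSessionKeyType(),
                    kerberosTicket.getFlags(),
                    kerberosTicket.getAuthTime(),
                    kerberosTicket.getStartTime(),
                    kerberosTicket.getEndTime(),
                    kerberosTicket.getRenewTill(),
                    kerberosTicket.getClientAddresses());
        } catch (Throwable th) {
            // Throwable is still caught so callers keep seeing a RuntimeException in every case.
            throw new RuntimeException(th);
        }
    }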

    /**
     * Refreshes a copy of the given Kerberos ticket, leaving the caller's ticket untouched.
     *
     * @param kerberosTicket ticket to copy and refresh; may be {@code null}
     * @return the refreshed copy, or {@code null} for {@code null} input
     * @throws RefreshFailedException if {@code KerberosTicket.refresh()} fails on the copy
     */
    @Override // com.ibm.ws.security.core.ContextManager
    public KerberosTicket refreshKerberosTicket(KerberosTicket kerberosTicket) throws RefreshFailedException {
        KerberosTicket copy = cloneKerberosTicket(kerberosTicket);
        if (copy == null) {
            return null;
        }
        copy.refresh();
        return copy;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Logs in with the configured CSIv2 login user to obtain a Kerberos ticket.
     *
     * <p>The login uses the admin realm, the {@code com.ibm.CORBA.loginUserid} and
     * {@code com.ibm.CORBA.loginPassword} settings and the {@code system.KRB5} login
     * configuration. When a server token credential exists, a partial subject carrying its
     * access ID and the credential itself is passed to the login.
     *
     * <p>NOTE(review): the exit trace appends the ticket's string form. In common JDKs
     * {@code KerberosTicket.toString()} includes the session key, so entry/exit traces from this
     * method should be handled as secret material; confirm for the JDK in use.
     *
     * <p>NOTE(review): the login password is read from configuration as a {@code String};
     * whether it is stored encoded or encrypted is not visible here.
     *
     * @return the Kerberos ticket found in the subject returned by the login
     * @throws Exception any failure of the login; it is reported to FFDC and rethrown
     */
    public KerberosTicket getKerberosTicketFromKDC() throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKerberosTicketFromKDC");
        }
        try {
            Subject partialSubject = null;
            if (this.serverTokenCred != null) {
                Hashtable<Object, Object> attributes = new Hashtable<Object, Object>();
                attributes.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, this.serverTokenCred.getAccessId());
                partialSubject = new Subject();
                partialSubject.getPublicCredentials().add(attributes);
                partialSubject.getPublicCredentials().add(this.serverTokenCred);
            }
            CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
            String realm = getAdminRealm();
            String userId = csiv2Config.getString("com.ibm.CORBA.loginUserid");
            String password = csiv2Config.getString("com.ibm.CORBA.loginPassword");
            Subject loggedIn = login(realm, userId, password, "system.KRB5", (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, partialSubject);
            KerberosTicket ticket = SubjectHelper.getKerberosTicketFromSubject(loggedIn);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getKerberosTicketFromKDC " + ticket);
            }
            return ticket;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.ContextManagerImpl.getKerberosTicketFromKDC", "5926", this);
            if (tc.isDebugEnabled()) {
                Tr.error(tc, "Unexpected Execption getting a Kerberos ticket from a KDC ", new Object[]{e});
            }
            throw e;
        }
    }

    /* JADX WARN: Code restructure failed: missing block: B:12:0x0047, code lost:
    
        if (java.util.Arrays.equals(r5, r0.getCredentialToken()) != false) goto L16;
     */
    /* JADX WARN: Code restructure failed: missing block: B:13:0x004a, code lost:
    
        r0 = true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:23:0x0034, code lost:
    
        if (java.util.Arrays.equals(r5, r0.getBytes()) == false) goto L12;
     */
    /**
     * Reports whether a token byte array belongs to the given subject.
     *
     * <p>NOTE(review): the decompiler could not rebuild this method, so the Java body below only
     * throws {@link UnsupportedOperationException}. The original logic survives only in the
     * instruction dump kept in the comment inside the method.
     *
     * <p>According to that dump, for a non-null subject the original returns {@code true} when
     * the bytes equal either the subject's default SSO token bytes or its {@code WSCredential}
     * credential token; exceptions from those getters are written to the debug trace and the
     * result stays {@code false}. A {@code null} subject yields {@code false}.
     *
     * <p>NOTE(review): the dump shows no null check on the byte array, and
     * {@code java.util.Arrays.equals(null, null)} is {@code true}; a {@code null} token would
     * therefore match a subject whose token getter returns {@code null}. Verify that callers
     * never pass {@code null}.
     *
     * <p>NOTE(review): {@code java.util.Arrays.equals} stops at the first differing byte. If the
     * byte array can originate from a remote party, a constant-time comparison such as
     * {@code java.security.MessageDigest.isEqual} is the usual hardening; confirm the call sites.
     *
     * @param r5 token bytes to compare (register name left by the decompiler)
     * @param r6 subject whose tokens are compared against {@code r5}
     * @return never returns normally in this listing
     * @throws UnsupportedOperationException always, because the method was not decompiled
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean isTokenMatch(byte[] r5, javax.security.auth.Subject r6) {
        /*
            r4 = this;
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isEntryEnabled()
            if (r0 == 0) goto L12
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.String r1 = "isTokenMatch"
            com.ibm.ejs.ras.Tr.entry(r0, r1)
        L12:
            r0 = 0
            r7 = r0
            r0 = r6
            if (r0 == 0) goto L79
            r0 = r6
            com.ibm.websphere.security.cred.WSCredential r0 = com.ibm.ws.security.auth.SubjectHelper.getWSCredentialFromSubject(r0)
            r8 = r0
            r0 = r6
            com.ibm.wsspi.security.token.SingleSignonToken r0 = com.ibm.ws.security.auth.SubjectHelper.getDefaultSSOTokenFromSubject(r0)
            r9 = r0
            r0 = r9
            if (r0 == 0) goto L37
            r0 = r5
            r1 = r9
            byte[] r1 = r1.getBytes()     // Catch: java.lang.Exception -> L53
            boolean r0 = java.util.Arrays.equals(r0, r1)     // Catch: java.lang.Exception -> L53
            if (r0 != 0) goto L4a
        L37:
            r0 = r8
            if (r0 == 0) goto L4e
            r0 = r5
            r1 = r8
            byte[] r1 = r1.getCredentialToken()     // Catch: java.lang.Exception -> L53
            boolean r0 = java.util.Arrays.equals(r0, r1)     // Catch: java.lang.Exception -> L53
            if (r0 == 0) goto L4e
        L4a:
            r0 = 1
            goto L4f
        L4e:
            r0 = 0
        L4f:
            r7 = r0
            goto L79
        L53:
            r10 = move-exception
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isDebugEnabled()
            if (r0 == 0) goto L79
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.StringBuilder r1 = new java.lang.StringBuilder
            r2 = r1
            r2.<init>()
            java.lang.String r2 = "An exception caught:"
            java.lang.StringBuilder r1 = r1.append(r2)
            r2 = r10
            java.lang.StringBuilder r1 = r1.append(r2)
            java.lang.String r1 = r1.toString()
            com.ibm.ejs.ras.Tr.debug(r0, r1)
        L79:
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            boolean r0 = r0.isEntryEnabled()
            if (r0 == 0) goto L9c
            com.ibm.ejs.ras.TraceComponent r0 = com.ibm.ws.security.auth.ContextManagerImpl.tc
            java.lang.StringBuilder r1 = new java.lang.StringBuilder
            r2 = r1
            r2.<init>()
            java.lang.String r2 = "isTokenMatch: "
            java.lang.StringBuilder r1 = r1.append(r2)
            r2 = r7
            java.lang.StringBuilder r1 = r1.append(r2)
            java.lang.String r1 = r1.toString()
            com.ibm.ejs.ras.Tr.exit(r0, r1)
        L9c:
            r0 = r7
            return r0
        */
        // Decompiler placeholder: reached on every call in this listing.
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.ContextManagerImpl.isTokenMatch(byte[], javax.security.auth.Subject):boolean");
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Copies the token payload of the matching source token into {@code obj}.
     *
     * <p>The first matching case wins, in this order:
     * <ol>
     *   <li>{@code obj} is an {@code AuthorizationToken} backed by {@code AbstractTokenImpl}:
     *       take the token from {@code authorizationToken};</li>
     *   <li>{@code obj} is a {@code KRBAuthnToken}: nothing is copied, the
     *       {@code isKerberosServerSubject} flag is set instead;</li>
     *   <li>{@code obj} is an {@code AuthenticationToken} backed by {@code AbstractTokenImpl}:
     *       take the token from {@code authenticationToken};</li>
     *   <li>{@code obj} is a {@code SingleSignonToken} backed by {@code AbstractTokenImpl}:
     *       take the token from {@code singleSignonToken}.</li>
     * </ol>
     * Any other object is left untouched.
     *
     * <p>The source tokens are cast to {@code AbstractTokenImpl} without a type or null check,
     * so a {@code null} or foreign source in the selected case raises a runtime exception.
     *
     * @param obj token object to update
     * @param authorizationToken source for case 1
     * @param authenticationToken source for case 3
     * @param singleSignonToken source for case 4
     */
    protected void setCredToken(Object obj, AuthorizationToken authorizationToken, AuthenticationToken authenticationToken, SingleSignonToken singleSignonToken) {
        final boolean abstractToken = obj instanceof AbstractTokenImpl;
        if (abstractToken && obj instanceof AuthorizationToken) {
            AbstractTokenImpl target = (AbstractTokenImpl) obj;
            target.setToken(((AbstractTokenImpl) authorizationToken).getToken());
        } else if (obj instanceof KRBAuthnToken) {
            this.isKerberosServerSubject = true;
        } else if (abstractToken && obj instanceof AuthenticationToken) {
            AbstractTokenImpl target = (AbstractTokenImpl) obj;
            target.setToken(((AbstractTokenImpl) authenticationToken).getToken());
        } else if (abstractToken && obj instanceof SingleSignonToken) {
            AbstractTokenImpl target = (AbstractTokenImpl) obj;
            target.setToken(((AbstractTokenImpl) singleSignonToken).getToken());
        }
    }
}
