package com.ibm.ws.security.web;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.AuditHandlerImpl;
import com.ibm.ws.security.auth.AuthCache;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.security.util.StringUtil;
import com.ibm.ws.util.Base64;
import com.ibm.ws.webcontainer.session.IHttpSession;
import com.ibm.ws.webcontainer.srt.SRTServletRequest;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.J2EEAuditEventFactory;
import com.ibm.wsspi.security.tai.TAIResult;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.cert.CertPath;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpUtils;
import org.eclipse.jst.j2ee.internal.web.operations.IWebToolingConstants;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/security/web/WebAuthenticator.class */
public class WebAuthenticator {
    // Trace component handed to every Tr.* call in this class. No initialiser is visible in this part of the file.
    private static final TraceComponent tc;
    // Single shared instance: assigned in create(), returned by create() and getInstance().
    private static WebAuthenticator webAuthInstance;
    private ContextManager contextManager = ContextManagerFactory.getInstance();
    private static final String nullString = "";
    private static final String[] nullStringArray;
    private long cushion;
    // Shared result objects returned when authentication fails (see handleTrustAssociation and validateCookie).
    private static AuthenticationResult AUTHN_FAILED_RESULT;
    private static AuthenticationResult CRED_FAILED_RESULT;
    // Set by the constructor from TrustAssociationManager.getInstance().
    protected static TrustAssociationManager taManager;
    // presumably the keys under which form-login credentials are carried; their use is not visible here -- confirm
    public static final String FormUserName = "__WAS_FORM_USERNAME";
    public static final String FormPassword = "__WAS_FORM_PASSWORD";
    // Written only on the first create() call; later calls do not change it.
    private static String authMech;
    private static final String providerName = "WebSphere";
    private static final boolean providerSuccess = true;
    private static final boolean providerFailure = false;
    private static String BasicAuthEncoding;
    // Session attribute names used by savePostParams when POST data is parked in the HTTP session.
    public static final String INITIAL_URL = "INITIAL_URL";
    public static final String PARAM_NAMES = "PARAM_NAMES";
    public static final String PARAM_VALUES = "PARAM_VALUES";
    // Raw HashMap from cookie string to its Base64-decoded bytes (see validateCookie). It is shared by all
    // request threads; validateCookie synchronises on the map for writes but reads it without the lock.
    private static HashMap cookieStringCache;
    // When the cache holds more entries than this, validateCookie clears it completely.
    private static int MAX_COOKIE_STRING_ENTRIES;
    // Name of the cookie that savePostParams fills with Base64-encoded, Java-serialized POST data,
    // and the keys of the Hashtable that is serialized into it.
    private static final String POSTPARAM_COOKIE = "WASPostParam";
    private static final String POSTPARAM_FAILED = "NO_PARAMETER";
    private static final String POSTPARAM_URL = "U";
    private static final String POSTPARAM_PARAM = "P";
    // NOTE(review): public, static and non-final -- any class that can reach this type can replace the
    // context manager reference. Confirm whether that exposure is intended.
    public static ContextManager ctxMgr;
    // Audit collaborators, overwritten on every create() call.
    private static AuditHandlerImpl auditHandler;
    private static J2EEAuditEventFactory auditFactory;
    // Realm name read from the context manager in create(); passed as the realm to login and audit calls.
    private static String default_realm;
    // presumably compiler-generated caches for class literals, kept by the decompiler -- confirm
    static Class class$com$ibm$ws$security$web$WebAuthenticator;
    static Class class$com$ibm$websphere$security$cred$WSCredential;

    /**
     * Returns the shared {@code WebAuthenticator}, constructing it on the first call.
     *
     * <p>The authentication mechanism name is recorded only when the instance is first built.
     * The audit handler, the audit event factory and the default realm are refreshed on every call.
     *
     * <p>NOTE(review): nothing here synchronises access to the static fields; presumably this
     * is only called during single-threaded start-up -- confirm against the callers.
     *
     * @param str name of the active authentication mechanism (stored on the first call only)
     * @param auditHandlerImpl audit handler used for authentication audit events
     * @param j2EEAuditEventFactory factory used to emit authentication audit events
     * @return the shared instance
     */
    public static WebAuthenticator create(String str, AuditHandlerImpl auditHandlerImpl, J2EEAuditEventFactory j2EEAuditEventFactory) {
        final boolean firstCall = (webAuthInstance == null);
        if (firstCall) {
            webAuthInstance = new WebAuthenticator();
            authMech = str;
        }
        // These three are replaced on every call, not just the first.
        auditFactory = j2EEAuditEventFactory;
        auditHandler = auditHandlerImpl;
        default_realm = ContextManagerFactory.getInstance().getDefaultRealm();
        return webAuthInstance;
    }

    /**
     * Returns the shared instance built by {@code create}.
     *
     * @return the shared instance, or {@code null} when {@code create} has not been called yet
     */
    public static WebAuthenticator getInstance() {
        final WebAuthenticator current = webAuthInstance;
        return current;
    }

    /**
     * Builds the singleton: runs {@code initialize()}, then creates the trust association
     * manager and keeps a reference to it in the static {@code taManager} field.
     * Private so that instances are only obtained through {@code create}.
     */
    private WebAuthenticator() {
        initialize();
        // create() must run before getInstance() so that there is a manager to fetch.
        TrustAssociationManager.create();
        taManager = TrustAssociationManager.getInstance();
    }

    /**
     * Authenticates the request through a trust association interceptor (TAI), when one is
     * available for it.
     *
     * <p>Outcomes visible in this method:
     * <ul>
     *   <li>no interceptor for the request: {@code AuthenticationResult(6, ...)};</li>
     *   <li>interceptor status other than 200: {@code AuthenticationResult(5, ..., status)}, audited as a TAI challenge;</li>
     *   <li>interceptor returned a principal: the TAI subject is reused when its {@code WSCredential}
     *       is current, otherwise {@code contextManager.login} is called; result is {@code AuthenticationResult(1, subject)};</li>
     *   <li>TAI subject carries an expired credential: {@code AUTHN_FAILED_RESULT};</li>
     *   <li>interceptor returned no principal: {@code null};</li>
     *   <li>any exception inside the outer {@code try}: {@code AuthenticationResult(2, message)}.</li>
     * </ul>
     *
     * <p>Every audit call passes {@code httpServletRequest.getSession().getId()}; per the Servlet API,
     * {@code getSession()} creates a session when the request has none.
     *
     * @param webAttributes supplies the challenge type recorded in audit events and request attributes
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response handed to the interceptor and to the login call
     * @param hashMap passed through unchanged to {@code contextManager.login}
     * @param z passed through unchanged to {@code taManager.getInterceptor}
     * @return the authentication result, or {@code null} when the interceptor yields no principal
     * @throws Exception declared by the signature; failures inside the {@code try} are converted to results
     */
    private AuthenticationResult handleTrustAssociation(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap hashMap, boolean z) throws Exception {
        String str = default_realm;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleTrustAssociation");
        }
        TAIWrapper interceptor = taManager.getInterceptor(httpServletRequest, z);
        if (interceptor == null) {
            return new AuthenticationResult(6, "TAI isn't available for this request.");
        }
        if (tc.isEntryEnabled()) {
            Tr.debug(tc, new StringBuffer().append("TAI [").append(interceptor.getName()).append("] is available for this request.").toString());
        }
        try {
            TAIResult negotiateAndValidateEstablishedTrust = interceptor.negotiateAndValidateEstablishedTrust(httpServletRequest, httpServletResponse);
            int status = negotiateAndValidateEstablishedTrust.getStatus();
            // Anything other than 200 is reported back as a challenge carrying the interceptor's status.
            if (status != 200) {
                if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 5)) {
                    auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.REDIRECT, AuditOutcome.TAI_CHALLENGE, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), null, interceptor.getName(), true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.tai.challenge.audit", new Object[]{new Integer(status)});
                }
                return new AuthenticationResult(5, new StringBuffer().append("Challenge from TrustAssociation Interception: ").append(interceptor.getName()).toString(), status);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("TAI [").append(interceptor.getName()).append("] has been validated successfully.").toString());
            }
            Subject subject = negotiateAndValidateEstablishedTrust.getSubject();
            // NOTE(review): this writes the Subject's string form to the trace; check what that
            // rendering contains before enabling debug trace on a production system.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Subject retrieved is [").append(subject).append("]").toString());
            }
            String authenticatedPrincipal = negotiateAndValidateEstablishedTrust.getAuthenticatedPrincipal();
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Username retrieved from TAI is [").append(authenticatedPrincipal).append("]").toString());
            }
            if (authenticatedPrincipal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("Map credentials for ").append(authenticatedPrincipal).append(".").toString());
                }
                // subject2 ends up as the subject placed in the result: either the TAI's own
                // subject or the one returned by contextManager.login below.
                Subject subject2 = null;
                if (subject != null) {
                    try {
                        WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                        if (wSCredentialFromSubject != null && wSCredentialFromSubject.isCurrent()) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Subject is already authenticated from TAI.");
                            }
                            subject2 = subject;
                        } else if (wSCredentialFromSubject != null && !wSCredentialFromSubject.isCurrent()) {
                            // Expired credential from the TAI: audit as denied and fail without a login attempt.
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, new StringBuffer().append("Subject from TAI is expired for user: ").append(authenticatedPrincipal).toString());
                            }
                            AuthenticationResult authenticationResult = AUTHN_FAILED_RESULT;
                            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.TAI_MAPPING_FAILED, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), authenticatedPrincipal, interceptor.getName(), true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.tai.mapping.audit", null);
                            }
                            if (tc.isEntryEnabled()) {
                                Tr.exit(tc, "handleTrustAssociation: Subject in TAIResult is expired.");
                            }
                            return authenticationResult;
                        }
                    } catch (Exception e) {
                        // NOTE(review): this handler audits the attempt as DENIED / TAI_MAPPING_FAILED,
                        // but authenticationResult2 is never returned. Control falls through to
                        // contextManager.login below, so one request can produce a DENIED audit
                        // record followed by a SUCCESS record. Confirm the fall-through is intended.
                        FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation", "429", this);
                        if (tc.isEntryEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("Error in mapping credential for Trust Association:").append(authenticatedPrincipal).toString());
                        }
                        AuthenticationResult authenticationResult2 = AUTHN_FAILED_RESULT;
                        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.TAI_MAPPING_FAILED, httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), authenticatedPrincipal, interceptor.getName(), true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.tai.mapping.audit", null);
                        }
                    }
                }
                // No usable subject from the TAI (none supplied, no WSCredential in it, or the lookup
                // threw): log the principal in by name. No password is passed on this path; the
                // interceptor's assertion of the principal is what is being trusted.
                if (subject2 == null) {
                    subject2 = this.contextManager.login(str, authenticatedPrincipal, authMech, httpServletRequest, httpServletResponse, hashMap, subject);
                }
                AuthenticationResult authenticationResult3 = new AuthenticationResult(1, subject2);
                if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 0)) {
                    auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), authenticatedPrincipal, interceptor.getName(), true, subject2, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.tai.success.audit", null);
                }
                WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", webAttributes.getChallengeType());
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, "Mapped credential for TrustAssociation was validated successfully.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "handleTrustAssociation: OK");
                }
                return authenticationResult3;
            }
            // The interceptor validated the request but named no principal: nothing to authenticate.
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "handleTrustAssociation: (null user)");
            return null;
        } catch (WebTrustAssociationFailedException e2) {
            // Trust validation failed: audited as DENIED.
            // NOTE(review): in all three handlers the exception message becomes the result text;
            // whether that text can reach the client is not visible here.
            FFDCFilter.processException(e2, "com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation", "304", this);
            Tr.error(tc, "security.web.ta.validationfailed", new Object[]{e2});
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.TAI_VALIDATION_FAILED, httpServletRequest.getSession().getId(), e2, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), null, interceptor.getName(), true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.web.ta.validationfailed", new Object[]{e2});
            }
            return new AuthenticationResult(2, e2.getMessage());
        } catch (WebTrustAssociationUserException e3) {
            // Audited as a provider FAILURE rather than a denial.
            FFDCFilter.processException(e3, "com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation", "316", this);
            Tr.error(tc, "security.web.ta.userex");
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 6)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.FAILURE, AuditOutcome.PROVIDER_FAILURE, httpServletRequest.getSession().getId(), e3, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), null, interceptor.getName(), false, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.web.ta.userex", null);
            }
            return new AuthenticationResult(2, e3.getMessage());
        } catch (Exception e4) {
            // Catch-all. contextManager.login is called inside the try, so its failures land here too.
            FFDCFilter.processException(e4, "com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation", "337", this);
            Tr.error(tc, "security.web.ta.genexc", new Object[]{e4});
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 6)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.FAILURE, AuditOutcome.PROVIDER_FAILURE, httpServletRequest.getSession().getId(), e4, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, "TAI", webAttributes.getChallengeType(), null, interceptor.getName(), false, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.web.ta.genexc", null);
            }
            return new AuthenticationResult(2, e4.getMessage());
        }
    }

    /**
     * Tries to authenticate the request from an LTPA single sign-on cookie.
     *
     * <p>When logout-on-session-expiry is configured, the challenge type is FORM and the request
     * names a session id that is no longer valid, logout cookies are created and no SSO
     * validation is attempted. Otherwise the preferred cookie name is validated when present.
     * The second cookie name is consulted only when the preferred one is absent from the request.
     *
     * @param webAttributes supplies the two LTPA cookie names and the challenge type
     * @param httpServletRequest request whose cookies are inspected
     * @param httpServletResponse response handed on to logout-cookie creation and cookie validation
     * @return the result from {@code validateCookie}, or {@code null} when no usable cookie was found
     */
    private AuthenticationResult handleSSO(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final String preferredName = webAttributes.getPreferredLTPACookieName();
        final String fallbackName = webAttributes.getLTPACookieName();
        final Cookie[] requestCookies = httpServletRequest.getCookies();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleSSO");
        }
        final Boolean logoutSetting = (Boolean) SecurityConfig.getConfig().getValue(CommonConstants.LOGOUT_ON_HTTPSESSION_EXPIRE);
        final boolean logoutOnSessionExpiry = logoutSetting.booleanValue();
        final String challengeType = webAttributes.getChallengeType();

        // The client presented a session id the container no longer recognises: force a logout.
        if (logoutOnSessionExpiry && httpServletRequest.getRequestedSessionId() != null && !httpServletRequest.isRequestedSessionIdValid() && challengeType.equalsIgnoreCase("FORM")) {
            WebAttributes.createLogoutCookiesStatic(httpServletRequest, httpServletResponse);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "handleSSO:HTTPSession expired, logging out.");
            }
            return null;
        }

        if (requestCookies == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "handleSSO: no cookies present in the request.");
            }
            return null;
        }

        // One pass over the cookies to learn which of the two names the client sent.
        boolean hasPreferred = false;
        boolean hasFallback = false;
        for (int idx = 0; idx < requestCookies.length; idx++) {
            final String cookieName = requestCookies[idx].getName();
            hasPreferred |= preferredName.equals(cookieName);
            hasFallback |= fallbackName.equals(cookieName);
        }

        AuthenticationResult ssoResult = null;
        if (hasPreferred) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Attempting primary cookie validation for: " + preferredName);
            }
            ssoResult = validateCookie(requestCookies, preferredName, webAttributes, httpServletRequest, httpServletResponse);
        } else if (hasFallback) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Attempting secondary cookie validation for: " + fallbackName);
            }
            ssoResult = validateCookie(requestCookies, fallbackName, webAttributes, httpServletRequest, httpServletResponse);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Could not find LTPA cookie(s) in request.");
        }

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, ssoResult != null ? "handleSSO: found cookie" : "handleSSO: (null)");
        }
        return ssoResult;
    }

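    /**
     * Validates each value of the cookie named {@code str} as an SSO token and returns the first
     * result whose status is 1.
     *
     * <p>Each non-empty cookie value is Base64-decoded (decoded bytes are cached per cookie string)
     * and passed to {@code validate}. A value that raises an exception is recorded through FFDC and,
     * when auditing is active, audited as a failed SSO token validation. The loop then moves on to
     * the next value.
     *
     * <p>Changes from the previous version: the cache lookup now runs under the same monitor as the
     * cache writes, and the audit call in the exception handler no longer dereferences a
     * {@code null} byte array when the Base64 decode itself failed.
     *
     * @param cookieArr cookies from the request
     * @param str name of the cookie to validate
     * @param webAttributes supplies the challenge type used for auditing and the AUTH_TYPE attribute
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response handed on to {@code validate}
     * @return the successful result, or {@code null} when no value validated with status 1
     */
    private AuthenticationResult validateCookie(Cookie[] cookieArr, String str, WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationResult authenticationResult = null;
        String[] cookieValues = getCookieValues(cookieArr, str);
        if (cookieValues == null) {
            return null;
        }
        String str2 = null;
        for (int i = 0; i < cookieValues.length; i++) {
            str2 = cookieValues[i];
            if (str2.length() > 0) {
                byte[] bArr = null;
                try {
                    // The cache is a plain HashMap shared by all request threads. Reading it while
                    // another thread runs put() or clear() is not safe, so the lookup takes the
                    // same lock as the writes.
                    synchronized (cookieStringCache) {
                        bArr = (byte[]) cookieStringCache.get(str2);
                    }
                    if (bArr == null) {
                        bArr = StringUtil.getBytes(Base64Coder.base64Decode(str2));
                        // NOTE(review): the entry is stored before validate() has accepted the token,
                        // so requests carrying arbitrary cookie values can fill the cache and
                        // trigger the wholesale clear() below.
                        synchronized (cookieStringCache) {
                            if (cookieStringCache.size() > MAX_COOKIE_STRING_ENTRIES) {
                                cookieStringCache.clear();
                            }
                            if (bArr != null) {
                                cookieStringCache.put(str2, bArr);
                            }
                        }
                    }
                    authenticationResult = validate(default_realm, bArr, webAttributes, httpServletRequest, httpServletResponse);
                    if (authenticationResult.getStatus() == 1) {
                        break;
                    }
                } catch (Exception e) {
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "Exception validating SSO token: ", new Object[]{e});
                    }
                    FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.handleSSO", "596", this);
                    authenticationResult = AUTHN_FAILED_RESULT;
                    if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                        // bArr is still null when the decode step threw. new String(null) would raise
                        // a NullPointerException out of this handler and abort the request.
                        // NOTE(review): the decoded token bytes are written into the audit record;
                        // confirm the audit store is protected accordingly.
                        String tokenText = bArr != null ? new String(bArr) : "";
                        auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.SSOTOKEN_VALIDATION_FAILED, httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), null, null, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.sso.exception.audit", new Object[]{tokenText});
                    }
                }
            }
        }
        if (authenticationResult == null || authenticationResult.getStatus() != 1) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The LTPA token was valid.");
        }
        // NOTE(review): with entry/exit trace enabled this writes the cookie value of a token that
        // has just validated successfully into the trace log. Treat such trace files as holding
        // live credentials.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleSSO", new StringBuffer().append("successful ltpa token validation of ").append(str2).toString());
        }
        WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", webAttributes.getChallengeType());
        return authenticationResult;
    }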

    /**
     * Handles a request for a resource protected by form-based login.
     *
     * <p>With the SWAM mechanism, credentials are looked up in the HTTP session's
     * {@code FormLoginInfo} and checked with {@code basicAuthenticate}; a status of 2 from that check
     * becomes a redirect ({@code AuthenticationResult(4, ...)}) to the re-login URL. With any other
     * mechanism, {@code handleSSO} is tried first.
     *
     * <p>When neither path produces a result, the method returns a redirect to the login page. Before
     * that it saves POST parameters and remembers the originally requested URL, in the session for
     * SWAM and otherwise in a cookie named {@code Constants.REFERER_URL_COOKIENAME}.
     *
     * @param webAttributes supplies the login URL, re-login URL and challenge type
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, passed on to the helpers
     * @return the authentication result, or a redirect result pointing at the login or re-login page
     */
    private AuthenticationResult handleCustomLogin(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String str = default_realm;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleCustomLogin");
        }
        if (tc.isEntryEnabled()) {
            Tr.debug(tc, "Form based login is configured for the resource");
        }
        StringBuffer requestURL = HttpUtils.getRequestURL(httpServletRequest);
        String stringBuffer = requestURL.toString();
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath.equals("/")) {
            contextPath = "";
        }
        // indexOf is the position of the first "/" after the "//" of the scheme separator, i.e.
        // where the path begins. Everything from there on is replaced to build the login URLs.
        int indexOf = stringBuffer.indexOf("/", stringBuffer.indexOf("//") + 2);
        int length = stringBuffer.length();
        String loginURL = webAttributes.getLoginURL();
        if (!loginURL.startsWith("/")) {
            loginURL = new StringBuffer().append("/").append(loginURL).toString();
        }
        requestURL.replace(indexOf, length, new StringBuffer().append(contextPath).append(loginURL).toString());
        // stringBuffer2: absolute URL of the login page.
        String stringBuffer2 = requestURL.toString();
        String reloginURL = webAttributes.getReloginURL();
        int length2 = stringBuffer2.length();
        if (!reloginURL.startsWith("/")) {
            reloginURL = new StringBuffer().append("/").append(reloginURL).toString();
        }
        requestURL.replace(indexOf, length2, new StringBuffer().append(contextPath).append(reloginURL).toString());
        // stringBuffer3: absolute URL of the re-login page.
        String stringBuffer3 = requestURL.toString();
        String str2 = (String) SecurityConfig.getConfig().getValue("security.activeAuthMechanism");
        IHttpSession iHttpSession = null;
        FormLoginInfo formLoginInfo = null;
        if (str2.equals(SecurityConfig.AUTH_MECHANISM_SWAM)) {
            iHttpSession = httpServletRequest.getSession(true);
            formLoginInfo = (FormLoginInfo) iHttpSession.getSecurityInfo();
            if (formLoginInfo != null) {
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, "Form based login: Using HTTP Sessions");
                }
                // NOTE(review): on this path the user name and password are read back from
                // session state, so the password is held in the HTTP session.
                String username = formLoginInfo.getUsername();
                String password = formLoginInfo.getPassword();
                if (username != null && password != null) {
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "Form based login: Userid/password present in the session");
                    }
                    AuthenticationResult basicAuthenticate = basicAuthenticate(str, username, password, webAttributes, httpServletRequest, httpServletResponse);
                    int status = basicAuthenticate.getStatus();
                    // Status 2 from the credential check is converted into a redirect to the re-login page.
                    if (status == 2) {
                        basicAuthenticate = new AuthenticationResult(4, stringBuffer3);
                        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 5)) {
                            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.REDIRECT, AuditOutcome.INVALID_UIDPSWD, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, str2, webAttributes.getChallengeType(), username, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.form.login.failed.audit", new Object[]{stringBuffer3});
                        }
                    } else {
                        iHttpSession.removeAttribute(Constants.REFERER_URL_COOKIENAME);
                    }
                    WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", "FORM");
                    if (status != 2) {
                        restorePostParams(httpServletRequest, httpServletResponse);
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "handleCustomLogin");
                    }
                    return basicAuthenticate;
                }
            }
            // Also reached when a session exists but holds no FormLoginInfo or no credentials.
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Form based login: No HTTP Session");
            }
        } else {
            AuthenticationResult handleSSO = handleSSO(webAttributes, httpServletRequest, httpServletResponse);
            if (handleSSO != null) {
                if (handleSSO.getStatus() != 2) {
                    restorePostParams(httpServletRequest, httpServletResponse);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "handleCustomLogin");
                }
                return handleSSO;
            }
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Form based login: No or Bad ltpa cookie ");
            }
        }
        // Not authenticated: rebuild the originally requested URL (including the query string) so
        // it can be remembered across the login round trip.
        StringBuffer requestURL2 = HttpUtils.getRequestURL(httpServletRequest);
        if (httpServletRequest.getQueryString() != null) {
            requestURL2.append(IWebToolingConstants.HTTP_PARAMETER_SEPARATOR);
            requestURL2.append(httpServletRequest.getQueryString());
        }
        String stringBuffer4 = requestURL2.toString();
        if (tc.isEntryEnabled()) {
            Tr.debug(tc, new StringBuffer().append("Form based login: Stored original request : ").append(stringBuffer4).toString());
        }
        AuthenticationResult authenticationResult = new AuthenticationResult(4, stringBuffer2);
        savePostParams(httpServletRequest, httpServletResponse, authenticationResult);
        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 5)) {
            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.REDIRECT, AuditOutcome.SEND_LOGIN_FORM, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, str2, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.form.login.redirect.audit", new Object[]{stringBuffer2});
        }
        if (str2.equals(SecurityConfig.AUTH_MECHANISM_SWAM)) {
            // iHttpSession was assigned in the SWAM branch above, which is guarded by the same condition.
            if (formLoginInfo == null) {
                formLoginInfo = new FormLoginInfo();
            }
            formLoginInfo.setRefererURL(stringBuffer4);
            iHttpSession.putSecurityInfo(formLoginInfo);
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Form based login: Referer URL set  in session ").append(stringBuffer4).toString());
            }
        } else {
            // Unless the fully-qualified-URL property is set to true, scheme and host are cut off
            // and only the path and query string go into the cookie.
            Boolean bool = (Boolean) SecurityConfig.getConfig().getValue(SecurityConfig.PROP_WASREQURL_FQURL);
            if (bool == null || (bool != null && !bool.booleanValue())) {
                stringBuffer4 = stringBuffer4.substring(indexOf);
            }
            // The return URL travels through the browser: path "/" and a negative max-age (not stored
            // persistently, per the Servlet API). No setSecure call is made here.
            // NOTE(review): the value comes back from the client, so whatever code redirects to it
            // after login (not visible here) has to validate the target before using it.
            Cookie cookie = new Cookie(Constants.REFERER_URL_COOKIENAME, stringBuffer4);
            cookie.setPath("/");
            cookie.setMaxAge(-1);
            authenticationResult.setCookie(cookie);
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Form based login: Referer URL cookie set ").append(stringBuffer4).toString());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleCustomLogin", new StringBuffer().append("Redirecting to a login form").append(stringBuffer2).toString());
        }
        return authenticationResult;
    }

    /**
     * Preserves the parameters of a POST request so they can be restored after the login redirect.
     *
     * <p>Nothing is saved unless the request is an {@code SRTServletRequest} and its method is POST.
     * The storage location is chosen by {@code SecurityConfig.PROP_POSTPARAM_SAVE_METHOD}:
     * <ul>
     *   <li>0 -- the request URI and the parameter map are put in a {@code Hashtable}, Java-serialized,
     *       Base64-encoded and attached to {@code authenticationResult} as the {@code WASPostParam}
     *       cookie, provided the serialized form is smaller than the configured cookie size;</li>
     *   <li>1 -- the URI, parameter names and parameter values are stored as HTTP session attributes.</li>
     * </ul>
     *
     * <p>NOTE(review): in cookie mode this method applies no signature or encryption to the
     * serialized object, and the cookie returns from the browser as untrusted input. The file
     * imports {@code ObjectInputStream}; the code that reads the cookie back is not visible here.
     * If it deserializes the value, it needs integrity protection or a strict class allow-list.
     *
     * @param httpServletRequest the request whose POST parameters are saved
     * @param httpServletResponse not used by the code visible in this method
     * @param authenticationResult receives the cookie in cookie mode
     */
    private void savePostParams(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationResult authenticationResult) {
        HttpSession session;
        String requestURI = httpServletRequest.getRequestURI();
        String method = httpServletRequest.getMethod();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "savePostParams");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append(" method : ").append(method).append(" URL:").append(requestURI).toString());
        }
        if (!(httpServletRequest instanceof SRTServletRequest)) {
            // Unlike the other exit traces in this method, this one is not guarded by isEntryEnabled().
            Tr.exit(tc, "savePostParams-No SRTServletRequest");
            return;
        }
        if (method.equalsIgnoreCase("post")) {
            int intValue = ((Integer) SecurityConfig.getConfig().getValue(SecurityConfig.PROP_POSTPARAM_SAVE_METHOD)).intValue();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("prop:").append(intValue).toString());
            }
            if (intValue == 0) {
                // Cookie mode.
                Map parameterMap = httpServletRequest.getParameterMap();
                Hashtable hashtable = new Hashtable();
                if (parameterMap != null) {
                    hashtable.put(POSTPARAM_URL, requestURI);
                    hashtable.put(POSTPARAM_PARAM, parameterMap);
                    // str stays null when serialization fails or the payload is too large; no cookie is set then.
                    String str = null;
                    try {
                        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                        new ObjectOutputStream(byteArrayOutputStream).writeObject(hashtable);
                        byte[] byteArray = byteArrayOutputStream.toByteArray();
                        int intValue2 = ((Integer) SecurityConfig.getConfig().getValue(SecurityConfig.PROP_POSTPARAM_COOKIE_SIZE)).intValue();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("length:").append(byteArray != null ? byteArray.length : 0).append("  maximum length:").append(intValue2).toString());
                        }
                        // The limit is checked against the serialized size, before Base64 encoding.
                        if (byteArray == null || byteArray.length >= intValue2) {
                            Tr.warning(tc, "Post parameters are null or too large to store into a cookie.");
                        } else {
                            byte[] base64Encode = Base64Coder.base64Encode(byteArray);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, new StringBuffer().append("encoded length:").append(base64Encode.length).toString());
                            }
                            str = StringUtil.toString(base64Encode);
                        }
                    } catch (Exception e) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception storing POST parameters onto a cookie: ", new Object[]{e});
                        }
                        FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.savePostParams", "865", this);
                    }
                    if (str != null) {
                        // Negative max-age (not stored persistently, per the Servlet API), scoped to
                        // the posted URI so the browser only returns it for that path. No setSecure
                        // call is made here.
                        Cookie cookie = new Cookie(POSTPARAM_COOKIE, str);
                        cookie.setMaxAge(-1);
                        cookie.setPath(requestURI);
                        authenticationResult.setCookie(cookie);
                    }
                    // NOTE(review): Base64 is reversible, so this puts the submitted form data in the
                    // debug trace. Those fields may be sensitive.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("encoded POST parameters: ").append(str).toString());
                    }
                }
            } else if (intValue == 1 && (session = httpServletRequest.getSession(true)) != null && httpServletRequest.getParameterNames() != null) {
                // Session mode.
                Enumeration parameterNames = httpServletRequest.getParameterNames();
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                // The branch condition above already required a non-null getParameterNames() result.
                if (parameterNames != null) {
                    while (parameterNames.hasMoreElements()) {
                        String str2 = (String) parameterNames.nextElement();
                        arrayList.add(str2);
                        arrayList2.add(httpServletRequest.getParameterValues(str2));
                    }
                    session.setAttribute(INITIAL_URL, requestURI);
                    session.setAttribute(PARAM_NAMES, arrayList);
                    session.setAttribute(PARAM_VALUES, arrayList2);
                } else {
                    session.setAttribute(INITIAL_URL, requestURI);
                    session.setAttribute(PARAM_NAMES, null);
                    session.setAttribute(PARAM_VALUES, null);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("URL saved : ").append(requestURI.toString()).toString());
                    // NOTE(review): this traces the first value of every POST parameter in clear
                    // text. The trailing append(strArr) adds the array object's default string
                    // form, not its contents.
                    for (int i = 0; i < arrayList.size(); i++) {
                        String[] strArr = (String[]) arrayList2.get(i);
                        Tr.debug(tc, new StringBuffer().append("paramName = ").append(arrayList.get(i)).append(" paramValue = [").append(strArr[0]).append("] ").append(strArr).toString());
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "savePostParams");
        }
    }

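    /**
     * Re-applies POST parameters that were saved before the authentication redirect.
     *
     * <p>Acts only when the request is an {@code SRTServletRequest} whose method is GET. The storage
     * location is chosen by {@code SecurityConfig.PROP_POSTPARAM_SAVE_METHOD}: {@code 0} reads the
     * {@code POSTPARAM_COOKIE} cookie, {@code 1} reads the HTTP session. In both cases the saved URL
     * must equal the current request URI before any parameter is applied, and the saved state is
     * cleared afterwards (cookie expired with max-age 0, session attributes set to {@code null}).
     *
     * @param httpServletRequest the request to restore the parameters into
     * @param httpServletResponse the response used to expire the cookie
     */
    private void restorePostParams(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session;
        String requestURI = httpServletRequest.getRequestURI();
        String method = httpServletRequest.getMethod();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restorePostParams");
        }
        if (!(httpServletRequest instanceof SRTServletRequest)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "restorePostParams-No SRTServletRequest");
            }
            return;
        }
        SRTServletRequest sRTServletRequest = (SRTServletRequest) httpServletRequest;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append(" method : ").append(method).append(" URL:").append(requestURI).toString());
        }
        if (method.equalsIgnoreCase("get")) {
            int intValue = ((Integer) SecurityConfig.getConfig().getValue(SecurityConfig.PROP_POSTPARAM_SAVE_METHOD)).intValue();
            if (intValue == 0) {
                byte[] cookieValueAsBytes = sRTServletRequest.getCookieValueAsBytes(POSTPARAM_COOKIE);
                if (cookieValueAsBytes != null) {
                    if (tc.isDebugEnabled()) {
                        // Trace the size only: the cookie body is the encoded form data, which can
                        // include whatever the user typed into the original form.
                        Tr.debug(tc, new StringBuffer().append("Found the cookie, restoring POST parameters, cookie length: ").append(cookieValueAsBytes.length).toString());
                    }
                    // NOTE(review): the method is switched to POST before the cookie content is
                    // checked, unlike the session branch below - confirm this is intended.
                    sRTServletRequest.setMethod("POST");
                    try {
                        // SECURITY NOTE(review): the cookie comes from the client and nothing in this
                        // method authenticates it before readObject() runs, so request data chooses
                        // which serializable classes get instantiated. Prefer the session save method
                        // (value 1), or verify a server-side MAC over the cookie and restrict
                        // deserialization to the expected classes (presumably Hashtable, String and
                        // String[] - TODO confirm against savePostParams) before trusting this path.
                        Hashtable hashtable = (Hashtable) new ObjectInputStream(new ByteArrayInputStream(Base64Coder.base64Decode(cookieValueAsBytes))).readObject();
                        Object savedUrl = hashtable != null ? hashtable.get(POSTPARAM_URL) : null;
                        if (tc.isDebugEnabled() && hashtable != null) {
                            Tr.debug(tc, new StringBuffer().append("Original URL:").append(savedUrl).toString());
                        }
                        // A cookie without the URL entry is ignored instead of raising an NPE.
                        if (savedUrl != null && savedUrl.equals(requestURI)) {
                            sRTServletRequest.setRawParameters((Hashtable) hashtable.get(POSTPARAM_PARAM));
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "restored POST paramameters");
                            }
                        }
                    } catch (Exception e) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception restoring POST parameters from the cookie: ", new Object[]{e});
                        }
                        FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.restorePostParams", "966", this);
                    }
                    // Expire the cookie whether or not the restore succeeded.
                    Cookie cookie = new Cookie(POSTPARAM_COOKIE, POSTPARAM_FAILED);
                    cookie.setPath(requestURI);
                    cookie.setMaxAge(0);
                    httpServletResponse.addCookie(cookie);
                }
            } else if (intValue == 1 && (session = httpServletRequest.getSession(false)) != null) {
                String str = (String) session.getAttribute(INITIAL_URL);
                if (str != null && str.equals(requestURI)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found the session, restoring POST parameters.");
                    }
                    sRTServletRequest.setMethod("POST");
                    ArrayList arrayList = (ArrayList) session.getAttribute(PARAM_NAMES);
                    ArrayList arrayList2 = (ArrayList) session.getAttribute(PARAM_VALUES);
                    if (arrayList != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("Restoring POST paramameters for URL : ").append(requestURI).toString());
                        }
                        // Bounded by both lists so a missing or shorter value list cannot throw.
                        int count = arrayList2 == null ? 0 : Math.min(arrayList.size(), arrayList2.size());
                        for (int i = 0; i < count; i++) {
                            String paramName = (String) arrayList.get(i);
                            String[] paramValues = (String[]) arrayList2.get(i);
                            if (paramName != null && paramValues != null) {
                                if (tc.isDebugEnabled()) {
                                    // Count only: form values may be secrets, and indexing [0] would
                                    // throw for an empty value array while tracing is on.
                                    Tr.debug(tc, new StringBuffer().append("paramName = ").append(paramName).append(" valueCount = ").append(paramValues.length).toString());
                                }
                                sRTServletRequest.addParameter(paramName, paramValues);
                            }
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("No parameters to restore for URL : ").append(requestURI).toString());
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append("Parameters NOT restored. Original URL : ").append(str).append(" req. URL : ").append(requestURI).toString());
                }
                // The saved state is single-use: clear it on match and on mismatch alike.
                session.setAttribute(INITIAL_URL, null);
                session.setAttribute(PARAM_NAMES, null);
                session.setAttribute(PARAM_VALUES, null);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "restorePostParams");
        }
    }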

    /**
     * Authenticates the request from the TLS client certificate chain found in the request
     * attribute {@code javax.net.ssl.peer_certificates}.
     *
     * <p>Outcomes visible in this method:
     * <ul>
     *   <li>no certificate and {@code isDefaultToBasic()} false: returns a status-2 result with the
     *       message "No Client Certificate Available";</li>
     *   <li>no certificate and {@code isDefaultToBasic()} true: nothing is attempted and
     *       {@code null} is returned;</li>
     *   <li>certificate present: the chain is passed to {@code contextManager.login}; a non-null
     *       Subject yields a status-1 result, a null Subject yields {@code AUTHN_FAILED_RESULT};</li>
     *   <li>any exception: rethrown unless {@code isDefaultToBasic()} is true, in which case it is
     *       audited and swallowed.</li>
     * </ul>
     * The private request attribute {@code AUTH_TYPE} is set to {@code CLIENT_CERT} on every path
     * that reaches the end of the method, including the default-to-basic paths.
     *
     * @param webAttributes per-application security settings (web app name, default-to-basic flag)
     * @param httpServletRequest the request carrying the peer certificates
     * @param httpServletResponse the response, passed through to the login call
     * @return the authentication result, or {@code null} when no certificate login was attempted
     * @throws Exception when certificate processing fails and default-to-basic is off
     */
    private AuthenticationResult handleCertificates(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        Class cls;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleCertificates");
        }
        if (tc.isEntryEnabled()) {
            Tr.debug(tc, "Challenge type used is CERT.");
        }
        // Effective challenge type; switched to "BASIC" below when no certificate is available.
        String str = "CLIENT_CERT";
        AuthenticationResult authenticationResult = null;
        String str2 = default_realm;
        String str3 = (String) SecurityConfig.getConfig().getValue("security.activeAuthMechanism");
        try {
            X509Certificate[] x509CertificateArr = (X509Certificate[]) httpServletRequest.getAttribute("javax.net.ssl.peer_certificates");
            if (x509CertificateArr == null) {
                if (!webAttributes.isDefaultToBasic()) {
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "No certificate provided and default to basic is false.");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "handleCertificates");
                    }
                    return new AuthenticationResult(2, "No Client Certificate Available", (Cookie) null);
                }
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, "No certificate was provided but defaulting to BASIC.");
                }
                str = "BASIC";
            }
            if (!str.equalsIgnoreCase("BASIC")) {
                // The encoded form is discarded, so this call only matters if it throws.
                // NOTE(review): an empty (non-null) array would fail here with an index error.
                x509CertificateArr[0].getEncoded();
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, "Map credential for this certificate.");
                }
                String webAppName = webAttributes.getWebAppName();
                String str4 = str;
                try {
                    HashMap hashMap = new HashMap(2);
                    hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.WEB_APP_NAME, webAppName);
                    hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.REDIRECT_URL, null);
                    Subject login = this.contextManager.login(str2, x509CertificateArr, authMech, httpServletRequest, httpServletResponse, hashMap);
                    if (login != null) {
                        authenticationResult = new AuthenticationResult(1, login);
                        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 0)) {
                            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str2, str3, str4, x509CertificateArr[0].getIssuerDN().getName(), providerName, true, login, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.cert.success.audit", null);
                        }
                    } else {
                        authenticationResult = AUTHN_FAILED_RESULT;
                        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str2, str3, str4, x509CertificateArr[0].getIssuerDN().getName(), providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.cert.mapping.audit", null);
                        }
                    }
                    // NOTE(review): on the failure branch this call, and getSubject() below, operate
                    // on AUTHN_FAILED_RESULT, which looks like a shared constant. If its Subject is
                    // null the dereference below throws into the catch and a second DENIED event is
                    // sent for the same request - confirm against AuthenticationResult.
                    authenticationResult.clearCookieList();
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "Storing certificates in the credential");
                    }
                    ArrayList arrayList = new ArrayList(x509CertificateArr.length);
                    for (X509Certificate x509Certificate : x509CertificateArr) {
                        arrayList.add(x509Certificate);
                    }
                    CertPath generateCertPath = CertificateFactory.getInstance("X.509").generateCertPath(arrayList);
                    Subject subject = authenticationResult.getSubject();
                    // Cached class lookup for WSCredential (the class$ helper is defined elsewhere
                    // in this class).
                    if (class$com$ibm$websphere$security$cred$WSCredential == null) {
                        cls = class$("com.ibm.websphere.security.cred.WSCredential");
                        class$com$ibm$websphere$security$cred$WSCredential = cls;
                    } else {
                        cls = class$com$ibm$websphere$security$cred$WSCredential;
                    }
                    // iterator().next() throws if the Subject has no WSCredential; the null check
                    // below only covers a null element.
                    WSCredential wSCredential = (WSCredential) subject.getPublicCredentials(cls).iterator().next();
                    if (wSCredential != null) {
                        wSCredential.set("wssecurity.setAttributForIdentityAssertion", generateCertPath);
                    }
                } catch (Exception e) {
                    FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.handleCertificates", "1104", this);
                    if (tc.isEntryEnabled()) {
                        Tr.debug(tc, "Credential Mapping for Certificate failed.");
                    }
                    // Unused local: the failed result is never assigned to authenticationResult here
                    // (possibly a decompiler artifact - TODO confirm).
                    AuthenticationResult authenticationResult2 = AUTHN_FAILED_RESULT;
                    if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                        auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str2, str3, str4, null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.cert.exception.audit", null);
                    }
                    // Rethrown into the outer catch, which audits the same exception again.
                    throw e;
                }
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.web.WebAuthenticator.handleCertificates", "1146", this);
            if (!webAttributes.isDefaultToBasic()) {
                if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                    auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e2, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str2, str3, str, null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.cert.exception.audit", null);
                }
                throw e2;
            }
            // Default-to-basic is on: the failure is traced and audited, then swallowed. The method
            // returns whatever authenticationResult held when the exception was thrown.
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Exception occurred while processing certificate: ").append(e2.getMessage()).toString());
                Tr.debug(tc, "Defaulting to Basic");
            }
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e2, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str2, str3, str, null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.cert.default.audit", null);
            }
        }
        // Set even when the method is about to hand over to BASIC.
        WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", "CLIENT_CERT");
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleCertificates");
        }
        return authenticationResult;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reads a request header, bypassing any {@code HttpServletRequestWrapper} layers.
     *
     * <p>The wrapper chain is unwound to the innermost request. When that request is an
     * {@code SRTServletRequest} the header is read with {@code getHeaderDirect}; otherwise the
     * header is read from the request that was originally passed in.
     *
     * @param httpServletRequest the (possibly wrapped) request
     * @param str the header name
     * @return the header value as returned by the underlying call
     */
    public static final String getHeader(HttpServletRequest httpServletRequest, String str) {
        HttpServletRequest innermost = httpServletRequest;
        // instanceof is false for null, so the loop also stops on a wrapper with no delegate.
        while (innermost instanceof HttpServletRequestWrapper) {
            innermost = (HttpServletRequest) ((HttpServletRequestWrapper) innermost).getRequest();
        }
        if (innermost instanceof SRTServletRequest) {
            return ((SRTServletRequest) innermost).getHeaderDirect(str);
        }
        return httpServletRequest.getHeader(str);
    }

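    /**
     * Authenticates the request from its HTTP Basic {@code Authorization} header.
     *
     * <p>A status-3 result carrying the application realm is returned (the trace messages call this
     * a 401) when the header is absent, is not a Basic header, cannot be decoded, or has no
     * {@code ':'} separator. Otherwise the decoded user and password are handed to
     * {@code basicAuthenticate}; a status-2 result from that call is replaced by a fresh status-3
     * result.
     *
     * @param webAttributes per-application security settings (realm, challenge type)
     * @param httpServletRequest the request carrying the Authorization header
     * @param httpServletResponse the response, passed through to the login call
     * @return the authentication result
     * @throws Exception declared by the original signature
     */
    private AuthenticationResult handleBasicAuth(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleBasicAuth");
        }
        String str = default_realm;
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "basic 401");
            }
            AuthenticationResult authenticationResult = new AuthenticationResult(3, webAttributes.getRealm(), (Cookie) null);
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 5)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.REDIRECT, AuditOutcome.INVALID_UIDPSWD, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, null, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.basic.challenge.audit", null);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "handleBasicAuth");
            }
            return authenticationResult;
        }
        if (tc.isEntryEnabled()) {
            // The header is only Base64-encoded user:password, so it must not be written to trace.
            Tr.debug(tc, "Authorization: Basic <redacted>");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append("BasicAuthEncoding:").append(BasicAuthEncoding).toString());
        }
        // NOTE(review): BasicAuthEncoding is traced above but the decode below uses the platform
        // default charset - confirm whether the configured encoding was meant to be applied.
        String decoded = null;
        try {
            decoded = new String(Base64.decode(header.substring(6)));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.handleBasicAuth", "1261", this);
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Error in using character encoder");
            }
        }
        // A header that failed to decode is treated as missing credentials; the raw header text is
        // never split into a user name and password.
        int indexOf = decoded == null ? -1 : decoded.indexOf(58);
        if (indexOf < 0) {
            AuthenticationResult authenticationResult2 = new AuthenticationResult(3, webAttributes.getRealm(), (Cookie) null);
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 5)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.REDIRECT, AuditOutcome.INVALID_UIDPSWD, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, null, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.basic.missing.audit", null);
            }
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Failed to find username/password info -- Sending 401.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "handleBasicAuth");
            }
            return authenticationResult2;
        }
        // Everything before the first ':' is the user name; the password may itself contain ':'.
        AuthenticationResult basicAuthenticate = basicAuthenticate(str, decoded.substring(0, indexOf), decoded.substring(indexOf + 1), webAttributes, httpServletRequest, httpServletResponse);
        // The original test "(status == 3 || status == 2) && status == 2" reduces to status == 2.
        if (basicAuthenticate.getStatus() == 2) {
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Authentication failed after calling basicAuthenticate");
            }
            basicAuthenticate = new AuthenticationResult(3, webAttributes.getRealm(), (Cookie) null);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "handleBasicAuth");
        }
        return basicAuthenticate;
    }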

    /**
     * Runs the web authentication chain for one request and returns its result.
     *
     * <p>Order of attempts as written below:
     * <ol>
     *   <li>trust association, when enabled (last argument {@code true});</li>
     *   <li>SSO, when {@code security.authMechForwardCred} is true and SSO is enabled for the
     *       application - any non-null SSO result is returned immediately;</li>
     *   <li>trust association again (last argument {@code false});</li>
     *   <li>the application's challenge type: {@code FORM}, {@code CLIENT_CERT}, otherwise BASIC.</li>
     * </ol>
     * A trust-association result with status 6 is discarded and remembered in {@code z}. Any
     * exception is converted into a status-2 result that carries the exception message.
     *
     * @param webAttributes per-application security settings
     * @param httpServletRequest the request to authenticate
     * @param httpServletResponse the response, passed to the individual handlers
     * @return the authentication result
     */
    public AuthenticationResult authenticate(WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationResult authenticationResult;
        ArrayList createCookies;
        AuthenticationResult handleCertificates;
        ArrayList createCookies2;
        AuthenticationResult handleCustomLogin;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate");
        }
        // z: a trust-association attempt returned status 6.
        boolean z = false;
        try {
            // NOTE(review): a missing config value makes bool null and the next line throw; that is
            // absorbed by the catch below and reported as a failed authentication.
            Boolean bool = (Boolean) SecurityConfig.getConfig().getValue("security.authMechForwardCred");
            // z2: cookies are created after a successful login. Requires credential forwarding and
            // SSO, and - when secure SSO is set - an https request.
            boolean z2 = bool.booleanValue() && webAttributes.isSSOEnabled() && (!webAttributes.isSecureSSO() || (webAttributes.isSecureSSO() && httpServletRequest.getScheme().equalsIgnoreCase("https")));
            String challengeType = webAttributes.getChallengeType();
            authenticationResult = null;
            HashMap hashMap = new HashMap(2);
            if (taManager.isTrustAssociationEnabled()) {
                // For FORM login, pass the context-relative re-login URL as the redirect target.
                String str = null;
                if (challengeType.equalsIgnoreCase("FORM")) {
                    String contextPath = httpServletRequest.getContextPath();
                    if (contextPath.equals("/")) {
                        contextPath = "";
                    }
                    String reloginURL = webAttributes.getReloginURL();
                    if (!reloginURL.startsWith("/")) {
                        reloginURL = new StringBuffer().append("/").append(reloginURL).toString();
                    }
                    str = new StringBuffer().append(contextPath).append(reloginURL).toString();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("Default redirect URL: ").append(str).toString());
                    }
                }
                hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.WEB_APP_NAME, webAttributes.getWebAppName());
                hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.REDIRECT_URL, str);
                authenticationResult = handleTrustAssociation(webAttributes, httpServletRequest, httpServletResponse, hashMap, true);
                if (authenticationResult != null && authenticationResult.getStatus() == 6) {
                    z = true;
                    authenticationResult = null;
                }
            }
            if (authenticationResult == null) {
                if (bool.booleanValue() && webAttributes.isSSOEnabled()) {
                    authenticationResult = handleSSO(webAttributes, httpServletRequest, httpServletResponse);
                    if (authenticationResult != null) {
                        // Saved POST parameters are re-applied for every SSO result except status 2.
                        if (authenticationResult.getStatus() != 2) {
                            restorePostParams(httpServletRequest, httpServletResponse);
                        }
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "authenticate");
                        }
                        return authenticationResult;
                    }
                }
                if (taManager.isTrustAssociationEnabled()) {
                    authenticationResult = handleTrustAssociation(webAttributes, httpServletRequest, httpServletResponse, hashMap, false);
                    if (authenticationResult != null && authenticationResult.getStatus() == 6) {
                        z = true;
                        authenticationResult = null;
                    }
                }
            }
            if (authenticationResult == null) {
                if (challengeType.equalsIgnoreCase("FORM")) {
                    if (!taManager.isTrustAssociationEnabled() || z) {
                        handleCustomLogin = handleCustomLogin(webAttributes, httpServletRequest, httpServletResponse);
                    } else {
                        // Trust association is enabled and did not return status 6: redirect to the
                        // URL held in the map (status 4) if there is one.
                        String str2 = (String) hashMap.get(com.ibm.wsspi.security.auth.callback.Constants.REDIRECT_URL);
                        if (str2 != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, new StringBuffer().append("Redirect to the error page: ").append(str2).toString());
                            }
                            handleCustomLogin = new AuthenticationResult(4, str2);
                        } else {
                            handleCustomLogin = handleCustomLogin(webAttributes, httpServletRequest, httpServletResponse);
                        }
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "authenticate");
                    }
                    return handleCustomLogin;
                }
                // A null result from handleCertificates falls through to BASIC below.
                if (challengeType.equalsIgnoreCase("CLIENT_CERT") && (handleCertificates = handleCertificates(webAttributes, httpServletRequest, httpServletResponse)) != null) {
                    // NOTE(review): createCookies is called with the result's Subject without a
                    // status check, so a failed certificate result reaches it too.
                    if (z2 && (createCookies2 = WebAttributes.createCookies(httpServletRequest, handleCertificates.getSubject())) != null) {
                        handleCertificates.setCookieList(createCookies2);
                    }
                    // This return has no matching Tr.exit, unlike the other exits.
                    return handleCertificates;
                }
                authenticationResult = handleBasicAuth(webAttributes, httpServletRequest, httpServletResponse);
            }
            if (authenticationResult.getStatus() == 1) {
                // Reached by BASIC results and by non-null trust-association results alike, so
                // AUTH_TYPE is recorded as BASIC in both cases.
                WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", "BASIC");
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, "Successful authentication");
                }
                if (z2 && (createCookies = WebAttributes.createCookies(httpServletRequest, authenticationResult.getSubject())) != null) {
                    authenticationResult.setCookieList(createCookies);
                }
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.authenticate", "1465", this);
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Exception occurred: ").append(e.getMessage()).toString());
                Tr.debug(tc, "Authentication failed.");
            }
            // NOTE(review): the raw exception message travels in the result; check that callers do
            // not echo it to the client.
            authenticationResult = new AuthenticationResult(2, e.getMessage());
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), null, null, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.exception.audit", null);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "authenticate");
        }
        return authenticationResult;
    }

    /**
     * Returns the value of the first cookie whose name equals {@code str}.
     *
     * <p>NOTE(review): the returned value is written to the exit trace. If this helper is used for
     * token-bearing cookies, trace files then hold those tokens - confirm against the callers.
     *
     * @param cookieArr the request cookies; may be {@code null}
     * @param str the cookie name to look for
     * @return the first matching cookie's value, or {@code null} when there is no match
     */
    public static String getCookieValue(Cookie[] cookieArr, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCookieValue", str);
        }
        String found = null;
        if (cookieArr != null) {
            for (Cookie candidate : cookieArr) {
                if (str.equals(candidate.getName())) {
                    // First match wins, even if its value is null.
                    found = candidate.getValue();
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCookieValue", found);
        }
        return found;
    }

    /**
     * Collects the values of every cookie whose name equals {@code str}, in request order.
     *
     * <p>NOTE(review): each matching value is written to trace as it is collected. If this helper is
     * used for token-bearing cookies, trace files then hold those tokens - confirm against the
     * callers.
     *
     * @param cookieArr the request cookies; may be {@code null}
     * @param str the cookie name to look for
     * @return the matching values, or {@code null} (not an empty array) when nothing matches
     */
    public static String[] getCookieValues(Cookie[] cookieArr, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCookieValues", str);
        }
        ArrayList matches = new ArrayList();
        if (cookieArr != null) {
            for (Cookie candidate : cookieArr) {
                if (!str.equals(candidate.getName())) {
                    continue;
                }
                matches.add(candidate.getValue());
                if (tc.isEntryEnabled()) {
                    Tr.debug(tc, candidate.getValue());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCookieValues");
        }
        if (matches.isEmpty()) {
            return null;
        }
        return (String[]) matches.toArray(new String[matches.size()]);
    }

    /**
     * Validates a byte-array credential (presumably an SSO token, judging by the audit keys) by
     * logging in through the context manager.
     *
     * <p>A non-null Subject yields a status-1 result whose {@code realm} is set to {@code str}; a
     * null Subject yields {@code AUTHN_FAILED_RESULT}; an exception yields a status-2 result that
     * carries the exception message.
     *
     * <p>NOTE(review): as written here the catch block falls through to the {@code login == null}
     * test with {@code login} unassigned, which Java would reject. This is probably lost control
     * flow from decompilation (an early return in the catch) - confirm against the original class
     * before changing anything.
     *
     * <p>NOTE(review): every audit event below receives {@code new String(bArr)} as its last
     * argument. If {@code bArr} is a bearer token, the audit record holds a reusable credential -
     * confirm what the audit handler stores.
     *
     * @param str the realm recorded on the result and in the audit events
     * @param bArr the credential bytes passed to the login call
     * @param webAttributes per-application security settings (web app name, challenge type)
     * @param httpServletRequest the current request; audit events are skipped when it is null
     * @param httpServletResponse the current response, passed through to the login call
     * @return the authentication result
     */
    public AuthenticationResult validate(String str, byte[] bArr, WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationResult authenticationResult;
        Subject login;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate");
        }
        try {
            HashMap hashMap = new HashMap(2);
            hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.WEB_APP_NAME, webAttributes.getWebAppName());
            hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.REDIRECT_URL, null);
            login = this.contextManager.login(str, bArr, authMech, httpServletRequest, httpServletResponse, hashMap);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.validate", "1596", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate", e);
            }
            authenticationResult = new AuthenticationResult(2, e.getMessage());
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.sso.exception.audit", new Object[]{new String(bArr)});
            }
        }
        // No Subject: the credential was not accepted.
        if (login == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validate: Subject is null.");
            }
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.SSOTOKEN_VALIDATION_FAILED, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), null, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.sso.invalid.audit", new Object[]{new String(bArr)});
            }
            return AUTHN_FAILED_RESULT;
        }
        authenticationResult = new AuthenticationResult(1, login);
        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 0)) {
            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), SubjectHelper.getWSCredentialFromSubject(login).getSecurityName(), providerName, true, login, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.sso.validate.audit", new Object[]{new String(bArr)});
        }
        authenticationResult.realm = str;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate");
        }
        return authenticationResult;
    }

    /**
     * Copies the cushion value of the shared {@code AuthCache} instance into this authenticator.
     */
    private void initialize() {
        cushion = AuthCache.getInstance().getCushion();
    }

    /**
     * Authenticates a user name and password without any web request context.
     *
     * <p>Delegates to the six-argument overload with no web attributes, request or response.
     *
     * @param str the realm, forwarded unchanged
     * @param str2 the user name
     * @param str3 the password
     * @return the result produced by the six-argument overload
     */
    public AuthenticationResult basicAuthenticate(String str, String str2, String str3) {
        final AuthenticationResult outcome = basicAuthenticate(str, str2, str3, (WebAttributes) null, (HttpServletRequest) null, (HttpServletResponse) null);
        return outcome;
    }

    /**
     * Authenticates a user id and password through {@code contextManager.login} against
     * {@code default_realm} and wraps the outcome in an {@link AuthenticationResult}. An
     * authentication audit event is sent for each outcome when an audit factory is set, the
     * request is non-null and the factory reports the event as active.
     *
     * <p>NOTE(review): this listing appears to be decompiler output. As printed, {@code login} is
     * not assigned on the exception path yet is read after the {@code catch}, and the result
     * built inside the {@code catch} is not returned on any visible path. Confirm the real
     * control flow against the class file before relying on what the exception path returns.
     *
     * @param str value stored as the result's {@code realm} and passed to the audit events
     * @param str2 user id handed to the login call; stored as the result's {@code userName}
     * @param str3 password handed to the login call; stored as the result's {@code passWord}
     * @param webAttributes when non-null, its web application name is passed to the login call
     *     together with the request and response; when {@code null}, the login call receives
     *     neither the request nor the response
     * @param httpServletRequest source of the session id, URI, method and remote address fields
     *     of the audit events; no audit event is sent when it is {@code null}
     * @param httpServletResponse forwarded to the login call when {@code webAttributes} is
     *     non-null
     * @return a result built with status 1 and the logged-in Subject on success, or
     *     {@code AUTHN_FAILED_RESULT} when the login call returns {@code null}
     */
    public AuthenticationResult basicAuthenticate(String str, String str2, String str3, WebAttributes webAttributes, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationResult authenticationResult;
        Subject login;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "basicAuthenticate");
        }
        try {
            if (webAttributes != null) {
                // Login options: the web application name, and an explicit null redirect URL.
                HashMap hashMap = new HashMap(2);
                hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.WEB_APP_NAME, webAttributes.getWebAppName());
                hashMap.put(com.ibm.wsspi.security.auth.callback.Constants.REDIRECT_URL, null);
                login = this.contextManager.login(default_realm, str2, str3, authMech, httpServletRequest, httpServletResponse, hashMap);
            } else {
                // Without web attributes the request and response are not forwarded either.
                login = this.contextManager.login(default_realm, str2, str3, authMech, (HttpServletRequest) null, (HttpServletResponse) null, (Map) null);
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.web.WebAuthenticator.basicAuthenticate", "1698", this);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "basicAuthenticate", e);
            }
            // NOTE(review): the raw exception message is copied into the result; check that no
            // caller echoes it back to the client.
            authenticationResult = new AuthenticationResult(2, e.getMessage());
            // NOTE(review): the guard covers auditFactory and the request but not webAttributes,
            // which is dereferenced in the call below. A null webAttributes with a non-null
            // request would throw a NullPointerException out of this handler and the DENIED
            // event would be lost. The same pattern repeats in the two audit calls further down.
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                // getSession() with no argument creates a session when the request has none
                // (standard Servlet API behaviour), so a failed attempt can allocate a session.
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, "DENIED", httpServletRequest.getSession().getId(), e, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), str2, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.basic.exception.audit", null);
            }
        }
        // A null Subject from the login call is reported as invalid user id / password.
        if (login == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "basicAuthenticate: authentication failed");
            }
            if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 4)) {
                auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.DENIED, AuditOutcome.INVALID_UIDPSWD, httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), str2, providerName, true, null, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.basic.error.audit", null);
            }
            // Shared failure object: every caller on this path receives the same instance.
            return AUTHN_FAILED_RESULT;
        }
        authenticationResult = new AuthenticationResult(1, login);
        if (auditFactory != null && httpServletRequest != null && auditFactory.isActive(0, 0)) {
            auditFactory.sendAuthnAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", httpServletRequest.getSession().getId(), null, WebCollaborator.getURI(httpServletRequest), "WEB", httpServletRequest.getMethod(), str, authMech, webAttributes.getChallengeType(), str2, providerName, true, login, httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), httpServletRequest.getRemotePort(), "security.audit.basic.success.audit", null);
        }
        authenticationResult.realm = str;
        authenticationResult.userName = str2;
        // NOTE(review): the cleartext password stays on the returned result. Verify that the
        // result is never traced, logged, cached or serialized with this field populated.
        authenticationResult.passWord = str3;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "basicAuthenticate");
        }
        return authenticationResult;
    }

    /**
     * Placeholder that always fails: no credential is ever produced by this implementation.
     *
     * @param str unused
     * @param str2 unused
     * @param str3 unused
     * @return never returns normally
     * @throws RuntimeException always, with the message {@code "Not Implemented"}
     */
    protected WSCredential setSasBasicAuth(String str, String str2, String str3) throws Exception {
        final RuntimeException notImplemented = new RuntimeException("Not Implemented");
        throw notImplemented;
    }

    /**
     * Picks between two candidate subjects, giving priority to the first.
     *
     * @param subject preferred subject; returned whenever it is non-null
     * @param subject2 fallback subject; returned only when {@code subject} is {@code null}
     * @return {@code subject} if non-null, otherwise {@code subject2} (which may itself be
     *     {@code null})
     */
    public Subject getPreferredSubject(Subject subject, Subject subject2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPreferredSubject");
        }
        if (subject == null) {
            return subject2;
        }
        return subject;
    }

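    /**
     * Resolves a class by its fully qualified name, turning a lookup failure into an unchecked
     * linkage error. In the visible code it is called only with a constant class name from the
     * static initializer.
     *
     * @param str fully qualified name of the class to load
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found; the original
     *     {@link ClassNotFoundException} is attached as the cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() is declared to return Throwable, so throwing its result directly does
            // not compile in a method without a throws clause. Throw the typed error instead.
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }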

    // Class initializer: registers the trace component and sets the static defaults.
    static {
        // Resolve and memoize this class's own Class object before registering the tracer.
        if (class$com$ibm$ws$security$web$WebAuthenticator == null) {
            class$com$ibm$ws$security$web$WebAuthenticator = class$("com.ibm.ws.security.web.WebAuthenticator");
        }
        tc = Tr.register(class$com$ibm$ws$security$web$WebAuthenticator, (String) null, "com.ibm.ejs.resources.security");
        webAuthInstance = null;
        nullStringArray = new String[0];

        // Shared failure results; both are built with status code 2.
        AUTHN_FAILED_RESULT = new AuthenticationResult(2, "Authentication Failed");
        CRED_FAILED_RESULT = new AuthenticationResult(2, "credential validation failure");

        taManager = null;
        authMech = null;

        // Read once at class load; null when the system property is not set.
        BasicAuthEncoding = System.getProperty("com.ibm.websphere.security.BasicAuthEncoding");

        // NOTE(review): a plain HashMap held in a static field. Any synchronization and the
        // enforcement of MAX_COOKIE_STRING_ENTRIES must happen where the cache is used, which
        // is not visible here. Confirm both.
        cookieStringCache = new HashMap(20);
        MAX_COOKIE_STRING_ENTRIES = 100;

        ctxMgr = ContextManagerFactory.getInstance();
        auditHandler = null;
        auditFactory = null;
        default_realm = null;
    }
}
