package com.ibm.ws.security.auth;

import com.ibm.CSIv2Security.LTPAMechOID;
import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.common.auth.WSPrincipalImpl;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.SecurityConfigObject;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.KerberosToken;
import com.ibm.wsspi.security.token.PropagationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/sas.jar:com/ibm/ws/security/auth/SubjectHelper.class */
public class SubjectHelper {
    // Dotted-decimal object identifier of the Kerberos V5 GSS-API mechanism.
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";
    // Lazily created by createUnauthenticatedSubject() and then handed to every caller of that method.
    private static Subject unauthenticatedSubject = null;
    // Trace component used by every Tr.entry/Tr.debug/Tr.exit/Tr.warning call in this class.
    private static final TraceComponent tc = Tr.register(SubjectHelper.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    // NOTE(review): not referenced in the part of the class visible here; purpose known from the name only.
    private static Integer maxSizeValue = null;
    // NOTE(review): not referenced in the part of the class visible here; purpose known from the name only.
    private static String currentHost = null;
    // NOTE(review): presumably the cache behind getKrb5MechOid(), which is defined outside this view; confirm.
    private static Oid krb5MechOid = null;
    // Class token passed to Manager.Ffdc.log(...) as the reporting source.
    private static final Class thisClass = SubjectHelper.class;
    // NOTE(review): the four caller-list settings below are not referenced in the visible part of the class;
    // where they are loaded and what they gate cannot be determined from here.
    private static String propagateFirstCallerOnlyProperty = null;
    private static boolean propagateFirstCallerOnly = false;
    private static String disableCallerListProperty = null;
    private static boolean disableCallerList = false;

    /**
     * Builds a Subject for a credential, leaving the principal to be derived from the credential.
     *
     * @param wSCredential credential to wrap; may be {@code null}
     * @return whatever the two-argument overload returns when called with a {@code null} principal
     */
    public static Subject createSubjectFromWSCredential(WSCredential wSCredential) {
        // No principal supplied: the two-argument overload derives one from the credential.
        final WSPrincipal noExplicitPrincipal = null;
        return createSubjectFromWSCredential(wSCredential, noExplicitPrincipal);
    }

    /**
     * Creates a new Subject that carries the credential as a public credential and the
     * principal in its principal set.
     *
     * <p>When no principal is supplied, one is derived with {@code createPrincipal}. Every failure
     * is reported to FFDC and converted into a {@code null} return, so callers must treat
     * {@code null} as "no Subject was created" and must not continue as if a login had succeeded.
     *
     * @param wSCredential credential to store; {@code null} yields {@code null}
     * @param wSPrincipal principal to store, or {@code null} to derive it from the credential
     * @return the populated Subject, or {@code null} when the credential is {@code null} or a step fails
     */
    public static Subject createSubjectFromWSCredential(final WSCredential wSCredential, WSPrincipal wSPrincipal) {
        if (wSCredential == null) {
            return null;
        }
        WSPrincipal resolvedPrincipal = wSPrincipal;
        if (resolvedPrincipal == null) {
            try {
                resolvedPrincipal = createPrincipal(wSCredential);
            } catch (Exception e) {
                Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createSubjectFromWSCredential", "168");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception creating principal from WSCredential.", new Object[]{e});
                }
                return null;
            }
        }
        final WSPrincipal principalToStore = resolvedPrincipal;
        try {
            final Subject created = new Subject();
            // The Subject's sets are modified inside a privileged block.
            AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    Set<Principal> principals = created.getPrincipals();
                    if (!principals.contains(principalToStore)) {
                        principals.add(principalToStore);
                    }
                    Set<Object> publicCredentials = created.getPublicCredentials();
                    if (!publicCredentials.contains(wSCredential)) {
                        publicCredentials.add(wSCredential);
                    }
                    return null;
                }
            });
            return created;
        } catch (Exception e2) {
            Manager.Ffdc.log(e2, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createSubjectFromWSCredential", "200");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating Subject from WSCredential.", new Object[]{e2});
            }
            return null;
        }
    }

    /**
     * Reports whether a Subject holds at least one public credential of any type.
     *
     * <p>This only checks that the public credential set is non-empty; it says nothing about the
     * type or validity of what is stored there.
     *
     * @param subject Subject to inspect; may be {@code null}
     * @return {@code true} when the public credential set is non-empty, otherwise {@code false}
     */
    public static boolean subjectContainsCredential(Subject subject) {
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject passed in is null. Returning false");
            }
            return false;
        }
        Set<Object> publicCreds = subject.getPublicCredentials();
        boolean hasPublicCreds = publicCreds != null && publicCreds.size() > 0;
        if (hasPublicCreds && tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject passed has publicCreds. Returning true");
        }
        return hasPublicCreds;
    }

    /**
     * Returns the first WSCredential found among a Subject's public credentials.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the first public credential that is a WSCredential, or {@code null} when the Subject
     *         is {@code null} or holds none
     */
    public static WSCredential getWSCredentialFromSubject(Subject subject) {
        if (subject == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Subject passed in is null.");
            }
            return null;
        }
        Set<Object> publicCreds = subject.getPublicCredentials();
        if (publicCreds != null && publicCreds.size() > 0) {
            Iterator<Object> candidates = publicCreds.iterator();
            while (candidates.hasNext()) {
                Object candidate = candidates.next();
                // instanceof is false for null, so no separate null test is needed.
                if (candidate instanceof WSCredential) {
                    return (WSCredential) candidate;
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "WSCredential not present in Subject.");
        }
        return null;
    }

    /**
     * Looks up a GSS credential among the private credentials of a Subject.
     *
     * <p>The lookup runs inside a privileged block. It first asks the Subject for KRBAuthnToken
     * private credentials and takes the GSS credential of the first token returned; only when
     * that yields nothing does it fall back to private credentials of type GSSCredential.
     *
     * <p>NOTE(review): the body of the privileged action does not compile as listed ({@code r8} is
     * never declared and {@code gSSCredential2} is used outside the loop that declares it). It
     * looks like damaged decompiler output; restore this method from the original source before
     * relying on it.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the credential found, or {@code null} when the Subject is {@code null}, nothing is
     *         found, or any error occurs
     */
    public static GSSCredential getGSSCredentialFromSubject(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGSSCredentialFromSubject");
        }
        if (subject == null) {
            return null;
        }
        try {
            GSSCredential gSSCredential = (GSSCredential) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.SubjectHelper.2
                @Override // java.security.PrivilegedAction
                public Object run() {
                    Set<GSSCredential> privateCredentials;
                    try {
                        // NOTE(review): r8 has no declaration; presumably a GSSCredential local
                        // that holds the result of the KRBAuthnToken lookup; confirm.
                        r8 = null;
                        Set privateCredentials2 = subject.getPrivateCredentials(KRBAuthnToken.class);
                        if (privateCredentials2 != null) {
                            KRBAuthnToken kRBAuthnToken = null;
                            Iterator it = privateCredentials2.iterator();
                            // Stops at the first non-null token.
                            while (it.hasNext() && kRBAuthnToken == null) {
                                kRBAuthnToken = (KRBAuthnToken) it.next();
                            }
                            if (kRBAuthnToken != null) {
                                r8 = kRBAuthnToken.getGSSCredential();
                            }
                        }
                        // Fallback: GSSCredential objects stored directly as private credentials.
                        if (r8 == null && (privateCredentials = subject.getPrivateCredentials(GSSCredential.class)) != null) {
                            // NOTE(review): the loop body is empty, so which element was meant to
                            // be selected (first or last) cannot be determined from this listing.
                            for (GSSCredential gSSCredential2 : privateCredentials) {
                            }
                        }
                        // NOTE(review): gSSCredential2 is out of scope here, and the value found
                        // through the KRBAuthnToken path (r8) is never returned as written.
                        return gSSCredential2;
                    } catch (Throwable th) {
                        // Every failure, including Errors, becomes null and is visible only when
                        // debug trace is on; no FFDC record is written on this path.
                        if (!SubjectHelper.tc.isDebugEnabled()) {
                            return null;
                        }
                        Tr.debug(SubjectHelper.tc, "Exception getting GSSCredential from krbAuthnToken or subject.", new Object[]{th});
                        return null;
                    }
                }
            });
            if (tc.isDebugEnabled()) {
                // Only the presence of a credential is traced, never the credential itself.
                Tr.debug(tc, "Found default GSSCredential? " + (gSSCredential != null));
            }
            return gSSCredential;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getGSSCredentialFromSubject", "335");
            if (!tc.isDebugEnabled()) {
                return null;
            }
            Tr.debug(tc, "Exception getting GSSCredential from Subject.", new Object[]{e});
            return null;
        }
    }

    /**
     * Adds a GSS credential to a Subject's private credentials, and a KerberosPrincipal built
     * from the credential's name to its principals.
     *
     * <p>A GSSException while building the principal is logged and the credential is still stored.
     * Any other exception is logged and reported as {@code false}.
     *
     * @param gSSCredential credential to store; {@code null} yields {@code false}
     * @param subject Subject to update; {@code null} yields {@code false}
     * @return {@code true} when the credential was added, otherwise {@code false}
     */
    public static boolean putGSSCredentialInSubject(final GSSCredential gSSCredential, final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "putGSSCredentialInSubject");
        }
        if (gSSCredential == null || subject == null) {
            return false;
        }
        PrivilegedAction storeCredential = new PrivilegedAction() {
            @Override
            public Object run() {
                // NOTE(review): this asks whether the set contains the Class object
                // GSSCredential.class, not an instance of GSSCredential, so it does not detect an
                // already-stored credential. Left as is: making the guard effective would turn
                // "add another credential" into "refuse the new one", which callers that refresh
                // credentials may not expect. Decide on the intended semantics before changing it.
                if (subject.getPrivateCredentials().contains(GSSCredential.class)) {
                    return Boolean.FALSE;
                }
                try {
                    Principal krbPrincipal = new KerberosPrincipal(gSSCredential.getName().toString());
                    Set<Principal> principals = subject.getPrincipals();
                    if (!principals.contains(krbPrincipal)) {
                        principals.add(krbPrincipal);
                    }
                } catch (GSSException e) {
                    // Best effort: a failure to read the name does not stop the credential from being stored.
                    Manager.Ffdc.log(e, this, "com.ibm.ws.security.auth.SubjectHelper.putGSSCredentialInSubject", "370");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception adding Kerberos principal to Subject.", new Object[]{e});
                    }
                }
                subject.getPrivateCredentials().add(gSSCredential);
                return Boolean.TRUE;
            }
        };
        try {
            Object stored = AccessController.doPrivileged(storeCredential);
            return ((Boolean) stored).booleanValue();
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.putGSSCredentialInSubject", "385");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception adding GSSCredential to Subject.", new Object[]{e});
            }
            return false;
        }
    }

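    /**
     * Decides whether a Kerberos ticket can still be renewed.
     *
     * <p>A ticket qualifies only when it is flagged renewable, is still current, and its
     * renew-till time lies more than five minutes in the future.
     *
     * <p>The "not renewable" and "not current" rejections used to be taken only while entry trace
     * was enabled, so the answer could differ between a traced and an untraced server. They are
     * now unconditional; tracing only controls what is logged.
     *
     * <p>The ticket object itself is deliberately not written to trace.
     *
     * @param kerberosTicket ticket to examine; {@code null} yields {@code false}
     * @return {@code true} when the ticket is renewable, current and has more than the safety
     *         margin left before its renew-till time
     */
    public static boolean isKerberosTicketRenewable(KerberosTicket kerberosTicket) {
        // Margin subtracted from the remaining renewal window: 300000 ms = 5 minutes.
        final long renewalMarginMillis = 300000L;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKerberosTicketRenewable");
        }
        boolean renewable = false;
        if (kerberosTicket == null) {
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Kerberos ticket is null");
            }
        } else if (!kerberosTicket.isRenewable()) {
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Kerberos ticket is not renewable");
            }
        } else if (!kerberosTicket.isCurrent()) {
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "Kerberos ticket is not current");
            }
        } else {
            Date renewTill = kerberosTicket.getRenewTill();
            if (tc.isEntryEnabled()) {
                Tr.debug(tc, "renewTill: " + renewTill);
            }
            if (renewTill != null) {
                long renewTillMillis = renewTill.getTime();
                long now = System.currentTimeMillis();
                long timeLeft = (renewTillMillis - now) - renewalMarginMillis;
                if (tc.isEntryEnabled()) {
                    // The first label says seconds, but the value traced is in milliseconds.
                    Tr.debug(tc, "renewTillInSeconds: " + renewTillMillis);
                    Tr.debug(tc, "currentTime: " + now);
                    Tr.debug(tc, "timeleft: " + timeLeft);
                }
                renewable = timeLeft > 0;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKerberosTicketRenewable " + renewable);
        }
        return renewable;
    }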

    /**
     * Finds the default single sign-on token of a Subject, i.e. the private credential of type
     * SingleSignonToken whose name is {@code "LtpaToken"}.
     *
     * <p>The search runs inside a privileged block. Only token names are traced. A token with a
     * {@code null} name makes the name comparison throw; that exception is logged to FFDC and
     * the method returns {@code null}.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the matching token, or {@code null} when none is found or an error occurs
     */
    public static SingleSignonToken getDefaultSSOTokenFromSubject(final Subject subject) {
        if (subject == null) {
            return null;
        }
        PrivilegedAction findLtpaToken = new PrivilegedAction() {
            @Override
            public Object run() {
                Iterator<SingleSignonToken> tokens = subject.getPrivateCredentials(SingleSignonToken.class).iterator();
                while (tokens.hasNext()) {
                    SingleSignonToken candidate = tokens.next();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Processing SSO token with name: " + candidate.getName());
                    }
                    if (candidate.getName().equals("LtpaToken")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found default SSO token.");
                        }
                        return candidate;
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Could not find default SSO token.");
                }
                return null;
            }
        };
        try {
            return (SingleSignonToken) AccessController.doPrivileged(findLtpaToken);
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getDefaultSSOTokenFromSubject", "489");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting SingleSignonToken from Subject.", new Object[]{e});
            }
            return null;
        }
    }

    /**
     * Finds the default authorization token of a Subject, i.e. the private credential of type
     * AuthorizationToken whose name equals {@code AttributeNameConstants.WSAUTHZTOKEN_NAME}.
     *
     * <p>Unlike the SSO token lookup in this class, the private credentials are read directly,
     * not inside a privileged block.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the matching token, or {@code null} when none is found or an error occurs
     */
    public static AuthorizationToken getDefaultAuthzTokenFromSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        try {
            Iterator<AuthorizationToken> tokens = subject.getPrivateCredentials(AuthorizationToken.class).iterator();
            while (tokens.hasNext()) {
                AuthorizationToken candidate = tokens.next();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing AUTHZ token with name: " + candidate.getName());
                }
                if (candidate.getName().equals(AttributeNameConstants.WSAUTHZTOKEN_NAME)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found default AuthorizationToken.");
                    }
                    return candidate;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find default Authorization token.");
            }
            return null;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getDefaultAuthzTokenFromSubject", "530");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting AuthorizationToken from Subject.", new Object[]{e});
            }
            return null;
        }
    }

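    /**
     * Returns the first AuthenticationToken found among a Subject's private credentials.
     *
     * <p>Unlike the authorization and Kerberos token lookups in this class, no name filter is
     * applied: whichever token the set iterator yields first is returned.
     *
     * <p>The FFDC source id previously named {@code getDefaultAuthzTokenFromSubject}, which
     * attributed failures here to the authorization-token lookup; it now names this method.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the first token, or {@code null} when none is present or an error occurs
     */
    public static AuthenticationToken getDefaultAuthTokenFromSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        try {
            Iterator<AuthenticationToken> tokens = subject.getPrivateCredentials(AuthenticationToken.class).iterator();
            if (tokens.hasNext()) {
                AuthenticationToken first = tokens.next();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing AUTH token with name: " + first.getName());
                }
                return first;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find default AuthenticationToken.");
            }
            return null;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getDefaultAuthTokenFromSubject", "565");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting AuthenticationToken from Subject.", new Object[]{e});
            }
            return null;
        }
    }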

    /**
     * Finds the default Kerberos token of a Subject, i.e. the private credential of type
     * KerberosToken whose name equals {@code AttributeNameConstants.WSKERBEROSTOKEN_NAME}.
     *
     * <p>An entry trace is written but no matching exit trace. Only token names are traced.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the matching token, or {@code null} when none is found or an error occurs
     */
    public static KerberosToken getDefaultKerberosTokenFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultKerberosTokenFromSubject");
        }
        if (subject == null) {
            return null;
        }
        try {
            Iterator<KerberosToken> tokens = subject.getPrivateCredentials(KerberosToken.class).iterator();
            while (tokens.hasNext()) {
                KerberosToken candidate = tokens.next();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing Kerberos token with name: " + candidate.getName());
                }
                if (candidate.getName().equals(AttributeNameConstants.WSKERBEROSTOKEN_NAME)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found default KerberosToken.");
                    }
                    return candidate;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find default Kerberos token.");
            }
            return null;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getDefaultKerberosTokenFromSubject", "531");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting KerberosToken from Subject.", new Object[]{e});
            }
            return null;
        }
    }

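    /**
     * Finds the default Kerberos service ticket of a Subject, i.e. the private credential of type
     * KerberosToken whose name equals {@code AttributeNameConstants.WSKERBEROSTICKET_NAME}.
     *
     * <p>The entry trace previously carried the name of {@code getDefaultKerberosTokenFromSubject},
     * which made the two lookups indistinguishable in a trace; it now names this method.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the matching token, or {@code null} when none is found or an error occurs
     */
    public static KerberosToken getDefaultKerberosServiceTicketFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultKerberosServiceTicketFromSubject");
        }
        if (subject == null) {
            return null;
        }
        try {
            for (KerberosToken candidate : subject.getPrivateCredentials(KerberosToken.class)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Processing Kerberos ticket with name: " + candidate.getName());
                }
                if (candidate.getName().equals(AttributeNameConstants.WSKERBEROSTICKET_NAME)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found default KerberosServiceTicket.");
                    }
                    return candidate;
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find default Kerberos Service Ticket.");
            }
            return null;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getDefaultKerberosServiceTicketFromSubject", "573");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting KerberosServiceTicket from Subject.", new Object[]{e});
            }
            return null;
        }
    }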

    /**
     * Returns the end time of the Kerberos ticket held by a Subject.
     *
     * @param subject Subject to inspect; handed unchanged to {@code getKerberosTicketFromSubject}
     * @return the ticket's end time in milliseconds since the epoch, or {@code 0} when the Subject
     *         yields no ticket
     */
    public static long getKerberosTicketExpirationTime(Subject subject) {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the Subject itself is passed to the trace call. Subject.toString() can
            // include private credentials when the caller is allowed to read them, so entry trace
            // from this method should be handled as sensitive. Confirm how Tr renders the argument.
            Tr.entry(tc, "getKerberosTicketExpirationTime", subject);
        }
        KerberosTicket ticket = getKerberosTicketFromSubject(subject);
        long expirationMillis = (ticket == null) ? 0 : ticket.getEndTime().getTime();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKerberosTicketExpirationTime " + expirationMillis);
        }
        return expirationMillis;
    }

    /**
     * Returns the end time of a Kerberos ticket.
     *
     * @param kerberosTicket ticket to read; may be {@code null}
     * @return the end time in milliseconds since the epoch, or {@code 0} for a {@code null} ticket
     */
    public static long getKerberosTicketExpirationTime(KerberosTicket kerberosTicket) {
        return (kerberosTicket == null) ? 0L : kerberosTicket.getEndTime().getTime();
    }

    /**
     * Retrieves a Kerberos ticket from a Subject.
     *
     * <p>The Kerberos authentication token of the Subject is tried first; when it is a KRBTicket,
     * its ticket is returned. Otherwise the first KerberosTicket among the private credentials is
     * returned. A warning is logged when more than one ticket is stored, and the one returned is
     * simply the first the set iterator yields.
     *
     * @param subject Subject to search; may be {@code null}
     * @return the ticket found, or {@code null} when there is none or an error occurs
     */
    public static KerberosTicket getKerberosTicketFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the Subject itself is passed to the trace call. Subject.toString() can
            // include private credentials when the caller is allowed to read them; confirm how Tr
            // renders the argument and treat this trace as sensitive.
            Tr.entry(tc, "getKerberosTicketFromSubject", subject);
        }
        if (subject != null) {
            KRBAuthnToken authnToken = getKerberosAuthnTokenFromSubject(subject);
            // instanceof is false for null, so this also covers a missing token.
            if (authnToken instanceof KRBTicket) {
                KerberosTicket fromToken = ((KRBTicket) authnToken).getKerberosTicket();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found default Kerberos Ticket");
                }
                return fromToken;
            }
            try {
                Set storedTickets = subject.getPrivateCredentials(KerberosTicket.class);
                if (storedTickets.size() > 1) {
                    Tr.warning(tc, "Multiple Kerberos tickets found");
                }
                Iterator candidates = storedTickets.iterator();
                while (candidates.hasNext()) {
                    Object candidate = candidates.next();
                    if (candidate instanceof KerberosTicket) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found default Kerberos Ticket");
                        }
                        return (KerberosTicket) candidate;
                    }
                }
            } catch (Exception e) {
                Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getKerberosTicketFromSubject", "647");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception getting Kerberos ticket from Subject.", new Object[]{e});
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Could not find default Kerberos Ticket.");
        }
        return null;
    }

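    /**
     * Derives the Kerberos realm name for a Subject.
     *
     * <p>When the Subject yields a GSS credential, the realm is the text after the first
     * {@code '@'} of the credential's Kerberos mechanism name. Otherwise the realm recorded in
     * the Subject's Kerberos authentication token is used.
     *
     * <p>The null test on the name string previously came after the string had already been
     * dereferenced, so it could never take effect; it now precedes the first use.
     *
     * @param subject Subject to inspect; may be {@code null}
     * @return the realm name, or {@code null} when it cannot be determined or a GSSException occurs
     */
    public static String getKerberosRealmNameFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the Subject itself is passed to the trace call. Subject.toString() can
            // include private credentials when the caller is allowed to read them; confirm how Tr
            // renders the argument and treat this trace as sensitive.
            Tr.entry(tc, "getKerberosRealmNameFromSubject", subject);
        }
        String realm = null;
        if (subject != null) {
            GSSCredential gssCredential = getGSSCredentialFromSubject(subject);
            if (gssCredential != null) {
                try {
                    String principalName = gssCredential.getName(getKrb5MechOid()).toString();
                    if (principalName != null) {
                        // NOTE(review): splits at the first '@'. Whether names with an escaped '@'
                        // in the user part can reach this point is not visible here; confirm.
                        int at = principalName.indexOf("@");
                        if (at != -1) {
                            realm = principalName.substring(at + 1);
                        }
                    }
                } catch (GSSException e) {
                    String message = "Caught an exception trying to get the mechanism name from the GSS credential: " + e + ", codes: " + e.getMajor() + e.getMinor() + e.getMinorString();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, message);
                    }
                    Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getKerberosRealmNameFromSubject", "684", thisClass);
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getKerberosRealmNameFromSubject", "false");
                    }
                    return null;
                }
            } else {
                KRBAuthnToken authnToken = getKerberosAuthnTokenFromSubject(subject);
                if (authnToken != null) {
                    realm = authnToken.getTokenRealm();
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKerberosRealmNameFromSubject", realm);
        }
        return realm;
    }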

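    /**
     * Replaces the Kerberos tickets stored in a Subject with the given ticket.
     *
     * <p>The previous code called {@code remove(existingSet)}, which looks for the Set object
     * itself among the private credentials and therefore removed nothing. Old tickets
     * accumulated next to the new one, and {@code getKerberosTicketFromSubject} returns whichever
     * ticket the iterator yields first, which could be a stale one. The existing tickets are now
     * removed element by element with {@code removeAll}.
     *
     * @param kerberosTicket ticket to store; {@code null} yields {@code false}
     * @param subject Subject to update; {@code null} yields {@code false}
     * @return {@code true} when the ticket was stored, {@code false} on {@code null} input or error
     */
    public static boolean putKerberosTicketToSubject(final KerberosTicket kerberosTicket, final Subject subject) {
        if (subject == null || kerberosTicket == null) {
            return false;
        }
        try {
            return ((Boolean) AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    try {
                        // getPrivateCredentials(Class) returns a fresh set that is not backed by
                        // the Subject, so it is safe to use as the argument of removeAll below.
                        Set<KerberosTicket> existingTickets = subject.getPrivateCredentials(KerberosTicket.class);
                        if (!existingTickets.isEmpty()) {
                            subject.getPrivateCredentials().removeAll(existingTickets);
                        }
                        subject.getPrivateCredentials().add(kerberosTicket);
                        return Boolean.TRUE;
                    } catch (Exception e) {
                        Manager.Ffdc.log(e, SubjectHelper.thisClass, "com.ibm.ws.security.auth.SubjectHelper.putKerberosTicketToSubject", "674");
                        if (SubjectHelper.tc.isDebugEnabled()) {
                            Tr.debug(SubjectHelper.tc, "Exception putting Kerberos tickets to a Subject.", new Object[]{e});
                        }
                        return Boolean.FALSE;
                    }
                }
            })).booleanValue();
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.putKerberosTicketToSubject", "684");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception adding Kerberos ticket to Subject.", new Object[]{e});
            }
            return false;
        }
    }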

    /**
     * Reports whether {@code getKerberosTicketFromSubject} finds a ticket for the Subject.
     *
     * <p>Presence only: the ticket's validity or expiry is not checked here.
     *
     * @param subject Subject to inspect; handed unchanged to {@code getKerberosTicketFromSubject}
     * @return {@code true} when a ticket is found
     */
    public static boolean isKerberosTicketExist(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKerberosTicketExist");
        }
        final boolean ticketPresent = getKerberosTicketFromSubject(subject) != null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKerberosTicketExist -> " + ticketPresent);
        }
        return ticketPresent;
    }

    /**
     * Checks whether the Subject's WSCredential is currently valid, without the request-timeout
     * cushion.
     *
     * @param subject Subject to inspect; may be {@code null}
     * @return the result of the two-argument overload called with {@code false}
     */
    public static boolean isWSCredentialValid(Subject subject) {
        final boolean applyCushion = false;
        return isWSCredentialValid(subject, applyCushion);
    }

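    /**
     * Checks whether the first WSCredential among a Subject's public credentials is still valid.
     *
     * <p>With {@code z == false} the answer is the credential's own {@code isCurrent()}. With
     * {@code z == true} the credential must outlive "now plus the request timeout" reported by
     * the context manager. In that mode an expiration of {@code -1} or {@code 0} is accepted
     * unconditionally, and a credential recognised by {@code ServerCredSigner} as a server
     * credential is accepted even when the remaining time is not positive.
     *
     * <p>A Subject without any WSCredential used to be rejected only through a
     * NullPointerException that was caught and written to FFDC. It is now rejected explicitly,
     * with the same {@code false} result and no exception record. The FFDC source id for genuine
     * failures, which previously named {@code getWSCredentialFromSubject}, now names this method.
     *
     * @param subject Subject to inspect; {@code null} yields {@code false}
     * @param z {@code true} to apply the request-timeout cushion to the expiration check
     * @return {@code true} when the credential is considered valid; {@code false} when it is
     *         missing, expired, or an error occurs
     */
    public static boolean isWSCredentialValid(final Subject subject, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isWSCredentialValid");
        }
        if (subject == null) {
            return false;
        }
        try {
            WSCredential wSCredential = (WSCredential) AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    for (Object candidate : subject.getPublicCredentials()) {
                        if (candidate instanceof WSCredential) {
                            return candidate;
                        }
                    }
                    return null;
                }
            });
            if (wSCredential == null) {
                // Fail closed: a Subject with no WSCredential is never valid.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSCredential not present in Subject.");
                }
                return false;
            }
            if (!z) {
                boolean current = wSCredential.isCurrent();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Is credential valid? " + current);
                }
                return current;
            }
            long expiration = wSCredential.getExpiration();
            long cushion = ContextManagerFactory.getInstance().getReqTimeout();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Cushion in use is " + cushion + " millis.");
            }
            // NOTE(review): -1 and 0 presumably mark a credential without an expiry; confirm.
            if (expiration == -1 || expiration == 0) {
                return true;
            }
            long remaining = expiration - (System.currentTimeMillis() + cushion);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Time remaining is: " + remaining + " millis.");
            }
            // Server credentials pass even when no time remains.
            return remaining > 0 || ServerCredSigner.getInstance().isServerCred(wSCredential);
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.isWSCredentialValid", "792");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting WSCredential from Subject.", new Object[]{e});
            }
            return false;
        }
    }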

    /**
     * Returns the first WSPrincipal of a Subject.
     *
     * <p>When the Subject holds no WSPrincipal, the iterator call throws; that exception is
     * logged to FFDC and the method returns {@code null}.
     *
     * @param subject Subject to inspect; may be {@code null}
     * @return the first WSPrincipal, or {@code null} when there is none or an error occurs
     */
    public static WSPrincipal getPrincipalFromSubject(final Subject subject) {
        if (subject == null) {
            return null;
        }
        PrivilegedAction firstWsPrincipal = new PrivilegedAction() {
            @Override
            public Object run() {
                Set<WSPrincipal> wsPrincipals = subject.getPrincipals(WSPrincipal.class);
                return wsPrincipals.iterator().next();
            }
        };
        try {
            return (WSPrincipal) AccessController.doPrivileged(firstWsPrincipal);
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getPrincipalFromSubject", "826");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting WSPrincipal from Subject.", new Object[]{e});
            }
            return null;
        }
    }

    /**
     * Creates the WSPrincipal that corresponds to a credential.
     *
     * <p>The principal name is the credential's realm security name. When that is {@code null} or
     * empty, the name is built as {@code <default realm>/<security name>}, using the default
     * realm reported by the context manager.
     *
     * @param wSCredential credential to read; {@code null} yields {@code null}
     * @return the new principal, or {@code null} for a {@code null} credential
     * @throws WSSecurityException when reading the credential raises CredentialExpiredException
     */
    public static WSPrincipal createPrincipal(WSCredential wSCredential) throws WSSecurityException {
        if (wSCredential == null) {
            return null;
        }
        try {
            String realmQualifiedName = wSCredential.getRealmSecurityName();
            if (realmQualifiedName == null || realmQualifiedName.length() == 0) {
                StringBuilder assembled = new StringBuilder(ContextManagerFactory.getInstance().getDefaultRealm());
                assembled.append("/").append(wSCredential.getSecurityName());
                realmQualifiedName = assembled.toString();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Principal name: " + realmQualifiedName);
            }
            final String principalName = realmQualifiedName;
            return (WSPrincipal) AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    return new WSPrincipalImpl(principalName);
                }
            });
        } catch (CredentialExpiredException e) {
            // Expired credentials are reported as a WSSecurityException that keeps the cause.
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

    /**
     * Creates a Subject around a new WSCredentialImpl built from three strings.
     *
     * <p>When the first string is {@code null} or empty, the context manager's default realm is
     * used in its place.
     *
     * <p>NOTE(review): the parameter names come from decompilation. The first is used as a realm;
     * the second and third are presumably a user name and a password. If so, the password ends up
     * inside a credential that is stored among the Subject's public credentials; confirm against
     * WSCredentialImpl.
     *
     * @param str realm, or {@code null}/empty for the default realm
     * @param str2 second constructor argument of WSCredentialImpl
     * @param str3 third constructor argument of WSCredentialImpl
     * @return the Subject returned by {@code createSubjectFromWSCredential}, possibly {@code null}
     */
    public static Subject createBasicAuthSubject(String str, String str2, String str3) {
        if (str == null || str.length() == 0) {
            return createSubjectFromWSCredential(new WSCredentialImpl(ContextManagerFactory.getInstance().getDefaultRealm(), str2, str3));
        }
        return createSubjectFromWSCredential(new WSCredentialImpl(str, str2, str3));
    }

    /**
     * Returns the shared unauthenticated Subject, creating it on first use.
     *
     * <p>The Subject is cached in a static field and the same instance is handed to every caller.
     * It is not marked read-only here, so a caller that adds principals or credentials to it
     * changes what every later caller sees; callers should treat the returned object as
     * read-only. Creation is not synchronized.
     *
     * @return the cached Subject, or {@code null} when it could not be created
     */
    public static Subject createUnauthenticatedSubject() {
        if (unauthenticatedSubject != null) {
            return unauthenticatedSubject;
        }
        try {
            // Empty realm and empty third argument; only the unauthenticated user string is set.
            WSCredentialImpl unauthenticatedCredential =
                    new WSCredentialImpl("", ContextManagerFactory.getInstance().getUnauthenticatedString(), "");
            unauthenticatedSubject = createSubjectFromWSCredential(unauthenticatedCredential);
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createUnauthenticatedSubject", "298");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting real unauthenticated subject, use constant UNAUTHENTICATED", new Object[]{e});
            }
        }
        return unauthenticatedSubject;
    }

    /**
     * Creates a new Subject holding the same public credentials, private credentials and
     * principals as {@code subject}.
     *
     * <p>The copy is shallow: the credential and principal objects themselves are shared between
     * the source and the returned Subject, only the containing sets are new.
     *
     * <p>Any exception raised while copying is recorded through FFDC and debug trace and then
     * swallowed. The Subject returned in that case holds only what was copied before the
     * failure, so it may be missing credentials or principals.
     *
     * @param subject the Subject to copy, may be {@code null}
     * @return a new Subject, or {@code null} when {@code subject} is {@code null} (no exit trace
     *         is written on that path)
     */
    public static Subject createNewSubjectFromExisting(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createNewSubjectFromExisting");
        }
        if (subject == null) {
            return null;
        }
        final Subject copy = new Subject();
        try {
            // Fetch all three source sets up front, in the same order as before.
            final Set<Object> sourcePublic = subject.getPublicCredentials();
            final Set<Object> sourcePrivate = subject.getPrivateCredentials();
            final Set<Principal> sourcePrincipals = subject.getPrincipals();
            for (Object credential : sourcePublic) {
                copy.getPublicCredentials().add(credential);
            }
            for (Object credential : sourcePrivate) {
                copy.getPrivateCredentials().add(credential);
            }
            for (Principal principal : sourcePrincipals) {
                copy.getPrincipals().add(principal);
            }
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createNewSubjectFromExisting", "970");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error copying existing Subject.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createNewSubjectFromExisting");
        }
        return copy;
    }

    /**
     * Copies {@code subject} into a new Subject, rewriting its first {@code WSCredential} and the
     * related tokens when the effective perform policy asks for LTPA but the credential carries
     * the Kerberos 5 OID.
     *
     * <p>When the policy's client-auth mechanism OID is not LTPA, or the first
     * {@code WSCredential} does not carry the Kerberos 5 OID, public and private credentials are
     * copied unchanged. Otherwise a new {@code WSCredentialImpl} is built with the policy's OID,
     * the source credential is refreshed from it, and the private credentials are filtered as
     * described on the flags below.
     *
     * <p>Side effect on the input: {@code refreshCred} is invoked on the credential object that
     * still belongs to {@code subject}, so the source Subject's credential is modified too. What
     * {@code refreshCred} changes is not visible here.
     *
     * <p>All exceptions are recorded through FFDC and debug trace and then swallowed, so the
     * returned Subject may be only partially populated. This includes a
     * {@code NullPointerException} from a {@code null} policy, which is dereferenced inside the
     * {@code try} before anything is copied.
     *
     * <p>NOTE(review): this is decompiler output. The flag-driven control flow below is
     * documented as written and should be confirmed against the original class before relying
     * on it.
     *
     * @param subject the Subject to copy, may be {@code null}
     * @param cSIv2EffectivePerformPolicy policy supplying the client-auth mechanism OID
     * @return a new Subject, or {@code null} when {@code subject} is {@code null}
     */
    public static Subject createNewSubjectFromExisting(Subject subject, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createNewSubjectFromExisting", new Object[]{cSIv2EffectivePerformPolicy});
        }
        if (subject == null) {
            return null;
        }
        Subject subject2 = new Subject();
        try {
            Set<Object> publicCredentials = subject.getPublicCredentials();
            Set<Object> privateCredentials = subject.getPrivateCredentials();
            Set<Principal> principals = subject.getPrincipals();
            // Replacement credential; stays null unless the Kerberos-to-LTPA rewrite happens.
            WSCredentialImpl wSCredentialImpl = null;
            // z  - a replacement WSCredentialImpl was built and added to subject2.
            boolean z = false;
            // z2 - the first WSCredential has been examined; later ones are copied as-is.
            boolean z2 = false;
            // z3 - an AuthenticationToken was skipped (not a KRBAuthnToken, or not the first one).
            boolean z3 = false;
            // z4 - the first KRBAuthnToken was copied to subject2.
            boolean z4 = false;
            // z5 - the first AuthorizationToken was replaced by a newly created one.
            boolean z5 = false;
            String performClientAuthMechOID = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID();
            if (publicCredentials.size() > 0) {
                for (Object obj : publicCredentials) {
                    if (!OID.compareOIDs(performClientAuthMechOID, LTPAMechOID.value)) {
                        // Policy is not LTPA: plain copy.
                        subject2.getPublicCredentials().add(obj);
                    } else if (z2 || !(obj instanceof WSCredential)) {
                        subject2.getPublicCredentials().add(obj);
                    } else {
                        z2 = true;
                        WSCredential wSCredential = (WSCredential) obj;
                        String oid = wSCredential.getOID();
                        if (OID.compareOIDs(oid, KRB5MechOID.value)) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "The OID of the effective perform policy [" + performClientAuthMechOID + "] does not match the OID of the WSCredential [" + oid + "]. Will create new WSCred, auth, authz token using the OID of the effective perform policy.");
                            }
                            // Carry the source credential's table over to the replacement.
                            Hashtable table = ((WSCredentialImpl) wSCredential).getTable();
                            wSCredentialImpl = new WSCredentialImpl(new WSCredentialImpl(wSCredential.getRealmName(), wSCredential.getSecurityName(), wSCredential.getUniqueSecurityName(), wSCredential.getPrimaryGroupId(), wSCredential.getAccessId(), wSCredential.getRoles(), wSCredential.getGroupIds()), performClientAuthMechOID, wSCredential.getCredentialToken(), wSCredential.isForwardable(), wSCredential.getExpiration());
                            wSCredentialImpl.setTable(table);
                            subject2.getPublicCredentials().add(wSCredentialImpl);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Updating Subject with new wsCred token.");
                            }
                            // Mutates the credential object still held by the source subject.
                            ((WSCredentialImpl) wSCredential).refreshCred(wSCredentialImpl);
                            z = true;
                        } else {
                            subject2.getPublicCredentials().add(obj);
                        }
                    }
                }
            }
            if (privateCredentials.size() > 0) {
                for (Object obj2 : privateCredentials) {
                    if (!z) {
                        // No credential rewrite: plain copy.
                        subject2.getPrivateCredentials().add(obj2);
                    } else if (obj2 instanceof AuthenticationToken) {
                        if (z4 || !(obj2 instanceof KRBAuthnToken)) {
                            // As written, this token is NOT copied to subject2.
                            // NOTE(review): confirm against the original bytecode.
                            z3 = true;
                        } else {
                            z4 = true;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Updating Subject with KRBAuthnToken.");
                            }
                            subject2.getPrivateCredentials().add(obj2);
                        }
                    } else if (z5 || !(obj2 instanceof AuthorizationToken)) {
                        subject2.getPrivateCredentials().add(obj2);
                    } else {
                        z5 = true;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Updating Subject with new authz token.");
                        }
                        AuthorizationToken createAuthzTokenFromWSCredential = ContextManagerFactory.getInstance().getWSCredTokenMapper().createAuthzTokenFromWSCredential(wSCredentialImpl);
                        // obj2 was never added to subject2 in this method, so this remove looks like a no-op.
                        subject2.getPrivateCredentials().remove(obj2);
                        subject2.getPrivateCredentials().add(createAuthzTokenFromWSCredential);
                    }
                }
            }
            // A new authn token is created only when a KRBAuthnToken was kept and no
            // AuthenticationToken was skipped above.
            if (z4 && !z3) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Updating Subject with new authn token.");
                }
                subject2.getPrivateCredentials().add(ContextManagerFactory.getInstance().getWSCredTokenMapper().createAuthTokenFromWSCredential(wSCredentialImpl));
            }
            if (principals.size() > 0) {
                Iterator<Principal> it = principals.iterator();
                while (it.hasNext()) {
                    subject2.getPrincipals().add(it.next());
                }
            }
        } catch (Exception e) {
            // Failure is logged only; subject2 is returned with whatever was copied so far.
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createNewSubjectFromExisting", "970");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error copying existing Subject.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            // The new Subject itself is handed to the trace call; what gets written depends on
            // how Tr formats it. Review before enabling entry/exit trace in production.
            Tr.exit(tc, "createNewSubjectFromExisting", subject2);
        }
        return subject2;
    }

    /**
     * Builds a new Subject from {@code subject} in which the Kerberos material held in the
     * private credentials is reduced to a single form.
     *
     * <p>Public credentials and principals are copied unchanged. Among the private credentials,
     * {@code KerberosTicket}, {@code GSSCredential} and {@code KRBAuthnToken} instances are held
     * back (the last one seen of each type wins) and everything else is copied. Then:
     * <ul>
     *   <li>if a {@code KRBAuthnToken} was found, only the {@code GSSCredential} it returns is
     *       added (when non-null); the token itself, any separate {@code GSSCredential} and any
     *       {@code KerberosTicket} are left out of the result;</li>
     *   <li>otherwise the held-back {@code GSSCredential} and {@code KerberosTicket} are added
     *       when present.</li>
     * </ul>
     *
     * <p>The copy is shallow. Exceptions are recorded through FFDC and debug trace and then
     * swallowed, so the returned Subject may be incomplete after a failure.
     *
     * @param subject the Subject to copy, may be {@code null}
     * @return a new Subject, or {@code null} when {@code subject} is {@code null}
     */
    public static Subject createSubjectFromKRBAuthnToken(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSubjectFromKRBAuthnToken");
        }
        if (subject == null) {
            return null;
        }
        final Subject result = new Subject();
        try {
            final Set<Object> sourcePublic = subject.getPublicCredentials();
            final Set<Object> sourcePrivate = subject.getPrivateCredentials();
            final Set<Principal> sourcePrincipals = subject.getPrincipals();
            for (Object credential : sourcePublic) {
                result.getPublicCredentials().add(credential);
            }
            if (sourcePrivate.size() > 0) {
                KRBAuthnToken krbToken = null;
                GSSCredential looseGssCredential = null;
                KerberosTicket looseTicket = null;
                for (Object credential : sourcePrivate) {
                    // The type checks keep their original order: ticket, GSS credential, token.
                    if (credential instanceof KerberosTicket) {
                        looseTicket = (KerberosTicket) credential;
                    } else if (credential instanceof GSSCredential) {
                        looseGssCredential = (GSSCredential) credential;
                    } else if (credential instanceof KRBAuthnToken) {
                        krbToken = (KRBAuthnToken) credential;
                    } else {
                        result.getPrivateCredentials().add(credential);
                    }
                }
                if (krbToken == null) {
                    if (looseGssCredential != null) {
                        result.getPrivateCredentials().add(looseGssCredential);
                    }
                    if (looseTicket != null) {
                        result.getPrivateCredentials().add(looseTicket);
                    }
                } else {
                    // The token is the only source used; loose Kerberos items are not copied.
                    final GSSCredential fromToken = krbToken.getGSSCredential();
                    if (fromToken != null) {
                        result.getPrivateCredentials().add(fromToken);
                    }
                }
            }
            for (Principal principal : sourcePrincipals) {
                result.getPrincipals().add(principal);
            }
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.createSubjectFromKRBAuthnToken", "1358");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error copying existing Subject with GSSCredential.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSubjectFromKRBAuthnToken");
        }
        return result;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Resolves the {@code com.ibm.CSI.propagateFirstCallerOnly} setting and caches it in
     * {@code propagateFirstCallerOnlyProperty} / {@code propagateFirstCallerOnly}.
     *
     * <p>Lookup order: the JVM system property, then the properties of the {@code "security"}
     * configuration object (if one exists), then the literal {@code "false"}. The flag is set
     * when the resolved text equals {@code "true"} or {@code "yes"}, ignoring case.
     *
     * <p>The decompiler notes that this method was {@code private} in the original class.
     * Because the system property takes precedence over the security configuration, anything
     * able to set JVM system properties can override the configured value.
     */
    public static void initializePropagateFirstCaller() {
        final String key = "com.ibm.CSI.propagateFirstCallerOnly";
        propagateFirstCallerOnlyProperty = System.getProperty(key);
        if (propagateFirstCallerOnlyProperty == null) {
            final SecurityConfigObject securityConfig = SecurityObjectLocator.getSecurityConfigManager().getObject("security");
            if (securityConfig != null) {
                propagateFirstCallerOnlyProperty = securityConfig.getProperties().getProperty(key);
            }
        }
        if (propagateFirstCallerOnlyProperty == null) {
            propagateFirstCallerOnlyProperty = "false";
        }
        // The property text is non-null here, so putting the literal first is equivalent.
        propagateFirstCallerOnly = "true".equalsIgnoreCase(propagateFirstCallerOnlyProperty) || "yes".equalsIgnoreCase(propagateFirstCallerOnlyProperty);
    }

    /**
     * Resolves the {@code com.ibm.CSI.disablePropagationCallerList} setting and caches it in
     * {@code disableCallerListProperty} / {@code disableCallerList}.
     *
     * <p>Lookup order: the JVM system property, then the properties of the {@code "security"}
     * configuration object (if one exists), then the literal {@code "false"}. The flag is set
     * when the resolved text equals {@code "true"} or {@code "yes"}, ignoring case.
     */
    private static void initializeDisableCallerList() {
        final String key = "com.ibm.CSI.disablePropagationCallerList";
        disableCallerListProperty = System.getProperty(key);
        if (disableCallerListProperty == null) {
            final SecurityConfigObject securityConfig = SecurityObjectLocator.getSecurityConfigManager().getObject("security");
            if (securityConfig != null) {
                disableCallerListProperty = securityConfig.getProperties().getProperty(key);
            }
        }
        if (disableCallerListProperty == null) {
            disableCallerListProperty = "false";
        }
        // The property text is non-null here, so putting the literal first is equivalent.
        disableCallerList = "true".equalsIgnoreCase(disableCallerListProperty) || "yes".equalsIgnoreCase(disableCallerListProperty);
    }

    /**
     * Updates the propagation token after a Subject change and returns it.
     *
     * <p>Returns {@code null} without doing any work when the thread-local "update to caller
     * list disabled during login" flag is set, when {@code subject} is {@code null}, or when the
     * caller list is disabled by configuration (resolved lazily through
     * {@code initializeDisableCallerList()}).
     *
     * <p>NOTE(review): the privileged action that performs the actual update was NOT decompiled.
     * In this listing its {@code run()} only throws {@code UnsupportedOperationException}, which
     * the {@code catch (PrivilegedActionException)} below does not handle. The listing is
     * therefore not behaviourally equivalent to the original class, and what the update does
     * with the Subject cannot be determined from here.
     *
     * @param subject the Subject whose change should be reflected, may be {@code null}
     * @return the token produced by the privileged action, or {@code null} on the early exits or
     *         when a {@code PrivilegedActionException} was caught
     */
    public static PropagationToken updatePropagationTokenWithSubjectChange(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "updatePropagationTokenWithSubjectChange");
        }
        // Despite its decompiler-chosen name, this local holds the ContextManager instance.
        final ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        if (contextManagerFactory.getThreadLocal().get_update_to_caller_list_disabled_during_login()) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "updatePropagationTokenWithSubjectChange: Disabled during login.");
            return null;
        }
        // Verbatim repeat of the check above; it may be original code or a decompiler
        // artifact, which cannot be told from this listing.
        if (contextManagerFactory.getThreadLocal().get_update_to_caller_list_disabled_during_login()) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "updatePropagationTokenWithSubjectChange: Disabled during login.");
            return null;
        }
        if (subject == null) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "updatePropagationTokenWithSubjectChange: Subject is null.");
            return null;
        }
        // Resolve the configuration lazily on first use.
        if (disableCallerListProperty == null) {
            initializeDisableCallerList();
        }
        if (disableCallerList) {
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "updatePropagationTokenWithSubjectChange: Caller list is disabled.");
            return null;
        }
        PropagationToken propagationToken = null;
        try {
            propagationToken = (PropagationToken) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.SubjectHelper.9
                // JADX reported this method as "decompiled incorrectly" (several "Removed
                // duplicated region" warnings) and skipped the dump; instruction count: 1587.
                // Re-run JADX with '--show-bad-code' or '--comments-level debug' to inspect it.
                @Override // java.security.PrivilegedExceptionAction
                public java.lang.Object run() throws com.ibm.websphere.security.WSSecurityException {
                    // Placeholder emitted by the decompiler, not the original logic.
                    throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.SubjectHelper.AnonymousClass9.run():java.lang.Object");
                }
            });
        } catch (PrivilegedActionException e) {
            // The wrapped exception is logged only; the method then returns null.
            Manager.Ffdc.log(e.getException(), thisClass, "com.ibm.ws.security.auth.SubjectHelper.updatePropagationTokenWithSubjectChange", "1339");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception updating propagation token.", new Object[]{e.getException()});
            }
        }
        return propagationToken;
    }

    /**
     * Reports whether {@code getGSSCredentialFromSubject} finds a credential in {@code subject}.
     *
     * <p>A {@code false} result is ambiguous: it is returned when the Subject is {@code null},
     * when no credential is found, and when the lookup throws. A lookup failure is written only
     * to debug trace (message text or exception class name) and is not recorded through FFDC,
     * so a failing lookup looks like "no Kerberos credential" to the caller.
     *
     * @param subject the Subject to inspect, may be {@code null}
     * @return {@code true} only when the lookup returned a non-null credential
     */
    public static boolean containsKerberosCredential(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "containsKerberosCredential");
        }
        if (subject != null) {
            try {
                final boolean found = getGSSCredentialFromSubject(subject) != null;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, found ? "containsKerberosCredential: found GSSCredential in subject private creds" : "containsKerberosCredential: no GSSCredential in subject private creds");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, found ? "containsKerberosCredential (true)" : "containsKerberosCredential (false)");
                }
                return found;
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception looking for Kerberos credential.", e.getMessage() != null ? e.getMessage() : e.getClass().getName());
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "containsKerberosCredential (false, no Subject or exception)");
        }
        return false;
    }

    /**
     * Returns the cached {@code Oid} for {@code 1.2.840.113554.1.2.2} (the Kerberos V5 GSS-API
     * mechanism), creating it on first use.
     *
     * <p>If construction fails, the {@code GSSException} is recorded through FFDC and trace, the
     * cache is reset to {@code null} and {@code null} is returned, so callers must null-check.
     * The trace call on that path is not guarded by {@code isDebugEnabled()}. No synchronization
     * is visible in this method.
     *
     * @return the Kerberos 5 mechanism OID, or {@code null} if it could not be created
     */
    public static Oid getKrb5MechOid() {
        if (krb5MechOid == null) {
            try {
                krb5MechOid = new Oid("1.2.840.113554.1.2.2");
            } catch (GSSException e) {
                Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getKrb5MechOid", "1805");
                Tr.debug(tc, "krb5MechOid is null", new Object[]{Oid.class, "Oid(\"1.2.840.113554.1.2.2\")", e});
                krb5MechOid = null;
            }
        }
        return krb5MechOid;
    }

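    /**
     * Returns the first {@code KRBAuthnToken} found in the private credentials of
     * {@code subject}.
     *
     * <p>"First" is whatever the credential set's iterator yields first; no ordering is
     * guaranteed when several tokens are present.
     *
     * <p>Unlike several sibling helpers, this lookup does not run inside {@code doPrivileged},
     * so it happens in the caller's own security context.
     *
     * @param subject the Subject to inspect, may be {@code null}
     * @return the token, or {@code null} when the Subject is {@code null} or holds no
     *         {@code KRBAuthnToken}
     */
    public static KRBAuthnToken getKerberosAuthnTokenFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            // Fixed: the listing emitted Tr.exit on method entry, which unbalances the
            // entry/exit trace. The Subject itself is handed to the trace call; what is written
            // depends on how Tr formats it, so review before enabling entry trace in production.
            Tr.entry(tc, "getKerberosAuthnTokenFromSubject", subject);
        }
        if (subject != null) {
            Set<KRBAuthnToken> tokens = subject.getPrivateCredentials(KRBAuthnToken.class);
            if (tokens != null) {
                // The decompiler's constant "0 == 0" guard is dropped; only the first element
                // is ever read.
                Iterator<KRBAuthnToken> it = tokens.iterator();
                if (it.hasNext()) {
                    KRBAuthnToken token = it.next();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found default KRBAuthnToken.");
                    }
                    return token;
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Could not find default KRBAuthnToken.");
        }
        return null;
    }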

    /**
     * Derives a {@code KerberosPrincipal} for {@code subject}, preferring the principal and
     * realm carried by a {@code KRBAuthnToken} and otherwise consulting the
     * {@code KerberosPrincipal} entries in the Subject's private credentials.
     *
     * <p>The lookup runs inside {@code AccessController.doPrivileged}. Assuming the IBM wrapper
     * delegates to {@code java.security.AccessController} (TODO confirm), the private-credential
     * reads are then checked against this class's permissions rather than the caller's.
     *
     * <p>NOTE(review): the inner {@code run()} is broken decompiler output and does not compile
     * as shown. {@code r8} is never declared, the fallback loop body is empty, and
     * {@code kerberosPrincipal2} is returned outside the loop that declares it. The apparent
     * intent is "token-derived principal, else one taken from the private credentials", but
     * which element the fallback selects cannot be recovered from this listing.
     *
     * @param subject the Subject to inspect, may be {@code null}
     * @return the principal, or {@code null} when the Subject is {@code null} or any failure
     *         occurs (failures are traced, and the outer one is also recorded through FFDC)
     */
    public static KerberosPrincipal getKerberosPrincipalFromSubject(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKerberosPrincipalFromSubject");
        }
        if (subject == null) {
            return null;
        }
        try {
            KerberosPrincipal kerberosPrincipal = (KerberosPrincipal) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.SubjectHelper.10
                @Override // java.security.PrivilegedAction
                public Object run() {
                    Set<KerberosPrincipal> privateCredentials;
                    try {
                        // r8 is an undeclared decompiler register; it stands for the result.
                        r8 = null;
                        Set privateCredentials2 = subject.getPrivateCredentials(KRBAuthnToken.class);
                        if (privateCredentials2 != null) {
                            KRBAuthnToken kRBAuthnToken = null;
                            Iterator it = privateCredentials2.iterator();
                            // Takes the first token the iterator yields.
                            while (it.hasNext() && kRBAuthnToken == null) {
                                kRBAuthnToken = (KRBAuthnToken) it.next();
                            }
                            if (kRBAuthnToken != null) {
                                // Principal name is built as "<token principal>@<token realm>".
                                r8 = new KerberosPrincipal(kRBAuthnToken.getTokenPrincipal() + "@" + kRBAuthnToken.getTokenRealm());
                            }
                        }
                        // Fallback: looks for KerberosPrincipal objects among the private credentials.
                        if (r8 == null && (privateCredentials = subject.getPrivateCredentials(KerberosPrincipal.class)) != null) {
                            for (KerberosPrincipal kerberosPrincipal2 : privateCredentials) {
                            }
                        }
                        // Out-of-scope variable in the listing; see the NOTE(review) above.
                        return kerberosPrincipal2;
                    } catch (Throwable th) {
                        // Every Throwable is swallowed here and reported only at debug level.
                        if (!SubjectHelper.tc.isDebugEnabled()) {
                            return null;
                        }
                        Tr.debug(SubjectHelper.tc, "Exception getting KerberosPrincipal from krbAuthnToken or subject.", new Object[]{th});
                        return null;
                    }
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "get default Kerberos principal name: " + kerberosPrincipal);
            }
            return kerberosPrincipal;
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.getKerberosPrincipalFromSubject", "1909");
            if (!tc.isDebugEnabled()) {
                return null;
            }
            Tr.debug(tc, "Exception getting KerberosPrincipal from Subject.", new Object[]{e});
            return null;
        }
    }

    /**
     * Stores {@code kRBAuthnToken} in the private credentials of {@code subject}, first removing
     * one existing {@code KRBAuthnToken} if any is present.
     *
     * <p>Only the first token yielded by the credential set's iterator is removed; further
     * {@code KRBAuthnToken} instances, if any, stay in the Subject next to the new one.
     *
     * <p>The update runs inside {@code AccessController.doPrivileged}. Assuming the IBM wrapper
     * delegates to {@code java.security.AccessController} (TODO confirm), the private-credential
     * access is checked against this class's permissions rather than the caller's. Since the
     * method is public, access to it should be limited to trusted code.
     *
     * @param kRBAuthnToken the token to store
     * @param subject the Subject to modify
     * @return {@code true} when the token was added; {@code false} when either argument is
     *         {@code null} or an exception occurred (recorded through FFDC and debug trace)
     */
    public static boolean putKerberosAuthnTokenToSubject(final KRBAuthnToken kRBAuthnToken, final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "putKerberosAuthnTokenToSubject", subject);
        }
        if (kRBAuthnToken == null || subject == null) {
            return false;
        }
        try {
            final Object outcome = AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.SubjectHelper.11
                @Override // java.security.PrivilegedAction
                public Object run() {
                    try {
                        KRBAuthnToken existing = null;
                        // Stop at the first non-null token the iterator returns.
                        for (Iterator it = subject.getPrivateCredentials(KRBAuthnToken.class).iterator(); it.hasNext() && existing == null; ) {
                            existing = (KRBAuthnToken) it.next();
                        }
                        if (existing != null) {
                            subject.getPrivateCredentials().remove(existing);
                        }
                        subject.getPrivateCredentials().add(kRBAuthnToken);
                        return Boolean.TRUE;
                    } catch (Exception e) {
                        Manager.Ffdc.log(e, SubjectHelper.thisClass, "com.ibm.ws.security.auth.SubjectHelper.putKerberosAuthnTokenToSubject", "1947");
                        if (SubjectHelper.tc.isDebugEnabled()) {
                            Tr.debug(SubjectHelper.tc, "Exception putting Kerberos authentication token to a Subject.", new Object[]{e});
                        }
                        return Boolean.FALSE;
                    }
                }
            });
            return ((Boolean) outcome).booleanValue();
        } catch (Exception e) {
            Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.SubjectHelper.putKerberosAuthnTokenToSubject", "1959");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception adding Kerberos authentication token to Subject.", new Object[]{e});
            }
            return false;
        }
    }

    /**
     * Installs {@code subject} as the vault's default Subject, but only outside a server
     * process.
     *
     * <p>When the admin data flags the process as a server, nothing is changed and the attempt
     * is noted in debug trace only. No {@code null} check or permission check on
     * {@code subject} is visible in this method.
     *
     * @param subject the Subject to install as the client default
     */
    public static void setClientDefaultSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setClientDefaultSubject", subject);
        }
        final boolean serverProcess = SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS);
        if (serverProcess) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "setClientDefaultSubject invoked on a server");
            }
        } else {
            VaultImpl.getInstance().set_default_subject(subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setClientDefaultSubject");
        }
    }
}
