package com.ibm.ws.security.delegation;

import com.ibm.ejs.models.base.bindings.applicationbnd.RunAsMap;
import com.ibm.ejs.models.base.bindings.commonbnd.BasicAuthData;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.csi.CSIException;
import com.ibm.websphere.csi.EJBKey;
import com.ibm.websphere.csi.EJBMethodInfo;
import com.ibm.ws.security.ejb.RunAsMapTable;
import com.ibm.ws.security.ejb.SecurityBeanCookie;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.WCCMHelper;
import com.ibm.ws.security.web.AuthenticationResult;
import com.ibm.ws.security.web.JaspiCollaborator;
import com.ibm.ws.security.web.JaspiServletRequestWrapper;
import com.ibm.ws.security.web.WebAccessContext;
import com.ibm.ws.security.web.WebRequest;
import com.ibm.ws.security.web.WebSecurityException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigProvider;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/ws/security/delegation/JaspiMethodDelegation.class */
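/**
 * {@link MethodDelegation} variant that builds the RunAs {@link Subject} by authenticating the
 * RunAs user's bound credentials through the JASPI provider registered for the current web
 * application context.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The RunAs password is read from the application bindings as a {@code String} and handed
 *       to the request wrapper. It is never written to trace in this class; keep it that way
 *       when adding diagnostics.</li>
 *   <li>{@link #invokeJaspiAuthentication(String, String)} temporarily forces the
 *       {@value #IS_MANDATORY_POLICY} property in the shared {@code MessageInfo} map and must
 *       put the map back exactly as it found it, whatever the outcome.</li>
 * </ul>
 */
public class JaspiMethodDelegation extends MethodDelegation implements Delegation {
    private static final TraceComponent tc = Tr.register((Class<?>) JaspiMethodDelegation.class, "Security", AdminConstants.MSG_BUNDLE_NAME);

    /** Authentication type passed to the collaborator for RunAs authentication. */
    private static final String BASIC = "BASIC";

    /** MessageInfo property key that marks authentication as mandatory for the request. */
    protected static final String IS_MANDATORY_POLICY = "javax.security.auth.message.MessagePolicy.isMandatory";

    private final WebRequest webRequest;
    private final JaspiCollaborator jaspiCollaborator;

    /**
     * @param jaspiCollaborator collaborator used to look up the provider and run authentication
     * @param webRequest the in-flight web request whose MessageInfo and servlet request are reused
     */
    public JaspiMethodDelegation(JaspiCollaborator jaspiCollaborator, WebRequest webRequest) {
        this.webRequest = webRequest;
        this.jaspiCollaborator = jaspiCollaborator;
    }

    /**
     * Resolves the Subject for the RunAs user mapped to a security role.
     *
     * @param str the security role name
     * @param str2 the application name used to look up the RunAs map
     * @return the authenticated RunAs Subject, or {@code null} when the application has no RunAs
     *     map, the role has no usable auth data, or authentication did not succeed
     */
    @Override // com.ibm.ws.security.delegation.MethodDelegation
    protected Subject getRunAsSpecifiedUserSubject(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsSpecifiedUserSubject", "role=" + str + ", appName=" + str2);
        }
        Subject runAsSubject = null;
        RunAsMap runAsMap = RunAsMapTable.getRunAsMap(str2);
        if (runAsMap != null) {
            runAsSubject = createClientSubject(str, runAsMap);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No RunAsMap available");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRunAsSpecifiedUserSubject", runAsSubject);
        }
        return runAsSubject;
    }

    /**
     * Looks up the credentials bound to a role and authenticates them through JASPI.
     *
     * @param str the security role name
     * @param runAsMap the application's RunAs bindings
     * @return the authenticated Subject, or {@code null} when no auth data or no user id is bound
     *     to the role, or when authentication did not succeed
     */
    protected Subject createClientSubject(String str, RunAsMap runAsMap) {
        BasicAuthData basicAuthData = (BasicAuthData) runAsMap.getAuthData(WCCMHelper.createSecurityRole((String) null, str));
        if (basicAuthData == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No AuthData");
            }
            return null;
        }
        String userId = basicAuthData.getUserId();
        // Only the user id is checked here; a null password is passed through to the provider.
        String password = basicAuthData.getPassword();
        if (userId == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "null RunAs userid");
            }
            return null;
        }
        return invokeJaspiAuthentication(userId, password);
    }

    /**
     * Authenticates the RunAs user through the JASPI provider of the current application context.
     *
     * <p>The servlet request in the request's {@code MessageInfo} is replaced by a wrapper that
     * carries the RunAs credentials, and the {@value #IS_MANDATORY_POLICY} property is forced to
     * {@code "true"} for the duration of the call. The property is restored in a {@code finally}
     * block so that success, a failed status, a {@link WebSecurityException} and any unchecked
     * exception all leave the map as it was found.
     *
     * @param str the RunAs user id
     * @param str2 the RunAs password; must not be traced
     * @return the Subject produced by the provider on success, otherwise {@code null}
     */
    protected Subject invokeJaspiAuthentication(String str, String str2) {
        AuthConfigProvider authConfigProvider = this.jaspiCollaborator.getAuthConfigProvider(this.webRequest.getAppContext());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Authenticate RunAs user=" + str + " using Jaspi provider=" + authConfigProvider);
        }
        JaspiServletRequestWrapper credentialRequest = new JaspiServletRequestWrapper(this.webRequest.getHttpServletRequest(), str, str2);
        MessageInfo messageInfo = this.webRequest.getMessageInfo();
        // NOTE(review): the credential-bearing wrapper stays installed as the request message
        // after this method returns; confirm the caller resets it before further processing.
        messageInfo.setRequestMessage(credentialRequest);
        @SuppressWarnings("unchecked") // MessageInfo#getMap() is declared with a raw Map in javax
        Map<String, Object> properties = messageInfo.getMap();
        if (tc.isDebugEnabled()) {
            // NOTE(review): this dumps every MessageInfo property; confirm that no provider
            // stores secrets in the map before enabling debug trace in production.
            Tr.debug(tc, "Properties Map in MessageInfo=" + properties);
        }
        String previousPolicy = (String) properties.get(IS_MANDATORY_POLICY);
        properties.put(IS_MANDATORY_POLICY, "true");
        Subject authenticatedSubject = null;
        try {
            AuthenticationResult result = this.jaspiCollaborator.authenticate(BASIC, this.webRequest, authConfigProvider);
            int status = result.getStatus();
            // status 1 is treated as success here; presumably the AuthenticationResult success
            // code -- confirm against that class.
            if (status == 1) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RunAs user " + str + " was successfully authenticated using Jaspi provider " + authConfigProvider);
                }
                authenticatedSubject = result.getSubject();
                super.clearPropagationTokenIfCallerSubjectNullOrUnauthenticated();
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Jaspi authentication failed, status = " + status);
            }
        } catch (WebSecurityException e) {
            // Authentication errors are recorded and reported to the caller as "no subject".
            Manager.Ffdc.log(e, this, "com.ibm.ws.security.delegation.JaspiMethodDelegation.invokeJaspiAuthentication", "118");
        } finally {
            // Restore the caller's policy. When the key was absent (or null) before the call it is
            // removed rather than re-inserted with a null value: the JASPIC servlet profile
            // expects the key to be present only when authentication is mandatory, so a leftover
            // key could be read as "mandatory" by a module that tests for its presence.
            if (previousPolicy == null) {
                properties.remove(IS_MANDATORY_POLICY);
            } else {
                properties.put(IS_MANDATORY_POLICY, previousPolicy);
            }
        }
        return authenticatedSubject;
    }

    /** Compiler-generated bridge; forwards unchanged to {@link MethodDelegation}. */
    @Override // com.ibm.ws.security.delegation.MethodDelegation, com.ibm.ws.security.delegation.Delegation
    public /* bridge */ /* synthetic */ Subject delegate(Subject subject, String str, WebAccessContext webAccessContext, String str2) throws CSIException {
        return super.delegate(subject, str, webAccessContext, str2);
    }

    /** Compiler-generated bridge; forwards unchanged to {@link MethodDelegation}. */
    @Override // com.ibm.ws.security.delegation.MethodDelegation, com.ibm.ws.security.delegation.Delegation
    public /* bridge */ /* synthetic */ Subject delegate(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, Subject subject, Subject subject2, SecurityBeanCookie securityBeanCookie, String str) throws CSIException {
        return super.delegate(eJBKey, eJBMethodInfo, subject, subject2, securityBeanCookie, str);
    }
}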
