package com.ibm.ws.security.server.lm;

import com.ibm.CSIv2Security.LTPAMechOID;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ISecurityUtilityImpl.VaultConstants;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.TokenCreationFailedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.auth.callback.WSAuthMechOidCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.utils.AuditHelper;
import com.ibm.ws.security.auth.BasicAuthData;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.auth.util.CredentialsHelper;
import com.ibm.ws.security.common.auth.util.Util;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.ServerStatusHelper;
import com.ibm.ws.security.config.SingleSignonConfig;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.ltpa.LTPAServerObject;
import com.ibm.ws.security.registry.RegistryUtil;
import com.ibm.ws.security.server.LTPAConfigException;
import com.ibm.ws.security.server.SecurityServerImpl;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.ConfigUtils;
import com.ibm.wsspi.bootstrap.WSPreLauncher;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSAppContextCallback;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/ws/security/server/lm/ltpaLoginModule.class */
public class ltpaLoginModule implements LoginModule {
    // JAAS hand-off objects, stored as-is by initialize().
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;
    private Map options;
    // Identity produced by login(); both are also published into sharedState on the
    // security-disabled path.
    private WSPrincipal principal;
    private WSCredential credential;
    // Assigned in initialize() for the default realm and reassigned in login().
    private UserRegistry registry;
    // Obtained in initialize() only when cell security is enabled; stays unset if that lookup
    // fails. login() dereferences it without a null check.
    private LTPAServerObject ltpaServer;
    // Java 2 Security permission checked in login() before an identity is mapped to a credential
    // from a user id or certificate chain without a password.
    private static final WebSphereRuntimePermission MAP_CREDENTIAL = new WebSphereRuntimePermission("mapCredential");
    private static final TraceComponent tc = Tr.register((Class<?>) ltpaLoginModule.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    // LTPA mechanism OID: the fallback when no mechanism OID is supplied, and the value login()
    // compares the incoming OID against.
    private String LTPA_OID = LTPAMechOID.value;
    // Mechanism OID for the current login: taken from the callback, else derived from the
    // credential token, else LTPA_OID.
    private String authMechOid = null;
    // Result of the most recent login() call.
    private boolean succeeded = false;
    // login() calls cleanup() before starting when this is still true; where it is set is not
    // visible in this part of the file.
    private boolean commitSucceeded = false;
    // Extra debug tracing, switched on through the login-module options in initialize().
    protected boolean debug = false;
    // NOTE(review): not referenced in the visible part of the class; presumably filled by
    // saveAttributesFromOriginalToken() - confirm.
    private HashMap initialTokenAttributes = new HashMap();
    private String INITIAL_TOKEN_ATTRIBUTES = "INITIAL_TOKEN_ATTRIBUTES";

    /**
     * Creates the login module. The constructor holds no logic of its own; it only emits the
     * entry/exit trace pair when entry tracing is enabled.
     */
    public ltpaLoginModule() {
        final String methodName = "ltpaLoginModule()";
        if (!tc.isEntryEnabled()) {
            return;
        }
        Tr.entry(tc, methodName);
        Tr.exit(tc, methodName);
    }

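    /**
     * Stores the JAAS hand-off objects and, when cell security is enabled, looks up the LTPA
     * server object and the user registry for the default realm.
     *
     * @param subject the subject that login() later inspects for credentials
     * @param callbackHandler handler used to gather authentication data; login() explicitly
     *        handles a {@code null} handler, so it is tolerated here as well
     * @param map state shared between the login modules of the stack
     * @param map2 login-module options; a debug option equal to "true" (case-insensitive)
     *        enables debug tracing
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            // Concatenation renders a null reference as "null", so enabling entry trace cannot
            // turn a null subject, handler or options map into a NullPointerException.
            // NOTE(review): the shared state is masked before tracing but the options map is
            // written as-is; confirm that no deployment places secrets in the module options.
            Tr.entry(tc, "initialize(subject = \"" + subject + "\", callbackHandler = \"" + callbackHandler + "\", sharedState = \"" + ConfigUtils.maskSharedState(map).toString() + "\", options = \"" + map2 + "\")");
        }
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = map;
        this.options = map2;
        // Read the debug option before anything consults this.debug, so the failure branch
        // below honours it.
        // NOTE(review): the option key is referenced through a WSPreLauncher constant, which
        // looks like a decompiler substitution for a string literal; confirm the actual key.
        this.debug = "true".equalsIgnoreCase((String) this.options.get(WSPreLauncher.FELIX_SCR_DS_LOGLEVEL_DEBUG));
        ContextManager contextManager = ContextManagerFactory.getInstance();
        if (contextManager.isCellSecurityEnabled()) {
            try {
                this.ltpaServer = LTPAServerObject.getLTPAServer();
            } catch (LTPAConfigException e) {
                // Best effort: the failure is recorded through FFDC and initialization continues.
                // this.ltpaServer keeps its previous value (null on a fresh instance), and login()
                // dereferences it without a null check.
                FFDCFilter.processException((Throwable) e, "com.ibm.ws.security.server.lm.ltpaLoginModule.initialize", "166", (Object) this);
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "ERROR: Failed to get the LTPA server object.");
                }
            }
            this.registry = SecurityServerImpl.getRegistryImpl(contextManager.getDefaultRealm());
            contextManager.clearRootException();
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "WSLoginModuleImpl initialized");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }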

    public boolean login() throws LoginException {
        Callback[] callbackArr;
        byte[] credToken;
        char[] password;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        if (!contextManagerFactory.isCellSecurityEnabled()) {
            try {
                Tr.warning(tc, "security.disabled.during.login");
                if (tc.isDebugEnabled()) {
                    Thread.dumpStack();
                }
                this.credential = SubjectHelper.getWSCredentialFromSubject(SubjectHelper.createUnauthenticatedSubject());
                this.principal = SubjectHelper.createPrincipal(this.credential);
                this.sharedState.put(Constants.WSPRINCIPAL_KEY, this.principal);
                this.sharedState.put(Constants.WSCREDENTIAL_KEY, this.credential);
                this.succeeded = true;
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(security disabled)");
                }
                return this.succeeded;
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception creating principal.", new Object[]{e});
                }
                FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "264", this);
                throw new WSLoginFailedException(e.getMessage(), e);
            }
        }
        SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        this.succeeded = false;
        if (this.commitSucceeded) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "The login module is in funny state, cleanup before starting a new login process.");
            }
            cleanup();
        }
        Callback callback = null;
        PasswordCallback passwordCallback = null;
        WSCredTokenCallbackImpl wSCredTokenCallbackImpl = null;
        WSServletRequestCallback wSServletRequestCallback = null;
        WSTokenHolderCallback wSTokenHolderCallback = null;
        WSRealmNameCallbackImpl wSRealmNameCallbackImpl = null;
        WSX509CertificateChainCallback wSX509CertificateChainCallback = null;
        WSAuthMechOidCallbackImpl wSAuthMechOidCallbackImpl = null;
        if (this.sharedState.containsKey(Constants.CALLBACK_KEY)) {
            callbackArr = (Callback[]) this.sharedState.get(Constants.CALLBACK_KEY);
            for (int i = 0; i < callbackArr.length; i++) {
                if (callbackArr[i] != null) {
                    if (callbackArr[i] instanceof NameCallback) {
                        callback = (NameCallback) callbackArr[i];
                    } else if (callbackArr[i] instanceof PasswordCallback) {
                        passwordCallback = (PasswordCallback) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSCredTokenCallbackImpl) {
                        wSCredTokenCallbackImpl = (WSCredTokenCallbackImpl) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSServletRequestCallback) {
                        wSServletRequestCallback = (WSServletRequestCallback) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSServletResponseCallback) {
                    } else if (callbackArr[i] instanceof WSAppContextCallback) {
                    } else if (callbackArr[i] instanceof WSTokenHolderCallback) {
                        wSTokenHolderCallback = (WSTokenHolderCallback) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSRealmNameCallbackImpl) {
                        wSRealmNameCallbackImpl = (WSRealmNameCallbackImpl) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSX509CertificateChainCallback) {
                        wSX509CertificateChainCallback = (WSX509CertificateChainCallback) callbackArr[i];
                    } else if (callbackArr[i] instanceof WSAuthMechOidCallbackImpl) {
                        wSAuthMechOidCallbackImpl = (WSAuthMechOidCallbackImpl) callbackArr[i];
                    } else if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "The following callback was ignored: " + callbackArr[i].getClass().getName());
                    }
                }
            }
        } else {
            if (this.callbackHandler == null) {
                WSLoginFailedException wSLoginFailedException = new WSLoginFailedException("No CallbackHandler available to gather authentication information from the user.");
                contextManagerFactory.setRootException(wSLoginFailedException);
                throw wSLoginFailedException;
            }
            Callback nameCallback = new NameCallback("Username: ");
            callback = nameCallback;
            PasswordCallback passwordCallback2 = new PasswordCallback("Password: ", false);
            passwordCallback = passwordCallback2;
            WSCredTokenCallbackImpl wSCredTokenCallbackImpl2 = new WSCredTokenCallbackImpl("Credential Token: ");
            wSCredTokenCallbackImpl = wSCredTokenCallbackImpl2;
            WSServletRequestCallback wSServletRequestCallback2 = new WSServletRequestCallback("HttpServletRequest: ");
            wSServletRequestCallback = wSServletRequestCallback2;
            WSTokenHolderCallback wSTokenHolderCallback2 = new WSTokenHolderCallback("Authz Token List: ");
            wSTokenHolderCallback = wSTokenHolderCallback2;
            WSRealmNameCallbackImpl wSRealmNameCallbackImpl2 = new WSRealmNameCallbackImpl("Realm Name", contextManagerFactory.getDefaultRealm());
            wSRealmNameCallbackImpl = wSRealmNameCallbackImpl2;
            WSX509CertificateChainCallback wSX509CertificateChainCallback2 = new WSX509CertificateChainCallback("X509Certificate[]: ");
            wSX509CertificateChainCallback = wSX509CertificateChainCallback2;
            WSAuthMechOidCallbackImpl wSAuthMechOidCallbackImpl2 = new WSAuthMechOidCallbackImpl("AuthMechOid: ");
            wSAuthMechOidCallbackImpl = wSAuthMechOidCallbackImpl2;
            callbackArr = new Callback[]{nameCallback, passwordCallback2, wSCredTokenCallbackImpl2, wSServletRequestCallback2, new WSServletResponseCallback("HttpServletResponse: "), new WSAppContextCallback("ApplicationContextCallback: "), wSTokenHolderCallback2, wSRealmNameCallbackImpl2, wSX509CertificateChainCallback2, wSAuthMechOidCallbackImpl2};
            try {
                this.callbackHandler.handle(callbackArr);
                this.sharedState.put(Constants.CALLBACK_KEY, callbackArr);
            } catch (IOException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "235", this);
                Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e2});
                contextManagerFactory.setRootException(e2);
                throw new WSLoginFailedException("IOException: " + e2.getMessage(), e2);
            } catch (UnsupportedCallbackException e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "242", this);
                Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e3.getCallback().toString(), e3});
                contextManagerFactory.setRootException(e3);
                throw new WSLoginFailedException(e3.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e3.getMessage(), e3);
            }
        }
        char[] cArr = null;
        byte[] bArr = null;
        String name = callback != null ? callback.getName() : null;
        String realmName = wSRealmNameCallbackImpl != null ? wSRealmNameCallbackImpl.getRealmName() : null;
        if (wSAuthMechOidCallbackImpl != null) {
            this.authMechOid = wSAuthMechOidCallbackImpl.getAuthMechOid();
        }
        if (realmName == null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "realm from threadLocal is = " + realmName);
            }
            realmName = SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getString("realm");
        }
        this.registry = SecurityServerImpl.getRegistryImpl();
        if (passwordCallback != null && (password = passwordCallback.getPassword()) != null && password.length != 0) {
            cArr = new char[password.length];
            System.arraycopy(password, 0, cArr, 0, password.length);
        }
        if (wSCredTokenCallbackImpl != null && (credToken = wSCredTokenCallbackImpl.getCredToken()) != null) {
            bArr = CredentialsHelper.copyCredToken(credToken);
            if (this.authMechOid == null || this.authMechOid.length() == 0) {
                Tr.debug(tc, "authMechOid pass in is null, get authMechOid from the credToken");
                this.authMechOid = GSSFactory.getMechOIDFromGSSTokenNoException(bArr);
                Tr.debug(tc, "Returned authMechOid : " + this.authMechOid);
            }
        }
        if (this.authMechOid == null) {
            this.authMechOid = this.LTPA_OID;
        }
        List tokenHolderList = wSTokenHolderCallback != null ? wSTokenHolderCallback.getTokenHolderList() : null;
        boolean z = wSServletRequestCallback != null ? wSServletRequestCallback.getHttpServletRequest() != null : false;
        X509Certificate[] x509CertificateChain = wSX509CertificateChainCallback != null ? wSX509CertificateChainCallback.getX509CertificateChain() : null;
        Hashtable hashtable = (Hashtable) this.sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (hashtable == null) {
            try {
                final Subject subject = this.subject;
                hashtable = (Hashtable) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.server.lm.ltpaLoginModule.1
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws CredentialDestroyedException, CredentialExpiredException {
                        Object[] array = subject.getPublicCredentials().toArray();
                        if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(ltpaLoginModule.tc, "Looking for custom properties in public cred list.");
                        }
                        for (int i2 = 0; i2 < array.length; i2++) {
                            if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(ltpaLoginModule.tc, "Object[" + i2 + "] in public list: " + array[i2]);
                            }
                            if ((array[i2] instanceof Hashtable) && (((Hashtable) array[i2]).get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID) != null || ((Hashtable) array[i2]).get(AttributeNameConstants.WSCREDENTIAL_USERID) != null)) {
                                return array[i2];
                            }
                        }
                        Object[] array2 = subject.getPrivateCredentials().toArray();
                        if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(ltpaLoginModule.tc, "Looking for custom properties in private cred list.");
                        }
                        for (int i3 = 0; i3 < array2.length; i3++) {
                            if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(ltpaLoginModule.tc, "Object[" + i3 + "] in private list: " + array2[i3]);
                            }
                            if ((array2[i3] instanceof Hashtable) && (((Hashtable) array2[i3]).get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID) != null || ((Hashtable) array2[i3]).get(AttributeNameConstants.WSCREDENTIAL_USERID) != null)) {
                                return array2[i3];
                            }
                        }
                        return null;
                    }
                });
                if (hashtable != null) {
                    this.sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, hashtable);
                }
            } catch (PrivilegedActionException e4) {
                FFDCFilter.processException(e4.getException(), "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "334", this);
                contextManagerFactory.setRootException(e4.getException());
                throw new WSLoginFailedException(e4.getException().getMessage(), e4.getException());
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "uid = " + name);
            Tr.debug(tc, "realm = " + realmName);
            Tr.debug(tc, "password = " + (cArr == null ? "<null>" : "XXXXXXXX"));
            Tr.debug(tc, "cred token = " + Util.toString(bArr));
            Tr.debug(tc, "X509 cert chain = " + x509CertificateChain);
            Tr.debug(tc, "authz token list = " + tokenHolderList);
            Tr.debug(tc, "custom properties = " + ConfigUtils.maskPasswords((Hashtable<String, String>) hashtable));
            Tr.debug(tc, "isHTTPRequest = " + z);
            Tr.debug(tc, "authMechOid = " + this.authMechOid);
        }
        if (bArr != null && !OID.compareOIDs(this.authMechOid, this.LTPA_OID)) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Authentication mechanism OID passing in is not LTPA.  Handling login outside this login module.");
                Tr.exit(tc, "login()");
            }
            this.succeeded = true;
            return this.succeeded;
        }
        KerberosPrincipal kerberosPrincipal = (KerberosPrincipal) this.sharedState.get(AttributeNameConstants.KERBEROS_PRINCIPAL);
        KerberosTicket kerberosTicket = (KerberosTicket) this.sharedState.get(AttributeNameConstants.KERBEROS_TICKET);
        boolean containsKerberosCredential = SubjectHelper.containsKerberosCredential(this.subject);
        if ((kerberosPrincipal != null && kerberosTicket != null) || (containsKerberosCredential && OID.compareOIDs(securityConfig.getActiveAuthMechanism().getString(AuthMechanismConfig.OID), KRB5MechOID.value))) {
            this.succeeded = true;
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Found Kerberos principal/ticket or KrbAuthnToken in a shared state. Handling login outside this login module.");
                Tr.exit(tc, "login()");
            }
            return this.succeeded;
        }
        if (hashtable != null && hashtable.get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID) != null && hashtable.get(AttributeNameConstants.WSCREDENTIAL_USERID) == null) {
            this.succeeded = true;
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Custom login module passing in credential properties.  Handling login outside this login module.");
                Tr.exit(tc, "login()");
            }
            return this.succeeded;
        }
        if (hashtable != null && hashtable.get(AttributeNameConstants.WSCREDENTIAL_USERID) != null) {
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Setting uid and/or password from hashtable.");
            }
            name = (String) hashtable.get(AttributeNameConstants.WSCREDENTIAL_USERID);
            String str = (String) hashtable.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD);
            if (str != null) {
                cArr = str.toCharArray();
            }
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "uid = " + name);
                Tr.debug(tc, "password = " + (cArr == null ? "<null>" : "XXXXXXXX"));
            }
        }
        if (WSCredentialTokenMapper.isAnyPropagationEnabled() && tokenHolderList != null && (bArr != null || ((name != null || x509CertificateChain != null) && cArr == null))) {
            this.succeeded = true;
            if (this.debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Security attribute propagation data has been received.  Handling login outside this login module.");
                Tr.exit(tc, "login()");
            }
            return this.succeeded;
        }
        if (x509CertificateChain == null && name == null && cArr == null && bArr == null) {
            WSLoginFailedException wSLoginFailedException2 = new WSLoginFailedException("No authentication data.");
            contextManagerFactory.setRootException(wSLoginFailedException2);
            throw wSLoginFailedException2;
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Successfully gathered authentication information");
        }
        if (name != null && cArr != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using uid and password for authentication");
                StringBuffer stringBuffer = new StringBuffer("Authenticating \"");
                stringBuffer.append(realmName).append('/').append(name).append("\"");
                Tr.debug(tc, stringBuffer.toString());
            }
            try {
                this.credential = this.ltpaServer.authenticate(new BasicAuthData(name, new String(cArr)));
            } catch (WSLoginFailedException e5) {
                if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                    AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, name, name, "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                }
                FFDCFilter.processException(e5, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "452", this);
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()", new Object[]{e5});
                }
                contextManagerFactory.setRootException(e5);
                throw e5;
            } catch (Exception e6) {
                if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                    AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, name, name, "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                }
                FFDCFilter.processException(e6, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "459", this);
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login()", new Object[]{e6});
                }
                contextManagerFactory.setRootException(e6);
                throw new WSLoginFailedException(e6.getMessage(), e6);
            }
        } else if (name == null && x509CertificateChain == null) {
            if (bArr == null) {
                WSLoginFailedException wSLoginFailedException3 = new WSLoginFailedException("ltpaLoginModule: No authentication data");
                contextManagerFactory.setRootException(wSLoginFailedException3);
                throw wSLoginFailedException3;
            }
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using credential token for authentication");
            }
            if (z) {
                try {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Converting SSO token to authentication token.");
                    }
                    Token validateToken = this.ltpaServer.validateToken(bArr);
                    String[] attributes = validateToken.getAttributes("u");
                    saveAttributesFromOriginalToken(validateToken);
                    if (attributes != null && attributes[0] != null) {
                        this.credential = this.ltpaServer.validate(this.ltpaServer.createLTPAToken(attributes[0], securityConfig.getProperty("com.ibm.wsspi.security.token.authenticationTokenFactory")));
                    }
                } catch (WSLoginFailedException e7) {
                    if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                        AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, "invalid token", "invalid token", "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                    }
                    FFDCFilter.processException(e7, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "578", this);
                    contextManagerFactory.setRootException(e7);
                    throw e7;
                } catch (Exception e8) {
                    if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                        AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, "invalid token", "invalid token", "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                    }
                    FFDCFilter.processException(e8, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "584", this);
                    contextManagerFactory.setRootException(e8);
                    throw new WSLoginFailedException(e8.getMessage(), e8);
                }
            }
            boolean z2 = false;
            if (this.credential == null) {
                if (callbackArr[5] instanceof WSAppContextCallback) {
                    Map context = ((WSAppContextCallback) callbackArr[5]).getContext();
                    if (isAsyncLogin(context) && refreshIfExpired(context, this.options)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "This is a DESERIALIZE_ASYNCH_LOGIN and we will renew the token if expired");
                        }
                        Token validateToken2 = this.ltpaServer.validateToken(bArr, true);
                        if (validateToken2 != null) {
                            this.credential = this.ltpaServer.validate(validateToken2);
                            z2 = true;
                        }
                    }
                }
                if (!z2) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Validate token and do not renew");
                    }
                    this.credential = this.ltpaServer.validate(bArr);
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "DESERIALIZE_ASYNCH_LOGIN token processing complete.");
                }
            }
        } else {
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                    Tr.debug(tc, "Expecting : " + MAP_CREDENTIAL.toString());
                }
                securityManager.checkPermission(MAP_CREDENTIAL);
            }
            if (x509CertificateChain != null) {
                final X509Certificate[] x509CertificateArr = x509CertificateChain;
                try {
                    name = (String) contextManagerFactory.runAsSystem(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.server.lm.ltpaLoginModule.2
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            try {
                                if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                    Tr.debug(ltpaLoginModule.tc, "Mapping X509Certificate[] to uid.");
                                }
                                return CSIUtil.getInstance().parseTransportLayerCertificate(x509CertificateArr);
                            } catch (Exception e9) {
                                throw e9;
                            }
                        }
                    });
                    if (name == null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Client certificate did not map to uid.");
                        }
                        throw new WSLoginFailedException("Client certificate did not map to uid.");
                    }
                } catch (PrivilegedActionException e9) {
                    FFDCFilter.processException(e9.getException(), "com.ibm.ws.security.server.ltpa.ltpaLoginModule.login", "675", this);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception parsing client certificate.", new Object[]{e9.getException()});
                    }
                    throw new WSLoginFailedException(e9.getException().getMessage(), e9.getException());
                }
            }
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using uid to mapCredential");
                StringBuffer stringBuffer2 = new StringBuffer("Authenticating \"");
                stringBuffer2.append(realmName).append('/').append(name).append("\"");
                Tr.debug(tc, stringBuffer2.toString());
            }
            try {
                if (SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getBoolean("com.ibm.websphere.security.registry.UseTAM") && !RegistryUtil.checkValidUserifTAM(name, this.registry)) {
                    throw new WSLoginFailedException("User is not valid in Access Manager");
                }
                if (SecurityObjectLocator.getAdminData().getString("com.ibm.ws.security.internalServerId") == null || !contextManagerFactory.isInternalServerId(name)) {
                    this.credential = this.ltpaServer.createLTPAToken(this.registry.createCredential(name));
                } else {
                    this.credential = contextManagerFactory.getServerCredential();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Got credential from ContextManager: " + this.credential);
                    }
                }
            } catch (TokenCreationFailedException e10) {
                if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                    AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, name, name, "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                }
                FFDCFilter.processException(e10, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "532", this);
                Tr.debug(tc, "Using uid to mapCredential");
                contextManagerFactory.setRootException(e10);
                throw new WSLoginFailedException(e10.getMessage(), e10);
            } catch (Exception e11) {
                if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                    AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "FAILURE", null, name, name, "authnFailure", null, null, null, "failure", AuditOutcome.UNSUCCESSFUL, 15L);
                }
                FFDCFilter.processException(e11, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "539", this);
                contextManagerFactory.setRootException(e11);
                throw new WSLoginFailedException(e11.getMessage(), e11);
            }
        }
        if (this.credential == null) {
            WSLoginFailedException wSLoginFailedException4 = new WSLoginFailedException("ltpaLoginModule: Credential returned from SAS authentication is null");
            contextManagerFactory.setRootException(wSLoginFailedException4);
            throw wSLoginFailedException4;
        }
        try {
            this.principal = SubjectHelper.createPrincipal(this.credential);
            this.sharedState.put(Constants.WSPRINCIPAL_KEY, this.principal);
            this.sharedState.put(Constants.WSCREDENTIAL_KEY, this.credential);
            this.succeeded = true;
            if (this.debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            if (ServerStatusHelper.isServer() && SecurityObjectLocator.getAuditConfig() != null && Boolean.valueOf(SecurityObjectLocator.getAuditConfig().getBoolean("com.ibm.websphere.security.commoncriteria.audit")).booleanValue()) {
                AuditHelper.auditGenerateAuthenticationRecord(null, AuditConstants.LOGIN, "SUCCESS", null, this.principal.getName(), this.principal.getName(), "authnSuccess", null, null, null, "providerSuccess", AuditOutcome.SUCCESSFUL, 5L);
            }
            return this.succeeded;
        } catch (WSSecurityException e12) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Problem creating principal.", new Object[]{e12});
            }
            FFDCFilter.processException(e12, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "616", this);
            contextManagerFactory.setRootException(e12);
            throw new WSLoginFailedException(e12.getMessage(), e12);
        } catch (Exception e13) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating principal.", new Object[]{e13});
            }
            FFDCFilter.processException(e13, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "623", this);
            contextManagerFactory.setRootException(e13);
            throw new WSLoginFailedException(e13.getMessage(), e13);
        }
    }

    /**
     * Phase 2 of the JAAS login: moves the principal and credential that login() stored in the
     * shared state onto the Subject and, when no tokens are already present and single sign-on
     * is enabled, adds the tokens derived from the credential to the Subject's private
     * credentials.
     *
     * <p>A missing principal or credential in the shared state is reported by throwing. Any
     * exception raised while the Subject is being updated is logged, followed by cleanup(), and
     * surfaces to the caller only as a {@code false} return value.
     *
     * @return {@code true} if the Subject was updated by this call or by an earlier one;
     *         {@code false} if login() did not succeed or updating the Subject failed
     * @throws LoginException (as WSLoginFailedException) if the principal or the credential is
     *         absent from the shared state
     */
    public boolean commit() throws LoginException {
        boolean z;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (this.succeeded) {
            if (!this.commitSucceeded) {
                // Not guarded by a trace-level check; only the key names are written, not the values.
                Tr.debug(tc, "shared state contains: " + this.sharedState.keySet());
                ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
                // Both lookups happen outside the try below, so these two failures reach the caller.
                this.principal = (WSPrincipal) this.sharedState.get(Constants.WSPRINCIPAL_KEY);
                if (this.principal == null) {
                    WSLoginFailedException wSLoginFailedException = new WSLoginFailedException("ltpaLoginModule: WSPrincipal is null in commit (phase 2) stage");
                    contextManagerFactory.setRootException(wSLoginFailedException);
                    throw wSLoginFailedException;
                }
                this.credential = (WSCredential) this.sharedState.get(Constants.WSCREDENTIAL_KEY);
                if (this.credential == null) {
                    WSLoginFailedException wSLoginFailedException2 = new WSLoginFailedException("ltpaLoginModule: WSCredential is null in commit (phase 2) stage");
                    contextManagerFactory.setRootException(wSLoginFailedException2);
                    throw wSLoginFailedException2;
                }
                try {
                    if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Start committing the changes to the Subject ...");
                    }
                    try {
                        // The Subject is modified inside doPrivileged, i.e. with this class's own
                        // permissions rather than those of the code that triggered the login.
                        AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.server.lm.ltpaLoginModule.3
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws CredentialDestroyedException, CredentialExpiredException, WSLoginFailedException {
                                if (!ltpaLoginModule.this.subject.getPrincipals().contains(ltpaLoginModule.this.principal)) {
                                    ltpaLoginModule.this.subject.getPrincipals().add(ltpaLoginModule.this.principal);
                                }
                                if (!ltpaLoginModule.this.subject.getPublicCredentials().contains(ltpaLoginModule.this.credential)) {
                                    // NOTE(review): this traces the credential's toString(); what that
                                    // string contains is not visible here - confirm it holds no token bytes.
                                    if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(ltpaLoginModule.tc, "Credential: " + ltpaLoginModule.this.credential);
                                    }
                                    // Stamp the identity name/value attributes before the credential
                                    // becomes visible through the Subject's public credentials.
                                    ltpaLoginModule.this.credential.set("wssecurity.identity_name", VaultConstants.ClientAuthToken);
                                    ltpaLoginModule.this.credential.set("wssecurity.identity_value", StringBytesConversion.getConvertedBytes(ltpaLoginModule.this.credential.getRealmSecurityName()));
                                    ltpaLoginModule.this.subject.getPublicCredentials().add(ltpaLoginModule.this.credential);
                                }
                                // No tokens are created here when propagation is enabled.
                                if (WSCredentialTokenMapper.isAnyPropagationEnabled()) {
                                    return null;
                                }
                                AuthenticationToken authenticationToken = (AuthenticationToken) ltpaLoginModule.this.sharedState.get(Constants.WSAUTHTOKEN_KEY);
                                AuthorizationToken authorizationToken = (AuthorizationToken) ltpaLoginModule.this.sharedState.get(Constants.WSAUTHZTOKEN_KEY);
                                // Skip token creation when the shared state already carries either token.
                                if (ltpaLoginModule.this.credential == null || authenticationToken != null || authorizationToken != null) {
                                    return null;
                                }
                                SingleSignonConfig singleSignon = SecurityObjectLocator.getSecurityConfig().getActiveAuthMechanism().getSingleSignon();
                                Boolean bool = false;
                                if (singleSignon != null) {
                                    bool = Boolean.valueOf(singleSignon.getBoolean("enabled"));
                                }
                                // Tokens are only derived when single sign-on is configured and enabled.
                                if (bool == null || !bool.booleanValue()) {
                                    return null;
                                }
                                AuthorizationToken createAuthzTokenFromWSCredential = WSCredentialTokenMapper.getInstance().createAuthzTokenFromWSCredential(ltpaLoginModule.this.credential);
                                AuthenticationToken createAuthTokenFromWSCredential = WSCredentialTokenMapper.getInstance().createAuthTokenFromWSCredential(ltpaLoginModule.this.credential);
                                SingleSignonToken singleSignonToken = null;
                                // bool is known to be true here, so valueOf is true as well and the
                                // single sign-on token is always requested on this path.
                                Boolean valueOf = Boolean.valueOf(bool.booleanValue());
                                KerberosTicket kerberosTicket = (KerberosTicket) ltpaLoginModule.this.sharedState.get(AttributeNameConstants.KERBEROS_TICKET);
                                if (valueOf != null && valueOf.booleanValue()) {
                                    // Second argument is true when a Kerberos ticket is in the shared state;
                                    // the meaning of the two boolean parameters is not visible here - TODO confirm.
                                    singleSignonToken = WSCredentialTokenMapper.getInstance().createSSOTokenAndSetAttributes(ltpaLoginModule.this.credential, kerberosTicket != null, false);
                                }
                                // All three tokens go into the private credential set, unlike the
                                // WSCredential above, which is added to the public set.
                                if (createAuthzTokenFromWSCredential != null) {
                                    if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(ltpaLoginModule.tc, "Adding AuthorizationToken to Subject.");
                                    }
                                    ltpaLoginModule.this.subject.getPrivateCredentials().add(createAuthzTokenFromWSCredential);
                                }
                                if (createAuthTokenFromWSCredential != null) {
                                    if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(ltpaLoginModule.tc, "Adding AuthenticationToken to Subject.");
                                    }
                                    ltpaLoginModule.this.subject.getPrivateCredentials().add(createAuthTokenFromWSCredential);
                                }
                                if (singleSignonToken == null) {
                                    return null;
                                }
                                if (ltpaLoginModule.this.debug || ltpaLoginModule.tc.isDebugEnabled()) {
                                    Tr.debug(ltpaLoginModule.tc, "Adding SingleSignonToken to Subject.");
                                }
                                ltpaLoginModule.this.subject.getPrivateCredentials().add(singleSignonToken);
                                return null;
                            }
                        });
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Change committed!");
                        }
                        this.commitSucceeded = true;
                    } catch (PrivilegedActionException e) {
                        FFDCFilter.processException(e.getException(), "com.ibm.ws.security.server.lm.ltpaLoginModule.commit", "725", this);
                        contextManagerFactory.setRootException(e.getException());
                        // This throw sits inside the outer try, so the catch (Exception) below
                        // receives it; it does not leave commit().
                        throw new WSLoginFailedException(e.getException().getMessage(), e.getException());
                    }
                } catch (Exception e2) {
                    // Failure is logged and converted into a false return value, not rethrown.
                    FFDCFilter.processException(e2, "com.ibm.ws.security.server.lm.ltpaLoginModule.commit", "736", this);
                    Tr.error(tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e2});
                    // NOTE(review): cleanup() removes the principal and the public credential only;
                    // tokens already added to the private credentials before the failure stay on
                    // the Subject - confirm that is intended.
                    cleanup();
                    this.commitSucceeded = false;
                }
            } else if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "It has been committed prior this call, nothing is done.");
            }
            z = this.commitSucceeded;
        } else {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Do not commit because of authentication failed.");
            }
            z = false;
        }
        // cleanupSharedState() also sets succeeded and commitSucceeded back to false, which is
        // why the outcome was captured in z beforehand.
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return z;
    }

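    /**
     * Copies every attribute of the given token into {@code initialTokenAttributes} and stores
     * that map in the shared state under {@code INITIAL_TOKEN_ATTRIBUTES}.
     *
     * <p>With tracing on, each attribute name and its first value are written to the trace, so
     * the trace output contains whatever the token carries in its attributes.
     *
     * @param token the token whose attributes are copied; must not be {@code null}
     */
    void saveAttributesFromOriginalToken(Token token) {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "saveAttributesFromOriginalToken");
        }
        Enumeration attributeNames = token.getAttributeNames();
        while (attributeNames.hasMoreElements()) {
            String key = (String) attributeNames.nextElement();
            String[] values = token.getAttributes(key);
            this.initialTokenAttributes.put(key, values);
            if (this.debug || tc.isEntryEnabled()) {
                // A trace statement must not be able to fail the login: an attribute with a
                // null or empty value array is reported as null instead of indexing [0].
                String firstValue = (values != null && values.length > 0) ? values[0] : null;
                Tr.debug(tc, "Found key=" + key + " value=" + firstValue + " in the incoming token");
            }
        }
        this.sharedState.put(this.INITIAL_TOKEN_ATTRIBUTES, this.initialTokenAttributes);
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "saveAttributesFromOriginalToken " + this.initialTokenAttributes);
        }
    }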

    /**
     * Aborts the authentication attempt by delegating to cleanup(), which removes this module's
     * principal and credential from the Subject and resets the module's state.
     *
     * @return always {@code true}
     * @throws LoginException declared by the signature; nothing in this body throws it directly
     */
    public boolean abort() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }

        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes WSPrincipal and WSCredential from the Subject, reset all internal variables.");
            Tr.debug(tc, "Start cleanup ...");
        }

        cleanup();

        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }

        // The exit trace is the only thing that depends on the trace settings; the result does not.
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return true;
    }

    /**
     * Logs the Subject out by delegating to cleanup(), which removes this module's principal and
     * credential from the Subject and resets the module's state.
     *
     * <p>NOTE(review): cleanup() in this class touches the principal set and the public
     * credential set only; tokens that commit() added to the Subject's private credentials are
     * not removed here - confirm they are cleared elsewhere.
     *
     * @return always {@code true}
     * @throws LoginException declared by the signature; nothing in this body throws it directly
     */
    public boolean logout() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }

        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes WSPrincipal and WSCredential from the Subject, reset all internal variables.");
            Tr.debug(tc, "Start cleanup ...");
        }

        cleanup();

        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }

        // The exit trace is the only thing that depends on the trace settings; the result does not.
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return true;
    }

    /**
     * Reverts this module's effect on the Subject: clears both phase flags, removes the held
     * principal from the Subject's principals and the held credential from its public
     * credentials, drops the references to both, and finally clears the shared state.
     *
     * <p>Each removal is attempted independently; a failure in one is logged and does not stop
     * the other. The Subject's private credentials are not modified by this method.
     */
    private void cleanup() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        this.commitSucceeded = false;
        this.succeeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing WSPrinciapl, WSCredential, and CORBA Credentials from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        // The Subject is modified with this class's own permissions.
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.server.lm.ltpaLoginModule.4
            @Override // java.security.PrivilegedAction
            public Object run() {
                // Step 1: take the principal off the Subject, if this module still holds one.
                try {
                    if (ltpaLoginModule.this.principal != null) {
                        if (ltpaLoginModule.this.subject.getPrincipals().contains(ltpaLoginModule.this.principal)) {
                            ltpaLoginModule.this.subject.getPrincipals().remove(ltpaLoginModule.this.principal);
                        }
                    }
                } catch (Exception principalFailure) {
                    FFDCFilter.processException(principalFailure, "com.ibm.ws.security.server.lm.ltpaLoginModule.run", "847", this);
                    Tr.error(ltpaLoginModule.tc, "security.jaas.removeCredException", new Object[]{getClass().getName(), principalFailure});
                }
                // Step 2: take the credential out of the public credential set.
                try {
                    if (ltpaLoginModule.this.credential != null) {
                        if (ltpaLoginModule.this.subject.getPublicCredentials().contains(ltpaLoginModule.this.credential)) {
                            ltpaLoginModule.this.subject.getPublicCredentials().remove(ltpaLoginModule.this.credential);
                        }
                    }
                } catch (Exception credentialFailure) {
                    FFDCFilter.processException(credentialFailure, "com.ibm.ws.security.server.lm.ltpaLoginModule.run", "858", this);
                    Tr.error(ltpaLoginModule.tc, "security.jaas.removeCredException", new Object[]{getClass().getName(), credentialFailure});
                }
                return null;
            }
        });
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        // Drop the references only after the removals above have used them.
        this.principal = null;
        this.credential = null;
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }

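    /**
     * Resets both phase flags and removes this module's entries from the JAAS shared state:
     * passwords held by any PasswordCallback are cleared, then the callback array, the
     * WSCredential and the WSPrincipal entries are removed.
     *
     * <p>Callers that need the outcome of login() or commit() must read it before calling this
     * method, because {@code succeeded} and {@code commitSucceeded} are set to {@code false} here.
     */
    private void cleanupSharedState() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanupSharedState()");
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing Callbacks, WSPrincipal, and WSCredential from the shared state.");
        }
        Callback[] callbacks = (Callback[]) this.sharedState.get(Constants.CALLBACK_KEY);
        if (callbacks != null) {
            for (Callback callback : callbacks) {
                if (callback instanceof PasswordCallback) {
                    PasswordCallback passwordCallback = (PasswordCallback) callback;
                    // getPassword() is documented to return a copy of the password, so the
                    // null check itself puts a second cleartext array on the heap. Wipe that
                    // copy as well as the callback's own array.
                    char[] passwordCopy = passwordCallback.getPassword();
                    if (passwordCopy != null) {
                        java.util.Arrays.fill(passwordCopy, ' ');
                        passwordCallback.clearPassword();
                    }
                }
            }
            this.sharedState.remove(Constants.CALLBACK_KEY);
        }
        if (((WSCredential) this.sharedState.get(Constants.WSCREDENTIAL_KEY)) != null) {
            this.sharedState.remove(Constants.WSCREDENTIAL_KEY);
        }
        if (((WSPrincipal) this.sharedState.get(Constants.WSPRINCIPAL_KEY)) != null) {
            this.sharedState.remove(Constants.WSPRINCIPAL_KEY);
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanupSharedState()");
        }
    }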

    /**
     * Decides whether token renewal is enabled. Renewal requires an opt-in from both maps under
     * the {@code DESERIALIZE_ASYNCH_LOGIN_RENEW} key.
     *
     * <p>The first map (called "AppContext login properties" in the trace text) accepts a
     * {@code Boolean} or the strings "true"/"yes" in any case. The second map (called "JAAS
     * config options" in the trace text) accepts only the string "true" in any case. A value of
     * any other type in either map fails the {@code String} cast.
     *
     * @param map  first source of the renew flag; may be {@code null}
     * @param map2 second source of the renew flag; may be {@code null}
     * @return {@code true} only when both maps contain the key and both values enable renewal
     */
    private boolean refreshIfExpired(Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkForRefreshIfExpired ", new Object[]{map, map2});
        }
        final Object renewKey = com.ibm.wsspi.security.context.ContextManager.DESERIALIZE_ASYNCH_LOGIN_RENEW;
        boolean renew = false;
        boolean keyInBoth = map != null && map.containsKey(renewKey) && map2 != null && map2.containsKey(renewKey);
        if (keyInBoth) {
            Object requested = map.get(renewKey);
            boolean enabledByLogin;
            if (requested instanceof Boolean) {
                enabledByLogin = ((Boolean) requested).booleanValue();
            } else {
                String text = (String) requested;
                enabledByLogin = text != null && (text.equalsIgnoreCase("true") || text.equalsIgnoreCase("yes"));
            }
            Tr.debug(tc, "Is token refresh behavior enabled via AppContext login properties? " + enabledByLogin);
            String configured = (String) map2.get(renewKey);
            // Both sides must agree; the second map alone cannot switch renewal on.
            renew = enabledByLogin && "true".equalsIgnoreCase(configured);
            Tr.debug(tc, "Is token refresh behavior enabled via JAAS config options? " + configured);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshIfExpired " + renew);
        }
        return renew;
    }

    /**
     * Reports whether the given map enables the {@code DESERIALIZE_ASYNCH_LOGIN} flag.
     *
     * <p>The value may be a {@code Boolean}, or the strings "true"/"yes" in any case. A missing
     * key, a {@code null} map or a {@code null} value yields {@code false}; a value of any other
     * type fails the {@code String} cast.
     *
     * @param map the properties to inspect; may be {@code null}
     * @return {@code true} if the flag is present and enabled
     */
    private boolean isAsyncLogin(Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isAsyncLogin", new Object[]{map});
        }
        final Object asyncKey = com.ibm.wsspi.security.context.ContextManager.DESERIALIZE_ASYNCH_LOGIN;
        boolean async = false;
        if (map != null && map.containsKey(asyncKey)) {
            Object flag = map.get(asyncKey);
            if (flag instanceof Boolean) {
                async = ((Boolean) flag).booleanValue();
            } else {
                String text = (String) flag;
                async = text != null && (text.equalsIgnoreCase("true") || text.equalsIgnoreCase("yes"));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isAsyncLogin " + async);
        }
        return async;
    }
}
