package weblogic.servlet.security.internal;

import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.PageContext;
import weblogic.diagnostics.debug.DebugLogger;
import weblogic.jndi.internal.JNDIImageSourceConstants;
import weblogic.management.configuration.WebAppContainerMBean;
import weblogic.management.provider.ManagementService;
import weblogic.security.Salt;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.auth.login.PasswordCredential;
import weblogic.security.service.PrincipalAuthenticator;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityService;
import weblogic.security.service.SecurityServiceManager;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ErrorMessages;
import weblogic.servlet.internal.HttpServer;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppConfigManager;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.internal.session.HTTPSessionLogger;
import weblogic.servlet.internal.session.RSID;
import weblogic.servlet.internal.session.SessionConstants;
import weblogic.servlet.internal.session.SessionContext;
import weblogic.servlet.internal.session.SessionData;
import weblogic.servlet.internal.session.SessionInternal;
import weblogic.utils.NestedRuntimeException;
import weblogic.utils.StringUtils;
import weblogic.utils.encoders.BASE64Encoder;

/* loaded from: input_file:weblogic/servlet/security/internal/SecurityModule.class */
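/**
 * Base class of the web-application authentication modules.
 *
 * <p>This class holds the plumbing the concrete modules share: resolving the subject bound to
 * a session, authenticating a username/credential pair against the realm, binding and
 * unbinding a subject to a session, issuing and checking the secure auth cookie, and the
 * factory that maps an auth-method string to a concrete module.
 *
 * <p>Security-relevant behaviour visible in this file:
 * <ul>
 *   <li>The session id is rotated on login only when {@code changeSessionIdOnAuthentication}
 *       is true; a JVM system property of the same name overrides the domain setting.</li>
 *   <li>The auth cookie is issued and enforced on secure requests only; on any other request
 *       {@link #checkAuthCookie} returns {@code true} without checking anything.</li>
 *   <li>After a successful authentication the clear-text password is attached to the
 *       subject's private credentials.</li>
 * </ul>
 */
public abstract class SecurityModule {
    /** Internal session attribute under which the authenticated subject is cached. */
    public static final String SESSION_AUTH_USER = "weblogic.authuser";
    public static final String SESSION_FORM_URL = "weblogic.formauth.targeturl";
    /** Internal session attribute read when filling in the error request URI after a failed login. */
    public static final String SESSION_FORM_URI = "weblogic.formauth.targeturi";
    // Result codes; not referenced inside this class.
    public static final int AUTHENTICATED = 0;
    public static final int FAILED_AUTHENTICATION = 1;
    public static final int NEEDS_CREDENTIALS = 2;
    // Further form-auth attribute names; not referenced inside this class.
    static final String SESSION_FORM_METHOD = "weblogic.formauth.method";
    static final String SESSION_FORM_QUERY = "weblogic.formauth.queryparams";
    static final String SESSION_FORM_BYTEARRAY = "weblogic.formauth.bytearray";
    static final String SESSION_FORM_REQHEADNAMES = "weblogic.formauth.reqheadernames";
    static final String SESSION_FORM_REQHEADVALUES = "weblogic.formauth.reqheadervalues";
    static final String SESSION_POST_COOKIE = "weblogic.formauth.postcookie";
    static final String SESSION_FORM_IMMEDIATE = "weblogic.formauth.immediate";
    public static final String REQUEST_AUTH_RESULT = "weblogic.auth.result";
    public static final int REQUEST_PRE_AUTH = -1;
    public static final String ASSERTION_AUTH = "ASSERTION";
    public static final String REALM_AUTH = "REALM";
    protected final WebAppServletContext servletContext;
    protected final WebAppSecurity webAppSecurity;
    /** Value sent in the {@code WWW-Authenticate} header by {@link #sendError}. */
    protected String authRealmBanner;
    /** When true, the send*Response methods of this class write nothing. */
    protected boolean delegateControl;
    /** Whether {@link #login} replaces the id of an existing (non-new) session. */
    private static boolean changeSessionIdOnAuthentication;
    // Mutable and shared by every module: it sets both the number of random bytes drawn and
    // the number of characters kept in generateNewId().
    protected static int AUTH_COOKIE_ID_LENGTH = 20;
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
    protected static final DebugLogger DEBUG_SEC = DebugLogger.getDebugLogger("DebugWebAppSecurity");
    private static final WebAppContainerMBean webAppContainer = ManagementService.getRuntimeAccess(KERNEL_ID).getDomain().getWebAppContainer();

    /* loaded from: input_file:weblogic/servlet/security/internal/SecurityModule$ServletAuthenticationFilterAction.class */
    /** Runs a filter chain and reports a failure as the return value instead of throwing. */
    private static class ServletAuthenticationFilterAction implements PrivilegedAction {
        private final HttpServletRequest request;
        private final HttpServletResponse response;
        private final FilterChain chain;

        ServletAuthenticationFilterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
            this.request = httpServletRequest;
            this.response = httpServletResponse;
            this.chain = filterChain;
        }

        /**
         * @return {@code null} when the chain completed, otherwise the {@code Throwable} it
         *     raised; {@code Error}s are captured as well
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                this.chain.doFilter(this.request, this.response);
                return null;
            } catch (Throwable th) {
                return th;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:weblogic/servlet/security/internal/SecurityModule$SessionRetrievalAction.class */
    /** Calls {@code request.getSession(flag)} and keeps the result for {@link #getUserSession()}. */
    public static class SessionRetrievalAction implements PrivilegedAction {
        private final HttpServletRequest request;
        private final boolean flag;
        private SessionInternal session = null;

        SessionRetrievalAction(HttpServletRequest httpServletRequest, boolean z) {
            this.request = httpServletRequest;
            this.flag = z;
        }

        /** @return the session fetched by {@link #run()}, or {@code null} if none was obtained */
        public SessionInternal getUserSession() {
            return this.session;
        }

        /** @return {@code null} on success, otherwise the {@code Throwable} that was raised */
        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                this.session = (SessionInternal) this.request.getSession(this.flag);
                return null;
            } catch (Throwable th) {
                return th;
            }
        }
    }

    /** Creates a module with no realm banner and {@code delegateControl} switched off. */
    public SecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity) {
        this.authRealmBanner = null;
        this.delegateControl = false;
        this.servletContext = webAppServletContext;
        this.webAppSecurity = webAppSecurity;
    }

    /**
     * @param z value for {@code delegateControl}; when true this module's send*Response
     *     methods return without writing to the response
     */
    public SecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity, boolean z) {
        this(webAppServletContext, webAppSecurity);
        this.delegateControl = z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public HttpServer getHttpServer() {
        return this.servletContext.getServer();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public WebAppServletContext getServletContext() {
        return this.servletContext;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isReloginEnabled() {
        return this.servletContext.getConfigManager().isReloginEnabled();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks the transport requirement first and, only if it passes, the user's permission.
     *
     * @return {@code false} as soon as {@code checkTransport} fails; otherwise the result of
     *     {@link #checkUserPerm} for the subject currently bound to the session
     */
    public boolean checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal, ResourceConstraint resourceConstraint, boolean z) throws IOException, ServletException {
        if (this.webAppSecurity.checkTransport(resourceConstraint, httpServletRequest, httpServletResponse)) {
            return checkUserPerm(httpServletRequest, httpServletResponse, sessionInternal, resourceConstraint, getCurrentUser(getHttpServer(), httpServletRequest, sessionInternal), z);
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Decides whether the given subject may access the constrained resource; module specific. */
    public abstract boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal, ResourceConstraint resourceConstraint, AuthenticatedSubject authenticatedSubject, boolean z) throws IOException, ServletException;

    /** Same as the three-argument overload, using the request's existing session, if any. */
    public static final AuthenticatedSubject getCurrentUser(HttpServer httpServer, HttpServletRequest httpServletRequest) {
        return getCurrentUser(httpServer, httpServletRequest, (SessionInternal) httpServletRequest.getSession(false));
    }

    /** @return the configured auth-cookie name of the session's context, or the default when there is no session */
    public static String getWLSAuthCookieName(SessionInternal sessionInternal) {
        return sessionInternal == null ? SessionConstants.DEFAULT_WLS_AUTHCOOKIE : sessionInternal.getContext().getConfigMgr().getWLSAuthCookieName();
    }

    private static String getWLSAuthCookieName(WebAppServletContext webAppServletContext) {
        return webAppServletContext.getSessionContext().getConfigMgr().getWLSAuthCookieName();
    }

    /**
     * Resolves the subject bound to a session, keeping the server's session-login registry and
     * the session's internal attributes in step with each other.
     *
     * <p>With a session: the registry is asked first (keyed by the session's internal id); a
     * hit is copied into the session, a miss is filled from the session and written back to
     * the registry. The auth-cookie id is synchronised the same way. Without a session: the
     * registry is queried with the session id the client sent in the request.
     *
     * @return the subject found, or {@code null}
     */
    public static final AuthenticatedSubject getCurrentUser(HttpServer httpServer, HttpServletRequest httpServletRequest, SessionInternal sessionInternal) {
        AuthenticatedSubject authenticatedSubject = null;
        try {
            if (sessionInternal != null) {
                String internalId = sessionInternal.getInternalId();
                authenticatedSubject = httpServer.getSessionLogin().getUser(internalId);
                if (authenticatedSubject != null) {
                    sessionInternal.setInternalAttribute(SESSION_AUTH_USER, authenticatedSubject);
                } else {
                    authenticatedSubject = (AuthenticatedSubject) sessionInternal.getInternalAttribute(SESSION_AUTH_USER);
                    if (authenticatedSubject != null) {
                        httpServer.getSessionLogin().setUser(internalId, authenticatedSubject);
                    }
                }
                String wLSAuthCookieName = getWLSAuthCookieName(sessionInternal);
                String str = (String) sessionInternal.getInternalAttribute(wLSAuthCookieName);
                if (str == null) {
                    String cookieId = httpServer.getSessionLogin().getCookieId(internalId);
                    if (cookieId != null) {
                        sessionInternal.setInternalAttribute(wLSAuthCookieName, cookieId);
                    }
                } else {
                    httpServer.getSessionLogin().addCookieId(internalId, str);
                }
            } else {
                // The lookup key here is client-supplied. No auth-cookie check happens in this
                // method; callers that need one must call checkAuthCookie themselves.
                String requestedSessionId = httpServletRequest.getRequestedSessionId();
                if (requestedSessionId != null) {
                    authenticatedSubject = httpServer.getSessionLogin().getUser(RSID.getID(requestedSessionId));
                }
            }
        } catch (IllegalStateException e) {
            // NOTE(review): if this is raised after the registry lookup succeeded, the subject
            // found so far is still returned below - confirm that is intended for an expired session.
            HTTPSessionLogger.logSessionExpired(sessionInternal == null ? "null" : sessionInternal.getInternalId(), e);
        }
        return authenticatedSubject;
    }

    /**
     * Non-throwing wrapper around the five-argument {@code checkAuthenticate}.
     *
     * @param z when true, a failed login also populates the {@code javax.servlet.error.*}
     *     request attributes with a 403 status for the error page
     * @return the authenticated subject, or {@code null} when the login failed
     */
    public static final AuthenticatedSubject checkAuthenticate(String str, Object obj, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppServletContext webAppServletContext, boolean z) {
        try {
            return checkAuthenticate(str, obj, httpServletRequest, httpServletResponse, webAppServletContext);
        } catch (LoginException e) {
            if (DEBUG_SEC.isDebugEnabled()) {
                // NOTE(review): what the request's toString() prints is not visible here; confirm
                // it cannot put credentials or session ids into the debug log.
                DEBUG_SEC.debug("Login failed for request: " + httpServletRequest.toString(), e);
            }
            if (!z) {
                return null;
            }
            // NOTE(review): the exception and its message become visible to the error page;
            // confirm the provider's message does not tell an unknown user from a bad password.
            httpServletRequest.setAttribute("javax.servlet.error.exception_type", e.getClass());
            httpServletRequest.setAttribute("javax.servlet.error.exception", e);
            httpServletRequest.setAttribute("javax.servlet.error.message", e.getMessage());
            SessionInternal sessionInternal = (SessionInternal) httpServletRequest.getSession(false);
            if (sessionInternal != null) {
                Object obj2 = (String) sessionInternal.getInternalAttribute(SESSION_FORM_URI);
                httpServletRequest.setAttribute("javax.servlet.error.request_uri", obj2 == null ? httpServletRequest.getRequestURI() : obj2);
            }
            httpServletRequest.setAttribute(PageContext.EXCEPTION, e);
            // Integer.valueOf replaces the deprecated boxing constructor; the stored value is the same.
            httpServletRequest.setAttribute("javax.servlet.error.status_code", Integer.valueOf(403));
            return null;
        }
    }

    /**
     * Authenticates {@code str}/{@code obj} against the context's security realm.
     *
     * <p>If a subject is already bound to the session and {@code str} is {@code null} or names
     * that same user, the bound subject is returned without re-authenticating. If a different
     * user is bound, that user is logged out first, and stays logged out even when the new
     * authentication then fails.
     *
     * @param str the user name; {@code null} means "report whoever is already logged in"
     * @param obj the credential; cast to {@code String} after a successful authentication
     * @return the authenticated subject, or {@code null} when {@code str} is {@code null} and
     *     nobody is logged in
     * @throws LoginException when the authenticator rejects the credentials
     */
    public static AuthenticatedSubject checkAuthenticate(String str, Object obj, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppServletContext webAppServletContext) throws LoginException {
        HttpServer server = webAppServletContext.getServer();
        String securityRealmName = webAppServletContext.getSecurityRealmName();
        String logContext = webAppServletContext.getLogContext();
        SessionInternal sessionInternal = (SessionInternal) httpServletRequest.getSession(false);
        AuthenticatedSubject currentUser = getCurrentUser(server, httpServletRequest, sessionInternal);
        if (currentUser != null) {
            if (str == null || str.equals(SubjectUtils.getUsername(currentUser))) {
                return currentUser;
            }
            logout(server, sessionInternal);
        }
        if (str == null) {
            return null;
        }
        final AuthenticatedSubject authenticate = ((PrincipalAuthenticator) SecurityServiceManager.getSecurityService(KERNEL_ID, securityRealmName, SecurityService.ServiceType.AUTHENTICATION)).authenticate(new ServletCallbackHandler(str, obj, httpServletRequest, httpServletResponse), new WebAppContextHandler(httpServletRequest, httpServletResponse));
        if (authenticate != null) {
            // The clear-text password stays attached to the subject from here on, so anything
            // that can read the subject's private credentials can read the password.
            // NOTE(review): a non-String credential would raise ClassCastException here, after
            // the authentication itself succeeded - confirm callers only pass String or null.
            final PasswordCredential passwordCredential = new PasswordCredential(str, (String) obj);
            AccessController.doPrivileged(new PrivilegedAction() { // from class: weblogic.servlet.security.internal.SecurityModule.1
                @Override // java.security.PrivilegedAction
                public Object run() {
                    // The decompiler printed the captured local as "AuthenticatedSubject.this",
                    // which does not compile (no such enclosing instance exists in this static
                    // method); the captured variable is the final local declared above.
                    authenticate.getPrivateCredentials(SecurityModule.KERNEL_ID).add(passwordCredential);
                    return null;
                }
            });
        }
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug(logContext + " authenticated user: " + getUsername(authenticate));
        }
        return authenticate;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** @return the subject's user name, or {@code "anonymous"} for a {@code null} subject */
    public static final String getUsername(AuthenticatedSubject authenticatedSubject) {
        return authenticatedSubject == null ? "anonymous" : SubjectUtils.getUsername(authenticatedSubject);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the {@code WWW-Authenticate} value. The scheme is always {@code Basic}, and the
     * realm name is inserted without escaping.
     */
    public void setAuthRealmBanner(String str) {
        this.authRealmBanner = "Basic realm=\"" + str + JNDIImageSourceConstants.DOUBLE_QUOTES;
    }

    /**
     * Sets the auth-cookie id length for every module in the JVM.
     *
     * <p>NOTE(review): the value is not validated. {@code generateNewId()} uses it both as the
     * random byte count and as the truncation length, so zero would yield an empty id - confirm
     * the caller enforces a sensible minimum.
     */
    public static void setAuthCookieIDLength(int i) {
        AUTH_COOKIE_ID_LENGTH = i;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Unbinds the subject from the session: removes the session's entry from the session-login
     * registry and the cached subject attribute. The session itself is not invalidated here.
     */
    public static final void logout(HttpServer httpServer, SessionInternal sessionInternal) {
        if (sessionInternal == null) {
            return;
        }
        httpServer.getSessionLogin().unregister(sessionInternal.getInternalId());
        sessionInternal.removeInternalAttribute(SESSION_AUTH_USER);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Binds an authenticated subject to the session and issues a fresh auth cookie.
     *
     * <p>Null, anonymous and kernel-identity subjects are ignored. A missing session is
     * created. An existing session that is not new gets a new id only when
     * {@code changeSessionIdOnAuthentication} is true; with the flag off, the id the client held
     * before authenticating stays valid afterwards, which is the precondition for session
     * fixation.
     */
    public final void login(HttpServletRequest httpServletRequest, AuthenticatedSubject authenticatedSubject, SessionInternal sessionInternal) {
        if (authenticatedSubject == null || SubjectUtils.isUserAnonymous(authenticatedSubject) || SecurityServiceManager.isKernelIdentity(authenticatedSubject)) {
            return;
        }
        HttpServer httpServer = getHttpServer();
        if (sessionInternal == null) {
            sessionInternal = getUserSession(httpServletRequest, true);
        } else if (!((HttpSession) sessionInternal).isNew() && changeSessionIdOnAuthentication) {
            sessionInternal = generateNewSession(httpServletRequest);
        }
        sessionInternal.setInternalAttribute(SESSION_AUTH_USER, authenticatedSubject);
        String internalId = sessionInternal.getInternalId();
        httpServer.getSessionLogin().setUser(internalId, authenticatedSubject);
        setupAuthCookie(httpServer, httpServletRequest, sessionInternal, internalId, true);
    }

    /** Asks the original request's session helper for a new session id, then re-fetches the session. */
    private final SessionInternal generateNewSession(HttpServletRequest httpServletRequest) {
        ServletRequestImpl.getOriginalRequest(httpServletRequest).getSessionHelper().updateSessionId();
        return getUserSession(httpServletRequest, true);
    }

    /** Ensures an auth-cookie id is recorded for the session, reusing an existing one when present. */
    public static final void setupAuthCookie(HttpServer httpServer, HttpServletRequest httpServletRequest, SessionInternal sessionInternal, String str) {
        setupAuthCookie(httpServer, httpServletRequest, sessionInternal, str, false);
    }

    /**
     * Issues or re-synchronises the auth cookie; does nothing unless auth cookies are enabled
     * and the request is secure.
     *
     * @param str the session's internal id, used as the key in the session-login registry
     * @param z {@code true} to always mint a new id (the login path); {@code false} to reuse an
     *     id already known to the registry or the session and return without sending a cookie
     */
    private static final void setupAuthCookie(HttpServer httpServer, HttpServletRequest httpServletRequest, SessionInternal sessionInternal, String str, boolean z) {
        SessionContext sessionContext;
        SessionData sessionInternalForAuthentication;
        if (httpServer.isAuthCookieEnabled() && httpServletRequest.isSecure()) {
            String cookieId = httpServer.getSessionLogin().getCookieId(str);
            String wLSAuthCookieName = getWLSAuthCookieName(sessionInternal);
            if (!z && cookieId != null) {
                sessionInternal.setInternalAttribute(wLSAuthCookieName, cookieId);
                return;
            }
            if (cookieId == null) {
                cookieId = (String) sessionInternal.getInternalAttribute(wLSAuthCookieName);
                if (!z && cookieId != null) {
                    httpServer.getSessionLogin().addCookieId(str, cookieId);
                    return;
                }
            }
            // z2: an older id existed, so other contexts may still hold it.
            boolean z2 = cookieId != null;
            ServletResponseImpl response = ServletRequestImpl.getOriginalRequest(httpServletRequest).getResponse();
            String generateNewId = generateNewId();
            sessionInternal.setInternalAttribute(wLSAuthCookieName, generateNewId);
            if (z && z2) {
                // Drop the superseded id from this session's counterparts in every other
                // context that uses the same cookie name.
                ServletRequestImpl originalRequest = ServletRequestImpl.getOriginalRequest(httpServletRequest);
                for (WebAppServletContext webAppServletContext : httpServer.getServletContextManager().getAllContexts()) {
                    if (!webAppServletContext.equals(sessionInternal.getContext().getServletContext()) && getWLSAuthCookieName(webAppServletContext).equals(wLSAuthCookieName) && (sessionInternalForAuthentication = (sessionContext = webAppServletContext.getSessionContext()).getSessionInternalForAuthentication(str, originalRequest, response)) != null) {
                        if (sessionInternalForAuthentication.getInternalAttribute(wLSAuthCookieName) != null) {
                            sessionInternalForAuthentication.removeInternalAttribute(wLSAuthCookieName);
                        }
                        synchronized (sessionInternalForAuthentication) {
                            sessionContext.sync(sessionInternalForAuthentication);
                        }
                    }
                }
            }
            Cookie cookie = new Cookie(wLSAuthCookieName, generateNewId);
            cookie.setSecure(true);
            // Negative max-age: the cookie is not persisted and ends with the browser session.
            cookie.setMaxAge(-1);
            cookie.setPath(sessionInternal.getContext().getConfigMgr().getCookiePath());
            String cookieDomain = sessionInternal.getContext().getConfigMgr().getCookieDomain();
            if (cookieDomain != null) {
                cookie.setDomain(cookieDomain);
            }
            // NOTE(review): HttpOnly is not set on the cookie in this method; whether
            // addCookieInternal adds it is not visible here - confirm.
            response.addCookieInternal(cookie);
            httpServer.getSessionLogin().addCookieId(str, generateNewId);
        }
    }

    /**
     * Produces a new auth-cookie id: {@code AUTH_COOKIE_ID_LENGTH} random bytes, base64
     * encoded, cut to {@code AUTH_COOKIE_ID_LENGTH} characters, with {@code / + =} mapped to
     * {@code . - _}.
     *
     * <p>Each kept character carries at most 6 bits, so the default length of 20 gives at most
     * 120 bits. NOTE(review): that bound only holds if {@code Salt.getRandomBytes} draws from a
     * cryptographically strong source, and a long configured length is only safe if
     * {@code encodeBuffer} does not wrap its output into lines - confirm both.
     */
    private static String generateNewId() {
        return new String(new BASE64Encoder().encodeBuffer(Salt.getRandomBytes(AUTH_COOKIE_ID_LENGTH))).substring(0, AUTH_COOKIE_ID_LENGTH).replace('/', '.').replace('+', '-').replace('=', '_');
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies that the request carries the auth cookie recorded for the session.
     *
     * <p>The check passes without comparing anything when auth cookies are disabled, the
     * request is not secure, session cookies are disabled, the request matches no security
     * constraint, or no id is recorded for the session. The cookie therefore adds protection
     * only to constrained resources reached over a secure connection.
     *
     * @return {@code true} when the check is skipped or the cookie matches; {@code false} when
     *     an id is recorded and neither the request nor the pending response carries it
     */
    public boolean checkAuthCookie(HttpServer httpServer, HttpServletRequest httpServletRequest, SessionInternal sessionInternal) {
        if (!httpServer.isAuthCookieEnabled() || !httpServletRequest.isSecure() || !getServletContext().getSessionContext().getConfigMgr().isSessionCookiesEnabled() || this.webAppSecurity.getConstraint(httpServletRequest) == null) {
            return true;
        }
        String str = null;
        String wLSAuthCookieName = getWLSAuthCookieName(sessionInternal);
        if (sessionInternal != null) {
            str = httpServer.getSessionLogin().getCookieId(sessionInternal.getInternalId());
            if (str != null) {
                sessionInternal.setInternalAttribute(wLSAuthCookieName, str);
            } else {
                str = (String) sessionInternal.getInternalAttribute(wLSAuthCookieName);
            }
        }
        if (str == null) {
            return true;
        }
        // NOTE(review): String.equals returns at the first differing character; for a
        // constant-time comparison of the secret, java.security.MessageDigest.isEqual on the
        // encoded bytes is the usual replacement.
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                // str is known to be non-null here, so comparing from its side cannot throw
                // on a cookie that has no value.
                if (cookies[i].getName().equals(wLSAuthCookieName) && str.equals(cookies[i].getValue())) {
                    return true;
                }
            }
        }
        // Also accept a cookie already queued on the response, e.g. one issued earlier while
        // handling this same request.
        Cookie cookie = ServletRequestImpl.getOriginalRequest(httpServletRequest).getResponse().getCookie(wLSAuthCookieName);
        return cookie != null && str.equals(cookie.getValue());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Sends a 403 with the standard error page, unless {@code delegateControl} is set. */
    public void sendForbiddenResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.delegateControl) {
            return;
        }
        httpServletResponse.sendError(403, ErrorMessages.getErrorPage(403));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Sends a 401 with the standard error page, unless {@code delegateControl} is set. */
    public void sendUnauthorizedResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.delegateControl) {
            return;
        }
        httpServletResponse.sendError(401, ErrorMessages.getErrorPage(401));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Challenges the client: sets {@code WWW-Authenticate} to the realm banner and sends a 401,
     * unless {@code delegateControl} is set.
     */
    public void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.delegateControl) {
            return;
        }
        ServletRequestImpl.getOriginalRequest(httpServletRequest).getResponse().setHeaderInternal("WWW-Authenticate", this.authRealmBanner);
        sendUnauthorizedResponse(httpServletRequest, httpServletResponse);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return true only when full security delegation is required and the constraint is marked forbidden */
    public boolean isForbidden(ResourceConstraint resourceConstraint) {
        return this.webAppSecurity.isFullSecurityDelegationRequired() && resourceConstraint != null && resourceConstraint.isForbidden();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fetches (or, with {@code z} true, creates) the request's session.
     *
     * <p>When the calling thread currently runs as the kernel identity, the lookup is executed
     * under the anonymous subject instead, so the session is not obtained with kernel
     * privileges.
     *
     * @throws NestedRuntimeException when the lookup under the anonymous subject fails
     */
    public final SessionInternal getUserSession(HttpServletRequest httpServletRequest, boolean z) {
        if (!SecurityServiceManager.isKernelIdentity(SecurityServiceManager.getCurrentSubject(KERNEL_ID))) {
            return (SessionInternal) httpServletRequest.getSession(z);
        }
        SessionRetrievalAction sessionRetrievalAction = new SessionRetrievalAction(httpServletRequest, z);
        Throwable th = (Throwable) SecurityServiceManager.runAs(KERNEL_ID, SubjectUtils.getAnonymousSubject(), sessionRetrievalAction);
        if (th == null) {
            return sessionRetrievalAction.getUserSession();
        }
        if (th instanceof NestedRuntimeException) {
            throw ((NestedRuntimeException) th);
        }
        HTTPSessionLogger.logUnexpectedError(getServletContext().getLogContext(), th);
        throw new NestedRuntimeException("Failed to retrieve session: " + th.getMessage(), th);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs the configured servlet authentication filters, if any.
     *
     * <p>NOTE(review): both subject arguments to {@code runAs} are the kernel identity, so the
     * filters presumably execute with kernel privileges - confirm, and treat deployed
     * authentication filters as fully trusted code.
     *
     * @throws ServletException wrapping whatever the chain threw, {@code Error}s included
     */
    public void invokeAuthFilterChain(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        if (this.webAppSecurity.hasAuthFilters()) {
            Throwable th = (Throwable) SecurityServiceManager.runAs(KERNEL_ID, KERNEL_ID, new ServletAuthenticationFilterAction(httpServletRequest, httpServletResponse, this.webAppSecurity.getAuthFilterChain()));
            if (th != null) {
                throw new ServletException(th);
            }
        }
    }

    /**
     * Splits an auth-method list and validates it.
     *
     * <p>Every entry must be one of BASIC, FORM, CLIENT_CERT_AUTH, DIGEST, ASSERTION,
     * BASIC_ENFORCE or BASIC_PLAIN, and BASIC, BASIC_ENFORCE, BASIC_PLAIN and FORM are accepted
     * only as the last entry.
     *
     * @throws IllegalArgumentException for a {@code null} list, an unknown entry, or a
     *     misplaced BASIC-family or FORM entry
     */
    private static String[] validateAuthMethods(String str) {
        if (str == null) {
            throw new IllegalArgumentException("NULL auth-method list");
        }
        String[] splitCompletely = StringUtils.splitCompletely(str, ", ");
        for (int i = 0; i < splitCompletely.length; i++) {
            if (!splitCompletely[i].equals("BASIC") && !splitCompletely[i].equals("FORM") && !splitCompletely[i].equals(HttpServletRequest.CLIENT_CERT_AUTH) && !splitCompletely[i].equals("DIGEST") && !splitCompletely[i].equals(ASSERTION_AUTH) && !splitCompletely[i].equals("BASIC_ENFORCE") && !splitCompletely[i].equals("BASIC_PLAIN")) {
                throw new IllegalArgumentException("Invalid auth-method list - " + str);
            }
            if ((splitCompletely[i].equals("BASIC") || splitCompletely[i].equals("BASIC_ENFORCE") || splitCompletely[i].equals("BASIC_PLAIN") || splitCompletely[i].equals("FORM")) && i != splitCompletely.length - 1) {
                throw new IllegalArgumentException("Invalid auth-method list - '" + splitCompletely[i] + " ' has to be at the end in '" + str + "'");
            }
        }
        return splitCompletely;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the module for the web application's configured auth method, defaulting to BASIC
     * when {@code webAppSecurity} is {@code null} or declares no method.
     */
    public static SecurityModule createModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity) {
        String str = null;
        if (webAppSecurity != null) {
            str = webAppSecurity.getAuthMethod();
        }
        if (str == null || str.length() < 1) {
            str = "BASIC";
        }
        return createModule(webAppServletContext, webAppSecurity, false, str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Maps an auth-method string to a concrete module and sets its realm banner.
     *
     * <p>DIGEST is not implemented: it is logged and a BASIC module is returned instead, so a
     * deployment that asks for DIGEST ends up with Basic authentication. REALM takes its method
     * list from {@code WebAppConfigManager.getRealmAuthMethods()}; any other string is treated
     * as a method list and validated.
     *
     * @param z the {@code delegateControl} flag handed to the module; not passed on for FORM,
     *     REALM or list-based modules
     * @param str the auth method; must not be {@code null}
     * @throws IllegalArgumentException when a method list fails validation
     */
    public static SecurityModule createModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity, boolean z, String str) {
        SecurityModule basic2SecurityModule;
        if (str.equals("BASIC")) {
            basic2SecurityModule = new BasicSecurityModule(webAppServletContext, webAppSecurity, z);
        } else if (str.equals("FORM")) {
            basic2SecurityModule = new FormSecurityModule(webAppServletContext, webAppSecurity);
        } else if (str.equals(HttpServletRequest.CLIENT_CERT_AUTH)) {
            basic2SecurityModule = new CertSecurityModule(webAppServletContext, webAppSecurity, z, false);
        } else if (str.equals("DIGEST")) {
            HTTPLogger.logDigestAuthNotSupported(webAppServletContext.getLogContext());
            basic2SecurityModule = new BasicSecurityModule(webAppServletContext, webAppSecurity, z);
        } else if (str.equals(ASSERTION_AUTH)) {
            basic2SecurityModule = new CertSecurityModule(webAppServletContext, webAppSecurity, z, true);
        } else if (str.equals("BASIC_ENFORCE") || str.equals("BASIC_PLAIN")) {
            basic2SecurityModule = new Basic2SecurityModule(webAppServletContext, webAppSecurity, z, str);
        } else if (str.equals(REALM_AUTH)) {
            // The result of this call is discarded; getRealmAuthMethods() below is static.
            webAppServletContext.getConfigManager();
            basic2SecurityModule = new ChainedSecurityModule(webAppServletContext, webAppSecurity, validateAuthMethods(WebAppConfigManager.getRealmAuthMethods()));
        } else {
            basic2SecurityModule = new ChainedSecurityModule(webAppServletContext, webAppSecurity, validateAuthMethods(str));
        }
        basic2SecurityModule.setAuthRealmBanner(webAppServletContext.getConfigManager().getAuthRealmName());
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug(webAppServletContext + " creating " + basic2SecurityModule);
        }
        return basic2SecurityModule;
    }

    static {
        // The domain-level setting is the default. A JVM system property of the same name, when
        // present, overrides it in either direction, so it can also switch session-id rotation
        // on login off.
        changeSessionIdOnAuthentication = webAppContainer.isChangeSessionIDOnAuthentication();
        String property = System.getProperty("changeSessionIdOnAuthentication");
        if (property != null) {
            // Boolean.parseBoolean parses exactly like the deprecated Boolean(String) constructor.
            changeSessionIdOnAuthentication = Boolean.parseBoolean(property);
        }
    }
}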
