package weblogic.servlet.security.internal;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.IllegalCharsetNameException;
import java.security.AccessController;
import java.util.ArrayList;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.security.SubjectUtils;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.servlet.HTTPLogger;
import weblogic.servlet.internal.ForwardAction;
import weblogic.servlet.internal.ServletInputStreamImpl;
import weblogic.servlet.internal.ServletRequestImpl;
import weblogic.servlet.internal.ServletResponseImpl;
import weblogic.servlet.internal.WebAppServletContext;
import weblogic.servlet.internal.session.SessionInternal;
import weblogic.utils.http.HttpConstants;
import weblogic.utils.http.QueryParams;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:weblogic/servlet/security/internal/FormSecurityModule.class */
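public final class FormSecurityModule extends SecurityModule {
    private static final AuthenticatedSubject KERNEL_ID = (AuthenticatedSubject) AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());

    /**
     * Servlet-spec FORM-auth action suffix. Every comparison in this class uses the
     * form with the leading '/', so that only a request whose last path segment is
     * exactly {@code j_security_check} enters the credential-processing path. (The
     * original code compared against {@code "j_security_check"} without the slash in
     * {@link #checkUserPerm}, which let a URI such as {@code /xj_security_check} reach
     * {@link #processJSecurityCheck} without the logout performed in {@link #checkAccess}.)
     */
    private static final String SECURITY_CHECK_SUFFIX = "/j_security_check";

    /**
     * Request attribute carrying the subject that was logged in when a j_security_check
     * request arrived, captured before that login is discarded. It is kept on the request
     * rather than in an instance field: this module is constructed once per web app (the
     * constructor takes the WebAppServletContext), so an instance field would be shared
     * between concurrent requests and could leak a stale "previous user" from one
     * request into another's invalidate-on-relogin decision.
     */
    private static final String PREVIOUS_USER_ATTR = "weblogic.formauth.previoususer";

    /**
     * FORM-based authentication module for one web application.
     *
     * @param webAppServletContext the owning web app context
     * @param webAppSecurity       the security configuration (login/error page, constraints)
     */
    public FormSecurityModule(WebAppServletContext webAppServletContext, WebAppSecurity webAppSecurity) {
        super(webAppServletContext, webAppSecurity);
    }

    /**
     * Decides whether the current request may proceed under FORM authentication.
     *
     * <p>Order of evaluation: an existing login is dropped on a j_security_check request
     * (after remembering who it was); any POST data saved by an earlier redirect to the
     * login page is replayed into the request; unconstrained resources, the login/error
     * pages and unrestricted constraints pass through; everything else goes through
     * {@link #checkUserPerm}.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response; written to only when access is denied
     * @param sessionInternal     the current session, or {@code null} if there is none
     * @param resourceConstraint  the constraint matching the request, or {@code null}
     * @param z                   passed through to {@link #checkUserPerm}; when true and
     *                            the web app declares auth filters, the filter chain is
     *                            invoked instead of sending the login page (the name is
     *                            the decompiler's; the exact meaning is not visible here)
     * @return {@code true} if the request may proceed; {@code false} if this module has
     *         already produced the response (login page, error page, redirect, 403)
     * @throws IOException      from the response or the auth filter chain
     * @throws ServletException from the auth filter chain
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal, ResourceConstraint resourceConstraint, boolean z) throws IOException, ServletException {
        String requestURI = httpServletRequest.getRequestURI();
        boolean securityCheck = requestURI.endsWith(SECURITY_CHECK_SUFFIX);
        if (sessionInternal != null && securityCheck) {
            // Remember the currently logged-in subject for processJSecurityCheck, then log it
            // out so the submitted credentials are evaluated against a clean session.
            AuthenticatedSubject previousUser = getCurrentUser(getHttpServer(), httpServletRequest, sessionInternal);
            httpServletRequest.setAttribute(PREVIOUS_USER_ATTR, previousUser);
            SecurityModule.logout(getHttpServer(), sessionInternal);
        }
        recoverSavedPostData(httpServletRequest, sessionInternal);

        boolean fullDelegation = this.webAppSecurity.isFullSecurityDelegationRequired();
        boolean adminMode = this.servletContext.isAdminMode();
        if (resourceConstraint == null && !fullDelegation && !securityCheck && !adminMode) {
            // No constraint applies to this URI: nothing to enforce.
            logAccessGranted("user: ", httpServletRequest);
            return true;
        }
        if (!this.webAppSecurity.checkTransport(resourceConstraint, httpServletRequest, httpServletResponse)) {
            // Transport guarantee not met; checkTransport is presumed to have answered the request.
            return false;
        }
        String relativeURI = WebAppSecurity.getRelativeURI(httpServletRequest);
        if (relativeURI.equals(this.webAppSecurity.getLoginPage()) || relativeURI.equals(this.webAppSecurity.getErrorPage())) {
            // The login and error pages must be reachable without a login.
            logAccessGranted("user: ", httpServletRequest);
            return true;
        }
        if (!fullDelegation && resourceConstraint != null && resourceConstraint.isUnrestricted() && !securityCheck && !adminMode) {
            logAccessGranted("", httpServletRequest);
            return true;
        }

        AuthenticatedSubject currentUser = getCurrentUser(getHttpServer(), httpServletRequest, sessionInternal);
        if (!checkUserPerm(httpServletRequest, httpServletResponse, sessionInternal, resourceConstraint, currentUser, z)) {
            return false;
        }
        if (currentUser != null && sessionInternal != null) {
            // The "immediate" marker only matters for the first request after a login;
            // the session may have been replaced or dropped by checkUserPerm, hence the null check.
            SessionInternal liveSession = getUserSession(httpServletRequest, false);
            if (liveSession != null) {
                liveSession.removeInternalAttribute("weblogic.formauth.immediate");
            }
        }
        return true;
    }

    /** Emits the "has permissions" debug line; {@code label} is either "user: " or "" to keep the original wording. */
    private void logAccessGranted(String label, HttpServletRequest httpServletRequest) {
        if (DEBUG_SEC.isDebugEnabled()) {
            DEBUG_SEC.debug(this.webAppSecurity.getContextLog() + ": " + label + httpServletRequest.getUserPrincipal() + " has permissions to access " + httpServletRequest);
        }
    }

    /**
     * Replays a POST that was parked in the session by {@link #stuffSession} while the
     * user was redirected to the login page: method, saved query parameters, body and
     * request headers are written back into the underlying request, and the session
     * attributes are cleared. The live request's Cookie header always wins over the saved
     * one, so the replayed request carries the session cookie issued by the login.
     *
     * @param httpServletRequest the current request (wrappers are unwrapped)
     * @param sessionInternal    the session holding the saved data, or {@code null}
     */
    private void recoverSavedPostData(HttpServletRequest httpServletRequest, SessionInternal sessionInternal) {
        if (sessionInternal == null) {
            return;
        }
        Object postCookie;
        try {
            postCookie = sessionInternal.getInternalAttribute("weblogic.formauth.postcookie");
        } catch (IllegalStateException invalidated) {
            // Session is no longer valid: there is nothing to replay, and any further
            // attribute access on it would throw again.
            return;
        }
        if (postCookie == null) {
            // Nothing parked. A leftover "method" marker from a GET is just cleaned up.
            String savedMethod = (String) sessionInternal.getInternalAttribute("weblogic.formauth.method");
            if (HttpConstants.GET_METHOD.equals(savedMethod)) {
                sessionInternal.removeInternalAttribute("weblogic.formauth.method");
            }
            return;
        }
        sessionInternal.removeInternalAttribute("weblogic.formauth.method");
        sessionInternal.removeInternalAttribute("weblogic.formauth.postcookie");

        ServletRequestImpl originalRequest = ServletRequestImpl.getOriginalRequest(httpServletRequest);
        String liveMethod = originalRequest.getMethod();
        originalRequest.setMethod(HttpConstants.POST_METHOD);

        // NOTE(review): "weblogic.formauth.queryparams" is read here but never written in this
        // class; presumably another component stores it.
        QueryParams savedParams = (QueryParams) sessionInternal.getInternalAttribute("weblogic.formauth.queryparams");
        if (savedParams != null) {
            sessionInternal.removeInternalAttribute("weblogic.formauth.queryparams");
            originalRequest.getRequestParameters().setQueryParams(savedParams);
        }

        byte[] savedBody = (byte[]) sessionInternal.getInternalAttribute("weblogic.formauth.bytearray");
        if (savedBody != null) {
            sessionInternal.removeInternalAttribute("weblogic.formauth.bytearray");
            originalRequest.setInputStream((ServletInputStream) new ServletInputStreamImpl(new ByteArrayInputStream(savedBody)));
            if (HttpConstants.POST_METHOD.equals(liveMethod)) {
                // The live request was itself a POST whose body is now being replaced and will
                // never be consumed; drop keep-alive so the unread bytes cannot desync the connection.
                originalRequest.getResponse().disableKeepAlive();
            }
        }
        restoreSavedHeaders(originalRequest, sessionInternal, savedBody);
    }

    /**
     * Restores the request headers parked by {@link #stuffSession}, substituting the live
     * Cookie header and zeroing Content-Length when no body was saved.
     *
     * @param originalRequest the unwrapped request whose headers are replaced
     * @param sessionInternal the session holding the saved header lists
     * @param savedBody       the replayed body, or {@code null} if none was saved
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static void restoreSavedHeaders(ServletRequestImpl originalRequest, SessionInternal sessionInternal, byte[] savedBody) {
        // The lists are stored untyped in the session; names are Strings (they are cast as such
        // below), values are whatever the header table produced plus the byte[] entries set here.
        ArrayList names = (ArrayList) sessionInternal.getInternalAttribute("weblogic.formauth.reqheadernames");
        if (names == null) {
            return;
        }
        ArrayList values = (ArrayList) sessionInternal.getInternalAttribute("weblogic.formauth.reqheadervalues");
        byte[] liveCookie = originalRequest.getRequestHeaders().getHeaderAsBytes(HttpConstants.COOKIE_HEADER);
        if (liveCookie != null) {
            // Header names are matched case-insensitively, like Content-Length below. The original
            // used COOKIE_HEADER.startsWith(savedName), which also matched any saved name that is a
            // prefix of "Cookie" and missed a differently-cased one.
            int cookieIdx = indexOfHeader(names, HttpConstants.COOKIE_HEADER);
            if (cookieIdx >= 0) {
                values.set(cookieIdx, liveCookie);
            } else {
                names.add(HttpConstants.COOKIE_HEADER);
                values.add(liveCookie);
            }
        }
        sessionInternal.removeInternalAttribute("weblogic.formauth.reqheadernames");
        sessionInternal.removeInternalAttribute("weblogic.formauth.reqheadervalues");
        if (savedBody == null || savedBody.length == 0) {
            // Saved Content-Length described a body we no longer have.
            int lengthIdx = indexOfHeader(names, HttpConstants.CONTENT_LENGTH_HEADER);
            if (lengthIdx >= 0) {
                values.set(lengthIdx, String.valueOf(0).getBytes());
            }
        }
        originalRequest.getRequestHeaders().reset();
        originalRequest.getRequestHeaders().setHeaders(names, values);
    }

    /** Index of {@code header} in {@code names} (case-insensitive), or -1 if absent. */
    @SuppressWarnings("rawtypes")
    private static int indexOfHeader(ArrayList names, String header) {
        int size = names.size();
        for (int i = 0; i < size; i++) {
            if (header.equalsIgnoreCase((String) names.get(i))) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Authorizes a request that is not trivially allowed: handles the j_security_check
     * submission, checks an already logged-in user, and otherwise sends the user to an
     * auth filter, a 403 or the login page.
     *
     * @param httpServletRequest   the request
     * @param httpServletResponse  the response, written to on every {@code false} return
     * @param sessionInternal      the current session, or {@code null}
     * @param resourceConstraint   the matching constraint, or {@code null}
     * @param authenticatedSubject the currently logged-in subject, or {@code null}
     * @param z                    see {@link #checkAccess}
     * @return {@code true} only when the user is logged in and has permission; otherwise
     *         the response has been produced here
     * @throws IOException      from the response
     * @throws ServletException from the auth filter chain
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ResourceConstraint resourceConstraint, AuthenticatedSubject authenticatedSubject, boolean z) throws IOException, ServletException {
        throw new UnsupportedOperationException("not reached");
    }

    @Override // weblogic.servlet.security.internal.SecurityModule
    public boolean checkUserPerm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal, ResourceConstraint resourceConstraint, AuthenticatedSubject authenticatedSubject, boolean z) throws IOException, ServletException {
        if (httpServletRequest.getRequestURI().endsWith(SECURITY_CHECK_SUFFIX)) {
            return processJSecurityCheck(httpServletRequest, httpServletResponse, sessionInternal);
        }
        if (authenticatedSubject != null) {
            return processLoggedInUser(httpServletRequest, httpServletResponse, authenticatedSubject);
        }
        if (this.webAppSecurity.isFullSecurityDelegationRequired() && this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, null, resourceConstraint)) {
            // Delegated mode: the provider may grant the (anonymous) request outright.
            return true;
        }
        if (z && this.webAppSecurity.hasAuthFilters()) {
            invokeAuthFilterChain(httpServletRequest, httpServletResponse);
            return false;
        }
        if (isForbidden(resourceConstraint)) {
            sendForbiddenResponse(httpServletRequest, httpServletResponse);
            return false;
        }
        sendLoginPage(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Handles the credential submission to {@code j_security_check}.
     *
     * <p>Missing or rejected credentials produce the error page. On success the subject is
     * logged in, the session is optionally invalidated when a different user re-logs in,
     * and the browser is redirected either to the URL saved before the login detour or
     * to the context root.
     *
     * <p>NOTE(review): the redirect target comes from session state that this class stored
     * from an earlier request's URI ({@link #stuffSession}), or from
     * {@code getURLForRedirect} when the original URL is retained. If the container can
     * surface a request URI starting with {@code //} or an absolute URL there, this becomes
     * an open redirect; confirm upstream URI normalization before relying on it.
     *
     * @return always {@code false}; the response is a redirect or the error page
     * @throws IOException from the response
     */
    private boolean processJSecurityCheck(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SessionInternal sessionInternal) throws IOException {
        applyRequestedCharacterEncoding(httpServletRequest);
        String username = httpServletRequest.getParameter("j_username");
        String password = httpServletRequest.getParameter("j_password");
        if (username == null || password == null) {
            sendError(httpServletRequest, httpServletResponse);
            return false;
        }
        AuthenticatedSubject subject = checkAuthenticate(username, password, httpServletRequest, httpServletResponse, getServletContext(), true);
        if (subject == null) {
            sendError(httpServletRequest, httpServletResponse);
            return false;
        }
        httpServletRequest.setAttribute(SecurityModule.REQUEST_AUTH_RESULT, Integer.valueOf(0));

        // Read the saved target before the session can be invalidated below.
        String target = null;
        if (sessionInternal != null) {
            target = getServletContext().getConfigManager().isRetainOriginalURL()
                    ? (String) sessionInternal.getInternalAttribute("weblogic.formauth.targeturl")
                    : (String) sessionInternal.getInternalAttribute(SecurityModule.SESSION_FORM_URI);
        }

        // Session-fixation mitigation on relogin: if a different, non-anonymous user was
        // logged in when this request arrived (captured in checkAccess) and the web app is
        // configured to invalidate on relogin, the old session is discarded.
        AuthenticatedSubject previousUser = (AuthenticatedSubject) httpServletRequest.getAttribute(PREVIOUS_USER_ATTR);
        if (previousUser != null && !SubjectUtils.isUserAnonymous(previousUser) && !SubjectUtils.getUsername(previousUser).equals(username)
                && getServletContext().getSessionContext().getConfigMgr().isInvalidateOnRelogin()) {
            if (sessionInternal != null && sessionInternal.isValid()) {
                sessionInternal.invalidate();
            }
            sessionInternal = null;
        }
        login(httpServletRequest, subject, sessionInternal);

        if (target == null) {
            // No saved URL (login page was requested directly): go to the context root.
            String requestURI = httpServletRequest.getRequestURI();
            int contextLength = httpServletRequest.getContextPath().length();
            String contextRoot = contextLength > 0 ? requestURI.substring(0, contextLength) : "/";
            httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(contextRoot));
            return false;
        }
        // The session may be absent here (invalidated above and not re-created by login), so
        // the markers are only set when there is one to hold them.
        SessionInternal userSession = getUserSession(httpServletRequest, false);
        if (userSession != null) {
            String savedMethod = (String) userSession.getInternalAttribute("weblogic.formauth.method");
            if (HttpConstants.POST_METHOD.equals(savedMethod)) {
                // Tells recoverSavedPostData on the next request that a POST is waiting to be replayed.
                userSession.setInternalAttribute("weblogic.formauth.postcookie", "true");
            }
            userSession.setInternalAttribute("weblogic.formauth.immediate", "true");
        }
        httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(target));
        return false;
    }

    /**
     * Applies the optional {@code j_character_encoding} form field to the request so the
     * credentials are decoded in the charset the login form declared. Unsupported or
     * malformed names are ignored.
     *
     * <p>NOTE(review): {@code getParameter} is called before {@code setCharacterEncoding};
     * under the Servlet spec the latter has no effect once parameters have been read, so
     * this relies on WebLogic re-decoding parameters — confirm.
     */
    private static void applyRequestedCharacterEncoding(HttpServletRequest httpServletRequest) throws IOException {
        String encoding = httpServletRequest.getParameter("j_character_encoding");
        if (encoding == null) {
            return;
        }
        try {
            if (Charset.isSupported(encoding)) {
                httpServletRequest.setCharacterEncoding(encoding);
            }
        } catch (IllegalCharsetNameException ignored) {
            // A syntactically invalid charset name from the form is treated like an unsupported one.
        }
    }

    /**
     * Authorizes a request from a user who is already logged in.
     *
     * <p>With permission, the saved-URL markers are cleared and access is granted only if the
     * auth cookie check passes; otherwise the user is sent back to the login page. Without
     * permission, a request that immediately follows a login gets the error page, a
     * non-forbidden constraint with relogin enabled gets the login page, and anything else
     * gets a 403.
     *
     * @return {@code true} only when access is granted; otherwise the response has been produced
     * @throws IOException from the response
     */
    private boolean processLoggedInUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticatedSubject authenticatedSubject) throws IOException {
        SessionInternal userSession = getUserSession(httpServletRequest, false);
        ResourceConstraint constraint = this.webAppSecurity.getConstraint(httpServletRequest);
        if (this.webAppSecurity.hasPermission(httpServletRequest, httpServletResponse, authenticatedSubject, constraint)) {
            if (userSession != null) {
                userSession.removeInternalAttribute(SecurityModule.SESSION_FORM_URI);
                userSession.removeInternalAttribute("weblogic.formauth.targeturl");
            }
            if (checkAuthCookie(getHttpServer(), httpServletRequest, userSession)) {
                return true;
            }
            if (DEBUG_SEC.isDebugEnabled()) {
                DEBUG_SEC.debug("AuthCookie not found - permission denied for " + httpServletRequest);
            }
            sendLoginPage(httpServletRequest, httpServletResponse);
            return false;
        }
        if (userSession != null && userSession.getInternalAttribute("weblogic.formauth.immediate") != null) {
            // First request after login and still no permission: report the error rather than loop.
            userSession.removeInternalAttribute("weblogic.formauth.immediate");
            sendError(httpServletRequest, httpServletResponse);
            return false;
        }
        if (!isReloginEnabled() || isForbidden(constraint)) {
            sendForbiddenResponse(httpServletRequest, httpServletResponse);
            return false;
        }
        sendLoginPage(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Renders the configured FORM error page with status 403, forwarding as the current
     * user (anonymous if none) under the kernel identity.
     *
     * <p>NOTE(review): when the response is already committed this falls back to a redirect
     * to the error page, which the Servlet spec defines as an IllegalStateException; this
     * relies on WebLogic's implementation — confirm.
     *
     * @throws IOException if the forward failed with an IOException; other failures are logged
     */
    @Override // weblogic.servlet.security.internal.SecurityModule
    public void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setStatus(403);
        if (httpServletResponse.isCommitted()) {
            httpServletResponse.sendRedirect(httpServletResponse.encodeURL(getContextURL(httpServletRequest) + this.webAppSecurity.getErrorPage()));
            return;
        }
        RequestDispatcher dispatcher = httpServletRequest.getRequestDispatcher(this.webAppSecurity.getErrorPage());
        AuthenticatedSubject runAsUser = SecurityModule.getCurrentUser(getServletContext().getServer(), httpServletRequest);
        if (runAsUser == null) {
            runAsUser = SubjectUtils.getAnonymousSubject();
        }
        Throwable failure = (Throwable) SecurityServiceManager.runAs(KERNEL_ID, runAsUser, new ForwardAction(dispatcher, httpServletRequest, httpServletResponse));
        if (failure != null) {
            if (failure instanceof IOException) {
                throw (IOException) failure;
            }
            HTTPLogger.logSendError(getServletContext().getLogContext(), failure);
        }
    }

    /**
     * Builds {@code scheme://host[:port]/context} for the request, omitting the port for
     * 80 and 443 regardless of scheme.
     *
     * <p>NOTE(review): the host comes from {@code getServerName()}, i.e. typically the
     * client's Host header; the value is only used for the committed-response redirect in
     * {@link #sendError}.
     */
    private static String getContextURL(HttpServletRequest httpServletRequest) {
        int serverPort = httpServletRequest.getServerPort();
        StringBuilder url = new StringBuilder(128);
        url.append(httpServletRequest.getScheme()).append("://").append(httpServletRequest.getServerName());
        if (serverPort != 80 && serverPort != 443) {
            url.append(':').append(serverPort);
        }
        url.append(ServletRequestImpl.getResolvedContextPath(httpServletRequest));
        return url.toString();
    }

    /**
     * Parks the current request in the session and redirects to the configured login page
     * (context-relative, so the redirect target is not taken from the request).
     */
    private void sendLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        stuffSession(httpServletRequest, httpServletResponse);
        httpServletResponse.sendRedirect(httpServletResponse.encodeURL(ServletRequestImpl.getResolvedContextPath(httpServletRequest) + this.webAppSecurity.getLoginPage()));
    }

    /**
     * Saves what is needed to resume the request after login: the URI (with query string),
     * the redirect form of that URL, the method, and for a POST the full body plus a copy
     * of the request headers. A session is created if none exists.
     *
     * <p>NOTE(review): the POST body is buffered in memory and stored in the session with no
     * size check here; this assumes the request-size limit is enforced upstream — confirm,
     * since an unauthenticated client reaches this path.
     */
    private void stuffSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        SessionInternal userSession = getUserSession(httpServletRequest, true);
        ServletRequestImpl originalRequest = ServletRequestImpl.getOriginalRequest(httpServletRequest);
        ServletResponseImpl response = originalRequest.getResponse();
        String requestURI = httpServletRequest.getRequestURI();
        String redirectURL = response.getURLForRedirect(requestURI);
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            redirectURL = redirectURL + "?" + queryString;
            requestURI = requestURI + "?" + queryString;
        }
        userSession.setInternalAttribute(SecurityModule.SESSION_FORM_URI, requestURI);
        userSession.setInternalAttribute("weblogic.formauth.targeturl", redirectURL);
        userSession.setInternalAttribute("weblogic.formauth.method", httpServletRequest.getMethod());
        if (originalRequest.getInputHelper().getRequestParser().isMethodPost()) {
            byte[] body = readFully(httpServletRequest.getInputStream());
            if (body.length > 0) {
                userSession.setInternalAttribute("weblogic.formauth.bytearray", body);
            } else {
                userSession.removeInternalAttribute("weblogic.formauth.bytearray");
            }
            // Cloned so later header edits on the live request do not alter the saved copy.
            userSession.setInternalAttribute("weblogic.formauth.reqheadernames", originalRequest.getRequestHeaders().getHeaderNamesAsArrayList().clone());
            userSession.setInternalAttribute("weblogic.formauth.reqheadervalues", originalRequest.getRequestHeaders().getHeaderValuesAsArrayList().clone());
        }
    }

    /** Drains {@code in} to a byte array; the stream is the request body and is not closed here. */
    private static byte[] readFully(ServletInputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buffer = new byte[4096];
        int read;
        while ((read = in.read(buffer, 0, buffer.length)) != -1) {
            out.write(buffer, 0, read);
        }
        return out.toByteArray();
    }
}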
