package org.apache.catalina.authenticator;

import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.DispatcherType;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Authenticator;
import org.apache.catalina.Contained;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.TomcatPrincipal;
import org.apache.catalina.Valve;
import org.apache.catalina.authenticator.jaspic.MessageInfoImpl;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.filters.CorsFilter;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.util.SessionIdGeneratorBase;
import org.apache.catalina.util.StandardSessionIdGenerator;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.http.FastHttpDateFormat;
import org.apache.tomcat.util.http.RequestUtil;
import org.apache.tomcat.util.res.StringManager;
import org.springframework.http.HttpHeaders;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.web.servlet.support.WebContentGenerator;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.70.jar:org/apache/catalina/authenticator/AuthenticatorBase.class */
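/**
 * Base valve for container-managed authentication, as recovered by a decompiler from
 * tomcat-embed-core 9.0.70. Subclasses supply the mechanism through {@link #doAuthenticate} and
 * {@link #getAuthMethod}; this class enforces the security constraints that the realm reports
 * for a request, caches the authenticated principal in the session, integrates with an optional
 * {@link SingleSignOn} valve and delegates to a JASPIC provider when one is registered.
 *
 * <p>Operational note: with debug logging enabled this class writes the request method, the
 * request URI and principal names to the log. The URI is client-supplied text, so treat these
 * log lines as untrusted content when they are parsed or displayed.
 *
 * <p>Several members carry an "access modifiers changed" marker from the decompiler. Their
 * visibility is left exactly as the decompiled source declares it.
 */
public abstract class AuthenticatorBase extends ValveBase implements Authenticator, RegistrationListener {
    private final Log log = LogFactory.getLog((Class<?>) AuthenticatorBase.class);

    /** HTTP date for epoch millisecond 1; sent as {@code Expires} so caches treat the page as stale. */
    private static final String DATE_ONE = FastHttpDateFormat.formatDate(1);
    protected static final StringManager sm = StringManager.getManager((Class<?>) AuthenticatorBase.class);
    protected static final String AUTH_HEADER_NAME = "WWW-Authenticate";
    /** Realm name returned by {@link #getRealmName(Context)} when the context does not configure one. */
    protected static final String REALM_NAME = "Authentication required";

    // When true, register() creates a session if none exists (6-argument overload).
    protected boolean alwaysUseSession = false;
    // When true, the principal is stored in, and restored from, the session.
    protected boolean cache = true;
    // When true, the session ID is replaced once a non-null principal is registered.
    protected boolean changeSessionIdOnAuthentication = true;
    protected Context context = null;
    // When true, cache-related headers are added to non-POST responses for constrained resources.
    protected boolean disableProxyCaching = true;
    // Selects the stricter Pragma/no-cache/Expires header set over "Cache-Control: private".
    protected boolean securePagesWithPragma = false;
    protected String secureRandomClass = null;
    protected String secureRandomAlgorithm = SessionIdGeneratorBase.DEFAULT_SECURE_RANDOM_ALGORITHM;
    protected String secureRandomProvider = null;
    protected String jaspicCallbackHandlerClass = "org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl";
    // When true, remote-user/auth-type response headers are emitted for forwarded requests.
    protected boolean sendAuthInfoResponseHeaders = false;
    // Created in startInternal(); generates the single sign-on identifier in register().
    protected SessionIdGeneratorBase sessionIdGenerator = null;
    // Located in startInternal() by walking the parent containers; null when no SSO valve exists.
    protected SingleSignOn sso = null;
    private AllowCorsPreflight allowCorsPreflight = AllowCorsPreflight.NEVER;
    private volatile String jaspicAppContextID = null;
    // null means "not looked up yet"; an empty Optional means "looked up, no provider".
    private volatile Optional<AuthConfigProvider> jaspicProvider = null;
    private volatile CallbackHandler jaspicCallbackHandler = null;

    /**
     * Policy for letting CORS preflight requests skip authentication; see
     * {@link AuthenticatorBase#allowCorsPreflightBypass(Request)} for how each value is applied.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.70.jar:org/apache/catalina/authenticator/AuthenticatorBase$AllowCorsPreflight.class */
    public enum AllowCorsPreflight {
        /** Preflight requests are never exempted from authentication. */
        NEVER,
        /** Exempted only when a CorsFilter is mapped to "/*" for REQUEST dispatches. */
        FILTER,
        /** Every request recognised as a preflight is exempted. */
        ALWAYS
    }

    /** Per-request holder for the JASPIC message info and the server auth context in use. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.70.jar:org/apache/catalina/authenticator/AuthenticatorBase$JaspicState.class */
    public static class JaspicState {
        public MessageInfo messageInfo = null;
        public ServerAuthContext serverAuthContext = null;

        private JaspicState() {
        }
    }

    /**
     * Returns the realm name configured in the context's login configuration.
     *
     * @param context the web application context; may be {@code null}
     * @return the configured realm name, or {@link #REALM_NAME} when the context, its login
     *         configuration or the realm name is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static String getRealmName(Context context) {
        if (context == null) {
            return REALM_NAME;
        }
        LoginConfig loginConfig = context.getLoginConfig();
        if (loginConfig == null) {
            return REALM_NAME;
        }
        String realmName = loginConfig.getRealmName();
        return realmName == null ? REALM_NAME : realmName;
    }

    /** Creates the valve with the defaults declared on the fields above. */
    public AuthenticatorBase() {
        super(true);
    }

    /** @return the CORS preflight policy as a lower-case name */
    public String getAllowCorsPreflight() {
        return allowCorsPreflight.name().toLowerCase(Locale.ENGLISH);
    }

    /**
     * Sets the CORS preflight policy from its case-insensitive name.
     *
     * @param allowCorsPreflight one of the {@link AllowCorsPreflight} names; surrounding
     *        whitespace is ignored
     * @throws IllegalArgumentException if the name matches no {@link AllowCorsPreflight} value
     * @throws NullPointerException if the argument is {@code null}
     */
    public void setAllowCorsPreflight(String allowCorsPreflight) {
        this.allowCorsPreflight = AllowCorsPreflight.valueOf(allowCorsPreflight.trim().toUpperCase(Locale.ENGLISH));
    }

    public boolean getAlwaysUseSession() {
        return alwaysUseSession;
    }

    public void setAlwaysUseSession(boolean alwaysUseSession) {
        this.alwaysUseSession = alwaysUseSession;
    }

    public boolean getCache() {
        return cache;
    }

    public void setCache(boolean cache) {
        this.cache = cache;
    }

    /** @return the context this authenticator is attached to, or {@code null} */
    @Override
    public Container getContainer() {
        return context;
    }

    /**
     * Attaches this authenticator to a container.
     *
     * @param container the owning container; must be a {@link Context} or {@code null}
     * @throws IllegalArgumentException if {@code container} is non-null and not a {@link Context}
     */
    @Override
    public void setContainer(Container container) {
        if (container != null && !(container instanceof Context)) {
            throw new IllegalArgumentException(sm.getString("authenticator.notContext"));
        }
        super.setContainer(container);
        this.context = (Context) container;
    }

    public boolean getDisableProxyCaching() {
        return disableProxyCaching;
    }

    public void setDisableProxyCaching(boolean disableProxyCaching) {
        this.disableProxyCaching = disableProxyCaching;
    }

    public boolean getSecurePagesWithPragma() {
        return securePagesWithPragma;
    }

    public void setSecurePagesWithPragma(boolean securePagesWithPragma) {
        this.securePagesWithPragma = securePagesWithPragma;
    }

    public boolean getChangeSessionIdOnAuthentication() {
        return changeSessionIdOnAuthentication;
    }

    /**
     * Enables or disables the session ID change performed by {@link #register} after a
     * successful authentication. Disabling it leaves the pre-login session ID valid after
     * login, which removes this class's protection against session fixation.
     */
    public void setChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication) {
        this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
    }

    public String getSecureRandomClass() {
        return secureRandomClass;
    }

    public void setSecureRandomClass(String secureRandomClass) {
        this.secureRandomClass = secureRandomClass;
    }

    public String getSecureRandomAlgorithm() {
        return secureRandomAlgorithm;
    }

    public void setSecureRandomAlgorithm(String secureRandomAlgorithm) {
        this.secureRandomAlgorithm = secureRandomAlgorithm;
    }

    public String getSecureRandomProvider() {
        return secureRandomProvider;
    }

    public void setSecureRandomProvider(String secureRandomProvider) {
        this.secureRandomProvider = secureRandomProvider;
    }

    public String getJaspicCallbackHandlerClass() {
        return jaspicCallbackHandlerClass;
    }

    /**
     * Sets the class name that {@code createCallbackHandler()} loads and instantiates
     * reflectively. The value selects code to execute, so it must come from trusted
     * configuration only.
     */
    public void setJaspicCallbackHandlerClass(String jaspicCallbackHandlerClass) {
        this.jaspicCallbackHandlerClass = jaspicCallbackHandlerClass;
    }

    public boolean isSendAuthInfoResponseHeaders() {
        return sendAuthInfoResponseHeaders;
    }

    public void setSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders) {
        this.sendAuthInfoResponseHeaders = sendAuthInfoResponseHeaders;
    }

    /**
     * Enforces the security constraints that apply to the request and, if all checks pass,
     * hands the request to the next valve.
     *
     * <p>Order of checks: restore a cached principal from the session, look up the constraints,
     * add cache headers, check the user-data (transport) constraint, decide whether
     * authentication is needed, apply the CORS preflight exemption, authenticate, check the
     * resource (role) permission. Every failed check returns without calling the next valve;
     * no error is sent here, so the realm or authenticator that reported the failure is
     * expected to have written the response (not visible in this class).
     *
     * @param request the request being processed
     * @param response the response being produced
     * @throws IOException if thrown by an authenticator, the realm or a later valve
     * @throws ServletException if thrown by a later valve
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
        }

        // Restore a previously authenticated principal from the session, without creating one.
        if (cache && request.getUserPrincipal() == null) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                Principal principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("We have cached auth type " + session.getAuthType() + " for principal " + principal);
                    }
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(principal);
                }
            }
        }

        boolean authRequired = isContinuationRequired(request);
        Realm realm = context.getRealm();
        SecurityConstraint[] constraints = realm.findSecurityConstraints(request, context);

        // A registered JASPIC provider is always consulted, constrained resource or not.
        AuthConfigProvider jaspicProvider = getJaspicProvider();
        if (jaspicProvider != null) {
            authRequired = true;
        }

        if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
            if (log.isDebugEnabled()) {
                log.debug("Not subject to any constraint");
            }
            getNext().invoke(request, response);
            return;
        }

        // Keep shared caches from storing protected content. POST responses are left alone.
        if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
            if (securePagesWithPragma) {
                response.setHeader("Pragma", "No-cache");
                response.setHeader("Cache-Control", "no-cache");
                response.setHeader("Expires", DATE_ONE);
            } else {
                response.setHeader("Cache-Control", "private");
            }
        }

        if (constraints != null) {
            if (log.isDebugEnabled()) {
                log.debug("Calling hasUserDataPermission()");
            }
            if (!realm.hasUserDataPermission(request, response, constraints)) {
                if (log.isDebugEnabled()) {
                    log.debug("Failed hasUserDataPermission() test");
                }
                return;
            }
        }

        // True only if EVERY matching constraint demands an authenticated user: each one must
        // carry an auth constraint and name all roles, any authenticated user, or a role list.
        boolean hasAuthConstraint = false;
        if (constraints != null) {
            hasAuthConstraint = true;
            for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
                if (!constraints[i].getAuthConstraint()) {
                    hasAuthConstraint = false;
                } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
                    String[] roles = constraints[i].findAuthRoles();
                    if (roles == null || roles.length == 0) {
                        hasAuthConstraint = false;
                    }
                }
            }
        }

        if (!authRequired && hasAuthConstraint) {
            authRequired = true;
        }
        if (!authRequired && context.getPreemptiveAuthentication() && isPreemptiveAuthPossible(request)) {
            authRequired = true;
        }

        // A permitted preflight skips authentication AND the resource-permission check below.
        JaspicState jaspicState = null;
        if ((authRequired || constraints != null) && allowCorsPreflightBypass(request)) {
            if (log.isDebugEnabled()) {
                log.debug("CORS Preflight request bypassing authentication");
            }
            getNext().invoke(request, response);
            return;
        }

        if (authRequired) {
            if (log.isDebugEnabled()) {
                log.debug("Calling authenticate()");
            }
            if (jaspicProvider != null) {
                jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
                if (jaspicState == null) {
                    // getJaspicState() has already sent the error response.
                    return;
                }
            }
            boolean authenticated = (jaspicProvider == null)
                    ? doAuthenticate(request, response)
                    : authenticateJaspic(request, response, jaspicState, false);
            if (!authenticated) {
                if (log.isDebugEnabled()) {
                    log.debug("Failed authenticate() test");
                }
                return;
            }
        }

        if (constraints != null) {
            if (log.isDebugEnabled()) {
                log.debug("Calling accessControl()");
            }
            if (!realm.hasResourcePermission(request, response, constraints, context)) {
                if (log.isDebugEnabled()) {
                    log.debug("Failed accessControl() test");
                }
                return;
            }
        }

        if (log.isDebugEnabled()) {
            log.debug("Successfully passed all security constraints");
        }
        getNext().invoke(request, response);

        // jaspicState is non-null here: a provider forces authRequired, so it was created above.
        if (jaspicProvider != null) {
            secureResponseJspic(request, response, jaspicState);
        }
    }

    /**
     * Decides whether the request is a CORS preflight that may skip authentication.
     *
     * <p>A request counts as a preflight when its method is {@code OPTIONS}, it carries a
     * non-empty, valid {@code Origin} header that is not same-origin, and it carries a non-empty
     * {@code Access-Control-Request-Method} header. All of these are client-controlled, so any
     * client can produce such a request: with {@link AllowCorsPreflight#ALWAYS} every matching
     * {@code OPTIONS} request reaches the application unauthenticated, and the application must
     * not perform protected work for that method.
     *
     * @param request the request being processed
     * @return {@code true} if authentication should be skipped for this request
     */
    protected boolean allowCorsPreflightBypass(Request request) {
        if (allowCorsPreflight == AllowCorsPreflight.NEVER || !"OPTIONS".equals(request.getMethod())) {
            return false;
        }
        String origin = request.getHeader("Origin");
        if (origin == null || origin.isEmpty() || !RequestUtil.isValidOrigin(origin)
                || RequestUtil.isSameOrigin(request, origin)) {
            return false;
        }
        String requestedMethod = request.getHeader("Access-Control-Request-Method");
        if (requestedMethod == null || requestedMethod.isEmpty()) {
            return false;
        }

        if (allowCorsPreflight == AllowCorsPreflight.ALWAYS) {
            return true;
        }
        if (allowCorsPreflight == AllowCorsPreflight.FILTER && DispatcherType.REQUEST == request.getDispatcherType()) {
            return isCorsFilterMappedToAllRequests(request);
        }
        return false;
    }

    /**
     * Reports whether the context's CorsFilter is mapped to the URL pattern "/*" for REQUEST
     * dispatches. Only the first CorsFilter definition and its first filter mapping are examined.
     *
     * <p>NOTE(review): the decompiled loops never advanced their index after a match and so
     * could not terminate. Stopping at the first match is the reading adopted here; confirm
     * against the original sources.
     */
    private boolean isCorsFilterMappedToAllRequests(Request request) {
        for (FilterDef filterDef : request.getContext().findFilterDefs()) {
            if (!CorsFilter.class.getName().equals(filterDef.getFilterClass())) {
                continue;
            }
            for (FilterMap filterMap : context.findFilterMaps()) {
                if (!filterMap.getFilterName().equals(filterDef.getFilterName())) {
                    continue;
                }
                if ((filterMap.getDispatcherMapping() & FilterMap.REQUEST) > 0) {
                    for (String urlPattern : filterMap.getURLPatterns()) {
                        if ("/*".equals(urlPattern)) {
                            return true;
                        }
                    }
                }
                // Mapping for the CORS filter found; no further mappings are examined.
                return false;
            }
            // CORS filter found; no further filter definitions are examined.
            return false;
        }
        return false;
    }

    /**
     * Authenticates the request, through the JASPIC provider when one is registered and through
     * {@link #doAuthenticate} otherwise.
     *
     * @return {@code true} if the caller is authenticated
     * @throws IOException if writing the challenge or error response fails
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse) throws IOException {
        AuthConfigProvider provider = getJaspicProvider();
        if (provider == null) {
            return doAuthenticate(request, httpServletResponse);
        }
        Response response = request.getResponse();
        JaspicState jaspicState = getJaspicState(provider, request, response, true);
        if (jaspicState == null) {
            return false;
        }
        boolean authenticated = authenticateJaspic(request, response, jaspicState, true);
        secureResponseJspic(request, response, jaspicState);
        return authenticated;
    }

    /**
     * Lets the JASPIC auth context post-process the response and adopts the request/response
     * objects it leaves in the message info. A failure is logged as a warning and not rethrown.
     */
    private void secureResponseJspic(Request request, Response response, JaspicState jaspicState) {
        try {
            jaspicState.serverAuthContext.secureResponse(jaspicState.messageInfo, null);
            request.setRequest((HttpServletRequest) jaspicState.messageInfo.getRequestMessage());
            response.setResponse((HttpServletResponse) jaspicState.messageInfo.getResponseMessage());
        } catch (AuthException e) {
            log.warn(sm.getString("authenticator.jaspicSecureResponseFail"), e);
        }
    }

    /**
     * Builds the per-request JASPIC state.
     *
     * @param mandatory passed to the message info as its third constructor argument
     * @return the state, or {@code null} after a 500 response has been sent because the auth
     *         context could not be obtained
     * @throws IOException if sending the error response fails
     */
    private JaspicState getJaspicState(AuthConfigProvider authConfigProvider, Request request, Response response,
            boolean mandatory) throws IOException {
        JaspicState jaspicState = new JaspicState();
        jaspicState.messageInfo = new MessageInfoImpl(request.getRequest(), response.getResponse(), mandatory);
        try {
            ServerAuthConfig serverAuthConfig =
                    authConfigProvider.getServerAuthConfig("HttpServlet", jaspicAppContextID, getCallbackHandler());
            String authContextId = serverAuthConfig.getAuthContextID(jaspicState.messageInfo);
            jaspicState.serverAuthContext = serverAuthConfig.getAuthContext(authContextId, null, null);
            return jaspicState;
        } catch (AuthException e) {
            // Fail closed: the request is rejected rather than passed on unauthenticated.
            log.warn(sm.getString("authenticator.jaspicServerAuthContextFail"), e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return null;
        }
    }

    /** Returns the cached callback handler, creating it on first use. */
    private CallbackHandler getCallbackHandler() {
        CallbackHandler handler = jaspicCallbackHandler;
        if (handler == null) {
            handler = createCallbackHandler();
        }
        return handler;
    }

    /**
     * Loads and instantiates {@link #jaspicCallbackHandlerClass}, trying the thread context
     * class loader first and this class's loader second, then caches the instance.
     *
     * @throws SecurityException if the class cannot be found or instantiated
     */
    private CallbackHandler createCallbackHandler() {
        Class<?> handlerClass = null;
        try {
            handlerClass = Class.forName(jaspicCallbackHandlerClass, true,
                    Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException ignored) {
            // Not visible to the context class loader; retried with the default loader below.
        }

        CallbackHandler handler;
        try {
            if (handlerClass == null) {
                handlerClass = Class.forName(jaspicCallbackHandlerClass);
            }
            // Instantiation sits inside the try so that its checked reflective exceptions are
            // wrapped in the same way as a failed class lookup.
            handler = (CallbackHandler) handlerClass.getConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new SecurityException(e);
        }

        if (handler instanceof Contained) {
            ((Contained) handler).setContainer(getContainer());
        }
        jaspicCallbackHandler = handler;
        return handler;
    }

    /**
     * Performs the mechanism-specific authentication.
     *
     * @return {@code true} if the caller is authenticated and processing may continue
     * @throws IOException if writing the challenge or error response fails
     */
    protected abstract boolean doAuthenticate(Request request, HttpServletResponse httpServletResponse) throws IOException;

    /** Hook for subclasses; this base implementation always returns {@code false}. */
    protected boolean isContinuationRequired(Request request) {
        return false;
    }

    /** Associates the session with the single sign-on identifier; a no-op without an SSO valve. */
    protected void associate(String ssoId, Session session) {
        if (sso == null) {
            return;
        }
        sso.associate(ssoId, session);
    }

    /**
     * Validates the request through the JASPIC auth context and registers the resulting
     * principal.
     *
     * @param requirePrincipal when {@code true}, a successful validation that yields no
     *        principal is treated as a failure
     * @return {@code true} if validation succeeded
     */
    private boolean authenticateJaspic(Request request, Response response, JaspicState jaspicState,
            boolean requirePrincipal) {
        boolean cachedAuth = checkForCachedAuthentication(request, response, false);
        Subject subject = new Subject();
        try {
            AuthStatus status = jaspicState.serverAuthContext.validateRequest(jaspicState.messageInfo, subject, null);
            // The module may have wrapped the messages; adopt whatever it left behind.
            request.setRequest((HttpServletRequest) jaspicState.messageInfo.getRequestMessage());
            response.setResponse((HttpServletResponse) jaspicState.messageInfo.getResponseMessage());
            if (status != AuthStatus.SUCCESS) {
                return false;
            }

            GenericPrincipal principal = getPrincipal(subject);
            if (log.isDebugEnabled()) {
                log.debug("Authenticated user: " + principal);
            }
            if (principal == null) {
                request.setUserPrincipal(null);
                request.setAuthType(null);
                if (requirePrincipal) {
                    return false;
                }
            } else if (!cachedAuth || !principal.getUserPrincipal().equals(request.getUserPrincipal())) {
                // Register unless the same principal was already restored from the cache.
                Map<?, ?> map = jaspicState.messageInfo.getMap();
                Boolean registerSession = null;
                String registerValue = (String) map.get("javax.servlet.http.registerSession");
                if (registerValue != null) {
                    registerSession = Boolean.valueOf(registerValue);
                }
                String authTypeValue = (String) map.get("javax.servlet.http.authType");
                String authType = authTypeValue != null ? authTypeValue : "JASPIC";
                if (registerSession != null) {
                    register(request, response, principal, authType, null, null,
                            alwaysUseSession || registerSession.booleanValue(), registerSession.booleanValue());
                } else {
                    register(request, response, principal, authType, null, null);
                }
            }
            request.setNote(Constants.REQ_JASPIC_SUBJECT_NOTE, subject);
            return true;
        } catch (AuthException e) {
            log.debug(sm.getString("authenticator.loginFail"), e);
            return false;
        }
    }

    /**
     * Returns the first {@link GenericPrincipal} among the subject's private credentials, or
     * {@code null} when the subject is {@code null} or holds none.
     */
    private GenericPrincipal getPrincipal(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<GenericPrincipal> principals = subject.getPrivateCredentials(GenericPrincipal.class);
        if (principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next();
    }

    /**
     * Checks whether the request is already authenticated: by a principal on the request, by a
     * single sign-on session, or by a remote user name that the connector supplied.
     *
     * <p>In the remote-user case the name is not verified here. The realm is asked for a
     * principal by name only, and if it knows none, a principal with that name and no roles is
     * created anyway. The connector is therefore trusted to deliver names from an
     * authenticated upstream only.
     *
     * @param useSSO whether reauthentication through the SSO valve may be attempted
     * @return {@code true} if an authenticated principal is (now) set on the request
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean checkForCachedAuthentication(Request request, HttpServletResponse httpServletResponse,
            boolean useSSO) {
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);

        if (principal != null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("authenticator.check.found", principal.getName()));
            }
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            return true;
        }

        if (useSSO && ssoId != null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("authenticator.check.sso", ssoId));
            }
            if (reauthenticateFromSSO(ssoId, request)) {
                return true;
            }
        }

        if (!request.getCoyoteRequest().getRemoteUserNeedsAuthorization()) {
            return false;
        }
        String username = request.getCoyoteRequest().getRemoteUser().toString();
        if (username == null) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("authenticator.check.authorize", username));
        }
        Principal authorized = context.getRealm().authenticate(username);
        if (authorized == null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("authenticator.check.authorizeFail", username));
            }
            // Unknown to the realm: accepted with the supplied name and no roles.
            authorized = new GenericPrincipal(username, null, null);
        }
        String authType = request.getAuthType();
        if (authType == null || authType.length() == 0) {
            authType = getAuthMethod();
        }
        register(request, httpServletResponse, authorized, authType, username, null);
        return true;
    }

    /**
     * Attempts to reauthenticate the request through the SSO valve and, on success, associates
     * the (possibly new) session with the SSO identifier.
     *
     * @return {@code true} if the SSO valve reauthenticated the request
     */
    protected boolean reauthenticateFromSSO(String ssoId, Request request) {
        if (sso == null || ssoId == null) {
            return false;
        }
        boolean reauthenticated = false;
        Container parent = getContainer();
        if (parent != null) {
            Realm realm = parent.getRealm();
            if (realm != null) {
                reauthenticated = sso.reauthenticate(ssoId, realm, request);
            }
        }
        if (reauthenticated) {
            associate(ssoId, request.getSessionInternal(true));
            if (log.isDebugEnabled()) {
                log.debug("Reauthenticated cached principal '" + request.getUserPrincipal().getName()
                        + "' with auth type '" + request.getAuthType() + "'");
            }
        }
        return reauthenticated;
    }

    /**
     * Registers an authenticated principal using this valve's {@code alwaysUseSession} and
     * {@code cache} settings; see the 8-argument overload.
     */
    public void register(Request request, HttpServletResponse httpServletResponse, Principal principal,
            String authType, String username, String password) {
        register(request, httpServletResponse, principal, authType, username, password, alwaysUseSession, cache);
    }

    /**
     * Records the principal on the request, optionally caches it in the session and keeps the
     * single sign-on state in step. Passing a {@code null} principal is how {@link #logout}
     * clears the authentication.
     *
     * <p>Security-relevant behaviour:
     * <ul>
     * <li>If a session already exists and the principal is non-null, the session ID is changed
     *     (unless disabled), so an ID issued before login cannot be reused afterwards.</li>
     * <li>The {@code remote-user} and {@code auth-type} response headers are written only for
     *     requests flagged as forwarded. They identify the user, so the front end that consumes
     *     them presumably needs to strip them before replying to the client (verify in the
     *     deployment).</li>
     * <li>The SSO cookie's {@code Secure} flag mirrors {@code request.isSecure()}. If TLS
     *     terminates in front of the container and the connector does not report the request
     *     as secure, the cookie is issued without it.</li>
     * <li>The user name and password are handed to the SSO valve together with the principal;
     *     how long they are retained is decided there.</li>
     * </ul>
     *
     * @param forceSession create a session when none exists
     * @param cacheInSession store the auth type and principal in the session
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void register(Request request, HttpServletResponse httpServletResponse, Principal principal,
            String authType, String username, String password, boolean forceSession, boolean cacheInSession) {
        if (log.isDebugEnabled()) {
            String name = (principal == null) ? "none" : principal.getName();
            log.debug("Authenticated '" + name + "' with type '" + authType + "'");
        }

        request.setAuthType(authType);
        request.setUserPrincipal(principal);

        if (sendAuthInfoResponseHeaders
                && Boolean.TRUE.equals(request.getAttribute(Globals.REQUEST_FORWARDED_ATTRIBUTE))) {
            httpServletResponse.setHeader("remote-user", request.getRemoteUser());
            httpServletResponse.setHeader("auth-type", request.getAuthType());
        }

        Session session = request.getSessionInternal(false);
        if (session != null) {
            if (getChangeSessionIdOnAuthentication() && principal != null) {
                String newSessionId = changeSessionID(request, session);
                // Keep the stored ID current when a note for it exists.
                if (session.getNote(Constants.SESSION_ID_NOTE) != null) {
                    session.setNote(Constants.SESSION_ID_NOTE, newSessionId);
                }
            }
        } else if (forceSession) {
            session = request.getSessionInternal(true);
        }

        if (session != null && cacheInSession) {
            session.setAuthType(authType);
            session.setPrincipal(principal);
        }

        if (sso == null) {
            return;
        }

        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (ssoId == null) {
            // First authentication in this SSO scope: issue a new identifier as a session cookie.
            ssoId = sessionIdGenerator.generateSessionId();
            Cookie cookie = new Cookie(sso.getCookieName(), ssoId);
            cookie.setMaxAge(-1);
            cookie.setPath("/");
            cookie.setSecure(request.isSecure());
            String cookieDomain = sso.getCookieDomain();
            if (cookieDomain != null) {
                cookie.setDomain(cookieDomain);
            }
            if (request.getServletContext().getSessionCookieConfig().isHttpOnly()
                    || request.getContext().getUseHttpOnly()) {
                cookie.setHttpOnly(true);
            }
            httpServletResponse.addCookie(cookie);
            sso.register(ssoId, principal, authType, username, password);
            request.setNote(Constants.REQ_SSOID_NOTE, ssoId);
        } else {
            if (principal == null) {
                // Logout: drop the SSO registration and stop here.
                sso.deregister(ssoId);
                request.removeNote(Constants.REQ_SSOID_NOTE);
                return;
            }
            sso.update(ssoId, principal, authType, username, password);
        }

        if (session == null) {
            session = request.getSessionInternal(true);
        }
        sso.associate(ssoId, session);
    }

    /**
     * Changes the ID of the request's session and returns the new ID. The old ID is read only
     * when debug logging is on, for the log message.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String changeSessionID(Request request, Session session) {
        String oldId = null;
        if (log.isDebugEnabled()) {
            oldId = session.getId();
        }
        String newId = request.changeSessionId();
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("authenticator.changeSessionId", oldId, newId));
        }
        return newId;
    }

    /**
     * Authenticates the credentials against the realm and registers the resulting principal.
     *
     * @throws ServletException if the realm rejects the credentials
     */
    @Override
    public void login(String username, String password, Request request) throws ServletException {
        Principal principal = doLogin(request, username, password);
        register(request, request.getResponse(), principal, getAuthMethod(), username, password);
    }

    /** @return the authentication method name recorded as the request's auth type */
    protected abstract String getAuthMethod();

    /**
     * Asks the context's realm to authenticate the credentials.
     *
     * @return the authenticated principal, never {@code null}
     * @throws ServletException if the realm returns no principal
     */
    protected Principal doLogin(Request request, String username, String password) throws ServletException {
        Principal principal = context.getRealm().authenticate(username, password);
        if (principal == null) {
            throw new ServletException(sm.getString("authenticator.loginFail"));
        }
        return principal;
    }

    /**
     * Logs the caller out: cleans the JASPIC subject when one was stored on the request, calls
     * {@code logout()} on a {@link TomcatPrincipal}, then registers a {@code null} principal.
     * Failures in the first two steps are logged at debug level and do not stop the logout.
     */
    @Override
    public void logout(Request request) {
        AuthConfigProvider provider = getJaspicProvider();
        if (provider != null) {
            MessageInfoImpl messageInfo = new MessageInfoImpl(request, request.getResponse(), true);
            Subject subject = (Subject) request.getNote(Constants.REQ_JASPIC_SUBJECT_NOTE);
            if (subject != null) {
                try {
                    ServerAuthConfig serverAuthConfig =
                            provider.getServerAuthConfig("HttpServlet", jaspicAppContextID, getCallbackHandler());
                    String authContextId = serverAuthConfig.getAuthContextID(messageInfo);
                    serverAuthConfig.getAuthContext(authContextId, null, null).cleanSubject(messageInfo, subject);
                } catch (AuthException e) {
                    log.debug(sm.getString("authenticator.jaspicCleanSubjectFail"), e);
                }
            }
        }

        Principal principal = request.getPrincipal();
        if (principal instanceof TomcatPrincipal) {
            try {
                ((TomcatPrincipal) principal).logout();
            } catch (Throwable t) {
                ExceptionUtils.handleThrowable(t);
                log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
            }
        }

        register(request, request.getResponse(), null, null, null, null);
    }

    /**
     * Starts the valve: derives the JASPIC application context ID, locates the nearest
     * {@link SingleSignOn} valve in the parent containers and creates the generator used for
     * SSO identifiers from the configured secure-random settings.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public synchronized void startInternal() throws LifecycleException {
        ServletContext servletContext = context.getServletContext();
        jaspicAppContextID = servletContext.getVirtualServerName() + " " + servletContext.getContextPath();

        // Walk up the container hierarchy until a pipeline contains an SSO valve.
        Container parent = context.getParent();
        while (sso == null && parent != null) {
            for (Valve valve : parent.getPipeline().getValves()) {
                if (valve instanceof SingleSignOn) {
                    sso = (SingleSignOn) valve;
                    break;
                }
            }
            if (sso == null) {
                parent = parent.getParent();
            }
        }
        if (log.isDebugEnabled()) {
            if (sso != null) {
                log.debug("Found SingleSignOn Valve at " + sso);
            } else {
                log.debug("No SingleSignOn Valve is present");
            }
        }

        sessionIdGenerator = new StandardSessionIdGenerator();
        sessionIdGenerator.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
        sessionIdGenerator.setSecureRandomClass(getSecureRandomClass());
        sessionIdGenerator.setSecureRandomProvider(getSecureRandomProvider());

        super.startInternal();
    }

    /** Stops the valve and drops the reference to the SSO valve. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public synchronized void stopInternal() throws LifecycleException {
        super.stopInternal();
        sso = null;
    }

    /** Hook for subclasses; this base implementation always returns {@code false}. */
    protected boolean isPreemptiveAuthPossible(Request request) {
        return false;
    }

    /** Returns the registered JASPIC provider, looking it up on first use; {@code null} if none. */
    private AuthConfigProvider getJaspicProvider() {
        Optional<AuthConfigProvider> provider = jaspicProvider;
        if (provider == null) {
            provider = findJaspicProvider();
        }
        return provider.orElse(null);
    }

    /**
     * Looks up the JASPIC provider for this application, registering this valve as the
     * listener, and caches the result (including "none found").
     */
    private Optional<AuthConfigProvider> findJaspicProvider() {
        AuthConfigFactory factory = AuthConfigFactory.getFactory();
        Optional<AuthConfigProvider> provider;
        if (factory == null) {
            provider = Optional.empty();
        } else {
            provider = Optional.ofNullable(factory.getConfigProvider("HttpServlet", jaspicAppContextID, this));
        }
        jaspicProvider = provider;
        return provider;
    }

    /** Registration callback: refreshes the cached JASPIC provider. */
    @Override
    public void notify(String layer, String appContext) {
        findJaspicProvider();
    }
}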
