package org.apache.geronimo.jetty8.handler;

import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.geronimo.jetty8.JettyContainer;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.jacc.PolicyContextHandlerHttpServletRequest;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:org/apache/geronimo/jetty8/handler/JaccSecurityHandler.class */
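/**
 * Jetty {@link SecurityHandler} that answers Jetty's authorization questions with JACC
 * permission checks ({@link WebUserDataPermission} and {@link WebResourcePermission})
 * evaluated against an {@link AccessControlContext}.
 *
 * <p>Two contexts are involved: {@code defaultAcc}, supplied at construction and used for the
 * transport check and for deciding whether authentication is required, and the context carried
 * by an authenticated {@code GeronimoJettyUserIdentity}, used for the per-user resource check.
 *
 * <p>Every check fails closed: an {@link AccessControlException} is turned into {@code false},
 * and an identity of any other type is denied outright.
 */
public class JaccSecurityHandler extends SecurityHandler {
    // JACC policy context ID installed on the thread for the duration of each request.
    private final String policyContextID;
    // Context checked when no authenticated identity is involved.
    // NOTE(review): presumably the unauthenticated/default subject's permissions; confirm with the caller.
    private final AccessControlContext defaultAcc;

    /**
     * Wires the authenticator, login service and identity service into the handler.
     *
     * @param str JACC policy context ID to install while a request is handled
     * @param authenticator authenticator registered on this handler
     * @param loginService login service; it is given {@code identityService} before being registered
     * @param identityService identity service shared by the login service and this handler
     * @param accessControlContext context used for checks that do not involve a user identity
     */
    public JaccSecurityHandler(String str, Authenticator authenticator, LoginService loginService, IdentityService identityService, AccessControlContext accessControlContext) {
        setAuthenticator(authenticator);
        this.policyContextID = str;
        this.defaultAcc = accessControlContext;
        // The login service and the handler must resolve identities through the same service.
        loginService.setIdentityService(identityService);
        setLoginService(loginService);
        setIdentityService(identityService);
    }

    /**
     * Stops the handler by delegating to {@code super.doStop()}.
     *
     * @param jettyContainer not used by this implementation
     * @throws Exception if the superclass fails to stop
     */
    public void doStop(JettyContainer jettyContainer) throws Exception {
        super.doStop();
    }

    /**
     * Handles a request with this application's JACC policy context installed, then restores
     * the state that was present on entry.
     *
     * <p>The policy context ID, the callers and the request context data are captured before the
     * request is dispatched and put back in a single {@code finally} block. The restore therefore
     * runs exactly once on both the normal and the exceptional path, so the thread does not keep
     * this application's policy context after the request.
     *
     * @param str target path passed through to the superclass
     * @param request Jetty request
     * @param httpServletRequest servlet request, also pushed as JACC context data
     * @param httpServletResponse servlet response
     * @throws IOException propagated from the superclass
     * @throws ServletException propagated from the superclass
     */
    public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String previousContextId = PolicyContext.getContextID();
        Callers previousCallers = ContextManager.getCallers();
        HttpServletRequest previousContextData = PolicyContextHandlerHttpServletRequest.pushContextData(httpServletRequest);
        try {
            PolicyContext.setContextID(this.policyContextID);
            super.handle(str, request, httpServletRequest, httpServletResponse);
        } finally {
            // Undo everything set up above, whatever the outcome of the request.
            PolicyContext.setContextID(previousContextId);
            ContextManager.popCallers(previousCallers);
            PolicyContextHandlerHttpServletRequest.popContextData(previousContextData);
        }
    }

    /**
     * Returns no constraint information; the permission checks in this class ignore the
     * constraint-info argument and query the JACC policy instead.
     *
     * @param str path in context (unused)
     * @param request Jetty request (unused)
     * @return always {@code null}
     */
    protected Object prepareConstraintInfo(String str, Request request) {
        return null;
    }

    /**
     * Checks the transport requirement for the request against {@code defaultAcc}.
     *
     * <p>When the request is secure, or the connection does not report it as integral, the
     * permission is built directly from the request. Otherwise (not secure, but the connection
     * reports integral) an explicit {@code "INTEGRAL"} permission is built for the colon-encoded
     * path and the request method.
     *
     * @param str path in context (unused)
     * @param request Jetty request being checked
     * @param response Jetty response (unused)
     * @param obj constraint info (unused)
     * @return {@code true} if the permission is granted, {@code false} if the check is denied
     * @throws IOException declared for the superclass contract; not thrown by the visible code
     */
    protected boolean checkUserDataPermissions(String str, Request request, Response response, Object obj) throws IOException {
        // Short-circuit keeps the connection lookup off the path for secure requests.
        boolean useRequestDerivedPermission = request.isSecure() || !request.getConnection().isIntegral(request);
        WebUserDataPermission permission;
        if (useRequestDerivedPermission) {
            permission = new WebUserDataPermission(request);
        } else {
            permission = new WebUserDataPermission(encodeColons(request), new String[]{request.getMethod()}, "INTEGRAL");
        }
        try {
            this.defaultAcc.checkPermission(permission);
            return true;
        } catch (AccessControlException e) {
            // Denial is an expected outcome, reported to Jetty as "not permitted".
            return false;
        }
    }

    /**
     * Builds the servlet path plus path info (if any) with every {@code ':'} written as
     * {@code "%3A"}.
     *
     * <p>NOTE(review): the colon is a delimiter in JACC URL pattern specs, which is presumably
     * why it is escaped before the path is used as a permission name; confirm against the spec.
     *
     * @param httpServletRequest request whose path is encoded
     * @return the path with colons percent-encoded
     */
    private static String encodeColons(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        String path = httpServletRequest.getServletPath() + (pathInfo == null ? "" : pathInfo);
        // Literal replacement; a path without colons comes back unchanged.
        return path.replace(":", "%3A");
    }

    /**
     * Reports whether authentication is required for the request: it is required exactly when
     * {@code defaultAcc} is not granted the {@link WebResourcePermission} for it.
     *
     * @param request Jetty request being checked
     * @param response Jetty response (unused)
     * @param obj constraint info (unused)
     * @return {@code true} if the default context is denied the resource
     */
    protected boolean isAuthMandatory(Request request, Response response, Object obj) {
        return !checkWebResourcePermission(request, this.defaultAcc);
    }

    /**
     * Checks whether the given identity may access the requested resource.
     *
     * <p>Only a {@code GeronimoJettyUserIdentity} carries the access control context needed for
     * the check; any other identity, including {@code null}, is denied.
     *
     * @param str path in context (unused)
     * @param request Jetty request being checked
     * @param response Jetty response (unused)
     * @param obj constraint info (unused)
     * @param userIdentity identity to authorize
     * @return {@code true} only if the identity's context is granted the resource permission
     * @throws IOException declared for the superclass contract; not thrown by the visible code
     */
    protected boolean checkWebResourcePermissions(String str, Request request, Response response, Object obj, UserIdentity userIdentity) throws IOException {
        if (!(userIdentity instanceof GeronimoJettyUserIdentity)) {
            // Fail closed: without a Geronimo identity there is no context to evaluate.
            return false;
        }
        GeronimoJettyUserIdentity geronimoIdentity = (GeronimoJettyUserIdentity) userIdentity;
        return checkWebResourcePermission(request, geronimoIdentity.getAccessControlContext());
    }

    /**
     * Evaluates the {@link WebResourcePermission} for the request against the given context.
     *
     * @param request Jetty request the permission is built from
     * @param accessControlContext context to check
     * @return {@code true} if granted, {@code false} if the context denies the permission
     */
    private boolean checkWebResourcePermission(Request request, AccessControlContext accessControlContext) {
        WebResourcePermission permission = new WebResourcePermission(request);
        try {
            accessControlContext.checkPermission(permission);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }
}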
