package org.apache.geronimo.tomcat.security;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.geronimo.tomcat.security.jacc.JACCEJBWebServiceAuthorizer;

/* loaded from: input_file:org/apache/geronimo/tomcat/security/SecurityValve.class */
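/**
 * Tomcat valve that enforces transport, authentication and authorization checks
 * before handing a request to the next valve in the pipeline.
 *
 * <p>Order of checks in {@link #invoke(Request, Response)}:
 * <ol>
 *   <li>user-data (transport) permission: on failure the request is either rejected
 *       with 403 or redirected to the connector's HTTPS redirect port;</li>
 *   <li>authentication through the configured {@code Authenticator};</li>
 *   <li>resource permission, checked only when the authorizer reports that
 *       authentication is mandatory for the request;</li>
 *   <li>the authenticated identity is associated for the duration of the
 *       downstream call and dissociated afterwards.</li>
 * </ol>
 */
public class SecurityValve extends ValveBase {
    /** HTTP status sent whenever a check fails and no redirect is possible. */
    private static final int SC_FORBIDDEN = 403;

    /** Default HTTPS port; omitted from the redirect URL when it is the redirect port. */
    private static final int DEFAULT_HTTPS_PORT = 443;

    private final Authenticator authenticator;
    private final Authorizer authorizer;
    private final IdentityService identityService;

    /**
     * Creates the valve from its three collaborators. The arguments are stored as-is;
     * no null check is performed here, so a null collaborator surfaces only when
     * {@code invoke} first uses it.
     *
     * @param authenticator validates the request and secures the response
     * @param authorizer supplies the constraints and the permission decisions
     * @param identityService associates the authenticated identity with the downstream call
     */
    public SecurityValve(Authenticator authenticator, Authorizer authorizer, IdentityService identityService) {
        this.authenticator = authenticator;
        this.authorizer = authorizer;
        this.identityService = identityService;
    }

    /**
     * Runs the security checks for one request and, if they pass, invokes the next valve.
     *
     * @param request the incoming Catalina request
     * @param response the Catalina response
     * @throws IOException if writing an error or redirect fails, or the next valve throws it
     * @throws ServletException on an unexpected auth status, when the authenticator raises
     *     {@code ServerAuthException} (wrapped as the cause), or when the next valve throws it
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        Object constraints = this.authorizer.getConstraints(request);

        // Transport check comes first so that no authentication exchange happens on a
        // request that failed the user-data permission check.
        if (!this.authorizer.hasUserDataPermissions(request, constraints)) {
            rejectOrRedirectToHttps(request, response);
            return;
        }

        boolean isAuthMandatory = this.authorizer.isAuthMandatory(request, constraints);
        try {
            AuthResult authResult = this.authenticator.validateRequest(request, response, isAuthMandatory);
            TomcatAuthStatus authStatus = authResult.getAuthStatus();

            // For these statuses the valve stops without touching the response itself.
            // NOTE(review): presumably the authenticator has already written the challenge
            // or failure response in these cases; confirm against each Authenticator.
            if (authStatus == TomcatAuthStatus.FAILURE
                    || authStatus == TomcatAuthStatus.SEND_CONTINUE
                    || authStatus == TomcatAuthStatus.SEND_FAILURE
                    || authStatus == TomcatAuthStatus.SEND_SUCCESS) {
                return;
            }
            // Fail closed: any status other than SUCCESS is treated as an error rather
            // than being allowed to fall through to the protected resource.
            if (authStatus != TomcatAuthStatus.SUCCESS) {
                throw new ServletException("unexpected auth status: " + authStatus);
            }

            request.setAuthType(this.authenticator.getAuthType());
            UserIdentity userIdentity = authResult.getUserIdentity();
            request.setUserPrincipal(userIdentity == null ? null : userIdentity.getUserPrincipal());

            // Resource permissions are evaluated only when authentication is mandatory;
            // when it is not, the request proceeds without this check (userIdentity may be null).
            if (isAuthMandatory
                    && !this.authorizer.hasResourcePermissions(request, authResult, constraints, userIdentity)) {
                if (!response.isError()) {
                    response.sendError(SC_FORBIDDEN);
                }
                return;
            }

            Object previous = this.identityService.associate(userIdentity);
            try {
                getNext().invoke(request, response);
            } finally {
                // Dissociate exactly once, whether or not the downstream valve threw.
                // Keeping secureResponse outside this try prevents a second dissociate
                // call when secureResponse itself fails.
                this.identityService.dissociate(previous);
            }
            this.authenticator.secureResponse(request, response, authResult);
        } catch (ServerAuthException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Handles a request that failed the user-data permission check: sends 403 when a
     * redirect is not applicable, otherwise redirects to the same URI over HTTPS.
     *
     * <p>Security notes for maintainers:
     * <ul>
     *   <li>The redirect host is {@code request.getServerName()}, which is normally taken
     *       from the client-supplied Host header, so the Location value is
     *       client-influenced. Restrict accepted host names at the connector or proxy.</li>
     *   <li>A session id that arrived in the URL is copied into the HTTPS URL. It was
     *       already sent over the non-secure channel, so it should not be treated as
     *       confidential afterwards.</li>
     *   <li>When no redirect port is configured the request URI is passed as the 403
     *       message. NOTE(review): whatever renders that message must escape it.</li>
     * </ul>
     */
    private void rejectOrRedirectToHttps(Request request, Response response) throws IOException {
        // No redirect if an error is already set, the request is already secure (HTTPS
        // cannot help), or the authorizer is the JACC EJB web-service authorizer.
        if (response.isError()
                || request.getRequest().isSecure()
                || this.authorizer instanceof JACCEJBWebServiceAuthorizer) {
            response.sendError(SC_FORBIDDEN);
            return;
        }

        int redirectPort = request.getConnector().getRedirectPort();
        if (redirectPort <= 0) {
            response.sendError(SC_FORBIDDEN, request.getRequestURI());
            return;
        }

        StringBuilder location = new StringBuilder();
        location.append("https").append("://").append(request.getServerName());
        if (redirectPort != DEFAULT_HTTPS_PORT) {
            location.append(":").append(redirectPort);
        }
        location.append(request.getRequestURI());

        String requestedSessionId = request.getRequestedSessionId();
        if (requestedSessionId != null && request.isRequestedSessionIdFromURL()) {
            location.append(";")
                    .append(Globals.SESSION_PARAMETER_NAME)
                    .append("=")
                    .append(requestedSessionId);
        }

        String queryString = request.getQueryString();
        if (queryString != null) {
            location.append('?').append(queryString);
        }
        response.sendRedirect(location.toString());
    }
}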
