package org.apache.felix.webconsole.internal.servlet;

import java.io.IOException;
import java.security.PrivilegedActionException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.karaf.util.jaas.JaasHelper;
import org.osgi.framework.BundleContext;

/* loaded from: input_file:org/apache/felix/webconsole/internal/servlet/KarafOsgiManager.class */
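/**
 * Web console servlet that can run request handling on behalf of a JAAS
 * {@link Subject} and adds browser hardening headers to the response.
 *
 * <p>When the request carries a {@link Subject} under the
 * {@link #SUBJECT_RUN_AS} attribute, the request is served inside
 * {@code JaasHelper.doAs} for that subject; otherwise it is passed straight to
 * {@link OsgiManager}.
 *
 * <p>Security note: request attributes are set by server-side code, not by the
 * client, so this class trusts whichever component populated
 * {@link #SUBJECT_RUN_AS}. NOTE(review): confirm that only the authentication
 * layer can set that attribute before this servlet is reached.
 */
public class KarafOsgiManager extends OsgiManager {
    private static final long serialVersionUID = 1090035807469459598L;

    // Never read in this class. It appears to exist only to keep hard references
    // to these JaasHelper classes; verify the intent before removing it.
    private static final Class<?>[] SECURITY_BUGFIX = {JaasHelper.class, JaasHelper.OsgiSubjectDomainCombiner.class, JaasHelper.DelegatingProtectionDomain.class};

    /** Name of the request attribute that may hold the {@link Subject} to run the request as. */
    public static final String SUBJECT_RUN_AS = "karaf.subject.runas";

    /**
     * Creates the servlet for the given bundle context.
     *
     * @param bundleContext bundle context handed to {@link OsgiManager}
     */
    public KarafOsgiManager(BundleContext bundleContext) {
        super(bundleContext);
    }

    /**
     * Serves the request, as the {@link Subject} stored under
     * {@link #SUBJECT_RUN_AS} when one is present.
     *
     * @param servletRequest  incoming request
     * @param servletResponse outgoing response
     * @throws ServletException if request handling fails, including any
     *                          non-I/O exception raised inside the run-as action
     * @throws IOException      if an I/O error occurs while handling the request
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        Object attribute = servletRequest.getAttribute(SUBJECT_RUN_AS);
        if (!(attribute instanceof Subject)) {
            // Previously only the run-as path set the hardening headers, so
            // responses served without a Subject went out without them.
            applySecurityHeaders(servletResponse);
            super.service(servletRequest, servletResponse);
            return;
        }
        try {
            // The explicit target type selects the exception-throwing action form;
            // the lambda body throws checked exceptions and the catch below
            // expects PrivilegedActionException.
            JaasHelper.doAs((Subject) attribute, (java.security.PrivilegedExceptionAction<Object>) () -> {
                doService((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // getException() returns Exception; unwrap it and rethrow with the
            // type the servlet contract declares.
            Exception cause = e.getException();
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new ServletException(cause);
        }
    }

    /**
     * Adds the hardening headers and delegates to {@link OsgiManager}.
     *
     * @param httpServletRequest  incoming HTTP request
     * @param httpServletResponse outgoing HTTP response
     * @throws ServletException if the parent servlet fails to handle the request
     * @throws IOException      if an I/O error occurs while handling the request
     */
    protected void doService(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        applySecurityHeaders(httpServletResponse);
        super.service(httpServletRequest, httpServletResponse);
    }

    /**
     * Sets the anti-framing, XSS-filter and MIME-sniffing headers on HTTP
     * responses; non-HTTP responses are left untouched.
     *
     * <p>X-XSS-Protection is ignored by current browsers, so these headers are
     * best treated as a baseline; a Content-Security-Policy is the durable
     * control for script injection and framing.
     */
    private static void applySecurityHeaders(ServletResponse response) {
        if (!(response instanceof HttpServletResponse)) {
            return;
        }
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
        httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
    }
}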
