package com.ibm.ws.security.web;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.utils.AuditHelper;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.jaspi.AuthConfigFactoryWrapper;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.web.JaspiCollaborator;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.webcontainer.servlet.IExtendedResponse;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jst.j2ee.webapplication.LoginConfig;
import org.eclipse.jst.j2ee.webapplication.WebApp;

/* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/security/web/JaspiWebCollaborator.class */
public class JaspiWebCollaborator implements JaspiCollaborator {
    // Trace component for this class, registered with the "Security" name and the admin message bundle.
    private static final TraceComponent tc = Tr.register((Class<?>) JaspiWebCollaborator.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    // MessageInfo map key that setAuthTypeByJaspi() reads to obtain the auth type reported for the request.
    private static final String AUTH_TYPE = "javax.servlet.http.authType";
    // MessageInfo map key written by newMessageInfo() as "true"/"false" and read by doJaspiCustomLogin()
    // to decide whether a Subject without custom credentials is rejected or treated as unauthenticated.
    private static final String IS_MANDATORY_POLICY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Property key under which getAuthContextProps() hands the policy context string to getAuthContext().
    private static final String JACC_POLICY_CONTEXT = "javax.security.jacc.PolicyContext";
    // MessageInfo map keys that setRunAsOrServlet30Request() sets for login()/authenticate() requests and
    // removes afterwards. JASPI_PASSWORD carries webRequest.getPassword(), so anything that prints or
    // persists the map while these keys are present exposes the password.
    private static final String JASPI_WEB_REQUEST = "com.ibm.websphere.jaspi.request";
    private static final String JASPI_USER = "com.ibm.websphere.jaspi.user";
    private static final String JASPI_PASSWORD = "com.ibm.websphere.jaspi.password";
    // Factory that getAuthConfigProvider() queries for the provider of the servlet message layer.
    protected AuthConfigFactory jaspiFactory = AuthConfigFactoryWrapper.getFactory();
    // Cell name used to build the "href:" policy context string when JACC is not enabled.
    private String cellName = SecurityObjectLocator.getAdminData().getCellName();
    // Supplies the servlet URI for constraint matching and stores the referrer URL cookie on redirects.
    private ReferrerURLCookieHandler referrerURLHandler = new ReferrerURLCookieHandler();

    /* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/security/web/JaspiWebCollaborator$PostInvokeJaspiContext.class */
    /**
     * Carries the JASPI objects created for a request so that {@code postInvoke} can call
     * {@code secureResponse} with the same {@link ServerAuthContext} and {@link MessageInfo},
     * together with the flag that says whether that call should happen at all.
     */
    public static class PostInvokeJaspiContext implements JaspiCollaborator.JaspiAuthContext {
        private ServerAuthContext authContext;
        private MessageInfo msgInfo;
        // Stays false (the field default) until setRunSecureResponse(true) is called.
        private boolean runSecureResponse;

        /**
         * @param serverAuthContext auth context to reuse for the response leg
         * @param messageInfo message info associated with that auth context
         */
        public PostInvokeJaspiContext(ServerAuthContext serverAuthContext, MessageInfo messageInfo) {
            authContext = serverAuthContext;
            msgInfo = messageInfo;
        }

        /** @return the message info supplied at construction */
        @Override
        public MessageInfo getMessageInfo() {
            return msgInfo;
        }

        /** @return the server auth context supplied at construction */
        @Override
        public ServerAuthContext getServerAuthContext() {
            return authContext;
        }

        /** @return {@code true} when {@code secureResponse} should be run for this request */
        @Override
        public boolean runSecureResponse() {
            return runSecureResponse;
        }

        /** @param z new value of the run-secureResponse flag */
        @Override
        public void setRunSecureResponse(boolean z) {
            runSecureResponse = z;
        }
    }

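    /**
     * Returns the first {@link Hashtable} found among the private credentials of {@code subject}.
     *
     * <p>The lookup runs inside {@code AccessController.doPrivileged}. Because the table is a
     * private credential, its values are kept out of the trace; only its key names are recorded.
     *
     * @param subject the Subject to inspect; may be {@code null}
     * @return the custom-credentials table, or {@code null} when {@code subject} is {@code null}
     *         or holds no {@code Hashtable} private credential
     */
    @Override
    public Hashtable<String, Object> getCustomCredentials(final Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCustomCredentials");
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getCustomCredentials", "subject is null");
            }
            return null;
        }
        Hashtable<String, Object> customCredentials = AccessController.doPrivileged(new PrivilegedAction<Hashtable<String, Object>>() {
            @Override
            @SuppressWarnings("unchecked")
            public Hashtable<String, Object> run() {
                Set<Hashtable> found = subject.getPrivateCredentials(Hashtable.class);
                if (found == null || found.isEmpty()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Subject has no Hashtable with custom credentials, return null.");
                    }
                    return null;
                }
                return (Hashtable<String, Object>) found.iterator().next();
            }
        });
        if (tc.isEntryEnabled()) {
            // Key names only: printing the table itself would copy private credential values into the trace file.
            Tr.exit(tc, "getCustomCredentials", customCredentials == null ? null : customCredentials.keySet());
        }
        return customCredentials;
    }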

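    /**
     * Runs the JASPI {@code secureResponse} step after the target has been invoked and writes one
     * audit record for the outcome.
     *
     * <p>Nothing is done when {@code webSecurityContext} is {@code null}, when it holds no JASPI
     * auth context, or when that context is flagged not to run {@code secureResponse}.
     * {@code SEND_SUCCESS}, {@code SEND_FAILURE} and {@code SEND_CONTINUE} are audited and the
     * method returns; any other status is audited as a failure and then rejected.
     *
     * @param webSecurityContext security context of the request; may be {@code null}
     * @throws WebSecurityException when {@code secureResponse} throws an {@link AuthException} or
     *         returns a status other than the three listed above
     */
    @Override
    public void postInvoke(WebSecurityContext webSecurityContext) throws WebSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "postInvoke", webSecurityContext);
        }
        AuthStatus authStatus = null;
        if (webSecurityContext != null) {
            JaspiCollaborator.JaspiAuthContext jaspiAuthContext = webSecurityContext.getJaspiAuthContext();
            // A missing JASPI context is treated like a cleared flag: there is no response to secure.
            // Previously a null context caused a NullPointerException here.
            if (jaspiAuthContext == null || !jaspiAuthContext.runSecureResponse()) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "postInvoke", "skip secureResponse.");
                }
                return;
            }
            MessageInfo messageInfo = jaspiAuthContext.getMessageInfo();
            ServerAuthContext serverAuthContext = jaspiAuthContext.getServerAuthContext();
            Subject receivedSubject = webSecurityContext.getReceivedSubject();
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "secureResponse with Jaspi", new Object[]{"authContext=" + serverAuthContext, "serviceSubject=" + receivedSubject, messageInfo});
                }
                authStatus = serverAuthContext.secureResponse(messageInfo, receivedSubject);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "secureResponse status: " + authStatus);
                }
                HttpServletRequest httpServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();

                // Request details for the audit record; all stay null when there is no request object.
                String requestUrl = null;
                String httpMethod = null;
                String authType = null;
                if (httpServletRequest != null) {
                    if (httpServletRequest.getRequestURL() != null) {
                        requestUrl = httpServletRequest.getRequestURL().toString();
                    }
                    httpMethod = httpServletRequest.getMethod();
                    authType = httpServletRequest.getAuthType();
                }

                String statusText;
                String userName = null;
                String eventType;
                String reason;
                String outcome;
                long reasonCode;
                boolean unexpectedStatus = false;
                if (AuthStatus.SEND_SUCCESS == authStatus) {
                    statusText = "SUCCESS";
                    Principal caller = httpServletRequest != null ? httpServletRequest.getUserPrincipal() : null;
                    if (caller != null && caller.getName() != null) {
                        userName = caller.getName();
                    }
                    eventType = "authnSuccess";
                    reason = "providerSuccess";
                    outcome = AuditOutcome.SUCCESSFUL;
                    reasonCode = 5;
                } else if (AuthStatus.SEND_CONTINUE == authStatus) {
                    statusText = AuditOutcome.S_REDIRECT;
                    eventType = "authnRedirect";
                    reason = "providerSuccess";
                    outcome = AuditOutcome.UNSUCCESSFUL;
                    reasonCode = 15;
                } else {
                    // SEND_FAILURE and every unexpected status (including null) share the failure record.
                    statusText = "FAILURE";
                    eventType = "authnFailure";
                    reason = "failure";
                    outcome = AuditOutcome.UNSUCCESSFUL;
                    reasonCode = 15;
                    unexpectedStatus = AuthStatus.SEND_FAILURE != authStatus;
                }
                AuditHelper.auditGenerateAuthenticationRecord(requestUrl, AuditConstants.JASPI_WEB_AUTH_SECURE_RESPONSE, statusText, httpServletRequest, userName, userName, eventType, httpMethod, authType, null, reason, outcome, reasonCode);

                if (unexpectedStatus) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "secureResponse  AuthStatus=" + authStatus);
                    }
                    // NOTE(review): the same text, including the string forms of MessageInfo and
                    // ServerAuthContext, is handed to DenyReply. If DenyReply text can reach the
                    // HTTP client, this discloses internal state; confirm how DenyReply is rendered.
                    String message = "Unexpected AuthStatus received during secureResponse() status=" + authStatus + ", MessageInfo=" + messageInfo + ", ServerAuthContext=" + serverAuthContext;
                    throw new WebSecurityException(message, new DenyReply(message), webSecurityContext);
                }
            } catch (AuthException e) {
                FFDCFilter.processException(e, getClass().getName() + ".postInvoke", "269");
                WebSecurityException webSecurityException = new WebSecurityException(e.toString(), new DenyReply("JASPI authentication failed after invoking the requested target service."), webSecurityContext);
                webSecurityException.initCause(e);
                throw webSecurityException;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "postInvoke", authStatus);
        }
    }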

    /**
     * Authenticates the request through JASPI, starting from a new, empty client {@link Subject}.
     *
     * @param str auth type to record on the request before validation
     * @param webRequest the request being authenticated
     * @param authConfigProvider provider used to obtain the server auth context
     * @return the result mapped from the JASPI status
     * @throws WebSecurityException when JASPI validation or the follow-up login fails with an exception
     */
    @Override
    public AuthenticationResult authenticate(String str, WebRequest webRequest, AuthConfigProvider authConfigProvider) throws WebSecurityException {
        Subject clientSubject = new Subject();
        return authenticate(clientSubject, str, webRequest, authConfigProvider);
    }

    /**
     * Asks the JASPI factory for the provider registered for the servlet message layer and the
     * given application context. No registration listener is supplied.
     *
     * @param str application context identifier
     * @return whatever the factory returns for that layer and context
     */
    @Override
    public AuthConfigProvider getAuthConfigProvider(String str) {
        AuthConfigProvider provider = this.jaspiFactory.getConfigProvider(AdminConstants.PROFILE_SERVLET_MSG_LAYER, str, (RegistrationListener) null);
        return provider;
    }

    /**
     * Builds the per-request JASPI context that is later consumed by {@code postInvoke}.
     *
     * @param webRequest the request being processed
     * @param authConfigProvider provider used to obtain the server auth context
     * @return a new {@link PostInvokeJaspiContext}, or {@code null} when no server auth context
     *         is available
     * @throws WebSecurityException wrapping any exception raised while obtaining the context
     */
    @Override
    public JaspiCollaborator.JaspiAuthContext getJaspiAuthContext(WebRequest webRequest, AuthConfigProvider authConfigProvider) throws WebSecurityException {
        try {
            ServerAuthContext context = getServerAuthContext(webRequest, authConfigProvider);
            if (context == null) {
                return null;
            }
            return new PostInvokeJaspiContext(context, webRequest.getMessageInfo());
        } catch (Exception e) {
            // Every failure, including a WebSecurityException from getServerAuthContext, is re-wrapped
            // with a fixed deny message; the original exception is kept as the cause.
            WebSecurityException wrapped = new WebSecurityException(new DenyReply("Unable to get JASPI ServerAuthConfig."));
            wrapped.initCause(e);
            throw wrapped;
        }
    }

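    /**
     * Runs JASPI {@code validateRequest} for the request, performs the follow-up custom login on
     * success, audits the outcome and maps it to an {@link AuthenticationResult}.
     *
     * <p>For {@code login()}/{@code authenticate()} requests that have no web security context,
     * the caller's user name and password are placed in the MessageInfo map for the duration of
     * the call. They are removed again on every exit path, including failures.
     *
     * @param subject client Subject handed to {@code validateRequest}
     * @param str auth type to record on the request before validation
     * @param webRequest the request being authenticated
     * @param authConfigProvider provider used to obtain the server auth context and named in the audit record
     * @return the result mapped from the JASPI status
     * @throws WebSecurityException when {@code validateRequest} throws an {@link AuthException} or
     *         the custom login throws a {@link WSLoginFailedException}
     */
    AuthenticationResult authenticate(Subject subject, String str, WebRequest webRequest, AuthConfigProvider authConfigProvider) throws WebSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate", new Object[]{str, webRequest, authConfigProvider});
        }
        WebSecurityContext webSecurityContext = webRequest.getWebSecurityContext();
        // True while the user name and password are present in the MessageInfo map.
        boolean credentialsInMessageInfo = false;
        String servlet30Operation = null;
        try {
            // NOTE(review): getServerAuthContext can return null when no provider is supplied, which
            // would surface below as a NullPointerException rather than a WebSecurityException.
            ServerAuthContext serverAuthContext = getServerAuthContext(webRequest, authConfigProvider);
            MessageInfo messageInfo = webRequest.getMessageInfo();
            setAuthType(webRequest.getHttpServletRequest(), str);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateRequest with Jaspi", new Object[]{"authContext=" + serverAuthContext, messageInfo});
            }
            if (webSecurityContext != null) {
                setRunSecureResponse(true, webSecurityContext.getJaspiAuthContext());
            } else if (webRequest.isLoginMethod() || webRequest.isAuthenticateMethod()) {
                servlet30Operation = webRequest.isLoginMethod() ? AuditConstants.LOGIN : "authenticate";
                credentialsInMessageInfo = true;
                setRunAsOrServlet30Request(webRequest, servlet30Operation, true);
            }
            AuthStatus validateRequest = serverAuthContext.validateRequest(messageInfo, subject, null);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateRequest status: " + validateRequest);
            }
            AuthenticationResult result;
            if (AuthStatus.SUCCESS == validateRequest || AuthStatus.SEND_SUCCESS == validateRequest) {
                result = mapToAuthenticationResult(validateRequest, webRequest, doJaspiCustomLogin(subject, webRequest));
                WebAccessContext webAccessContext = webRequest.getWebAccessContext();
                if (webAccessContext != null) {
                    setAuthTypeByJaspi(messageInfo, webAccessContext.getWebApp());
                }
            } else {
                result = mapToAuthenticationResult(validateRequest, webRequest, null);
            }

            // Audit fields keep these defaults when the converted status matches none of the cases below.
            String userName = null;
            String eventType = null;
            String reason = null;
            String outcome = null;
            long reasonCode = -1;
            String auditStatus = AuditHelper.convertJASPIAuthnStatus(result.getStatus());
            if (auditStatus.equals("SUCCESS")) {
                Object[] principals = result.getSubject().getPrincipals().toArray();
                if (principals.length != 0) {
                    userName = ((Principal) principals[0]).getName();
                }
                eventType = "authnSuccess";
                reason = "providerSuccess";
                outcome = AuditOutcome.SUCCESSFUL;
                reasonCode = 5;
            } else if (auditStatus.equals("FAILURE")) {
                eventType = "authnFailure";
                reason = "failure";
                outcome = AuditOutcome.UNSUCCESSFUL;
                reasonCode = 15;
            } else if (auditStatus.equals(AuditOutcome.S_REDIRECT)) {
                eventType = "authnRedirect";
                reason = "providerSuccess";
                outcome = AuditOutcome.UNSUCCESSFUL;
                reasonCode = 15;
            } else if (auditStatus.equals(AuditOutcome.S_CHALLENGE)) {
                eventType = "challengeResponse";
                reason = "providerSuccess";
                outcome = AuditOutcome.UNSUCCESSFUL;
                reasonCode = 106;
            }
            AuditHelper.auditGenerateAuthenticationRecord(webRequest.getAppName(), AuditConstants.JASPI_WEB_AUTH_VALIDATE_REQUEST, auditStatus, webRequest.getHttpServletRequest(), userName, userName, eventType, webRequest.getHttpServletRequest().getMethod(), str, authConfigProvider.getClass().getName(), reason, outcome, reasonCode);
            if (webRequest.isLoginMethod() || webRequest.isAuthenticateMethod()) {
                setRunAsOrServlet30Request(webRequest, webRequest.isLoginMethod() ? AuditConstants.LOGIN : "authenticate", false);
                credentialsInMessageInfo = false;
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate", validateRequest);
            }
            return result;
        } catch (WSLoginFailedException e) {
            FFDCFilter.processException(e, getClass().getName() + ".authenticate", "396");
            // NOTE(review): the exception's string form is embedded in the DenyReply text; confirm
            // that DenyReply text is not returned verbatim to the HTTP client.
            WebSecurityException webSecurityException = new WebSecurityException(new DenyReply("Custom login failure after JASPI authentication completed successfully, exception: " + e));
            webSecurityException.initCause(e);
            throw webSecurityException;
        } catch (AuthException e2) {
            FFDCFilter.processException(e2, getClass().getName() + ".authenticate", "387");
            WebSecurityException webSecurityException2 = new WebSecurityException(new DenyReply("JASPI authentication failure: " + e2));
            webSecurityException2.initCause(e2);
            if (webSecurityContext != null) {
                // validateRequest failed, so postInvoke must not call secureResponse for this request.
                setRunSecureResponse(false, webSecurityContext.getJaspiAuthContext());
            }
            throw webSecurityException2;
        } finally {
            // Failure paths never reach the removal above; without this the password would stay in
            // the MessageInfo map that the request keeps referencing.
            if (credentialsInMessageInfo && webRequest.getMessageInfo() != null) {
                setRunAsOrServlet30Request(webRequest, servlet30Operation, false);
            }
        }
    }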

    /**
     * Creates the {@link MessageInfo} for a request and records whether authentication is mandatory.
     *
     * <p>The mandatory flag is stored under {@code IS_MANDATORY_POLICY} as {@code "true"} only
     * when the web access context has a constraints table, that table returns constraints for
     * the servlet URI and HTTP method, and those constraints report a match. In every other
     * case it is {@code "false"}. {@code doJaspiCustomLogin} reads this flag to decide whether a
     * Subject without custom credentials is rejected.
     *
     * @param webRequest the request being processed
     * @return the populated message info
     */
    protected MessageInfo newMessageInfo(WebRequest webRequest) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        JaspiMessageInfo info = new JaspiMessageInfo(request, webRequest.getHttpServletResponse());
        boolean mandatory = false;
        WebAccessContext accessContext = webRequest.getWebAccessContext();
        WebConstraintsTable table = accessContext != null ? accessContext.getConstraints() : null;
        if (table != null) {
            String servletUri = this.referrerURLHandler.getServletURI(request);
            String httpMethod = request.getMethod();
            WebResourceCollectionConstraints matched = table.getConstraints(accessContext, servletUri, httpMethod, request);
            if (matched != null) {
                Object match = matched.matches(servletUri, httpMethod);
                mandatory = match != null;
            }
        }
        info.getMap().put(IS_MANDATORY_POLICY, Boolean.toString(mandatory));
        return info;
    }

    /**
     * Obtains a {@link ServerAuthContext} from the provider for this request.
     *
     * <p>As a side effect, a new {@link MessageInfo} is created and stored on the request.
     *
     * @param webRequest the request being processed
     * @param authConfigProvider provider to query; may be {@code null}
     * @return the auth context, or {@code null} when {@code authConfigProvider} is {@code null}
     * @throws AuthException as declared by the JASPI calls made here
     * @throws SecurityException as declared by the JASPI calls made here
     */
    protected ServerAuthContext getAuthContextFromProvider(WebRequest webRequest, AuthConfigProvider authConfigProvider) throws AuthException, SecurityException {
        String appContext = webRequest.getAppContext();
        if (authConfigProvider == null) {
            return null;
        }
        ServerAuthConfig config = authConfigProvider.getServerAuthConfig(AdminConstants.PROFILE_SERVLET_MSG_LAYER, appContext, new JaspiCallbackHandler(webRequest, this));
        MessageInfo messageInfo = newMessageInfo(webRequest);
        webRequest.setMessageInfo(messageInfo);
        String authContextId = config.getAuthContextID(messageInfo);
        Map<String, String> properties = getAuthContextProps(webRequest);
        return config.getAuthContext(authContextId, null, properties);
    }

    /**
     * Returns the {@link ServerAuthContext} for the request. The one held by the request's JASPI
     * auth context is reused when present; otherwise a new one is obtained from the provider.
     *
     * @param webRequest the request being processed
     * @param authConfigProvider provider used when no context is held yet
     * @return the server auth context; may be {@code null} when the provider yields none
     * @throws WebSecurityException wrapping any exception raised while asking the provider
     */
    protected ServerAuthContext getServerAuthContext(WebRequest webRequest, AuthConfigProvider authConfigProvider) throws WebSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerAuthContext", webRequest != null ? webRequest.getWebSecurityContext() : null);
        }
        WebSecurityContext securityContext = webRequest.getWebSecurityContext();
        JaspiCollaborator.JaspiAuthContext held = null;
        if (securityContext != null) {
            held = securityContext.getJaspiAuthContext();
        }
        ServerAuthContext result;
        if (held != null) {
            result = held.getServerAuthContext();
        } else {
            try {
                result = getAuthContextFromProvider(webRequest, authConfigProvider);
            } catch (Exception e) {
                // The cause is preserved; the deny text itself stays generic.
                WebSecurityException wrapped = new WebSecurityException(new DenyReply("Unable to get JASPI ServerAuthContext."));
                wrapped.initCause(e);
                throw wrapped;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getServerAuthContext", result);
        }
        return result;
    }

    /**
     * Chooses the auth type to record on the request after a successful JASPI validation.
     *
     * <p>The value stored in the MessageInfo map under {@code AUTH_TYPE} wins when that key is
     * present. Otherwise the deployment descriptor's authorization method is used, and
     * {@code "JASPI"} when the descriptor supplies none.
     *
     * @param messageInfo message info of the validated request
     * @param webApp web application whose login configuration is the fallback source
     */
    protected void setAuthTypeByJaspi(MessageInfo messageInfo, WebApp webApp) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setAuthType", new Object[]{messageInfo, webApp});
        }
        String authType;
        if (!messageInfo.getMap().containsKey(AUTH_TYPE)) {
            String declared = getDDAuthorizationMethod(webApp);
            authType = declared != null ? declared : "JASPI";
        } else {
            // A key mapped to null yields a null auth type, which setAuthType() then ignores.
            authType = (String) messageInfo.getMap().get(AUTH_TYPE);
        }
        setAuthType((HttpServletRequest) messageInfo.getRequestMessage(), authType);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setAuthType", authType);
        }
    }

    /**
     * Reads the authorization method from the web application's login configuration.
     *
     * @param webApp the web application; may be {@code null}
     * @return the configured authorization method, or {@code null} when {@code webApp} is
     *         {@code null} or has no login configuration
     */
    protected String getDDAuthorizationMethod(WebApp webApp) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDDAuthorizationMethod");
        }
        String method = null;
        LoginConfig loginConfig = webApp != null ? webApp.getLoginConfig() : null;
        if (loginConfig != null) {
            method = loginConfig.getAuthorizationMethod();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "login configuration", new Object[]{loginConfig, method});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getDDAuthorizationMethod", method);
        }
        return method;
    }

    /**
     * Stores the auth type on the request as the private attribute {@code "AUTH_TYPE"}.
     * A {@code null} value is never written; the call is then only traced.
     *
     * @param httpServletRequest request to update
     * @param str auth type to store; may be {@code null}
     */
    protected void setAuthType(HttpServletRequest httpServletRequest, String str) {
        if (str == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authType is null, do not set null.", new Object[0]);
            }
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Set authType: " + str);
        }
        WebCollaborator.setPrivateAttributes(httpServletRequest, "AUTH_TYPE", str);
    }

    /**
     * Returns the HTTP status currently set on the response.
     *
     * <p>Responses that are not an {@link IExtendedResponse} report 500, which
     * {@code mapToAuthenticationResult} maps to a failure result.
     *
     * @param httpServletResponse response to inspect
     * @return the response's status code, or 500 when it cannot be read
     */
    protected int getResponseStatus(HttpServletResponse httpServletResponse) {
        return httpServletResponse instanceof IExtendedResponse
                ? ((IExtendedResponse) httpServletResponse).getStatusCode()
                : 500;
    }

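    /**
     * Translates a JASPI {@link AuthStatus} into an {@link AuthenticationResult}.
     *
     * <p>Going by the trace label set in each branch, the numeric codes are 1 = success,
     * 2 = failure, 3 = send 401 and 4 = redirect:
     * <ul>
     * <li>{@code SUCCESS}/{@code SEND_SUCCESS}: code 1 with {@code subject}.</li>
     * <li>{@code SEND_CONTINUE}: decided by the response status. 302/303/307 give code 4 with
     *     the login URL and store the original URL in the referrer cookie; 401 gives code 3 with
     *     the application realm; anything else gives code 2.</li>
     * <li>{@code SEND_FAILURE}: code 3 for {@code HttpServletRequest.authenticate()}, otherwise code 2.</li>
     * <li>Any other status, including {@code null}: code 2.</li>
     * </ul>
     *
     * @param authStatus status returned by {@code validateRequest}
     * @param webRequest the request being authenticated
     * @param subject authenticated Subject for the success case; unused otherwise
     * @return the mapped result, never {@code null}
     */
    protected AuthenticationResult mapToAuthenticationResult(AuthStatus authStatus, WebRequest webRequest, Subject subject) {
        AuthenticationResult authenticationResult;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapToAuthenticationResult", "AuthStatus=" + authStatus);
        }
        // Trace label only; it does not influence the returned result.
        String resultLabel = "FAILURE";
        if (AuthStatus.SUCCESS == authStatus || AuthStatus.SEND_SUCCESS == authStatus) {
            authenticationResult = new AuthenticationResult(1, subject);
            resultLabel = "SUCCESS";
        } else if (AuthStatus.SEND_CONTINUE == authStatus) {
            int responseStatus = getResponseStatus(webRequest.getHttpServletResponse());
            HttpServletRequest httpServletRequest = webRequest.getHttpServletRequest();
            switch (responseStatus) {
                case 302:
                case 303:
                case 307: {
                    // NOTE(review): getWebAccessContext() is null-checked by other callers in this
                    // class but dereferenced directly here; confirm it cannot be null on this path.
                    String loginURL = webRequest.getWebAuthenticator().getLoginURL(httpServletRequest, webRequest.getWebAccessContext().getWebAttributes());
                    String queryString = httpServletRequest.getQueryString();
                    // getRequestURL() does not include the query string, so the "?" separator has to
                    // be restored; appending the bare query produced a malformed original URL.
                    String originalUrl = httpServletRequest.getRequestURL().append(queryString != null ? "?" + queryString : "").toString();
                    authenticationResult = new AuthenticationResult(4, loginURL);
                    resultLabel = AuditOutcome.S_REDIRECT;
                    this.referrerURLHandler.setReferrerURLCookie(httpServletRequest, authenticationResult, originalUrl, webRequest.getSecurityConfig());
                    break;
                }
                case 401:
                    authenticationResult = new AuthenticationResult(3, webRequest.getContextManager().getAppRealm());
                    resultLabel = "SEND_401";
                    break;
                default:
                    // Any other status on SEND_CONTINUE is treated as a failed authentication.
                    authenticationResult = new AuthenticationResult(2, "Jaspi authentication failed, unexpected HttpServletResponse status: " + responseStatus);
                    break;
            }
        } else if (AuthStatus.SEND_FAILURE == authStatus) {
            String reason;
            if (webRequest.isAuthenticateMethod()) {
                reason = "HttpServletRequest.authenticate() failed, JASPI AuthStatus: " + authStatus + ", AuthenticationResult.SEND_401";
                authenticationResult = new AuthenticationResult(3, reason, (Cookie) null);
                resultLabel = "SEND_401";
            } else if (webRequest.isLoginMethod()) {
                reason = "HttpServletRequest.login() failed, JASPI AuthStatus: " + authStatus + ", AuthenticationResult.FAILURE";
                authenticationResult = new AuthenticationResult(2, reason);
            } else {
                reason = "Authentication failed, JASPI AuthStatus: " + authStatus + ", AuthenticationResult.FAILURE";
                authenticationResult = new AuthenticationResult(2, reason);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, reason);
            }
        } else {
            authenticationResult = new AuthenticationResult(2, "Authentication failed, unexpected JASPI AuthStatus: " + authStatus);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapToAuthenticationResult", "AuthenticationResult=" + resultLabel);
        }
        return authenticationResult;
    }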

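    /**
     * Turns the Subject populated by the JASPI provider into a logged-in Subject.
     *
     * <p>The security name is taken from the custom-credentials {@link Hashtable} on
     * {@code subject}. When the Subject carries no such table, the request is rejected if the
     * message policy is mandatory and treated as unauthenticated otherwise. A security name equal
     * to the unauthenticated marker yields an unauthenticated Subject without a login call. For
     * any other name the context manager performs the login; no password is passed in that call,
     * so the name asserted by the provider is what gets logged in.
     *
     * <p>Credential values are kept out of the trace; only the key names of the table are logged.
     *
     * @param subject Subject filled in by {@code validateRequest}
     * @param webRequest the request being authenticated
     * @return the resulting Subject, never {@code null}
     * @throws WSLoginFailedException when credentials are missing under a mandatory policy or the
     *         login returns no Subject
     */
    protected Subject doJaspiCustomLogin(Subject subject, WebRequest webRequest) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doJaspiCustomLogin");
        }
        Hashtable<String, Object> customCredentials = getCustomCredentials(subject);
        ContextManager contextManager = webRequest.getContextManager();
        String unauthenticatedString = contextManager.getUnauthenticatedString();
        String securityName;
        if (customCredentials != null) {
            securityName = (String) customCredentials.get(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME);
        } else {
            // Fail closed: a protected resource must not fall back to the unauthenticated identity.
            if (Boolean.parseBoolean((String) webRequest.getMessageInfo().getMap().get(IS_MANDATORY_POLICY))) {
                throw new WSLoginFailedException("JASPI custom login cannot be performed, Subject does not have Hashtable with custom credentials.");
            }
            securityName = unauthenticatedString;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Web resource is unprotected and Subject does not have Hashtable with custom credentials.");
            }
        }
        Subject login;
        if (unauthenticatedString.equals(securityName)) {
            login = SubjectHelper.createUnauthenticatedSubject();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Jaspi Subject is unauthenticated, custom login is not necessary.");
            }
        } else {
            if (securityName == null) {
                securityName = "";
            }
            String property = webRequest.getSecurityConfig().getProperty("com.ibm.ws.security.webInboundLoginConfig");
            HttpServletRequest httpServletRequest = webRequest.getHttpServletRequest();
            HttpServletResponse httpServletResponse = (HttpServletResponse) webRequest.getMessageInfo().getResponseMessage();
            if (tc.isDebugEnabled()) {
                // The table is a private credential; tracing its values would write them to the trace file.
                Tr.debug(tc, "JASPI login, authMech: " + property + ", custom cred keys: " + (customCredentials != null ? customCredentials.keySet() : null));
            }
            login = contextManager.login((String) null, securityName, property, httpServletRequest, httpServletResponse, (HashMap) null, subject);
            if (login == null) {
                throw new WSLoginFailedException("JASPI custom login failed, user: " + securityName + ", realm: " + ((String) null) + ", authMech: " + property);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doJaspiCustomLogin", "JASPI Subject successfully authenticated? " + (login != null));
        }
        return login;
    }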

    /**
     * Sets the run-secureResponse flag on the given JASPI auth context. Does nothing when the
     * context is {@code null}.
     *
     * @param z new flag value
     * @param jaspiAuthContext context to update; may be {@code null}
     */
    void setRunSecureResponse(boolean z, JaspiCollaborator.JaspiAuthContext jaspiAuthContext) {
        if (jaspiAuthContext == null) {
            return;
        }
        jaspiAuthContext.setRunSecureResponse(z);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setRunSecureResponse: " + z);
        }
    }

    /**
     * Builds the property map passed to {@code ServerAuthConfig.getAuthContext}. It holds a
     * single entry, the policy context string, under {@code JACC_POLICY_CONTEXT}.
     *
     * @param webRequest the request being processed
     * @return a new map with the policy context entry
     */
    private Map<String, String> getAuthContextProps(WebRequest webRequest) {
        String policyContext;
        if (webRequest.isJaccEnabled()) {
            policyContext = WSAccessManager.getContextID(webRequest.getAppName()) + "/" + webRequest.getModuleName();
        } else {
            policyContext = "href:" + this.cellName + "/" + webRequest.getAppName() + "/" + webRequest.getModuleName();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JACC Policy Context: " + policyContext);
        }
        Map<String, String> properties = new HashMap<String, String>();
        properties.put(JACC_POLICY_CONTEXT, policyContext);
        return properties;
    }

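    /**
     * Adds or removes the login()/authenticate() request attributes in the MessageInfo map.
     *
     * <p>When {@code z} is {@code true} the operation name, user name and password from the
     * request are stored in the map; when {@code false} those three keys are removed. The exit
     * trace lists the map's key names only, because the map holds the password while the keys are set.
     *
     * @param webRequest request whose MessageInfo map is updated
     * @param str operation name stored under {@code JASPI_WEB_REQUEST}
     * @param z {@code true} to add the entries, {@code false} to remove them
     */
    private void setRunAsOrServlet30Request(WebRequest webRequest, String str, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setRunAsOrServlet30Request operationName: " + str + " doSet: " + z);
        }
        Map map = webRequest.getMessageInfo().getMap();
        if (z) {
            map.put(JASPI_WEB_REQUEST, str);
            map.put(JASPI_USER, webRequest.getUser());
            map.put(JASPI_PASSWORD, webRequest.getPassword());
        } else {
            map.remove(JASPI_WEB_REQUEST);
            map.remove(JASPI_USER);
            map.remove(JASPI_PASSWORD);
        }
        if (tc.isEntryEnabled()) {
            // Tracing the map itself would print the password value stored under JASPI_PASSWORD.
            Tr.exit(tc, "setRunAsOrServlet30Request", map.keySet());
        }
    }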
}
