package com.ibm.ws.security.auth.kerberos;

import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.auth.callback.WSAuthMechOidCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.auth.util.CredentialsHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSAppContextCallback;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.AuthorizationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/security/auth/kerberos/WSKrb5LoginModule.class */
public class WSKrb5LoginModule implements LoginModule {
    /** Subject handed to {@link #initialize}; login() reads credentials from it and commit() adds to it. */
    private Subject _subject;
    /** Handler driven by login() when no Callback[] is already cached in shared state; may be null. */
    private CallbackHandler _callbackHandler;
    /** JAAS shared state: cached callbacks, ticket/principal, custom properties and the results login() publishes. */
    private Map _sharedState;
    /** Module options from the JAAS configuration; only the "debug" option is read here. */
    private Map _options;
    /** Principal established by login() (re-read from shared state in commit()). */
    private WSPrincipal _principal;
    /** WebSphere credential established by login() (re-read from shared state in commit()). */
    private WSCredential _credential;
    /** GSSCredential found in the Subject by login(), or created under Subject.doAs in commit() when absent. */
    private GSSCredential _gssCred = null;
    /** Kerberos ticket taken from shared state in login() and from the Subject in commit(). */
    private KerberosTicket _kTicket = null;
    /** Kerberos principal taken from shared state in login(). */
    private KerberosPrincipal _kPrinc = null;
    /** User id to log in as: the custom-properties WSCREDENTIAL_USERID, overridden by a RACF mapping when one exists. */
    private String mapUid = null;
    /** Result of Krb5Utils.mapKerbPrincToRACF for the principal / GSS name, or null when there is no mapping. */
    private String _racfId = null;
    /** Name finally used for credential creation or authenticate(). */
    private String _loginUser = null;
    /** True once login() has succeeded or deliberately stood aside; commit() refuses to run otherwise. */
    private boolean succeeded = false;
    /** True once a commit completed (presumably set at the end of commit(), outside this view); a later login() cleans up first. */
    private boolean commitSucceeded = false;
    /** Set by the token-only login path; commit() consults it when delegated GSS credentials are disabled. */
    protected boolean validatedone = false;
    /** True when login() established a credential; commit() only builds GSS/KRB tokens when set. */
    protected boolean authenticatedone = false;
    /** Cleared when login() decides another module handles this request; commit() then returns immediately. */
    private boolean isKerberosLogin = true;
    /** Set when a custom-properties Hashtable has an empty unique id or no GSSCredential is present; commit() returns immediately. */
    private boolean skipCreateWSCredential = false;
    /** Forces debug tracing on; stays true until initialize() reads the "debug" option. */
    protected boolean debug = true;
    private static final TraceComponent tc = Tr.register((Class<?>) WSKrb5LoginModule.class, (String) null, Krb5NLS.MSG_FILE);

    /**
     * Creates an uninitialized module; JAAS calls {@link #initialize} before any other
     * method. The constructor only traces its entry and exit.
     */
    public WSKrb5LoginModule() {
        boolean traceEntry = tc.isEntryEnabled();
        if (traceEntry) {
            Tr.entry(tc, "WSKrb5LoginModule()");
            Tr.exit(tc, "WSKrb5LoginModule()");
        }
    }

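    /**
     * JAAS initialization hook. Stores the subject, callback handler, shared state and
     * options for {@link #login()} / {@link #commit()} and reads the module's "debug" option.
     * <p>
     * Only the shared-state and option <em>keys</em> are traced. The values can carry
     * authentication material (the cached Callback[], credential tokens, a KerberosTicket
     * whose toString() includes the session key in the reference JDK) and must not be
     * written to trace. The handler may legitimately be null - login() reports that case
     * with a LoginException - so nothing here dereferences it.
     *
     * @param subject         the Subject being authenticated
     * @param callbackHandler handler used to gather authentication data; may be null
     * @param sharedState     state shared with the other modules of the stack
     * @param options         module options from the JAAS configuration
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        this._subject = subject;
        this._callbackHandler = callbackHandler;
        this._sharedState = sharedState;
        this._options = options;
        // Accept any value type for "debug" rather than failing with a ClassCastException.
        Object debugOption = options != null ? options.get("debug") : null;
        this.debug = debugOption != null && "true".equalsIgnoreCase(debugOption.toString());
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(subject = " + (subject != null ? "<present>" : "<null>")
                    + ", callbackHandler = " + (callbackHandler != null ? callbackHandler.getClass().getName() : "<null>")
                    + ", sharedState keys = " + (sharedState != null ? sharedState.keySet() : "<null>")
                    + ", option keys = " + (options != null ? options.keySet() : "<null>") + ")");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "WSLoginModuleImpl initialized");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }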

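    /**
     * JAAS phase one. Collects the authentication data (reusing the Callback[] a previous
     * module cached under CALLBACK_KEY, otherwise driving the CallbackHandler), decides
     * whether this module handles the login at all, and for a Kerberos login establishes
     * {@code _loginUser}, {@code _credential} and {@code _principal}, publishing them to
     * shared state under WSCREDENTIAL_USERID / WSCREDENTIAL_KEY / WSPRINCIPAL_KEY.
     * <p>
     * Outcomes, in the order they are checked:
     * <ul>
     * <li>cell security disabled: an unauthenticated subject is handed back and login succeeds;</li>
     * <li>not a Kerberos login, a certificate chain, an authz token list next to a token /
     *     GSSCredential, or only a user id: {@code isKerberosLogin} is cleared and the module
     *     stands aside (returns true; commit() then does nothing);</li>
     * <li>a custom-properties Hashtable carrying WSCREDENTIAL_UNIQUEID plus a GSSCredential:
     *     credentials are built straight from the Hashtable. The table is trusted as-is, so
     *     whoever put it into the Subject / shared state must already have authenticated the
     *     user;</li>
     * <li>a GSSCredential and no authz token list: credentials are built from the GSS name
     *     (after RACF mapping or trimming);</li>
     * <li>a Kerberos token only: credentials are built from mapUid or the shared-state
     *     KerberosPrincipal;</li>
     * <li>otherwise (user id with password or token): {@code authenticate(String)} runs.</li>
     * </ul>
     *
     * @return true when this module succeeded or deliberately stood aside
     * @throws LoginException when no callback handler or no authentication data is available,
     *         the handler fails, or credential creation / authentication fails
     */
    public boolean login() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        ContextManager contextManager = ContextManagerFactory.getInstance();
        if (!contextManager.isCellSecurityEnabled()) {
            // Cell security is off: nothing is verified, an unauthenticated subject is returned.
            try {
                Tr.warning(tc, "security.disabled.during.login");
                if (tc.isDebugEnabled()) {
                    Thread.dumpStack();
                }
                this._credential = SubjectHelper.getWSCredentialFromSubject(SubjectHelper.createUnauthenticatedSubject());
                this._principal = SubjectHelper.createPrincipal(this._credential);
                this._sharedState.put(Constants.WSPRINCIPAL_KEY, this._principal);
                this._sharedState.put(Constants.WSCREDENTIAL_KEY, this._credential);
                this.succeeded = true;
                if (this.debug || tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(security disabled)");
                }
                return this.succeeded;
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception creating principal.", new Object[]{e});
                }
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.login", "245", this);
                throw new WSLoginFailedException(e.getMessage(), e);
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "shared state contains: " + this._sharedState.keySet());
        }
        if (this.commitSucceeded) {
            // A previous login/commit cycle on this instance completed; start from a clean slate.
            this.succeeded = false;
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "The login module is in funny state, cleanup before starting a new login process.");
            }
            cleanup();
        }
        if (this._callbackHandler == null) {
            WSLoginFailedException noHandler = new WSLoginFailedException("No CallbackHandler available to gather authentication information from the user.");
            contextManager.setRootException(noHandler);
            throw noHandler;
        }

        // --- 1. Collect the callbacks -------------------------------------------------------
        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        WSCredTokenCallbackImpl credTokenCallback = null;
        WSTokenHolderCallback tokenHolderCallback = null;
        WSRealmNameCallbackImpl realmNameCallback = null;
        WSX509CertificateChainCallback certChainCallback = null;
        WSAuthMechOidCallbackImpl authMechOidCallback = null;
        if (this._sharedState.containsKey(Constants.CALLBACK_KEY)) {
            // An earlier module in the stack already drove the handler; reuse its callbacks.
            Callback[] cachedCallbacks = (Callback[]) this._sharedState.get(Constants.CALLBACK_KEY);
            for (Callback cb : cachedCallbacks) {
                if (cb == null) {
                    continue;
                }
                if (cb instanceof NameCallback) {
                    nameCallback = (NameCallback) cb;
                } else if (cb instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) cb;
                } else if (cb instanceof WSCredTokenCallbackImpl) {
                    credTokenCallback = (WSCredTokenCallbackImpl) cb;
                } else if (cb instanceof WSServletRequestCallback
                        || cb instanceof WSServletResponseCallback
                        || cb instanceof WSAppContextCallback) {
                    // Requested for the benefit of other modules; not used here.
                } else if (cb instanceof WSTokenHolderCallback) {
                    tokenHolderCallback = (WSTokenHolderCallback) cb;
                } else if (cb instanceof WSRealmNameCallbackImpl) {
                    realmNameCallback = (WSRealmNameCallbackImpl) cb;
                } else if (cb instanceof WSX509CertificateChainCallback) {
                    certChainCallback = (WSX509CertificateChainCallback) cb;
                } else if (cb instanceof WSAuthMechOidCallbackImpl) {
                    authMechOidCallback = (WSAuthMechOidCallbackImpl) cb;
                } else if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "The following callback was ignored: " + cb.getClass().getName());
                }
            }
        } else {
            nameCallback = new NameCallback("Username: ");
            passwordCallback = new PasswordCallback("Password: ", false);
            credTokenCallback = new WSCredTokenCallbackImpl("Credential Token: ");
            tokenHolderCallback = new WSTokenHolderCallback("Authz Token List: ");
            realmNameCallback = new WSRealmNameCallbackImpl("Realm Name", contextManager.getDefaultRealm());
            certChainCallback = new WSX509CertificateChainCallback("X509Certificate[]: ");
            authMechOidCallback = new WSAuthMechOidCallbackImpl("AuthMechOid: ");
            Callback[] callbacks = {nameCallback, passwordCallback, credTokenCallback,
                    new WSServletRequestCallback("HttpServletRequest: "),
                    new WSServletResponseCallback("HttpServletResponse: "),
                    new WSAppContextCallback("ApplicationContextCallback: "),
                    tokenHolderCallback, realmNameCallback, certChainCallback, authMechOidCallback};
            try {
                this._callbackHandler.handle(callbacks);
                // Cache them so the modules that follow do not prompt the user again.
                this._sharedState.put(Constants.CALLBACK_KEY, callbacks);
            } catch (IOException e) {
                // Probe ids below carry the ltpaLoginModule name; kept as-is for support tooling.
                FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "312", this);
                Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e});
                contextManager.setRootException(e);
                throw new WSLoginFailedException("IOException: " + e.getMessage(), e);
            } catch (UnsupportedCallbackException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.server.lm.ltpaLoginModule.login", "317", this);
                Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e.getCallback().toString(), e});
                contextManager.setRootException(e);
                throw new WSLoginFailedException(e.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e.getMessage(), e);
            }
        }

        // --- 2. Extract the raw authentication data -----------------------------------------
        String authMechOid = authMechOidCallback != null ? authMechOidCallback.getAuthMechOid() : null;
        String name = nameCallback != null ? nameCallback.getName() : null;
        // This module only needs to know whether a password was supplied; it never uses the
        // characters. Record the fact and wipe the copy getPassword() hands back rather than
        // keeping an un-zeroed copy of the secret on the heap for the rest of the login.
        boolean hasPassword = false;
        if (passwordCallback != null) {
            char[] password = passwordCallback.getPassword();
            if (password != null) {
                hasPassword = password.length != 0;
                Arrays.fill(password, '\0');
            }
        }
        String realmName = realmNameCallback != null ? realmNameCallback.getRealmName() : null;
        byte[] credToken = null;
        if (credTokenCallback != null) {
            byte[] suppliedToken = credTokenCallback.getCredToken();
            if (suppliedToken != null) {
                credToken = CredentialsHelper.copyCredToken(suppliedToken);
                if (authMechOid == null || authMechOid.length() == 0) {
                    // No mechanism OID was passed in; derive it from the GSS token itself.
                    try {
                        authMechOid = GSSFactory.getMechOIDFromGSSToken(credToken);
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "authMechOid pass in is null, get authMechOid from the credToken: " + authMechOid);
                        }
                    } catch (Exception e) {
                        throw new WSLoginFailedException("Get authMechOid from the credToken exception - " + e.getMessage(), e);
                    }
                }
            }
        }
        this.isKerberosLogin = Krb5Utils.isKrb5Login(authMechOid, name);
        if (!this.isKerberosLogin) {
            this.succeeded = true;
            return this.succeeded;
        }
        X509Certificate[] certChain = certChainCallback != null ? certChainCallback.getX509CertificateChain() : null;
        List tokenHolderList = tokenHolderCallback != null ? tokenHolderCallback.getTokenHolderList() : null;
        this._gssCred = SubjectHelper.getGSSCredentialFromSubject(this._subject);

        // --- 3. Custom properties and principal mapping -------------------------------------
        Hashtable customProps = (Hashtable) this._sharedState.get(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY);
        if (customProps == null) {
            customProps = findCustomPropertiesInSubject(contextManager);
        }
        if (customProps != null) {
            this.mapUid = (String) customProps.get(AttributeNameConstants.WSCREDENTIAL_USERID);
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "sharedState mapUid: " + this.mapUid);
        }
        this._kTicket = (KerberosTicket) this._sharedState.get(AttributeNameConstants.KERBEROS_TICKET);
        this._kPrinc = (KerberosPrincipal) this._sharedState.get(AttributeNameConstants.KERBEROS_PRINCIPAL);
        if (this._kPrinc != null) {
            // A RACF mapping, when one exists, overrides the user id from the custom properties.
            this._racfId = Krb5Utils.mapKerbPrincToRACF(this._kPrinc.toString(), this._gssCred);
            if (this._racfId != null) {
                this.mapUid = this._racfId;
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Map Kerberos principal to RACF id (mapUid): " + this.mapUid);
                }
                this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_USERID, this.mapUid);
            }
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "uid = " + name);
            Tr.debug(tc, "password = " + (hasPassword ? "XXXXXXXX" : "<null>"));
            Tr.debug(tc, "mapUid = " + this.mapUid);
            Tr.debug(tc, "_kPrinc = " + this._kPrinc);
            Tr.debug(tc, "_racfId = " + this._racfId);
            Tr.debug(tc, "realm = " + realmName);
            Tr.debug(tc, "authMechOid = " + authMechOid);
            Tr.debug(tc, "cred token = " + (credToken != null ? "<not null>" : "<null>"));
            Tr.debug(tc, "_kTicket = " + (this._kTicket != null ? "<not null>" : "<null>"));
            Tr.debug(tc, "_gssCred = " + (this._gssCred != null ? "<not null>" : "<null>"));
            Tr.debug(tc, "certChain = " + certChain);
            Tr.debug(tc, "customProperties = " + customProps);
            Tr.debug(tc, "authz token list = " + tokenHolderList);
        }

        // --- 4. Decide who handles the login ------------------------------------------------
        if (certChain != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Certificate pass in. Skipping WSKrb5LoginModule. Handling login outside this login module.");
            }
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        boolean trimUserName = SecurityObjectLocator.getSecurityConfig().getActiveAuthMechanism().getBoolean("trimUserName");
        if (customProps != null && customProps.get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID) != null) {
            // Hashtable login: the supplied properties are taken on trust, no further check here.
            String uniqueId = (String) customProps.get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID);
            if (uniqueId.length() == 0 || this._gssCred == null) {
                this.skipCreateWSCredential = true;
            } else {
                createCredentialsFromHashtable(customProps, this._gssCred);
                this._sharedState.put(Constants.WSCREDENTIAL_KEY, this._credential);
                this._sharedState.put(Constants.WSPRINCIPAL_KEY, this._principal);
            }
            this.succeeded = true;
            return this.succeeded;
        }
        if (this._gssCred != null && tokenHolderList == null) {
            try {
                GSSName gssName = this._gssCred.getName();
                if (gssName != null) {
                    String gssUserName = gssName.toString();
                    this._racfId = Krb5Utils.mapKerbPrincToRACF(gssUserName, this._gssCred);
                    if (this._racfId != null) {
                        this.mapUid = this._racfId;
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Map gssUserName to RACF id (mapUid): " + this.mapUid);
                        }
                    }
                    if (this.mapUid != null) {
                        this._loginUser = this.mapUid;
                    } else {
                        this._loginUser = trimUserName ? Krb5Utils.trimUserName(gssUserName) : gssUserName;
                    }
                    createCredentialsFromUsername(this._loginUser);
                    this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_USERID, this._loginUser);
                    this._sharedState.put(Constants.WSCREDENTIAL_KEY, this._credential);
                    this._sharedState.put(Constants.WSPRINCIPAL_KEY, this._principal);
                }
                this.succeeded = true;
                return this.succeeded;
            } catch (GSSException e) {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Error getting name from GSSCredential.");
                }
                throw new WSLoginFailedException(e.getMessage(), e);
            }
        }
        if ((credToken != null || this._gssCred != null) && tokenHolderList != null) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Skipping WSKrb5LoginModule to validate in wsMapDefaultInboundLoginModule.");
            }
            this.isKerberosLogin = false;
            this.succeeded = true;
            return this.succeeded;
        }
        if ((name == null && !hasPassword && credToken == null) || (name == null && this.mapUid == null && this._kPrinc == null)) {
            throw new LoginException("No authentication data.");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Successfully gathered authentication information");
        }
        if (name != null && !hasPassword && credToken == null) {
            this.isKerberosLogin = false;
            this.succeeded = true;
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Only UID pass in. Skipping WSKrb5LoginModule. Handling login outside this login module.");
            }
            return this.succeeded;
        }

        // --- 5. Authenticate ----------------------------------------------------------------
        if (name == null && !hasPassword) {
            if (credToken == null) {
                // Unreachable after the checks above; kept as a guard.
                throw new LoginException("No authentication data");
            }
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using Kerberos token for authentication");
            }
            // The "no authentication data" check above guarantees mapUid or _kPrinc is set here.
            if (this.mapUid != null) {
                this._loginUser = this.mapUid;
            } else if (this._kPrinc != null) {
                this._loginUser = trimUserName ? Krb5Utils.trimUserName(this._kPrinc.toString()) : this._kPrinc.toString();
            }
            createCredentialsFromUsername(this._loginUser);
            this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_USERID, this._loginUser);
            this.validatedone = true;
            if (this._credential != null) {
                this.succeeded = true;
                this.authenticatedone = true;
            } else {
                this.succeeded = false;
            }
        } else {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Using Kerberos ticket for authentication");
            }
            if (this.mapUid != null) {
                this._loginUser = this.mapUid;
            } else {
                this._loginUser = trimUserName ? Krb5Utils.trimUserName(name) : name;
            }
            try {
                this.authenticatedone = authenticate(this._loginUser);
                this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_USERID, this._loginUser);
                this.succeeded = true;
            } catch (Exception e) {
                // Always record the failure and surface its cause. Previously it was logged only
                // under debug and then reported as an unrelated "credential is null".
                Tr.error(tc, "security.auth.kerberos.LoginException", new Object[]{this._loginUser, e});
                contextManager.setRootException(e);
                throw new WSLoginFailedException(e.getMessage(), e);
            }
        }
        if (this._credential == null && !this.skipCreateWSCredential) {
            throw new LoginException("credential is null");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "credential = " + this._credential);
        }
        if (this._credential != null) {
            this._sharedState.put(Constants.WSCREDENTIAL_KEY, this._credential);
            this._sharedState.put(Constants.WSPRINCIPAL_KEY, this._principal);
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "login()");
        }
        return this.succeeded;
    }

    /**
     * Looks for a "hashtable login" properties table in the Subject: the first Hashtable in
     * the public, then the private, credential set that carries WSCREDENTIAL_UNIQUEID or
     * WSCREDENTIAL_USERID. Runs privileged because reading a Subject's credential sets is
     * permission-checked.
     *
     * @param contextManager used to record the root exception on failure
     * @return the matching Hashtable, or null when the Subject carries none
     * @throws WSLoginFailedException when the credential sets cannot be read
     */
    private Hashtable findCustomPropertiesInSubject(ContextManager contextManager) throws WSLoginFailedException {
        final Subject subject = this._subject;
        try {
            return (Hashtable) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override
                public Object run() throws CredentialDestroyedException, CredentialExpiredException {
                    Hashtable found = selectPropertiesHashtable(subject.getPublicCredentials().toArray(), "public");
                    if (found == null) {
                        found = selectPropertiesHashtable(subject.getPrivateCredentials().toArray(), "private");
                    }
                    return found;
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e.getException(), "com.ibm.ws.security.auth.kerberos.wskrb5loginmodule.login", "468", this);
            contextManager.setRootException(e.getException());
            throw new WSLoginFailedException(e.getException().getMessage(), e.getException());
        }
    }

    /**
     * Returns the first element of {@code creds} that is a Hashtable with a WSCREDENTIAL_UNIQUEID
     * or WSCREDENTIAL_USERID entry, or null. {@code listName} is only used for tracing.
     */
    private Hashtable selectPropertiesHashtable(Object[] creds, String listName) {
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Looking for custom properties in " + listName + " cred list.");
        }
        for (int i = 0; i < creds.length; i++) {
            if (this.debug || tc.isDebugEnabled()) {
                // Class name only: the private set can hold tickets and keys whose toString()
                // would put secret material into the trace file.
                Tr.debug(tc, "Object[" + i + "] in " + listName + " list: " + (creds[i] == null ? "null" : creds[i].getClass().getName()));
            }
            if (creds[i] instanceof Hashtable) {
                Hashtable candidate = (Hashtable) creds[i];
                if (candidate.get(AttributeNameConstants.WSCREDENTIAL_UNIQUEID) != null
                        || candidate.get(AttributeNameConstants.WSCREDENTIAL_USERID) != null) {
                    return candidate;
                }
            }
        }
        return null;
    }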

    public boolean commit() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (!this.isKerberosLogin || this.skipCreateWSCredential) {
            return true;
        }
        if (!this.succeeded) {
            if (!this.debug && !tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "Do not commit because of authentication failed.");
            return false;
        }
        if (!this.commitSucceeded) {
            if (this.authenticatedone) {
                try {
                    this._credential = (WSCredential) this._sharedState.get(Constants.WSCREDENTIAL_KEY);
                    this._principal = (WSPrincipal) this._sharedState.get(Constants.WSPRINCIPAL_KEY);
                    this._kTicket = SubjectHelper.getKerberosTicketFromSubject(this._subject);
                    if (this._kTicket != null) {
                        boolean isRenewable = this._kTicket.isRenewable();
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Kerberos Ticket renewable is " + String.valueOf(isRenewable));
                        }
                        final String name = this._kTicket.getClient().getName();
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Name for cred: " + name);
                        }
                        Krb5Utils.setUseSubjectCredsOnly(true);
                        try {
                            Subject.doAs(this._subject, new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.2
                                @Override // java.security.PrivilegedExceptionAction
                                public Object run() throws WSLoginFailedException {
                                    try {
                                        Oid krb5MechOid = Krb5Utils.getKrb5MechOid();
                                        GSSManager gSSManager = GSSManager.getInstance();
                                        if (WSKrb5LoginModule.this._gssCred == null) {
                                            WSKrb5LoginModule.this._gssCred = gSSManager.createCredential((name != null ? gSSManager.createName(name, GSSName.NT_USER_NAME, krb5MechOid) : null).canonicalize(krb5MechOid), Integer.MAX_VALUE, krb5MechOid, 1);
                                            if (WSKrb5LoginModule.this._gssCred != null && WSKrb5LoginModule.this._credential == null) {
                                                SubjectHelper.putGSSCredentialInSubject(WSKrb5LoginModule.this._gssCred, WSKrb5LoginModule.this._subject);
                                            }
                                            if (WSKrb5LoginModule.this._credential != null) {
                                                WSKrb5LoginModule.this._credential = Krb5WSCredentialUtils.Krb5ToAuthMechWSCredential(WSKrb5LoginModule.this._subject, WSKrb5LoginModule.this._gssCred, WSKrb5LoginModule.this._credential);
                                                WSKrb5LoginModule.this._sharedState.put(Constants.WSCREDENTIAL_KEY, WSKrb5LoginModule.this._credential);
                                            }
                                            SingleSignonToken singleSignonToken = (SingleSignonToken) WSKrb5LoginModule.this._sharedState.get(Constants.WSSSOTOKEN_KEY);
                                            if (singleSignonToken != null) {
                                                if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                                                    Tr.debug(WSKrb5LoginModule.tc, "Setting expiration in SSO token: " + String.valueOf(WSKrb5LoginModule.this._credential.getExpiration()));
                                                }
                                                singleSignonToken.addAttribute(AttributeNameConstants.WSCREDENTIAL_EXPIRATION, String.valueOf(WSKrb5LoginModule.this._credential.getExpiration()));
                                                WSKrb5LoginModule.this._sharedState.put(Constants.WSSSOTOKEN_KEY, singleSignonToken);
                                            } else if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                                                Tr.debug(WSKrb5LoginModule.tc, "Could not find the SSO token in shared state.");
                                            }
                                            AuthorizationToken authorizationToken = (AuthorizationToken) WSKrb5LoginModule.this._sharedState.get(Constants.WSAUTHZTOKEN_KEY);
                                            if (authorizationToken != null) {
                                                authorizationToken.addAttribute(AttributeNameConstants.WSCREDENTIAL_EXPIRATION, String.valueOf(WSKrb5LoginModule.this._credential.getExpiration()));
                                                authorizationToken.addAttribute(AttributeNameConstants.WSCREDENTIAL_OID, WSKrb5LoginModule.this._credential.getOID());
                                                authorizationToken.addAttribute(AttributeNameConstants.WSCREDENTIAL_FORWARDABLE, String.valueOf(WSKrb5LoginModule.this._credential.isForwardable()));
                                            } else if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                                                Tr.debug(WSKrb5LoginModule.tc, "Could not find the authorization token in shared state.");
                                            }
                                        }
                                        return null;
                                    } catch (GSSException e) {
                                        if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                                            Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.GSSException", new Object[]{e});
                                        }
                                        throw new WSLoginFailedException(e.getMessage(), e);
                                    } catch (Exception e2) {
                                        if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                                            Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.Exception", new Object[]{e2});
                                        }
                                        throw new WSLoginFailedException(e2.getMessage(), e2);
                                    }
                                }
                            });
                        } catch (PrivilegedActionException e) {
                            Tr.debug(tc, "Exception in Subject.doAS.", new Object[]{e});
                            throw e.getException();
                        }
                    } else if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos Ticket is null ");
                    }
                    KRBAuthnToken kRBAuthnToken = null;
                    if (!SecurityObjectLocator.getSecurityConfig().getActiveAuthMechanism().getBoolean("enabledGssCredDelegate") && this.validatedone) {
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "Delegated GSSCredential is not enabled");
                        }
                        if (this._kPrinc != null) {
                            kRBAuthnToken = Krb5Utils.createKRBAuthnToken(null, null, this._kPrinc, null, 0L);
                        } else if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "No Kerberos principal in shared state, can not create KRBAuthnToken");
                        }
                    } else if (this._gssCred != null || this._kTicket != null || this._kPrinc != null) {
                        kRBAuthnToken = Krb5Utils.createKRBAuthnToken(this._kTicket, this._gssCred, this._kPrinc, null, 0L);
                    } else if (this.debug || tc.isDebugEnabled()) {
                        Tr.debug(tc, "No gssCred, Kerberos ticket, and  Kerberos principal in shared state, can not create KRBAuthnToken");
                    }
                    if (kRBAuthnToken != null && this.mapUid != null && this.mapUid.length() > 0) {
                        if (this.debug || tc.isDebugEnabled()) {
                            Tr.debug(tc, "krbAuthnToken addAttribute mapUid: " + this.mapUid);
                        }
                        kRBAuthnToken.addTokenAttribute(CommonConstants.KRB_MAP_UID, this.mapUid);
                    }
                    if (kRBAuthnToken != null && !this._subject.getPrivateCredentials().contains(kRBAuthnToken)) {
                        this._subject.getPrivateCredentials().add(kRBAuthnToken);
                    }
                } catch (Exception e2) {
                    Tr.debug(tc, "Exception during commit.", new Object[]{e2});
                    if (e2 instanceof WSLoginFailedException) {
                        throw ((WSLoginFailedException) e2);
                    }
                    throw new WSLoginFailedException(e2.getMessage(), e2);
                }
            }
            if (this._principal == null) {
                this._principal = (WSPrincipal) this._sharedState.get(Constants.WSPRINCIPAL_KEY);
                if (this._principal == null) {
                    throw new WSLoginFailedException("WSPrincipal is null in commit (phase 2) stage");
                }
            } else if (this._sharedState.get(Constants.WSPRINCIPAL_KEY) == null) {
                this._sharedState.put(Constants.WSPRINCIPAL_KEY, this._principal);
            }
            if (this._credential == null) {
                this._credential = (WSCredential) this._sharedState.get(Constants.WSCREDENTIAL_KEY);
                if (this._credential == null) {
                    throw new WSLoginFailedException("WSCredential is null in commit (phase 2) stage");
                }
            } else if (this._sharedState.get(Constants.WSCREDENTIAL_KEY) == null) {
                this._sharedState.put(Constants.WSCREDENTIAL_KEY, this._credential);
            }
            try {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Start committing the changes to the Subject ...");
                }
                AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.kerberos.WSKrb5LoginModule.3
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        if (!WSKrb5LoginModule.this._subject.getPrincipals().contains(WSKrb5LoginModule.this._principal)) {
                            WSKrb5LoginModule.this._subject.getPrincipals().add(WSKrb5LoginModule.this._principal);
                        }
                        if (WSKrb5LoginModule.this._subject.getPublicCredentials().contains(WSKrb5LoginModule.this._credential)) {
                            return null;
                        }
                        WSKrb5LoginModule.this._subject.getPublicCredentials().add(WSKrb5LoginModule.this._credential);
                        return null;
                    }
                });
                if (SubjectHelper.getGSSCredentialFromSubject(this._subject) == null && WSSecurityHelper.isGlobalSecurityEnabled() && (this.debug || tc.isDebugEnabled())) {
                    Tr.debug(tc, "GSSCredential is not in the Subject after commit (phase 2) stage.");
                }
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Change committed!");
                }
                this.commitSucceeded = true;
            } catch (Exception e3) {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.error(tc, "security.auth.kerberos.DoPrivException", new Object[]{e3});
                }
                cleanup();
                this.commitSucceeded = false;
            }
        } else if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "It has been committed prior this call, nothing is done.");
        }
        try {
            if (this._kTicket != null && this._subject.getPrivateCredentials().contains(this._kTicket)) {
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Removed Kerberos ticket from a subject: " + this._kTicket);
                }
                this._subject.getPrivateCredentials().remove(this._kTicket);
                if (this.debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Removed KerberosTicket from sharedState");
                }
                if (((KerberosTicket) this._sharedState.get(AttributeNameConstants.KERBEROS_TICKET)) != null) {
                    this._sharedState.remove(AttributeNameConstants.KERBEROS_TICKET);
                }
            }
        } catch (Exception e4) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.error(tc, "security.auth.kerberos.RemCredException", new Object[]{e4});
            }
        }
        boolean z = this.commitSucceeded;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return z;
    }

    /**
     * JAAS abort phase: delegates to {@link #cleanup()}, which removes the principal and
     * credential this module added to the Subject, destroys the credential and resets the
     * {@code succeeded}/{@code commitSucceeded} flags. The Subject itself is left in place.
     *
     * @return always {@code true}
     * @throws LoginException declared for the {@code LoginModule} contract; nothing in this
     *         body throws it
     */
    public boolean abort() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes principal and credential, reset variables.");
            Tr.debug(tc, "Start cleanup ...");
        }
        // All state reversal lives in cleanup(); abort() only adds tracing around it.
        cleanup();
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }
        final boolean traceExit = this.debug || tc.isEntryEnabled();
        if (traceExit) {
            Tr.exit(tc, "abort()");
        }
        return true;
    }

    /**
     * JAAS logout phase: delegates to {@link #cleanup()}, which removes the principal and
     * credential this module added to the Subject, destroys the credential and resets the
     * {@code succeeded}/{@code commitSucceeded} flags. Identical in effect to {@link #abort()}.
     *
     * @return always {@code true}
     * @throws LoginException declared for the {@code LoginModule} contract; nothing in this
     *         body throws it
     */
    public boolean logout() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes principal and credential, reset variables.");
            Tr.debug(tc, "Start cleanup ...");
        }
        // All state reversal lives in cleanup(); logout() only adds tracing around it.
        cleanup();
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }
        final boolean traceExit = this.debug || tc.isEntryEnabled();
        if (traceExit) {
            Tr.exit(tc, "logout()");
        }
        return true;
    }

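    /**
     * Removes everything this module added to the Subject and resets its state flags.
     *
     * <p>Clears {@code succeeded} and {@code commitSucceeded}, then inside a privileged block
     * removes {@code _principal} from the Subject's principals, {@code _credential} from its
     * public credentials and {@code _kTicket} from its private credentials, and finally calls
     * {@code _credential.destroy()}. Each step is attempted on its own so one failure does not
     * prevent the others; failures are reported through trace only and never propagate.
     * Afterwards {@code _principal} and {@code _credential} are set to {@code null}.
     *
     * <p>NOTE(review): {@code _kTicket}, {@code _gssCred} and {@code _kPrinc} are left as they
     * are, and the Kerberos ticket is removed from the Subject but not destroyed; whether a
     * later login re-initialises these fields is not visible in this part of the class —
     * confirm before relying on it.
     */
    private void cleanup() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing principal, Kerberos ticket and credentials from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                // Principal: only remove what this module itself added.
                try {
                    if (WSKrb5LoginModule.this._principal != null
                            && WSKrb5LoginModule.this._subject.getPrincipals().contains(WSKrb5LoginModule.this._principal)) {
                        WSKrb5LoginModule.this._subject.getPrincipals().remove(WSKrb5LoginModule.this._principal);
                    }
                } catch (Exception e) {
                    if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                        Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.RemPrincException", new Object[]{e});
                    }
                }
                // Public credential (the WSCredential).
                try {
                    if (WSKrb5LoginModule.this._credential != null
                            && WSKrb5LoginModule.this._subject.getPublicCredentials().contains(WSKrb5LoginModule.this._credential)) {
                        WSKrb5LoginModule.this._subject.getPublicCredentials().remove(WSKrb5LoginModule.this._credential);
                    }
                } catch (Exception e2) {
                    if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                        Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.RemCredException", new Object[]{e2});
                    }
                }
                // Kerberos ticket (private credential). The ticket object is never concatenated
                // into a trace message: on OpenJDK KerberosTicket.toString() renders the
                // ASN.1-encoded ticket and the session key, which would put reusable credential
                // material into trace output, and it throws IllegalStateException once the
                // ticket has been destroyed, which would skip the removal below. Only the client
                // principal is traced, and both traces are guarded like every other trace in
                // this module.
                try {
                    KerberosTicket ticket = WSKrb5LoginModule.this._kTicket;
                    boolean traceDebug = WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled();
                    if (traceDebug) {
                        Tr.debug(WSKrb5LoginModule.tc, "acceptSecContext: clean up Kerberos ticket " + (ticket == null ? null : ticket.getClient()));
                    }
                    if (ticket != null && WSKrb5LoginModule.this._subject.getPrivateCredentials().contains(ticket)) {
                        WSKrb5LoginModule.this._subject.getPrivateCredentials().remove(ticket);
                        if (traceDebug) {
                            Tr.debug(WSKrb5LoginModule.tc, "acceptSecContext: removed Kerberos ticket " + ticket.getClient());
                        }
                    }
                } catch (Exception e3) {
                    if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                        Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.RemCredException", new Object[]{e3});
                    }
                }
                // Destroy the credential after it has been detached from the Subject, so a
                // destroyed credential never remains reachable through the Subject.
                if (WSKrb5LoginModule.this._credential != null) {
                    try {
                        WSKrb5LoginModule.this._credential.destroy();
                    } catch (Exception e4) {
                        if (WSKrb5LoginModule.this.debug || WSKrb5LoginModule.tc.isDebugEnabled()) {
                            Tr.error(WSKrb5LoginModule.tc, "security.auth.kerberos.DestroyCredException", new Object[]{e4});
                        }
                    }
                }
                return null;
            }
        });
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        // Drop the module's own references last, after the privileged block has used them.
        this._principal = null;
        this._credential = null;
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }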

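    /**
     * Login (phase 1): resolves {@code str} to a registry-backed {@code WSCredential} and
     * creates the matching {@code WSPrincipal}, storing both in {@code _credential} and
     * {@code _principal}.
     *
     * <p>{@code str} is handed to {@code Krb5WSCredentialUtils.Krb5ToRegistryWSCredential}
     * (presumably a Kerberos principal name — confirm against the caller) and is echoed in the
     * entry trace. If that lookup throws, the failure is reported through trace only when debug
     * tracing is on, {@code _credential} keeps whatever value it held before the call, and the
     * caller otherwise only sees the generic {@link LoginException} below, which carries no
     * cause.
     *
     * @param str the name to resolve into a credential
     * @return always {@code true}
     * @throws LoginException if no credential or no principal could be created
     */
    private boolean authenticate(String str) throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate() " + str);
        }
        try {
            this._credential = Krb5WSCredentialUtils.Krb5ToRegistryWSCredential(str);
        } catch (Exception e) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.error(tc, "security.auth.kerberos.CredUtilsException", new Object[]{e});
            }
        }
        // (A second try/catch with an empty body followed here; it could never do anything
        // and has been removed.)
        if (this._credential == null) {
            throw new LoginException("WSCredential is null in login (phase 1) stage");
        }
        this._principal = ContextManagerFactory.getInstance().createPrincipal(this._credential);
        if (this._principal == null) {
            throw new LoginException("WSPrincipal is null in login (phase 1) stage");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "authenticate()");
        }
        return true;
    }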

    /**
     * Validate stage: builds this module's credential and principal from a user name.
     *
     * <p>{@code str} is resolved through {@code Krb5WSCredentialUtils.Krb5ToRegistryWSCredential}
     * (presumably a Kerberos principal name — confirm against the caller; it is also passed to
     * the entry trace). The registry credential is then converted with
     * {@code Krb5ToAuthMechWSCredential} using {@code _subject} and {@code _gssCred}, and a
     * {@code WSPrincipal} is created from the converted credential. Results are stored in
     * {@code _credential} and {@code _principal}.
     *
     * <p>A checked {@link LoginException} is thrown when either result is {@code null} even
     * though the signature does not declare it (presumably lost in decompilation). A failure of
     * the registry lookup is visible in trace only when debug tracing is on; {@code _credential}
     * then keeps its previous value, and the exception that follows carries no cause.
     */
    private void createCredentialsFromUsername(String str) {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "createCredentialsFromUsername()", str);
        }
        try {
            this._credential = Krb5WSCredentialUtils.Krb5ToRegistryWSCredential(str);
        } catch (Exception e) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.error(tc, "security.auth.kerberos.CredUtilsException", new Object[]{e});
            }
        }
        final WSCredential registryCredential = this._credential;
        if (registryCredential == null) {
            throw new LoginException("WSCredential is null in validate stage");
        }
        // Upgrade the registry credential to the auth-mechanism credential bound to this Subject.
        this._credential = Krb5WSCredentialUtils.Krb5ToAuthMechWSCredential(this._subject, this._gssCred, registryCredential);
        final WSPrincipal principal = ContextManagerFactory.getInstance().createPrincipal(this._credential);
        this._principal = principal;
        if (principal == null) {
            throw new LoginException("WSPrincipal is null in validate stage");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "createCredentialsFromUsername()");
        }
    }

    /**
     * Validate stage: builds this module's credential and principal from a property table.
     *
     * <p>{@code hashtable} is handed to
     * {@code WSCredentialTokenMapper.getInstance().createWSCredentialFromProperties} (its expected
     * keys are not visible here — check the mapper). The resulting credential is converted with
     * {@code Krb5ToAuthMechWSCredential} using {@code _subject} and the supplied
     * {@code gSSCredential}, and a {@code WSPrincipal} is created from the converted credential.
     * Results are stored in {@code _credential} and {@code _principal}.
     *
     * <p>A checked {@link LoginException} is thrown when either result is {@code null} even
     * though the signature does not declare it (presumably lost in decompilation). A failure of
     * the mapper is visible in trace only when debug tracing is on; {@code _credential} then
     * keeps its previous value, and the exception that follows carries no cause.
     */
    private void createCredentialsFromHashtable(Hashtable hashtable, GSSCredential gSSCredential) {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "createCredentialsFromHashtable()");
        }
        try {
            this._credential = WSCredentialTokenMapper.getInstance().createWSCredentialFromProperties(hashtable);
        } catch (Exception e) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.error(tc, "security.auth.kerberos.CredUtilsException", new Object[]{e});
            }
        }
        final WSCredential mappedCredential = this._credential;
        if (mappedCredential == null) {
            throw new LoginException("WSCredential is null in validate stage");
        }
        // Upgrade the mapped credential to the auth-mechanism credential bound to this Subject.
        this._credential = Krb5WSCredentialUtils.Krb5ToAuthMechWSCredential(this._subject, gSSCredential, mappedCredential);
        final WSPrincipal principal = ContextManagerFactory.getInstance().createPrincipal(this._credential);
        this._principal = principal;
        if (principal == null) {
            throw new LoginException("WSPrincipal is null in validate stage");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "createCredentialsFromHashtable()");
        }
    }
}
