package com.ibm.ws.security.auth.j2c;

import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSEncodeDecodeException;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.ProviderFailureException;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.IdentityPrincipal;
import com.ibm.websphere.security.auth.MappingAuthData;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.audit.utils.DataHelper;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.auth.WSPrincipalImpl;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.cred.AuthDataCredential;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AuthData;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.audit.ContextHandler;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ConcurrentModificationException;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;

/* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/security/auth/j2c/WSDefaultPrincipalMapping.class */
public class WSDefaultPrincipalMapping {
    private static boolean isFineGrained;
    private static WSMappingCallbackHandlerFactory cbkFactory;
    private static final String providerName = "WebSphere";
    private static final String componentName = "WAS.security";
    private static boolean cacheReadOnlyAuthDataSubjects;
    private static int readOnlyAuthDataSubjectCacheSize;
    private static long cushion;
    private static final TraceComponent tc = Tr.register((Class<?>) WSDefaultPrincipalMapping.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    private static final WebSphereRuntimePermission perm = new WebSphereRuntimePermission("getPasswordCredential");
    private static HashMap authDataPasswordCredentialSubjectMap = new HashMap();
    public static String DEFAULT_PRINCIPAL_MAPPING = "DefaultPrincipalMapping";
    public static String TRUSTED_CONNECTION_MAPPING = "TrustedConnectionMapping";
    public static String KERBEROS_MAPPING = "KerberosMapping";
    public static String UNAUTHENTICATED = null;
    private static Subject unauthSubject = null;
    private static String activeUserRegistry = null;
    private static AuditService auditService = null;
    private static ConcurrentHashMap auditOutcome = new ConcurrentHashMap();
    private static final Class thisClass = WSDefaultPrincipalMapping.class;

    /**
     * Not instantiable: every entry point of this class is static. An accidental or reflective
     * instantiation is reported through the {@code security.j2c.invalidWSDefaultPrincipalMapping}
     * warning rather than refused.
     */
    private WSDefaultPrincipalMapping() {
        Tr.warning(WSDefaultPrincipalMapping.tc, "security.j2c.invalidWSDefaultPrincipalMapping");
    }

    /**
     * Builds the JAAS {@link Subject} a resource adapter uses for the given login configuration.
     *
     * <p>Three built-in mappings are handled in-line: {@code DEFAULT_PRINCIPAL_MAPPING} (auth-data
     * alias resolved to a {@link PasswordCredential}), {@code TRUSTED_CONNECTION_MAPPING} (adds an
     * {@link IdentityPrincipal} obtained from {@code getIdentityPrincipal(map)}) and
     * {@code KERBEROS_MAPPING} (copies the caller subject's KRBAuthnToken / GSSCredential and falls
     * back to the default mapping when none is present). Any other configuration name is treated as
     * a custom JAAS login configuration and driven through {@link LoginContext}; failures there are
     * FFDC-logged and rethrown.
     *
     * <p>Audit: when the audit service requires SECURITY_AUTHN_MAPPING/SUCCESS events, one is sent on
     * the success paths. The outcome map is kept in the static {@code auditOutcome} field, so
     * concurrent callers share it (see the note at the assignments).
     *
     * <p>Caching: with {@code cacheReadOnlyAuthDataSubjects} enabled, default-mapping subjects are
     * made read-only and cached in {@code authDataPasswordCredentialSubjectMap}, keyed on a
     * {@code WSAuthDataSubjectComparator} of (security name, alias, managed connection factory).
     *
     * <p>Note that {@code DEFAULT_PRINCIPAL_MAPPING}, {@code TRUSTED_CONNECTION_MAPPING} and
     * {@code KERBEROS_MAPPING} are public, non-final statics, so the names this method compares
     * against can be reassigned by any code in the process.
     *
     * @param managedConnectionFactory factory bound to the created credentials via
     *        {@code setManagedConnectionFactory}; also part of the subject-cache key
     * @param str login configuration name; {@code null} selects {@code DEFAULT_PRINCIPAL_MAPPING}
     * @param map mapping properties; only {@code com.ibm.mapping.authDataAlias} is read here (cast
     *        to String, so a non-String value raises ClassCastException); the whole map is handed to
     *        the callback handler and to {@code getIdentityPrincipal}
     * @return the mapped subject, the login subject of a custom configuration, or an unauthenticated
     *         subject without credentials when security is disabled / no alias and no caller identity
     * @throws LoginException if a non-empty alias does not resolve to auth data
     * @throws Exception any failure of a custom login configuration, after FFDC logging
     */
    public static Subject getMappedSubject(ManagedConnectionFactory managedConnectionFactory, String str, Map map) throws IOException, LoginException, SecurityException, Exception {
        WSCredential wSCredential;
        String securityName;
        LoginContext loginContext;
        WSCredential wSCredential2;
        PasswordCredential passwordCredential;
        IdentityPrincipal identityPrincipal;
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(tc, "getMappedSubject(ManagedConnectionFactory, " + str + ", Map properties)");
        }
        // Normalise the configuration name and classify it against the three built-in mappings.
        String trim = str == null ? DEFAULT_PRINCIPAL_MAPPING : str.trim();
        boolean equals = DEFAULT_PRINCIPAL_MAPPING.equals(trim);
        boolean equals2 = TRUSTED_CONNECTION_MAPPING.equals(trim);
        boolean equals3 = KERBEROS_MAPPING.equals(trim);
        ContextHandler contextHandler = null;
        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
            if (equals) {
                Tr.debug(tc, "defaultPrincipalMapping");
            } else if (equals2) {
                Tr.debug(tc, "trustedConnectionMapping");
            } else if (equals3) {
                Tr.debug(tc, "kerberosMapping");
            } else {
                Tr.debug(tc, "unknown login config >>" + trim + "<<");
            }
        }
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        // Lazily resolved once and kept in a static; never reset afterwards.
        if (auditService == null) {
            auditService = contextManagerFactory.getAuditService();
        }
        String str2 = null;
        String[] strArr = null;
        if (auditService != null) {
            str2 = auditService.getLastTrailId();
            strArr = auditService.getEventTrailIds();
        }
        String str3 = null;
        // Custom login configuration: delegate entirely to JAAS and return its subject.
        if (!equals && !equals2 && !equals3) {
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Logging into mapping module: " + trim);
            }
            try {
                if (cbkFactory != null) {
                    // The local copy is unused (decompiler artifact); the factory singleton is used directly.
                    WSMappingCallbackHandlerFactory wSMappingCallbackHandlerFactory = cbkFactory;
                    loginContext = new LoginContext(trim, WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, managedConnectionFactory));
                } else {
                    Tr.warning(tc, "security.j2c.initFailureRecovery");
                    loginContext = new LoginContext(trim, new WSMappingCallbackHandler(map, managedConnectionFactory));
                }
                loginContext.login();
                if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject(ManagedConnectionFactory, loginEntry, authDataAlias)");
                }
                if (auditService != null) {
                    contextHandler = auditService.getContextHandler();
                    // A null handler is only reported here; it is dereferenced unconditionally below.
                    if (contextHandler == null) {
                        Tr.error(tc, "security.audit.service.context.error");
                        auditService.processAuditFailure("security.audit.service.context.error", null);
                    }
                }
                if (auditService != null && auditService.isEventRequired("SECURITY_AUTHN_MAPPING", "SUCCESS")) {
                    try {
                        wSCredential2 = contextManagerFactory.getInvocationCredential();
                    } catch (WSSecurityException e) {
                        Tr.debug(tc, "Exception caught in getInvocationCredential. Continue: " + e);
                        wSCredential2 = null;
                    }
                    String defaultRealm = contextManagerFactory.getDefaultRealm();
                    if (wSCredential2 != null && !wSCredential2.isUnauthenticated()) {
                        // Return value discarded: this call has no effect on the audit record built below.
                        wSCredential2.getSecurityName();
                    }
                    String str4 = null;
                    String str5 = null;
                    String str6 = null;
                    byte[] bArr = null;
                    Subject subject = loginContext.getSubject();
                    if (subject != null) {
                        // Equivalent to IdentityPrincipal.class (the type is imported); Class.forName
                        // can throw ClassNotFoundException, which the outer catch turns into a rethrow.
                        Iterator it = subject.getPrincipals(Class.forName("com.ibm.websphere.security.auth.IdentityPrincipal")).iterator();
                        if (it.hasNext() && (identityPrincipal = (IdentityPrincipal) it.next()) != null) {
                            str4 = identityPrincipal.getName();
                            str5 = identityPrincipal.getRealm();
                            str6 = identityPrincipal.getOriginalUser();
                            bArr = identityPrincipal.getToken();
                        }
                        // No IdentityPrincipal: fall back to the user name of the first PasswordCredential.
                        if (str4 == null) {
                            Iterator it2 = subject.getPrivateCredentials(Class.forName("javax.resource.spi.security.PasswordCredential")).iterator();
                            if (it2.hasNext() && (passwordCredential = (PasswordCredential) it2.next()) != null) {
                                str4 = passwordCredential.getUserName();
                            }
                        }
                        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                            Tr.debug(tc, "IdentityPrincipal current user identity  = " + str4);
                            Tr.debug(tc, "IdentityPrincipal current user realm     = " + str5);
                            Tr.debug(tc, "IdentityPrincipal original user identity = " + str6);
                            if (bArr != null) {
                                Tr.debug(tc, "IdentityPrincipal token length           = " + bArr.length);
                            }
                        }
                    }
                    // If contextHandler is null (reported above) this throws NullPointerException, which
                    // the enclosing catch (Exception) FFDC-logs and rethrows: a missing audit context
                    // therefore fails the whole mapping even though login() already succeeded.
                    contextHandler.buildContextObject("SESSION_CONTEXT", DataHelper.buildSessionData(null, null, null, null));
                    contextHandler.buildContextObject("ACCESS_CONTEXT", DataHelper.buildAccessData(str, "authMapping", str4, str6, "mappingSuccess", null, null, new Long(0L), null, null, null, null));
                    contextHandler.buildContextObject("EVENT_CONTEXT", DataHelper.buildEventData(str2, strArr, new Date(), new Long(0L).longValue()));
                    contextHandler.buildContextObject("PROPAGATION_CONTEXT", DataHelper.buildPropagationData(auditService.getFirstCaller(), auditService.getCallerList()));
                    contextHandler.buildContextObject("PROCESS_CONTEXT", DataHelper.buildProcessData(auditService.getDomain(), defaultRealm));
                    contextHandler.buildContextObject("REGISTRY_CONTEXT", DataHelper.buildRegistryData(DataHelper.convertRegistryInfoType(activeUserRegistry)));
                    contextHandler.buildContextObject("AUTHN_MAPPING_CONTEXT", DataHelper.buildAuthnMappingData(null, str5, str4));
                    contextHandler.buildContextObject("AUTHN_PROVIDER_CONTEXT", DataHelper.buildProviderData(str, "providerSuccess"));
                    // NOTE(review): auditOutcome is a static shared by all threads; a concurrent call can
                    // replace it between this assignment and the sendEvent below.
                    auditOutcome = DataHelper.buildOutcomeData(AuditOutcome.SUCCESSFUL, new Integer(0), new Integer(0), "SUCCESS", 7L);
                    try {
                        auditService.sendEvent("SECURITY_AUTHN_MAPPING", auditOutcome);
                    } catch (ProviderFailureException e2) {
                        Tr.error(tc, "security.audit.service.sendevent.error", new Object[]{e2});
                        auditService.processAuditFailure("security.audit.service.sendevent.error", e2);
                    }
                }
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Returning login subject.");
                }
                if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject");
                }
                return loginContext.getSubject();
            } catch (Exception e3) {
                // Any failure (login, audit, reflection) is recorded in FFDC and propagated unchanged.
                Manager.Ffdc.log(e3, thisClass, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.getSubject", "351");
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, GSSEncodeDecodeException.exceptionCaughtStr + e3);
                }
                throw e3;
            }
        }
        // Built-in mappings: pick up the auth-data alias from the caller-supplied properties.
        if (map != null) {
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.entry(tc, "Getting authDataAlias.");
            }
            // Unchecked cast: a non-String value under this key raises ClassCastException here.
            str3 = (String) map.get("com.ibm.mapping.authDataAlias");
            if (str3 != null) {
                str3 = str3.trim();
            } else if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "security.j2c.missingParameter", new Object[]{"alias"});
            }
        } else if (isAnyTracingEnabled && tc.isDebugEnabled()) {
            Tr.debug(tc, "security.j2c.missingParameter", new Object[]{"properties"});
        }
        // z == true means "no alias available".
        boolean z = str3 == null || str3.equals("");
        if (!contextManagerFactory.isCellSecurityEnabled() && z) {
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Security disabled and no authdata alias, returning Unauthenticated Subject.");
            }
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return getUnauthenticatedSubjectWithoutCredentials();
        }
        if (isAnyTracingEnabled && tc.isDebugEnabled()) {
            Tr.debug(tc, "Creating Subject.");
        }
        Subject subject2 = new Subject();
        WSPrincipalImpl wSPrincipalImpl = null;
        try {
            wSCredential = contextManagerFactory.getInvocationCredential();
        } catch (WSSecurityException e4) {
            Tr.debug(tc, "Exception caught in getInvocationCredential. Continue: " + e4);
            wSCredential = null;
        }
        if (UNAUTHENTICATED == null) {
            UNAUTHENTICATED = ContextManagerFactory.getInstance().getUnauthenticatedString();
        }
        // Invocation credential about to expire (within `cushion` ms): take the principal from the
        // invocation subject instead of trusting the credential's security name.
        if (wSCredential != null && wSCredential.getExpiration() > 0 && wSCredential.getExpiration() - System.currentTimeMillis() < cushion) {
            final Subject invocationSubject = contextManagerFactory.getInvocationSubject();
            try {
                wSPrincipalImpl = (WSPrincipalImpl) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.1
                    @Override // java.security.PrivilegedAction
                    public Object run() {
                        return invocationSubject.getPrincipals(WSPrincipalImpl.class).iterator().next();
                    }
                });
            } catch (Exception e5) {
                // Best effort: no WSPrincipalImpl (NoSuchElementException from next()) or a null
                // invocation subject leaves wSPrincipalImpl null, handled just below.
            }
            if (z && wSPrincipalImpl == null) {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "No authdata alias and current Subject is null or unauthenticated.");
                }
                if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject");
                }
                return getUnauthenticatedSubjectWithoutCredentials();
            }
            if (wSPrincipalImpl != null) {
                securityName = wSPrincipalImpl.getName();
            } else {
                securityName = UNAUTHENTICATED;
                wSPrincipalImpl = new WSPrincipalImpl(securityName);
            }
        } else {
            if (z && (wSCredential == null || wSCredential.isUnauthenticated())) {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "No authdata alias and current Subject is null or unauthenticated.");
                }
                if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject");
                }
                return getUnauthenticatedSubjectWithoutCredentials();
            }
            securityName = (wSCredential == null || wSCredential.isUnauthenticated()) ? UNAUTHENTICATED : wSCredential.getSecurityName();
            wSPrincipalImpl = new WSPrincipalImpl(securityName);
        }
        if (wSPrincipalImpl != null && securityName != null) {
            Subject subject3 = null;
            // Cache lookup only for the default mapping with a non-empty alias.
            if (cacheReadOnlyAuthDataSubjects && equals && str3 != null && !str3.equals("")) {
                WSAuthDataSubjectComparator wSAuthDataSubjectComparator = new WSAuthDataSubjectComparator(securityName, str3, managedConnectionFactory);
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Getting Subject authData uniqueID: " + wSAuthDataSubjectComparator.hashCode());
                }
                // Unsynchronised HashMap read; concurrent writers are handled by the retry loop below.
                subject3 = (Subject) authDataPasswordCredentialSubjectMap.get(wSAuthDataSubjectComparator);
            }
            if (subject3 != null) {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found subject in the authDataPasswordCredentialSubjectMap cache.");
                }
                if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject");
                }
                // Cached subjects were made read-only before insertion, so sharing them is safe.
                return subject3;
            }
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find subject in the authDataPasswordCredentialSubjectMap cache.");
            }
            subject2.getPrincipals().add(wSPrincipalImpl);
        }
        if (equals2) {
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating identity principal.");
            }
            IdentityPrincipal identityPrincipal2 = getIdentityPrincipal(map);
            identityPrincipal2.setManagedConnectionFactory(managedConnectionFactory);
            subject2.getPrincipals().add(identityPrincipal2);
        }
        if (equals3) {
            Subject callerSubject = WSSubject.getCallerSubject();
            if (callerSubject != null) {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    // Subject.toString() may render credential contents; this is debug-level only.
                    Tr.debug(tc, "Caller subject: " + callerSubject);
                }
                GSSCredential gSSCredential = null;
                KRBAuthnToken kerberosAuthnTokenFromSubject = SubjectHelper.getKerberosAuthnTokenFromSubject(callerSubject);
                if (kerberosAuthnTokenFromSubject != null) {
                    SubjectHelper.putKerberosAuthnTokenToSubject(kerberosAuthnTokenFromSubject, subject2);
                    if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Get GSSCredential from KRBAuthnToken");
                    }
                    gSSCredential = kerberosAuthnTokenFromSubject.getGSSCredential();
                }
                if (gSSCredential == null) {
                    if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Get GSSCredential from caller subject");
                    }
                    gSSCredential = SubjectHelper.getGSSCredentialFromSubject(callerSubject);
                }
                if (gSSCredential != null) {
                    SubjectHelper.putGSSCredentialInSubject(gSSCredential, subject2);
                    if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                        Tr.exit(tc, "getMappedSubject - GSSCredential/KrbAuthnToken");
                    }
                    // Kerberos path returns without an audit event and without touching the alias.
                    return subject2;
                }
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "No GSSCredential and KerberosTicket in caller subject, fall back to " + DEFAULT_PRINCIPAL_MAPPING);
                }
                // Fall back: from here on the request is treated as a default principal mapping.
                equals = true;
            } else {
                if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                    Tr.debug(tc, "No caller subject, fall back to " + DEFAULT_PRINCIPAL_MAPPING);
                }
                equals = true;
            }
        }
        if (z) {
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "No authdatalias, returning subject.");
            }
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        }
        try {
            AuthData authDataInt = getAuthDataInt(str3);
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Got authdata info.");
            }
            if (authDataInt == null) {
                Tr.warning(tc, "security.j2c.mappingUnsuccessful");
                throw new LoginException("Incorrect authDataEntry and alias is: " + str3);
            }
            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating password credential.");
            }
            // The password is held as a String in AuthData and copied into a char[] for the
            // credential; the String copy stays in the heap until collected.
            PasswordCredential passwordCredential2 = new PasswordCredential(authDataInt.uid, authDataInt.psw.toCharArray());
            passwordCredential2.setManagedConnectionFactory(managedConnectionFactory);
            subject2.getPrivateCredentials().add(passwordCredential2);
            if (cacheReadOnlyAuthDataSubjects) {
                // Size bound is enforced by dropping the whole cache, not by evicting single entries.
                if (authDataPasswordCredentialSubjectMap.size() > readOnlyAuthDataSubjectCacheSize) {
                    authDataPasswordCredentialSubjectMap.clear();
                }
                if (securityName != null && str3 != null) {
                    WSAuthDataSubjectComparator wSAuthDataSubjectComparator2 = new WSAuthDataSubjectComparator(securityName, str3, managedConnectionFactory);
                    Hashtable hashtable = new Hashtable();
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, Integer.toString(wSAuthDataSubjectComparator2.hashCode()));
                    if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Setting Subject authData uniqueID: " + wSAuthDataSubjectComparator2.hashCode());
                    }
                    subject2.getPublicCredentials().add(hashtable);
                    // Freeze the subject before it becomes shared through the cache.
                    subject2.setReadOnly();
                    boolean z2 = false;
                    int i = 0;
                    // Retry up to six times on ConcurrentModificationException. Note that HashMap.put
                    // itself does not throw that exception, so in practice this runs once.
                    do {
                        try {
                            authDataPasswordCredentialSubjectMap.put(wSAuthDataSubjectComparator2, subject2);
                            z2 = true;
                        } catch (ConcurrentModificationException e6) {
                            if (isAnyTracingEnabled && tc.isDebugEnabled()) {
                                Tr.debug(tc, "Got a ConcurrentModificationException, retry a few times and then give up.");
                            }
                        }
                        if (z2) {
                            break;
                        }
                        i++;
                    } while (i <= 5);
                }
            }
            if (auditService != null) {
                contextHandler = auditService.getContextHandler();
                if (contextHandler == null) {
                    Tr.error(tc, "security.audit.service.context.error");
                    auditService.processAuditFailure("security.audit.service.context.error", null);
                }
            }
            if (auditService != null && auditService.isEventRequired("SECURITY_AUTHN_MAPPING", "SUCCESS")) {
                // A null contextHandler throws NullPointerException here; that is swallowed by the
                // catch below and the already-populated subject2 is still returned.
                HashMap buildSessionData = DataHelper.buildSessionData(null, null, null, null);
                contextHandler.buildContextObject("SESSION_CONTEXT", buildSessionData);
                // The same local is reused for the access-context data (decompiler naming).
                if (equals) {
                    buildSessionData = DataHelper.buildAccessData(str, "authMapping", authDataInt.uid, securityName, "mappingSuccess", null, null, new Long(0L), null, null, null, null);
                } else if (equals2) {
                    buildSessionData = DataHelper.buildAccessData(str, "authMapping", null, securityName, "mappingSuccess", null, null, new Long(0L), null, null, null, null);
                }
                contextHandler.buildContextObject("ACCESS_CONTEXT", buildSessionData);
                contextHandler.buildContextObject("EVENT_CONTEXT", DataHelper.buildEventData(str2, strArr, new Date(), new Long(0L).longValue()));
                contextHandler.buildContextObject("PROPAGATION_CONTEXT", DataHelper.buildPropagationData(auditService.getFirstCaller(), auditService.getCallerList()));
                contextHandler.buildContextObject("PROCESS_CONTEXT", DataHelper.buildProcessData(auditService.getDomain(), contextManagerFactory.getDefaultRealm()));
                contextHandler.buildContextObject("REGISTRY_CONTEXT", activeUserRegistry == null ? DataHelper.buildRegistryData(null) : DataHelper.buildRegistryData(DataHelper.convertRegistryInfoType(activeUserRegistry)));
                contextHandler.buildContextObject("AUTHN_MAPPING_CONTEXT", DataHelper.buildAuthnMappingData(null, contextManagerFactory.getDefaultRealm(), securityName));
                contextHandler.buildContextObject("AUTHN_PROVIDER_CONTEXT", DataHelper.buildProviderData(str, "providerSuccess"));
                // NOTE(review): same shared-static race as in the custom-configuration branch above.
                auditOutcome = DataHelper.buildOutcomeData(AuditOutcome.SUCCESSFUL, new Integer(0), new Integer(0), "SUCCESS", 7L);
                try {
                    auditService.sendEvent("SECURITY_AUTHN_MAPPING", auditOutcome);
                } catch (ProviderFailureException e7) {
                    Tr.error(tc, "security.audit.service.sendevent.error", new Object[]{e7});
                    auditService.processAuditFailure("security.audit.service.sendevent.error", e7);
                }
            }
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        } catch (NullPointerException e8) {
            // Any NPE inside the block (alias lookup, credential creation, audit) is downgraded to a
            // warning and subject2 is returned in whatever state it reached.
            Tr.warning(tc, "security.j2c.mappingFailed", new Object[]{e8});
            if (isAnyTracingEnabled && tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        }
    }

    /**
     * Alias-based variant of {@link #getMappedSubject}: takes the auth-data alias directly instead
     * of a properties map.
     *
     * <p>For any login entry other than {@code DEFAULT_PRINCIPAL_MAPPING} the alias is placed in a
     * map under {@code com.ibm.mapping.authDataAlias} and a JAAS {@link LoginContext} is driven; a
     * failure is FFDC-logged and rethrown. Otherwise a fresh {@link Subject} is built carrying the
     * invocation subject's {@link WSPrincipalImpl} (when there is one) and, for a non-empty alias, a
     * {@link PasswordCredential} resolved from that alias. The password is copied from a String into
     * a char[] for the credential; the String copy stays in the heap until collected.
     *
     * @param managedConnectionFactory factory bound to the created password credential
     * @param str login configuration name; {@code null} selects {@code DEFAULT_PRINCIPAL_MAPPING}
     * @param str2 auth-data alias; {@code null} or empty means "principal only"
     * @return the login subject of a custom configuration, or the locally built subject
     * @throws LoginException if a non-empty alias does not resolve to auth data
     * @throws Exception any failure of a custom login configuration, after FFDC logging
     */
    public static Subject getSubject(ManagedConnectionFactory managedConnectionFactory, String str, String str2) throws IOException, LoginException, SecurityException, Exception {
        boolean tracing = TraceComponent.isAnyTracingEnabled();
        if (tracing && tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubject(ManagedConnectionFactory, " + str + ", " + str2 + ")");
        }
        String alias = (str2 == null) ? null : str2.trim();
        String loginEntry = (str == null) ? DEFAULT_PRINCIPAL_MAPPING : str.trim();

        if (!loginEntry.equals(DEFAULT_PRINCIPAL_MAPPING)) {
            // Custom configuration: let JAAS do the mapping and hand back its subject.
            try {
                HashMap props = new HashMap();
                props.put("com.ibm.mapping.authDataAlias", alias);
                LoginContext ctx;
                if (cbkFactory == null) {
                    Tr.warning(tc, "security.j2c.initFailureRecovery");
                    ctx = new LoginContext(loginEntry, new WSPrincipalMappingCallbackHandler(alias, managedConnectionFactory));
                } else {
                    ctx = new LoginContext(loginEntry, WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(props, managedConnectionFactory));
                }
                ctx.login();
                if (tracing && tc.isEntryEnabled()) {
                    Tr.exit(tc, "getSubject(ManagedConnectionFactory, loginEntry, authDataAlias)");
                }
                return ctx.getSubject();
            } catch (Exception e) {
                // Record in FFDC, trace, and propagate unchanged.
                Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.getSubject", "351");
                if (tracing && tc.isDebugEnabled()) {
                    Tr.debug(tc, GSSEncodeDecodeException.exceptionCaughtStr + e);
                }
                throw e;
            }
        }

        Subject result = new Subject();
        final Subject invocationSubject = ContextManagerFactory.getInstance().getInvocationSubject();
        WSPrincipalImpl principal = null;
        if (invocationSubject != null) {
            try {
                principal = AccessController.doPrivileged(new PrivilegedAction<WSPrincipalImpl>() {
                    @Override
                    public WSPrincipalImpl run() {
                        return invocationSubject.getPrincipals(WSPrincipalImpl.class).iterator().next();
                    }
                });
            } catch (Exception ignored) {
                // Best effort: a subject without a WSPrincipalImpl makes next() throw
                // NoSuchElementException, and the principal simply stays null.
            }
        }
        if (principal != null) {
            result.getPrincipals().add(principal);
        }
        if (alias == null || alias.length() == 0) {
            return result;
        }

        try {
            AuthData entry = getAuthDataInt(alias);
            if (entry == null) {
                Tr.warning(tc, "security.j2c.mappingUnsuccessful");
                throw new LoginException("Incorrect authDataEntry and alias is: " + alias);
            }
            PasswordCredential credential = new PasswordCredential(entry.uid, entry.psw.toCharArray());
            credential.setManagedConnectionFactory(managedConnectionFactory);
            result.getPrivateCredentials().add(credential);
            return result;
        } catch (NullPointerException e) {
            // An NPE during the alias lookup or credential creation is downgraded to a warning and
            // the subject is returned without the password credential.
            Tr.warning(tc, "security.j2c.mappingFailed", new Object[]{e});
            return result;
        }
    }

    /**
     * Resolves an auth-data alias to an {@link AuthDataCredential}.
     *
     * <p>The third constructor argument is a status code: {@code 0} when the alias resolved,
     * {@code 1} when no entry is defined for it (or the local lookup is unavailable) and {@code 3}
     * when the lookup threw a {@link NullPointerException}. What those codes mean is defined by
     * {@code AuthDataCredential}, not here. Only the alias name is traced, never the password.
     *
     * @param str auth-data alias; {@code null} or empty yields {@code null}
     * @return a credential with user id and password (status 0), a credential carrying only a
     *         non-zero status, or {@code null} for a {@code null}/empty alias
     * @throws LoginException only if the underlying {@code getAuthDataInt} lookup throws it
     */
    public static AuthDataCredential getAuthData(String str) throws LoginException, SecurityException {
        boolean tracing = TraceComponent.isAnyTracingEnabled();
        if (tracing && tc.isDebugEnabled()) {
            Tr.debug(tc, "getAuthData(uidpswEntry = " + str + ")");
        }
        if (str == null || str.length() == 0) {
            return null;
        }
        try {
            AuthData entry = getAuthDataInt(str);
            if (entry == null) {
                if (tracing && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Alias not defined on server; local search not enabled or auth.data.props not loaded.");
                }
                return new AuthDataCredential(null, null, 1);
            }
            return new AuthDataCredential(entry.uid, entry.psw, 0);
        } catch (NullPointerException e) {
            // A failed lookup is reported through status 3 rather than propagated.
            return new AuthDataCredential(null, null, 3);
        }
    }

    /**
     * Pushes a fresh set of authentication-data (alias -> uid/password) entries into the
     * JAAS login configuration.
     *
     * Access control: when a SecurityManager is installed, only the class-wide {@code perm}
     * permission is checked. Unlike {@link #getAuthDataInt(String)} there is no per-alias
     * fine-grained check on this entry point, so whoever holds {@code perm} can replace any alias.
     *
     * @param hashMap alias -> {@code AuthData} or {@code MappingAuthData}. Non-{@code AuthData}
     *                values are converted in place ({@code MappingAuthData}) or nulled (anything
     *                else) before the map is handed to the login config. When {@code null}, the
     *                "Security" and (if present) "AppSecurity" configs are refreshed with a null
     *                map instead - presumably meaning "reload from your own source"; not visible here.
     * @throws SecurityException from the permission check.
     */
    public static void refreshAuthData(HashMap hashMap) throws SecurityException {
        boolean tracing = TraceComponent.isAnyTracingEnabled();
        boolean debug = tracing && tc.isDebugEnabled();
        if (tracing && tc.isEntryEnabled()) {
            // NOTE(review): the whole map is handed to the entry trace. Whether the value
            // objects' toString() reveals the password is not visible here - confirm before
            // enabling entry trace on a production server.
            Tr.entry(tc, "refreshAuthData", hashMap);
        }

        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            if (debug) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, "Expecting : " + perm.toString());
            }
            sm.checkPermission(perm);
        }

        if (hashMap != null) {
            try {
                if (!hashMap.isEmpty()) {
                    if (debug) {
                        Tr.debug(tc, "Mapping auth data has " + hashMap.size() + " entries");
                    }
                    // Replacing the value of an existing key is not a structural modification,
                    // so put() inside the keySet() loop is safe for a HashMap.
                    for (Object alias : hashMap.keySet()) {
                        if (debug) {
                            // Alias only - never trace the credential itself.
                            Tr.debug(tc, "Mapping auth data alias = " + alias);
                        }
                        Object value = hashMap.get(alias);
                        if (value == null) {
                            continue;
                        }
                        if (value instanceof MappingAuthData) {
                            if (debug) {
                                Tr.debug(tc, "Mapping auth data Class is MappingAuthData");
                            }
                            MappingAuthData mapped = (MappingAuthData) value;
                            hashMap.put(alias, new AuthData(mapped.getUserName(), mapped.getPassword()));
                        } else if (!(value instanceof AuthData)) {
                            if (debug) {
                                Tr.debug(tc, "Mapping auth data Class is neither AuthData nor MappingAuthData; set to null");
                            }
                            hashMap.put(alias, null);
                        }
                    }
                }
            } catch (Exception e) {
                // Best effort: a failure while normalising entries is recorded via FFDC and the
                // (possibly partially converted) map is still passed on below.
                Manager.Ffdc.log(e, thisClass, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.refreshAuthData", "569");
                if (debug) {
                    Tr.debug(tc, GSSEncodeDecodeException.exceptionCaughtStr + e);
                }
            }
            SecurityObjectLocator.getSecurityConfig().getJAASLoginConfig().refreshAuthDataEntries(hashMap);
        } else {
            SecurityObjectLocator.getSecurityConfig("Security").getJAASLoginConfig().refreshAuthDataEntries(hashMap);
            SecurityConfig appSecurity = SecurityObjectLocator.getSecurityConfig("AppSecurity");
            if (appSecurity != null) {
                appSecurity.getJAASLoginConfig().refreshAuthDataEntries(hashMap);
            }
        }

        if (tracing && tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshAuthData");
        }
    }

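    /**
     * Looks up one authentication-data entry (uid + password) by alias.
     *
     * Access control: with a SecurityManager installed, either a per-alias
     * {@code WebSphereRuntimePermission("getPasswordCredential.<alias>")} (when
     * {@code isFineGrained}) or the class-wide {@code perm} is required.
     *
     * Lookup order: the current security config first; if that yields nothing and multiple
     * security domains are defined, the lookup is retried after {@code pushAppContext("")}
     * (which appears to select the domain/global-level config - confirm against
     * SecurityObjectLocator). Failures of that second lookup are traced and swallowed, so the
     * caller sees "alias not found" ({@code null}) rather than an error.
     *
     * Fix vs. previous version: the pushed context is now popped in a {@code finally}, exactly
     * once. The old code popped in the normal path, in the {@code catch}, and in an outer
     * {@code catch (Throwable)}, so an exception thrown by {@code popContext()} itself led to a
     * second pop.
     *
     * @param str alias name; only the alias is traced, never the returned credential.
     * @return the {@code AuthData} for the alias, or {@code null} when undefined.
     * @throws SecurityException from the permission check.
     */
    public static AuthData getAuthDataInt(String str) throws SecurityException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        boolean debug = isAnyTracingEnabled && tc.isDebugEnabled();
        if (debug) {
            Tr.debug(tc, "get one AuthDataEntry: getAuthDataInt(uidpswEntry = " + str + ")");
        }

        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (isFineGrained) {
                WebSphereRuntimePermission aliasPermission = new WebSphereRuntimePermission("getPasswordCredential." + str);
                if (debug) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check (Fine Grained) ...");
                    Tr.debug(tc, "Expecting : " + aliasPermission.toString());
                }
                securityManager.checkPermission(aliasPermission);
            } else {
                if (debug) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                    Tr.debug(tc, "Expecting : " + perm.toString());
                }
                securityManager.checkPermission(perm);
            }
        }

        AuthData authData = (AuthData) SecurityObjectLocator.getSecurityConfig().getJAASLoginConfig().getAuthData(str);

        if (authData == null && SecurityObjectLocator.getSecurityConfigManager().isMultiDomainDefined()) {
            boolean pushed = false;
            try {
                if (debug) {
                    Tr.debug(tc, "<getAuthDataInt> attempting to retrieve authn alias from the domain config.");
                }
                pushed = SecurityObjectLocator.pushAppContext("");
                authData = (AuthData) SecurityObjectLocator.getSecurityConfig().getJAASLoginConfig().getAuthData(str);
            } catch (Exception e) {
                // Deliberately best-effort: a failed domain-level lookup is reported as
                // "alias not defined" to the caller. Errors (non-Exception Throwables) propagate.
                if (debug) {
                    Tr.debug(tc, "<getAuthDataInt> unexpected exception getting domain-level authentication alias for " + str + ": " + e);
                }
            } finally {
                // Exactly one pop, whatever happened above (including an Error).
                if (pushed) {
                    SecurityObjectLocator.popContext();
                }
            }
        }

        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(tc, "getAuthDataInt");
        }
        return authData;
    }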

    /**
     * Returns the cached "unauthenticated" Subject: a Subject whose only principal is a
     * {@code WSPrincipalImpl} named after the server's unauthenticated user string, with no
     * credentials.
     *
     * The instance is created lazily and stored in the static {@code unauthSubject} without
     * synchronisation, so two racing threads may each build one (the later writer wins). The
     * returned Subject is the shared cached instance and is not read-only - callers must not
     * add principals or credentials to it.
     */
    private static Subject getUnauthenticatedSubjectWithoutCredentials() {
        Subject cached = unauthSubject;
        if (cached != null) {
            return cached;
        }
        if (UNAUTHENTICATED == null) {
            UNAUTHENTICATED = ContextManagerFactory.getInstance().getUnauthenticatedString();
        }
        Subject subject = new Subject();
        unauthSubject = subject;
        subject.getPrincipals().add(new WSPrincipalImpl(UNAUTHENTICATED));
        return subject;
    }

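    /**
     * Builds the {@code IdentityPrincipal} that is forwarded to a trusted (e.g. DB2 trusted
     * context) connection: the mapped user name, the realm to switch to (or {@code null}),
     * the original caller, and optionally an opaque token carrying the subject's attributes.
     *
     * Inputs read from {@code map} (see {@link #getDefaultTrustedConnectionProperties()}):
     * <ul>
     *   <li>{@code USE_CALLER_IDENTITY} - "true" selects the caller subject/credential instead
     *       of the invocation subject/credential.</li>
     *   <li>{@code PROPAGATE_SEC_ATTRS} - "true" renews the subject and serialises it into an
     *       opaque token that is attached to the principal.</li>
     *   <li>{@code TARGET_REALM_NAME} - realm to switch to; blank, missing, or equal (ignoring
     *       case) to the credential's realm means "no realm switch" ({@code null}).</li>
     *   <li>{@code UNAUTHENTICATED_USER} - name to use when the credential is missing or
     *       unauthenticated; blank/missing falls back to the server's unauthenticated string.</li>
     * </ul>
     *
     * Fix vs. previous version: when the security name contained the unauthenticated marker the
     * old code did {@code new String((String) map.get(UNAUTHENTICATED_USER))}, which threw an NPE
     * if that key was absent, while every other branch fell back to {@code UNAUTHENTICATED}. All
     * branches now fall back consistently.
     *
     * NOTE(review): the "is this credential unauthenticated" test on the security name is a
     * substring match ({@code indexOf(UNAUTHENTICATED) > -1}), inherited from the original. A
     * real user whose name merely contains that marker is mapped to the unauthenticated user.
     * That is a downgrade rather than an escalation, but confirm it is intended.
     *
     * @param map trusted-connection properties; must not be {@code null}.
     * @return the principal to send to the resource.
     */
    public static IdentityPrincipal getIdentityPrincipal(Map map) throws WSSecurityException, CredentialDestroyedException, WSLoginFailedException, ClassNotFoundException, CredentialExpiredException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        boolean debug = isAnyTracingEnabled && tc.isDebugEnabled();

        if (debug) {
            Tr.debug(tc, "Getting useCallerIdentity.");
        }
        boolean useCallerIdentity = parseTrueFlag((String) map.get(Constants.USE_CALLER_IDENTITY));
        if (debug) {
            Tr.debug(tc, useCallerIdentity ? "useCallerIdentity is true" : "useCallerIdentity is either false or not specified");
        }

        if (debug) {
            Tr.debug(tc, "Getting propagateSecAttrs.");
        }
        boolean propagateSecAttrs = parseTrueFlag((String) map.get(Constants.PROPAGATE_SEC_ATTRS));
        if (debug) {
            Tr.debug(tc, propagateSecAttrs ? "propagateSecAttrs is true" : "propagateSecAttrs is either false or not specified");
        }

        ContextManager contextManager = ContextManagerFactory.getInstance();
        // The invocation credential is the default; with useCallerIdentity it is replaced by
        // the first WSCredential found in the caller subject's public credentials (if any).
        WSCredential credential = contextManager.getInvocationCredential();
        Subject subject;
        if (useCallerIdentity) {
            subject = contextManager.getCallerSubject();
            if (subject != null) {
                Iterator it = subject.getPublicCredentials(WSCredential.class).iterator();
                if (it.hasNext()) {
                    credential = (WSCredential) it.next();
                }
            }
        } else {
            subject = contextManager.getInvocationSubject();
        }

        if (UNAUTHENTICATED == null) {
            UNAUTHENTICATED = ContextManagerFactory.getInstance().getUnauthenticatedString();
        }
        String unauthenticatedUser = (String) map.get(Constants.UNAUTHENTICATED_USER);

        String mappedName;
        String currentRealm = null;
        if (credential == null || credential.isUnauthenticated()) {
            mappedName = unauthenticatedUser;
        } else {
            String securityName = credential.getSecurityName();
            currentRealm = credential.getRealmName();
            if (securityName == null || securityName.indexOf(UNAUTHENTICATED) > -1) {
                mappedName = unauthenticatedUser;
            } else {
                mappedName = dropRealmPrefix(securityName);
            }
        }
        String identity = (mappedName == null || mappedName.length() == 0) ? UNAUTHENTICATED : mappedName.trim();

        String targetRealm = (String) map.get(Constants.TARGET_REALM_NAME);
        if (debug) {
            if (targetRealm != null) {
                Tr.debug(tc, "targetRealm is \"" + targetRealm + "\" length = " + targetRealm.length());
            } else {
                Tr.debug(tc, "targetRealm is either null or undefined");
            }
        }
        if (targetRealm != null) {
            targetRealm = targetRealm.trim();
            if (targetRealm.length() == 0) {
                targetRealm = null;
            }
        }
        // "\"\"" (a literal pair of double quotes) is treated like an empty value; presumably
        // an artefact of how the property can be written in configuration.
        if (targetRealm == null || targetRealm.equals("\"\"")) {
            if (debug) {
                Tr.debug(tc, "targetRealm is null, setting current realm to null.");
            }
            currentRealm = null;
        } else if (currentRealm != null && currentRealm.length() > 0 && targetRealm.equalsIgnoreCase(currentRealm)) {
            if (debug) {
                Tr.debug(tc, "targetRealm is identical to current realm = " + targetRealm);
            }
            currentRealm = null;
        }

        String firstCaller = WSSecurityHelper.getFirstCaller();
        if (firstCaller == null) {
            firstCaller = UNAUTHENTICATED;
        }

        byte[] opaqueToken = null;
        if (subject != null && propagateSecAttrs) {
            // NOTE(review): the meaning of the second argument (50) to renew() is not visible
            // here - confirm against ContextManager.renew before changing it.
            contextManager.renew(subject, 50, false);
            opaqueToken = WSOpaqueTokenHelper.getInstance().createOpaqueTokenFromSubject(subject);
        }

        IdentityPrincipal identityPrincipal = new IdentityPrincipal(identity, currentRealm, firstCaller, opaqueToken);
        if (debug) {
            // Only the token length is traced, never its content.
            Tr.debug(tc, "current user identity  = " + identity);
            Tr.debug(tc, "current user realm     = " + currentRealm);
            Tr.debug(tc, "original user identity = " + firstCaller);
            Tr.debug(tc, "propagate security attributes = " + propagateSecAttrs);
            if (opaqueToken != null) {
                Tr.debug(tc, "opaque token length = " + opaqueToken.length);
            } else {
                Tr.debug(tc, "opaque token is null");
            }
        }
        return identityPrincipal;
    }

    /** True only for a (trimmed, case-insensitive) "true"; null or anything else is false. */
    private static boolean parseTrueFlag(String value) {
        return value != null && "true".equalsIgnoreCase(value.trim());
    }

    /** Strips a leading "realm/" from a security name; names without '/' are returned as-is. */
    private static String dropRealmPrefix(String securityName) {
        int slash = securityName.indexOf('/');
        return slash > -1 ? securityName.substring(slash + 1) : securityName;
    }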

    /**
     * Returns a fresh, mutable map of the default trusted-connection properties consumed by
     * {@link #getIdentityPrincipal(Map)}. The defaults are the conservative choice: the
     * invocation identity (not the caller identity) is used, no security attributes are
     * propagated, no target realm is set, and the unauthenticated user is the server's
     * unauthenticated string.
     */
    public static Map getDefaultTrustedConnectionProperties() {
        if (UNAUTHENTICATED == null) {
            UNAUTHENTICATED = ContextManagerFactory.getInstance().getUnauthenticatedString();
        }
        Map<Object, Object> defaults = new HashMap<Object, Object>(4);
        defaults.put(Constants.USE_CALLER_IDENTITY, "false");
        defaults.put(Constants.PROPAGATE_SEC_ATTRS, "false");
        defaults.put(Constants.TARGET_REALM_NAME, null);
        defaults.put(Constants.UNAUTHENTICATED_USER, UNAUTHENTICATED);
        return defaults;
    }

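    /*
     * Class initialisation: read the J2C principal-mapping settings from the security config.
     * Defaults are assigned first so that a failure anywhere below leaves usable values:
     *   isFineGrained = false (class-wide permission instead of per-alias),
     *   cbkFactory = null, cacheReadOnlyAuthDataSubjects = false,
     *   readOnlyAuthDataSubjectCacheSize = 50, cushion = 180000 ms (3 minutes).
     *
     * Fix vs. previous version: the cache-cushion minutes were multiplied in int
     * (value * 60 * 1000) before being widened to long, which overflows above ~35791 minutes
     * and silently installed a wrong (possibly negative) cushion. The multiply is now done in long.
     * The redundant "securityConfig != null" check (it had already been dereferenced) is gone.
     */
    static {
        isFineGrained = false;
        cbkFactory = null;
        cacheReadOnlyAuthDataSubjects = false;
        readOnlyAuthDataSubjectCacheSize = 50;
        cushion = 180000L;
        try {
            SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
            isFineGrained = securityConfig.getBoolean(SecurityConfig.ENFORCE_FINE_GRAINED_JCA_SECURITY);
            cbkFactory = WSMappingCallbackHandlerFactory.getInstance(securityConfig.getProperty("security.mappingCallbackHandlerFactoryClass"));

            long cushionMillis = 0L;
            try {
                // Minutes -> milliseconds, computed in long to avoid int overflow.
                cushionMillis = Integer.valueOf(securityConfig.getProperty(SecurityConfig.CACHE_CUSHION_MIN)).intValue() * 60L * 1000L;
            } catch (RuntimeException ignored) {
                // Property absent (valueOf(null)) or malformed: keep the default cushion.
            }
            if (cushionMillis != 0L) {
                cushion = cushionMillis;
            }

            cacheReadOnlyAuthDataSubjects = securityConfig.getPropertyBool("com.ibm.websphere.security.auth.j2c.cacheReadOnlyAuthDataSubjects");
            if (cacheReadOnlyAuthDataSubjects) {
                // NOTE(review): this sets the system property named by CommonConstants.CACHE_CUSHION_MIN
                // to "true". Whether that constant really names the intended "cache read-only
                // subjects" switch cannot be confirmed from here - verify against CommonConstants.
                System.setProperty(CommonConstants.CACHE_CUSHION_MIN, "true");
            }

            String cacheSizeProperty = securityConfig.getProperty("com.ibm.websphere.security.auth.j2c.readOnlyAuthDataSubjectCacheSize");
            if (cacheSizeProperty != null) {
                try {
                    readOnlyAuthDataSubjectCacheSize = Integer.parseInt(cacheSizeProperty);
                } catch (NumberFormatException e) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception parsing com.ibm.websphere.security.auth.j2c.readOnlyAuthDataSubjectCacheSize value of " + cacheSizeProperty + ".  Setting the default cache sizing to 50.");
                    }
                    readOnlyAuthDataSubjectCacheSize = 50;
                }
            }
        } catch (Exception e2) {
            // Initialisation problems are logged (FFDC + error message) but do not fail class
            // loading; the defaults assigned above remain in effect.
            Manager.Ffdc.log(e2, thisClass, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.static", "133");
            Tr.error(tc, "security.j2c.initFailure", new Object[]{e2});
        }
    }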
}
