package com.ibm.ISecurityLocalObjectTokenBaseImpl;

import com.ibm.CORBA.iiop.ExtendedClientRequestInfo;
import com.ibm.CORBA.iiop.ORB;
import com.ibm.CSIv2Security.LTPAMechOID;
import com.ibm.IExtendedSecurityReplaceablePriv.SessionEntryHolder;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason;
import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.ClientSessionKey;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSFactory;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.SessionManager;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.MechanismAmbiguityException;
import com.ibm.ISecurityUtilityImpl.MechanismFactory;
import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ISecurityUtilityImpl.SecurityMinorCodes;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ISecurityUtilityImpl.VaultConstants;
import com.ibm.ISecurityUtilityImpl.WSSecurityContextFactory;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.websphere.security.auth.WSSecurityContextException;
import com.ibm.websphere.security.auth.WSSecurityContextResult;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.omg.CORBA.Any;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CORBA.StringHolder;
import org.omg.CORBA.SystemException;
import org.omg.CORBA.TypeCodePackage.BadKind;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.CompleteEstablishContext;
import org.omg.CSI.ContextError;
import org.omg.CSI.EstablishContext;
import org.omg.CSI.IdentityToken;
import org.omg.CSI.KRB5MechOID;
import org.omg.CSI.SASContextBody;
import org.omg.GSSUP.GSSUPMechOID;
import org.omg.IOP.Codec;
import org.omg.IOP.ServiceContext;
import org.omg.PortableInterceptor.ClientRequestInfo;
import org.omg.PortableInterceptor.RequestInfo;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.Security.AssociationStatus;
import org.omg.Security.AuthenticationStatus;
import org.omg.Security.OpaqueHolder;

/* loaded from: input_file:wasJars/sas.jar:com/ibm/ISecurityLocalObjectTokenBaseImpl/SecurityContextImpl.class */
public class SecurityContextImpl extends com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl {
    private static final long serialVersionUID = -1426189254434020015L;
    // Trace component for this class; "SASRas" group, messages from the L13 support bundle.
    private static final TraceComponent tc = Tr.register(SecurityContextImpl.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // CSIv2 configuration, looked up via SecurityObjectLocator in the two vault-based constructors
    // only; it stays null after the no-arg constructor.
    private CSIv2Config csiv2;
    // ORB of the vault; assigned only by the (VaultImpl, String) constructor.
    private ORB orb;
    // Vault this context belongs to (session manager, effective policy); null for the no-arg constructor.
    private VaultImpl vault;
    // NOTE(review): not assigned anywhere in the visible part of this class, yet csi_initialize()
    // copies it into _mechanismType after a successful authentication, overwriting the mechanism
    // type identity resolved in the constructor — confirm whether a setter exists further down.
    private String mechType;

    /**
     * Creates an empty context: no vault, ORB, CSIv2 configuration or mechanism type.
     * The instance fields keep their default null values, which is exactly what the
     * explicit assignments in the earlier version produced.
     */
    public SecurityContextImpl() {
        super();
    }

    /**
     * Creates a context bound to a vault and resolves the mechanism type identity of the
     * configured active authentication mechanism ({@code CSIv2Config.ACTIVE_AUTH_MECH_OID}).
     *
     * <p>If the OID is ambiguous the exception is recorded in FFDC and traced, and
     * {@code _mechanismType} is left untouched — callers get a context whose mechanism type
     * is not set rather than a constructor failure.
     *
     * @param vaultImpl owning vault; when null only the CSIv2 configuration is looked up
     * @param str       passed through to the base class constructor
     */
    public SecurityContextImpl(VaultImpl vaultImpl, String str) {
        super(vaultImpl, str);
        this.csiv2 = SecurityObjectLocator.getCSIv2Config();
        if (vaultImpl == null) {
            return;
        }
        this.vault = vaultImpl;
        this.orb = vaultImpl.getORB();
        MechanismFactory factory = vaultImpl.getMechanismFactory();
        if (factory == null) {
            return;
        }
        try {
            String activeMechOid = this.csiv2.getString(CSIv2Config.ACTIVE_AUTH_MECH_OID);
            this._mechanismType = factory.getMechanismTypeIdentity(activeMechOid);
        } catch (MechanismAmbiguityException e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.SecurityContextImpl", "130", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "MechanismAmbiguityException occurred in getMechanismTypeIdentity.", new Object[]{e});
            }
        }
    }

    /**
     * Creates a context bound to a vault with an explicitly supplied mechanism type.
     *
     * <p>Unlike the two-argument constructor this one does not look up the ORB and does not
     * consult the mechanism factory; {@code str2} is taken as the mechanism type as-is.
     *
     * @param vaultImpl owning vault; when null only the CSIv2 configuration is looked up
     * @param str       passed through to the base class constructor
     * @param str2      mechanism type identity to store in {@code _mechanismType}
     */
    public SecurityContextImpl(VaultImpl vaultImpl, String str, String str2) {
        super(vaultImpl, str);
        this.csiv2 = SecurityObjectLocator.getCSIv2Config();
        if (vaultImpl == null) {
            return;
        }
        this.vault = vaultImpl;
        this._mechanismType = str2;
    }

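    /**
     * Client-side continuation of a CSIv2 security association, called from the reply interceptor.
     *
     * <p>For a SUCCESSFUL, USER_EXCEPTION, LOCATION_FORWARD or TRANSPORT_RETRY reply the SAS
     * service context is read: a CompleteEstablishContext hands its final token to the current
     * WSSecurityContext, which is then disposed (also when completion fails — the earlier version
     * skipped dispose() on that path); a ContextError is only traced.  For a SYSTEM_EXCEPTION reply
     * the exception is traced and, when the reply carries no SAS service context at all,
     * SecAssocFailure is returned.
     *
     * <p>Every other outcome, including a failed completeSecContext(), is reported as
     * SecAssocSuccess, as in the earlier version (the mapped minor code is discarded).
     *
     * @param clientRequestInfo   intercepted reply; its reply_status() selects the path
     * @param securityContextImpl peer context handed in by the caller; only traced here
     * @return SecAssocFailure only for a SYSTEM_EXCEPTION reply without a SAS service context,
     *         SecAssocSuccess otherwise
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized AssociationStatus csi_continue_security_context(ClientRequestInfo clientRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_continue_security_context", new Object[]{clientRequestInfo, securityContextImpl, this});
        }
        CSIUtil csiUtil = new CSIUtil();
        AssociationStatus status = AssociationStatus.SecAssocSuccess;
        // reply_status() values are the org.omg.PortableInterceptor constants:
        // 0 SUCCESSFUL, 1 SYSTEM_EXCEPTION, 2 USER_EXCEPTION, 3 LOCATION_FORWARD, 4 TRANSPORT_RETRY.
        switch (clientRequestInfo.reply_status()) {
            case 0:
            case 2:
            case 3:
            case 4: {
                SASContextBody body = null;
                ServiceContext sc = csiUtil.get_sc_from_reply((RequestInfo) clientRequestInfo);
                if (sc != null) {
                    body = csiUtil.get_message_from_sc(sc);
                }
                if (body == null) {
                    break;
                }
                if (body.discriminator() == 1) {
                    // MTCompleteEstablishContext: finish the GSS exchange with the final token.
                    CompleteEstablishContext complete = body.complete_msg();
                    csiUtil.print_cec_message(complete, "csi_continue_security_context");
                    WSSecurityContext secContext = csiUtil.getCurrent().getWSSecurityContext();
                    if (secContext != null) {
                        try {
                            secContext.completeSecContext(complete.final_context_token);
                        } catch (WSSecurityContextException e) {
                            reportCompleteSecContextFailure(e);
                        } finally {
                            // Release the plugin context whether or not completion succeeded.
                            try {
                                secContext.dispose();
                            } catch (WSSecurityContextException e) {
                                reportCompleteSecContextFailure(e);
                            }
                        }
                    }
                } else if (body.discriminator() == 4) {
                    // MTContextError: the target rejected the context; trace only.
                    csiUtil.print_ce_message(body.error_msg(), "csi_continue_security_context");
                }
                break;
            }
            case 1: {
                try {
                    Any receivedException = clientRequestInfo.received_exception();
                    SystemException systemException = ((ExtendedClientRequestInfo) clientRequestInfo).getSystemException();
                    csiUtil.read_detailed_message(clientRequestInfo);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A SYSTEM_EXCEPTION has been received: " + receivedException.type().id() + ", Minor code: " + Long.toHexString(systemException.minor));
                    }
                } catch (BadKind e) {
                    // type().id() is only evaluated for tracing; a bad TypeCode must not abort the association.
                    Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_continue_security_context", "238", this);
                }
                ServiceContext sc = csiUtil.get_sc_from_reply((RequestInfo) clientRequestInfo);
                if (sc == null) {
                    // A system exception with no SAS service context is the only path reported as a failure.
                    status = AssociationStatus.SecAssocFailure;
                    break;
                }
                SASContextBody body = csiUtil.get_message_from_sc(sc);
                if (body != null && body.discriminator() == 4) {
                    csiUtil.print_ce_message(body.error_msg(), "csi_continue_security_context");
                }
                break;
            }
            default:
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "csi_continue_security_context", status);
        }
        return status;
    }

    /**
     * Records a failed completeSecContext() or dispose(): FFDC, trace, and map the GSS major
     * status to a minor code.  The mapped code is discarded and the association result is not
     * changed, exactly as in the earlier version (NOTE(review): confirm that a failed completion
     * returning SecAssocSuccess is the intended contract).
     */
    private void reportCompleteSecContextFailure(WSSecurityContextException e) {
        Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_continue_security_context", "203", this);
        String reason = "Caught WSSecurityContextException in WSSecurityContext.completeSecContext(), reason: " + e.toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, reason);
        }
        PrincipalAuthFailReason.map_auth_fail_to_minor_code(e.getMajor(), StringBytesConversion.getConvertedBytes(reason));
    }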

    /**
     * Four-argument form of {@link #csi_initialize(byte[], byte[], X509Certificate[], OpaqueHolder, Map)}:
     * identical behaviour with no login properties map.
     *
     * @throws WSLoginFailedException when authentication fails
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized void csi_initialize(byte[] bArr, byte[] bArr2, X509Certificate[] x509CertificateArr, OpaqueHolder opaqueHolder) throws WSLoginFailedException {
        this.csi_initialize(bArr, bArr2, x509CertificateArr, opaqueHolder, (Map) null);
    }

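    /**
     * Server-side establishment of the client Subject for an inbound CSIv2 request.
     *
     * <p>The path is selected by getIdentityName():
     * <ul>
     *   <li>{@code VaultConstants.ClientAuthToken}: {@code bArr2} is a GSS token whose mechanism
     *       OID selects a WSSecurityContext plugin; acceptSecContext() yields the Subject and,
     *       optionally, a final token stored via setFinalToken().  When the plugin returns no
     *       Subject the failure (reason 7) is recorded in the context state and the method
     *       returns <em>without</em> throwing, as before.</li>
     *   <li>{@code VaultConstants.ClientCertificate} with a non-null chain: the chain is logged
     *       in through the inbound RMI login configuration.</li>
     *   <li>an identity-token name starting with {@code "ITT"}: {@code bArr2} is the asserted
     *       principal name, which is logged in by name alone.</li>
     * </ul>
     * On success {@code _contextState} becomes 3 and {@code _clientSubject} is set; on every
     * other failure {@code _contextState} becomes 4, {@code _principalAuthFailReason} is set
     * (19 for a certificate-path failure, otherwise 0) and a WSLoginFailedException is thrown.
     *
     * <p>Changes from the earlier version: the GSS plugin context is always disposed through a
     * {@code finally} on the context that was actually created (the old Throwable handler called
     * dispose() on a never-assigned local and so replaced the real cause with a
     * NullPointerException, which also bypassed the certificate-path mapping); the never-true
     * status comparisons and write-only locals are gone; the Kerberos clock-skew FFDC
     * suppression is no longer defeated by a second unconditional FFDC log.
     *
     * @param bArr               only traced
     * @param bArr2              GSS token or asserted name, depending on the identity name
     * @param x509CertificateArr client certificate chain for the ClientCertificate path
     * @param opaqueHolder       only traced
     * @param map                login properties handed to the plugin / login configuration
     * @throws WSLoginFailedException when authentication fails for any reason
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized void csi_initialize(byte[] bArr, byte[] bArr2, final X509Certificate[] x509CertificateArr, OpaqueHolder opaqueHolder, final Map map) throws WSLoginFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_initialize", new Object[]{bArr, bArr2, x509CertificateArr, opaqueHolder, this});
        }
        final ContextManager contextManager = ContextManagerFactory.getInstance();
        final String defaultRealm = contextManager.getDefaultRealm();
        final String identityName = getIdentityName();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Setting identityName: " + identityName);
        }
        Subject subject = null;
        try {
            if (identityName.equals(VaultConstants.ClientAuthToken)) {
                // --- GSS client authentication token: delegate to the mechanism plugin ---
                String mechOid = GSSFactory.getMechOIDFromGSSToken(bArr2);
                WSSecurityContext secContext = null;
                try {
                    secContext = WSSecurityContextFactory.getInstance().createContext(mechOid);
                    byte[] gssInitToken = new GSSFactory(mechOid).decodeGSSToken(bArr2);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "calling plugin acceptSecContext(gssInitToken, in_oid) " + mechOid);
                    }
                    WSSecurityContextResult result = secContext.acceptSecContext(gssInitToken, map, mechOid);
                    if (result == null || result.getSubject() == null) {
                        // The plugin did not authenticate the token.  Record the failure and return
                        // normally — the earlier version did not throw on this path either.
                        String detail = "Subject returned from acceptSecContext is NULL.";
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, detail);
                        }
                        this._principalAuthFailReason = (byte) 7;
                        this._principalAuthFailDetail = StringBytesConversion.getConvertedBytes(detail);
                        this._contextState = 4;
                        return;
                    }
                    subject = result.getSubject();
                    if (result.getFinalToken() != null) {
                        setFinalToken(result.getFinalToken());
                    }
                } catch (WSSecurityContextException e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.acceptSecContext(), reason: " + e.toString(), new Object[]{e});
                    }
                    throw e;
                } catch (Exception e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Caught Java exception in WSSecurityContext.acceptSecContext(), reason: " + e.toString(), new Object[]{e});
                    }
                    throw e;
                } finally {
                    // Release the plugin context on every path, including the early return above.
                    if (secContext != null) {
                        try {
                            secContext.dispose();
                        } catch (WSSecurityContextException e) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.dispose(), reason: " + e.toString(), new Object[]{e});
                            }
                        }
                    }
                }
            } else if (identityName.equals(VaultConstants.ClientCertificate) && x509CertificateArr != null) {
                // --- SSL client certificate: log the chain in via the inbound RMI login configuration ---
                if (tc.isDebugEnabled() && x509CertificateArr.length > 0) {
                    Tr.debug(tc, "ClientCertificate == " + x509CertificateArr[0].toString());
                }
                final byte[] identityValue = getIdentityValue();
                try {
                    subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                            Subject login = contextManager.login(defaultRealm, x509CertificateArr, SecurityContextImpl.this.csiv2.getString("com.ibm.CSI.rmiInboundLoginConfig"), (HttpServletRequest) null, (HttpServletResponse) null, map);
                            if (login == null) {
                                return null;
                            }
                            // Tag the credential with the identity token that produced it.
                            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(login);
                            if (identityName != null) {
                                credential.set("wssecurity.identity_name", identityName);
                                credential.set("wssecurity.identity_value", identityValue);
                            }
                            return login;
                        }
                    });
                } catch (PrivilegedActionException e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred: " + e.getException().getMessage(), new Object[]{e.getException()});
                    }
                    throw e.getException();
                }
            } else if (identityName.startsWith("ITT")) {
                // --- Identity assertion: the peer asserts a principal name, which is logged in by name alone ---
                // NOTE(review): nothing in this method verifies that the asserting peer is trusted;
                // that decision must be taken before this path is reached — confirm against the caller.
                final String assertedName = StringBytesConversion.getConvertedString(bArr2);
                if (assertedName == null || assertedName.length() < 1) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "IdentityAssertion Security name == NULL.");
                    }
                    this._contextState = 4;
                    this._principalAuthFailReason = (byte) 1;
                    return;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityAssertion Security name == " + assertedName);
                }
                final byte[] identityValue = getIdentityValue();
                try {
                    subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws WSLoginFailedException, CredentialDestroyedException, CredentialExpiredException {
                            Subject login = contextManager.login(defaultRealm, assertedName, SecurityContextImpl.this.csiv2.getString("com.ibm.CSI.rmiInboundLoginConfig"), (HttpServletRequest) null, (HttpServletResponse) null, (Map) null);
                            if (login == null) {
                                return null;
                            }
                            WSCredential credential = SubjectHelper.getWSCredentialFromSubject(login);
                            if (credential != null && identityName != null) {
                                credential.set("wssecurity.identity_name", identityName);
                                credential.set("wssecurity.identity_value", identityValue);
                            }
                            return login;
                        }
                    });
                } catch (PrivilegedActionException e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception occurred: " + e.getException().getMessage());
                    }
                    throw e.getException();
                }
            }
            if (subject == null) {
                // Unknown identity name, a ClientCertificate name without a chain, or a null login result.
                throw new WSLoginFailedException("Subject is null.  Authentication Failed.");
            }
            recordAuthSuccess(subject);
        } catch (WSLoginFailedException e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_initialize", "605", this);
            recordAuthFailure((byte) 0, "Authentication failed");
            throw e;
        } catch (WSSecurityContextException e) {
            if (isCertPathValidatorException(e)) {
                recordAuthFailure((byte) 19, "RSA certificate validation failed");
            } else {
                recordAuthFailure((byte) 0, "Authentication failed");
            }
            // Only one FFDC entry, and none for a Kerberos clock-skew error.
            if (!SecurityMessages.suppressFFDCforKrbSkewError(e)) {
                Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "642", this);
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectGSSUPImpl.SecurityContextImpl.csi_initialize", "652", this);
            recordAuthFailure((byte) 0, "Authentication failed");
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /** Marks this context as authenticated (state 3, reason 100) with the given client Subject. */
    private void recordAuthSuccess(Subject subject) {
        this._contextState = 3;
        this._principalAuthFailReason = (byte) 100;
        this._clientSubject = subject;
        this._targetSubject = null;
        // NOTE(review): mechType is never assigned in the visible part of this class, so this
        // resets _mechanismType (resolved in the constructor) to null — confirm it is set elsewhere.
        this._mechanismType = this.mechType;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Authentication success");
        }
    }

    /**
     * Marks this context as failed (state 4) with the given reason.  No failure detail is
     * attached on these paths — the earlier version never populated it either — and exception
     * text is deliberately kept out of it, since the detail bytes presumably travel back to the
     * peer in the ContextError.
     */
    private void recordAuthFailure(byte reason, String traceMessage) {
        this._contextState = 4;
        this._principalAuthFailReason = reason;
        this._principalAuthFailDetail = null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, traceMessage);
        }
    }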

    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized boolean csi_client_preprotect(ClientRequestInfo clientRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl) {
        String str;
        String targetHostName;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_client_preprotect", new Object[]{clientRequestInfo, securityContextImpl, this});
        }
        String str2 = "";
        ServiceContext serviceContext = null;
        StringHolder stringHolder = new StringHolder();
        new OpaqueHolder();
        CSIUtil cSIUtil = new CSIUtil();
        Subject subject = null;
        final Subject clientSubject = getClientSubject();
        new SessionEntryHolder();
        AuthorizationElement[] authorizationElementArr = {new AuthorizationElement(0, new byte[0])};
        IdentityToken identityToken = securityContextImpl.getIdentityToken();
        CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy = this.vault.get_effective_policy(clientRequestInfo.request_id());
        ClientSessionKey clientSessionKey = cSIv2EffectivePerformPolicy.getClientSessionKey();
        str = "";
        byte[] bArr = null;
        boolean z = false;
        long j = 0;
        SessionManager sessionManager = this.vault.getSessionManager();
        ArrayList performClientAuthTargetList = cSIv2EffectivePerformPolicy.getPerformClientAuthTargetList();
        if (cSIv2EffectivePerformPolicy.isStateful()) {
            j = cSIv2EffectivePerformPolicy.getStatefulContextID();
            if (tc.isDebugEnabled()) {
                str2 = "Effective policy indicates stateful request, client_context_id: " + j;
                Tr.debug(tc, str2);
            }
        } else if (tc.isDebugEnabled()) {
            str2 = "Effective policy indicates stateless request.";
            Tr.debug(tc, str2);
        }
        if (securityContextImpl.getTokenType().equals(VaultConstants.CLIENTAUTH_ONLY)) {
            str = cSIv2EffectivePerformPolicy != null ? cSIv2EffectivePerformPolicy.getTargetSecurityName() : "";
            if (str == null || str.equals("")) {
                str = RealmSecurityName.getRealm(stringHolder.value);
            }
            subject = getClientSubject();
        } else if (securityContextImpl.getTokenType().equals(VaultConstants.CLIENTAUTH_AND_IDENTITY)) {
            try {
                if (tc.isDebugEnabled()) {
                    str2 = "Forming Client Authentication Token";
                    Tr.debug(tc, str2);
                }
                CSIv2Config cSIv2Config = SecurityObjectLocator.getCSIv2Config();
                String string = cSIv2Config.getString(CSIv2Config.PERFORM_ALTERNATE_INDENTITY_ASSERTION_TRUSTED_ID);
                String string2 = cSIv2Config.getString(CSIv2Config.PERFORM_ALTERNATE_INDENTITY_ASSERTION_TRUSTED_PASSWORD);
                if (string != null && !string.equals("") && string2 != null && !string2.equals("")) {
                    if (tc.isDebugEnabled()) {
                        str2 = "Alternate ID/Password has been specified.  Sending alternate Userid/Password for trusted identity.";
                        Tr.debug(tc, str2);
                    }
                    str = ContextManagerFactory.getInstance().getDefaultRealm();
                    subject = SubjectHelper.createBasicAuthSubject(str, string, string2);
                } else if (cSIv2Config.getBoolean(CSIv2Config.IS_USE_REGISTRY_SERVERID)) {
                    String string3 = cSIv2Config.getString("com.ibm.CORBA.loginUserid");
                    str = RealmSecurityName.getRealm(cSIv2Config.getString("com.ibm.CORBA.principalName"));
                    String string4 = cSIv2Config.getString("com.ibm.CORBA.loginPassword");
                    if (string4 == null || string4.equals("")) {
                        if (tc.isDebugEnabled()) {
                            str2 = "Alternate ID/Password is not specified.  Sending server's token for trusted identity.";
                            Tr.debug(tc, str2);
                        }
                        subject = ContextManagerFactory.getInstance().getServerSubject();
                        z = true;
                    } else {
                        if (tc.isDebugEnabled()) {
                            str2 = "Alternate ID/Password is not specified.  Sending server's token for trusted identity.";
                            Tr.debug(tc, str2);
                        }
                        if (performClientAuthTargetList.contains(4)) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Basic auth is enabled for the target server, creating a basic auth subject using the server's id and password.");
                            }
                            subject = SubjectHelper.createBasicAuthSubject(str, string3, string4);
                        } else {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Basic auth is disabled for the target server, creating a token subject");
                            }
                            subject = ContextManagerFactory.getInstance().getServerSubject();
                            z = true;
                        }
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        str2 = "UserRegistry server ID is not set and alternate ID/Password is not specified.  Sending server's LTPA token for trusted identity.";
                        Tr.debug(tc, str2);
                    }
                    subject = ContextManagerFactory.getInstance().getServerSubject();
                    z = true;
                }
            } catch (Exception e) {
                Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_client_preprotect", "774", this);
                if (tc.isDebugEnabled()) {
                    str2 = "Cannot get server's credentials (userid/password/realm) from security configuration";
                    Tr.debug(tc, str2, new Object[]{e});
                }
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                throw new NO_PERMISSION(str2, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        } else if (tc.isDebugEnabled()) {
            str2 = "No Client Authentication Token will be put in the request";
            Tr.debug(tc, str2);
        }
        if (subject != null) {
            try {
                WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                if (wSCredentialFromSubject != null && wSCredentialFromSubject.isForwardable()) {
                    WSSecurityContextFactory wSSecurityContextFactory = WSSecurityContextFactory.getInstance();
                    WSSecurityContext wSSecurityContext = null;
                    String performClientAuthMechOID = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOID();
                    if (wSCredentialFromSubject.isBasicAuth()) {
                        if (!OID.compareOIDs(performClientAuthMechOID, GSSUPMechOID.value) && !performClientAuthTargetList.contains(4)) {
                            throw new INTERNAL("Target server does not allow basicAuth (GSSUP)", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                        wSSecurityContext = wSSecurityContextFactory.createContext(GSSUPMechOID.value);
                    } else if (OID.compareOIDs(wSCredentialFromSubject.getOID(), LTPAMechOID.value) && OID.compareOIDs(performClientAuthMechOID, KRB5MechOID.value)) {
                        ArrayList performClientAuthMechOIDList = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOIDList();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "csi_client_preprotect oid list", performClientAuthMechOIDList);
                        }
                        boolean z2 = false;
                        if (performClientAuthMechOIDList != null) {
                            ArrayList performClientAuthMechList = cSIv2EffectivePerformPolicy.getPerformClientAuthMechList();
                            for (int i = 0; i < performClientAuthMechOIDList.size() && !z2; i++) {
                                String str3 = (String) performClientAuthMechOIDList.get(i);
                                if (OID.compareOIDs(str3, LTPAMechOID.value)) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "csi_client_preprotect found LTPA oid in target");
                                    }
                                    z2 = true;
                                    cSIv2EffectivePerformPolicy.setPerformClientAuthMechOID(str3);
                                    cSIv2EffectivePerformPolicy.setPerformClientAuthMech((String) performClientAuthMechList.get(i));
                                    performClientAuthMechOID = str3;
                                    cSIv2EffectivePerformPolicy.setTargetSecurityName((String) cSIv2EffectivePerformPolicy.getTargetSecurityNameList().get(i));
                                }
                            }
                        }
                        if (!z2) {
                            throw new INTERNAL("LTPA wsCredential can not go outbound with Kerberos authentication mechanism", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                    }
                    if (OID.compareOIDs(wSCredentialFromSubject.getOID(), KRB5MechOID.value) && OID.compareOIDs(performClientAuthMechOID, GSSUPMechOID.value) && SubjectHelper.getPrincipalFromSubject(subject) == null) {
                        throw new INTERNAL("The authenticationTarget setting in the client security properties file is set to BasicAuth, but the Kerberos credential in the subject cannot go outbound with BasicAuth (GSSUP).  Review this setting and consider changing it to KRB5", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                    }
                    if (OID.compareOIDs(wSCredentialFromSubject.getOID(), KRB5MechOID.value) && OID.compareOIDs(performClientAuthMechOID, KRB5MechOID.value) && SubjectHelper.getGSSCredentialFromSubject(subject) == null) {
                        ArrayList performClientAuthMechOIDList2 = cSIv2EffectivePerformPolicy.getPerformClientAuthMechOIDList();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "wsCredOid and performClientAuthMechOid are Kerberos OID, but no GSSCredential in subject.");
                            Tr.debug(tc, "csi_client_preprotect oid list", performClientAuthMechOIDList2);
                        }
                        boolean z3 = false;
                        if (performClientAuthMechOIDList2 != null) {
                            ArrayList performClientAuthMechList2 = cSIv2EffectivePerformPolicy.getPerformClientAuthMechList();
                            for (int i2 = 0; i2 < performClientAuthMechOIDList2.size() && !z3; i2++) {
                                String str4 = (String) performClientAuthMechOIDList2.get(i2);
                                if (OID.compareOIDs(str4, LTPAMechOID.value)) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "csi_client_preprotect found LTPA oid in target");
                                    }
                                    z3 = true;
                                    cSIv2EffectivePerformPolicy.setPerformClientAuthMechOID(str4);
                                    cSIv2EffectivePerformPolicy.setPerformClientAuthMech((String) performClientAuthMechList2.get(i2));
                                    performClientAuthMechOID = str4;
                                    cSIv2EffectivePerformPolicy.setTargetSecurityName((String) cSIv2EffectivePerformPolicy.getTargetSecurityNameList().get(i2));
                                }
                            }
                        }
                        if (!z3) {
                            throw new INTERNAL("Kerberos wsCredential without GSSCredential can not go outbound with Kerberos authentication mechanism", SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
                        }
                    }
                    if (wSSecurityContext == null) {
                        wSSecurityContext = cSIv2EffectivePerformPolicy.isAdmin() ? wSSecurityContextFactory.createContext(performClientAuthMechOID) : z ? wSSecurityContextFactory.createContext(wSCredentialFromSubject.getOID()) : wSSecurityContextFactory.createContext(performClientAuthMechOID);
                    }
                    cSIUtil.getCurrent().setWSSecurityContext(wSSecurityContext);
                    if (KRB5MechOID.value.endsWith(performClientAuthMechOID)) {
                        targetHostName = cSIv2EffectivePerformPolicy.getTargetSecurityName();
                        int indexOf = targetHostName.indexOf("@");
                        if (indexOf != -1) {
                            str = targetHostName.substring(indexOf + 1, targetHostName.length());
                        }
                    } else {
                        targetHostName = cSIv2EffectivePerformPolicy.getTargetHostName();
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Calling plugin initSecContext with targetServerName: " + targetHostName + " realm: " + str + " authMech: " + cSIv2EffectivePerformPolicy.getPerformClientAuthMech() + " " + performClientAuthMechOID);
                    }
                    bArr = (wSCredentialFromSubject.isBasicAuth() ? new GSSFactory(GSSUPMechOID.value) : new GSSFactory(performClientAuthMechOID)).encodeGSSToken(wSSecurityContext.initSecContext(subject, targetHostName, str, performClientAuthMechOID));
                    if (WSSecurityPropagationHelper.getInstance().isRMIOutboundPropagationEnabled()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Adding authorization token to the request.");
                        }
                        TokenHolder tokenHolder = null;
                        if (clientSubject != null) {
                            try {
                                tokenHolder = (TokenHolder) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.3
                                    @Override // java.security.PrivilegedExceptionAction
                                    public Object run() throws Exception {
                                        if (SecurityContextImpl.tc.isDebugEnabled()) {
                                            Tr.debug(SecurityContextImpl.tc, "Client subject: " + clientSubject);
                                        }
                                        Iterator it = clientSubject.getPrivateCredentials(TokenHolder.class).iterator();
                                        while (it != null && it.hasNext()) {
                                            Object next = it.next();
                                            if ((next instanceof TokenHolder) && ((TokenHolder) next).getName().equals(WSOpaqueTokenHelper.getInstance().getOpaqueTokenName()) && ((TokenHolder) next).getVersion() == WSOpaqueTokenHelper.getInstance().getOpaqueTokenVersion()) {
                                                if (SecurityContextImpl.tc.isDebugEnabled()) {
                                                    Tr.debug(SecurityContextImpl.tc, "Returning token holder containing opaque authz token.");
                                                }
                                                return (TokenHolder) next;
                                            }
                                        }
                                        return null;
                                    }
                                });
                            } catch (PrivilegedActionException e2) {
                                Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_client_preprotect", "941", this);
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Exception getting private/public tokens from Subject.");
                                }
                            }
                        }
                        if (tokenHolder != null) {
                            authorizationElementArr[0] = new AuthorizationElement(SecurityMinorCodes.CSIV2_AUTHZ_TOKEN, tokenHolder.getBytes());
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Didn't find an authz token to propagate.");
                        }
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSCredential isn't forwardable, identity token insertion is skipped.");
                }
            } catch (WSSecurityContextException e3) {
                Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_client_preprotect", "968", this);
                Tr.debug(tc, "Caught WSSecurityContextException in WSSecurityContext.initSecContext(), reason: " + e3.toString(), new Object[]{e3});
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                PrincipalAuthFailReason.map_auth_fail_to_minor_code(e3.getMajor(), StringBytesConversion.getConvertedBytes(e3.toString()));
            } catch (Exception e4) {
                Manager.Ffdc.log(e4, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_client_preprotect", "979", this);
                String str5 = "Caught Java exception in WSSecurityContext.initSecContext(), reason:, " + e4.toString();
                Tr.debug(tc, str5, new Object[]{e4});
                if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                    sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
                }
                throw new INTERNAL(str5, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
            }
        } else if ((securityContextImpl.getTokenType().equals(VaultConstants.CLIENTAUTH_ONLY) || securityContextImpl.getTokenType().equals(VaultConstants.CLIENTAUTH_AND_IDENTITY)) && subject == null) {
            if (tc.isDebugEnabled()) {
                str2 = SecurityMessages.getMsgOrUseDefault("JSAS0020W", "JSAS0020W: Unable to get credentials.");
                Tr.debug(tc, str2);
            }
            if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                sessionManager.csi_client_session_status_update(j, clientSessionKey, 7);
            }
            throw new NO_PERMISSION(str2, SecurityMinorCodes.CREDENTIAL_NOT_AVAILABLE, CompletionStatus.COMPLETED_NO);
        }
        if (bArr == null) {
            bArr = new byte[0];
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Client Authentication Token is null.");
            }
        }
        EstablishContext establishContext = new EstablishContext(j, authorizationElementArr, identityToken, bArr);
        cSIUtil.print_ec_message(establishContext, "csi_client_preprotect");
        if (establishContext != null) {
            serviceContext = cSIUtil.create_sc_from_ec_message(establishContext);
            if (cSIv2EffectivePerformPolicy.isStateful() && j != 0) {
                sessionManager.csi_client_session_ecmessage_update(j, clientSessionKey, establishContext);
            }
        }
        if (serviceContext != null) {
            clientRequestInfo.add_request_service_context(serviceContext, true);
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "csi_client_preprotect", Boolean.TRUE);
        return true;
    }

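    /**
     * Server-side CSIv2 "preprotect" hook: attaches the SAS reply service context to the
     * outgoing reply.  For a successful reply, a user exception, a location forward or a
     * transport retry the reply carries a {@code CompleteEstablishContext} with the final
     * token; for a system exception it carries a {@code ContextError} instead.
     *
     * <p>The {@code reply_status()} values are matched against literal constants; 0..4
     * appear to correspond, in order, to the PortableInterceptor reply status codes
     * SUCCESSFUL, SYSTEM_EXCEPTION, USER_EXCEPTION, LOCATION_FORWARD and TRANSPORT_RETRY
     * (confirm against the {@code org.omg.PortableInterceptor} constants in use).  Any
     * other status leaves the reply untouched.
     *
     * @param serverRequestInfo   the request whose reply is being built
     * @param securityContextImpl the base context whose minor code is reported in the
     *                            {@code ContextError}; may be {@code null}
     * @return always {@code true}
     */
    @Override // com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl
    public synchronized boolean csi_server_preprotect(ServerRequestInfo serverRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "csi_server_preprotect", new Object[]{serverRequestInfo, securityContextImpl, this});
        }
        CSIUtil cSIUtil = new CSIUtil();
        long contextId = get_stateful_context_id();
        // The reply is only flagged stateful when this server claims stateful sessions
        // AND a real (positive) context id has been assigned.
        boolean stateful = false;
        if (SecurityObjectLocator.getCSIv2Config().getBoolean(CSIv2Config.CLAIM_STATEFUL) && contextId > 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stateful set to true for CompleteEstablishContext.  ContextID: " + contextId);
            }
            stateful = true;
        }
        switch (serverRequestInfo.reply_status()) {
            case 0: // SUCCESSFUL
                addCompleteEstablishContext(serverRequestInfo, cSIUtil, contextId, stateful);
                break;
            case 1: // SYSTEM_EXCEPTION -> ContextError
                try {
                    Any sending_exception = serverRequestInfo.sending_exception();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A SYSTEM_EXCEPTION occurred: " + sending_exception.type().id() + ".  Sending ContextError.");
                    }
                } catch (BadKind e) {
                    // Only the diagnostic id() lookup can fail; the ContextError is still sent.
                    Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_server_preprotect", "1108", this);
                }
                addContextError(serverRequestInfo, securityContextImpl, cSIUtil, contextId);
                break;
            case 2: // USER_EXCEPTION -> still a CompleteEstablishContext
                try {
                    Any sending_exception2 = serverRequestInfo.sending_exception();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "A USER_EXCEPTION occurred: " + sending_exception2.type().id() + ".  Sending CompleteEstablishContext.");
                    }
                } catch (BadKind e2) {
                    Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectTokenBaseImpl.SecurityContextImpl.csi_server_preprotect", "1156", this);
                }
                addCompleteEstablishContext(serverRequestInfo, cSIUtil, contextId, stateful);
                break;
            case 3: // LOCATION_FORWARD
            case 4: // TRANSPORT_RETRY
                addCompleteEstablishContext(serverRequestInfo, cSIUtil, contextId, stateful);
                break;
            default:
                // Unknown / unexpected reply status: no SAS reply service context is added.
                break;
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "csi_server_preprotect", Boolean.TRUE);
        return true;
    }

    /**
     * Builds a {@code CompleteEstablishContext} carrying the final token (an empty token
     * when {@link #getFinalToken()} yields {@code null}) and adds it to the reply as a
     * service context.  Shared by the SUCCESSFUL, USER_EXCEPTION, LOCATION_FORWARD and
     * TRANSPORT_RETRY branches, which previously duplicated this code.
     *
     * @param serverRequestInfo the request whose reply receives the service context
     * @param cSIUtil           helper used to trace and encode the message
     * @param contextId         the stateful context id reported to the client
     * @param stateful          whether the reply is flagged stateful
     */
    private void addCompleteEstablishContext(ServerRequestInfo serverRequestInfo, CSIUtil cSIUtil, long contextId, boolean stateful) {
        byte[] finalToken = getFinalToken();
        if (finalToken == null) {
            finalToken = new byte[0];
        }
        CompleteEstablishContext completeEstablishContext = new CompleteEstablishContext(contextId, stateful, finalToken);
        cSIUtil.print_cec_message(completeEstablishContext, "csi_server_preprotect");
        ServiceContext serviceContext = cSIUtil.create_sc_from_cec_message(completeEstablishContext);
        if (serviceContext != null) {
            serverRequestInfo.add_reply_service_context(serviceContext, true);
        }
    }

    /**
     * Builds the {@code ContextError} sent back on a system exception and adds it to the
     * reply as a service context.
     *
     * <p>NOTE(review): the error token is {@code cSIUtil.serializeRootException()}, so
     * whatever that helper serializes travels to the remote peer inside the reply;
     * confirm it carries no more detail than the client needs.
     *
     * @param serverRequestInfo   the request whose reply receives the service context
     * @param securityContextImpl source of the minor code; {@code null} yields major 0 / minor 0
     * @param cSIUtil             helper used to serialize, trace and encode the message
     * @param contextId           the stateful context id reported to the client
     */
    private void addContextError(ServerRequestInfo serverRequestInfo, com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityContextImpl securityContextImpl, CSIUtil cSIUtil, long contextId) {
        byte[] errorToken = cSIUtil.serializeRootException();
        ContextError contextError;
        if (securityContextImpl == null) {
            contextError = new ContextError(contextId, 0, 0, errorToken);
        } else if (securityContextImpl.get_minor_code() == 1229079304) {
            // 1229079304 == 0x49424308 (a WebSphere-range minor code).  This one is mapped
            // to CSIv2 major status 4 / minor 1, which appears to be the spec's
            // "no context" ContextError; every other minor code is passed through
            // unchanged under major status 0.
            contextError = new ContextError(contextId, 4, 1, errorToken);
        } else {
            contextError = new ContextError(contextId, 0, securityContextImpl.get_minor_code(), errorToken);
        }
        cSIUtil.print_ce_message(contextError, "csi_server_preprotect");
        ServiceContext serviceContext = cSIUtil.create_sc_from_ce_message(contextError);
        if (serviceContext != null) {
            serverRequestInfo.add_reply_service_context(serviceContext, true);
        }
    }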

    /**
     * Returns the CORBA {@code Codec} held by this context's vault; the vault is the
     * single owner of the codec and this accessor merely delegates to it.
     *
     * @return the vault's codec
     */
    protected Codec getCodec() {
        Codec vaultCodec = this.vault.getCodec();
        return vaultCodec;
    }

    /**
     * Reports whether {@code obj} is a {@code WSSecurityContextException} whose cause is a
     * {@code WSSecurityException} that was itself caused by a
     * {@code CertPathValidatorException} — i.e. a certificate-path validation failure
     * wrapped exactly two levels deep.  Any other object, including {@code null}, a
     * different exception type, or a shallower/deeper wrapping, yields {@code false}.
     *
     * @param obj the object to inspect; may be {@code null} or of any type
     * @return {@code true} only for the three-level wrapping described above
     */
    public static boolean isCertPathValidatorException(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCertPathValidatorException", obj);
        }
        boolean matched = unwrapsToCertPathValidatorException(obj);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCertPathValidatorException: " + matched);
        }
        return matched;
    }

    /**
     * Walks the two wrapped causes with guard clauses; {@code instanceof} already rejects
     * {@code null} at each level, so no separate null checks are needed.
     */
    private static boolean unwrapsToCertPathValidatorException(Object obj) {
        if (!(obj instanceof WSSecurityContextException)) {
            return false;
        }
        Throwable outerCause = ((WSSecurityContextException) obj).getCause();
        if (!(outerCause instanceof WSSecurityException)) {
            return false;
        }
        Throwable innerCause = ((WSSecurityException) outerCause).getCause();
        return innerCause instanceof CertPathValidatorException;
    }
}
