package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.nws.ffdc.FFDCFilter;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLGenerateCallback;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.trust.WSSTrustClient;
import com.ibm.ws.wssecurity.config.DerivedKeyInfoConfig;
import com.ibm.ws.wssecurity.config.KeyInfoContentGeneratorConfig;
import com.ibm.ws.wssecurity.config.WSSGeneratorConfig;
import com.ibm.ws.wssecurity.confimpl.PrivateConsumerConfig;
import com.ibm.ws.wssecurity.handler.PolicyConfigUtil;
import com.ibm.ws.wssecurity.handler.PolicyOutboundConfig;
import com.ibm.ws.wssecurity.keyinfo.KeyInfoConsumer;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.platform.util.SAMLIssuerConfigData;
import com.ibm.ws.wssecurity.platform.util.SAMLIssuerConfigDataFactory;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.saml.config.impl.SAMLIssuerConfigDataImpl;
import com.ibm.ws.wssecurity.saml.config.impl.SamlConfigUtil;
import com.ibm.ws.wssecurity.saml.security.impl.KeyInfoUtil;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.ConstantsRetrieverFactory;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.util.SAMLTokenCacheHelper;
import com.ibm.ws.wssecurity.util.SAMLTokenHelper;
import com.ibm.ws.wssecurity.util.SamlConfigUtils;
import com.ibm.ws.wssecurity.util.TokenUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.WSSGenerationContextImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.CallbackHandlerConfig;
import com.ibm.wsspi.wssecurity.core.config.TokenGeneratorConfig;
import com.ibm.wsspi.wssecurity.core.token.SecurityTokenManager;
import com.ibm.wsspi.wssecurity.core.token.config.RequesterConfiguration;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.config.SamlConstants;
import com.ibm.wsspi.wssecurity.wssapi.OMStructure;
import java.security.Key;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMAbstractFactory;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.client.Options;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.description.WSDL2Constants;
import org.apache.axis2.engine.AxisConfiguration;

/* loaded from: input_file:com/ibm/ws/wssecurity/wssapi/token/impl/SAMLGenerateLoginModule.class */
public class SAMLGenerateLoginModule implements LoginModule {
    // JAAS state captured by initialize(); the module keeps the references it is handed (no copies).
    private Subject _subject;
    private CallbackHandler _handler;
    private Map _sharedState;
    private Map _options;
    // Tokens seen / added to the message during login(); both lists are reset in initialize().
    List<SecurityToken> _processedTokens;
    List<SecurityToken> _insertedTokens;
    SecurityTokenManager _securityTokenManager;
    // Axis2 message context pulled from the PropertyCallback properties; stays null when login()
    // runs without a message context.
    MessageContext messageContext = null;
    // Properties returned by the PropertyCallback in login(); null selects the no-message-context path.
    Map<Object, Object> _context;
    OMNode _referencedTokenElement;
    private static final String comp = "security.wssecurity";
    private static final String UNAUTHENTICATED = "UNAUTHENTICATED";
    // WS-Trust 1.4 namespace and the prefix used for it.
    private static final String WS_TRUST_14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802";
    private static final String WS_TRUST_14_PREFIX = "wst14";
    private static final TraceComponent tc = Tr.register(SAMLGenerateLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = SAMLGenerateLoginModule.class.getName();
    // Custom-property names the self-issuer configuration is read from. NOTE(review): the *_PW_PROP
    // entries appear to carry key-store / key / trust-store passwords — confirm, and keep their
    // values out of trace output.
    private static String[] sicPropertyNames = {SamlConstants.ISSUER_URI_PROP, SamlConstants.TTL_PROP, SamlConstants.KS_REF_PROP, SamlConstants.KS_PATH_PROP, SamlConstants.KS_TYPE_PROP, SamlConstants.KS_PW_PROP, SamlConstants.KEY_ALIAS_PROP, SamlConstants.KEY_NAME_PROP, SamlConstants.KEY_PW_PROP, SamlConstants.TS_REF_PROP, SamlConstants.TS_PATH_PROP, SamlConstants.TS_TYPE_PROP, SamlConstants.TS_PW_PROP, "com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerFormat", "com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptingAlias", "com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptSAML", "com.ibm.wsspi.wssecurity.saml.config.issuer.AttributeProvider", "com.ibm.wsspi.wssecurity.saml.config.issuer.NameIDProvider", "com.ibm.wsspi.wssecurity.saml.config.issuer.oldEnvelopedSignature", "com.ibm.wsspi.wssecurity.saml.config.issuer.UseSha2ForSignature"};
    // {custom-property name, SAMLIssuerConfigData key} pairs, one per entry of sicPropertyNames,
    // used to translate custom properties into issuer configuration data.
    private static String[][] sicPropertyNamesToConfigData = {new String[]{SamlConstants.ISSUER_URI_PROP, SAMLIssuerConfigData.ISSUER_URI}, new String[]{SamlConstants.TTL_PROP, SAMLIssuerConfigData.TIME_TO_LIVE_MILLISECONDS}, new String[]{SamlConstants.KS_REF_PROP, SAMLIssuerConfigData.KEY_STORE_REF}, new String[]{SamlConstants.KS_PATH_PROP, SAMLIssuerConfigData.KEY_STORE_PATH}, new String[]{SamlConstants.KS_TYPE_PROP, SAMLIssuerConfigData.KEY_STORE_TYPE}, new String[]{SamlConstants.KS_PW_PROP, SAMLIssuerConfigData.KEY_STORE_PASSWORD}, new String[]{SamlConstants.KEY_ALIAS_PROP, SAMLIssuerConfigData.KEY_ALIAS}, new String[]{SamlConstants.KEY_NAME_PROP, SAMLIssuerConfigData.KEY_NAME}, new String[]{SamlConstants.KEY_PW_PROP, SAMLIssuerConfigData.KEY_PASSWORD}, new String[]{SamlConstants.TS_REF_PROP, SAMLIssuerConfigData.TRUST_STORE_REF}, new String[]{SamlConstants.TS_PATH_PROP, SAMLIssuerConfigData.TRUST_STORE_PATH}, new String[]{SamlConstants.TS_TYPE_PROP, SAMLIssuerConfigData.TRUST_STORE_TYPE}, new String[]{SamlConstants.TS_PW_PROP, SAMLIssuerConfigData.TRUST_STORE_PASSWORD}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.IssuerFormat", SAMLIssuerConfigData.ISSUER_FORMAT}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptingAlias", "EncryptingAlias"}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.EncryptSAML", "EncryptSAML"}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.AttributeProvider", SAMLIssuerConfigData.ATTRIBUTE_PROVIDER}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.NameIDProvider", SAMLIssuerConfigData.NAME_ID_PROVIDER}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.oldEnvelopedSignature", PrivateConsumerConfig.OLD_ENVELOPED_SIG}, new String[]{"com.ibm.wsspi.wssecurity.saml.config.issuer.UseSha2ForSignature", "UseSha2ForSignature"}};
    // Shared Axiom factory for building OM elements.
    private static final OMFactory omFactory = OMAbstractFactory.getOMFactory();

    /**
     * Stores the JAAS state handed to this login module and resets the processed / inserted token
     * lists for the upcoming {@link #login()}.
     *
     * @param subject the subject being authenticated (kept by reference)
     * @param callbackHandler handler that will supply the SAML generate and property callbacks
     * @param map the JAAS shared state
     * @param map2 the login-module options
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        _subject = subject;
        _handler = callbackHandler;
        _sharedState = map;
        _options = map2;
        // Fresh, empty lists: the module may be reused across logins.
        _processedTokens = new ArrayList<SecurityToken>();
        _insertedTokens = new ArrayList<SecurityToken>();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Generates the SAML token for this login.
     *
     * <p>When a SecurityManager is installed, {@code GET_NEWSAMLTOKEN_PERM} is checked before any
     * token is minted. The callback handler is then asked for a {@link SAMLGenerateCallback} and a
     * {@link PropertyCallback}; if the latter yields properties the message-context path is taken,
     * otherwise the token is created without a message context.
     *
     * @return {@code true} when a token was generated
     * @throws LoginException wrapping any failure; the original exception is kept as the cause
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(SAMLTokenFactory.GET_NEWSAMLTOKEN_PERM);
        }
        SAMLGenerateCallback samlCallback = new SAMLGenerateCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            _handler.handle(new Callback[]{samlCallback, propertyCallback});
            _context = propertyCallback.getProperties();
            // A null property map means no message context is available for this login.
            if (_context == null) {
                createSAMLTokenWithoutMessageContext(samlCallback);
            } else {
                createSAMLTokenWithMessageContext(samlCallback);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".login", "138", this);
            Tr.error(tc, "security.wssecurity.BSTokenLoginModule.s01", e);
            LoginException failure = new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e.toString()}));
            failure.initCause(e);
            throw failure;
        }
    }

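    /**
     * Issues, or reuses, the SAML token for an outbound message when a message context is present.
     *
     * <p>The message context, security token manager, token-generator configuration and WSS generator
     * configuration are read from {@code _context}. A {@link SAMLTokenImpl} already registered with the
     * token manager for this generator is reused; otherwise a new token is issued. Afterwards the
     * token is recorded in {@code _processedTokens} and either the derived-key shared state is
     * populated or the key-info type is set to {@code KeyInfoConsumer.KEYID}.
     *
     * @param sAMLGenerateCallback the callback describing the token to generate
     * @throws LoginException wrapping any failure from the issue path (cause preserved)
     */
    private void createSAMLTokenWithMessageContext(SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSAMLTokenWithMessageContext(SAMLGenerateCallback samlCallback)");
        }
        this.messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        this._securityTokenManager = (SecurityTokenManager) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        TokenGeneratorConfig tokenGeneratorConfig = (TokenGeneratorConfig) this._context.get(TokenGeneratorConfig.CONFIG_KEY);
        WSSGeneratorConfig wSSGeneratorConfig = (WSSGeneratorConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssGenerator.configKey");
        SAMLToken sAMLToken = findRegisteredSAMLToken(tokenGeneratorConfig);
        if (tc.isDebugEnabled() && sAMLToken != null) {
            Tr.debug(tc, "SAML token found in local context");
        }
        try {
            boolean isServiceProvider = Axis2Util.isServiceProvider(this.messageContext);
            if (sAMLToken == null) {
                sAMLToken = issueSAMLTokenWithEncryptionAlgorithm(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, isServiceProvider);
            } else if (!isServiceProvider) {
                // Client side reusing an existing token: keep its element so it can be referenced.
                OMStructure oMStructure = (OMStructure) sAMLToken.getXML();
                if (oMStructure != null) {
                    this._referencedTokenElement = oMStructure.getNode();
                }
            }
            this._processedTokens.add(sAMLToken);
            if (requireDKT()) {
                populateSharedStateForDKT(sAMLToken);
            } else {
                this._context.put(Constants.WSSECURITY_KEYINFO_TYPE, KeyInfoConsumer.KEYID);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createSAMLTokenWithMessageContext");
            }
        } catch (Exception e) {
            Tr.processException(e, clsName + ".createSAMLTokenWithMessageContext", "245", this);
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Returns the first {@link SAMLTokenImpl} the security token manager holds for
     * {@code tokenGeneratorConfig}, or {@code null} when it holds none.
     */
    private SAMLToken findRegisteredSAMLToken(TokenGeneratorConfig tokenGeneratorConfig) {
        Collection<SecurityToken> tokens = this._securityTokenManager.getTokens(tokenGeneratorConfig);
        if (tokens == null || tokens.isEmpty()) {
            return null;
        }
        for (SecurityToken candidate : tokens) {
            if (candidate instanceof SAMLTokenImpl) {
                return (SAMLTokenImpl) candidate;
            }
        }
        return null;
    }

    /**
     * Issues a new token via {@link #createSAMLToken}, publishing the XML Encryption algorithm chosen
     * from the policy algorithm suite in {@code _context} for the duration of the call.
     *
     * <p>The context entry is removed in a {@code finally} so that a failed issue cannot leave a stale
     * algorithm behind in the shared context.
     */
    private SAMLToken issueSAMLTokenWithEncryptionAlgorithm(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, boolean isServiceProvider) throws LoginException {
        if (wSSGeneratorConfig instanceof PolicyOutboundConfig) {
            String algorithmSuite = ((PolicyOutboundConfig) wSSGeneratorConfig).getAlgorithmSuite();
            if (algorithmSuite != null) {
                this._context.put(CommonTokenParser.EncryptionAlgorithm, encryptionAlgorithmFor(algorithmSuite));
            }
        }
        try {
            return createSAMLToken(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, this.messageContext, isServiceProvider);
        } finally {
            this._context.remove(CommonTokenParser.EncryptionAlgorithm);
        }
    }

    /**
     * Maps a WS-SecurityPolicy algorithm suite name to the XML Encryption block-cipher URI:
     * Basic256 -> AES-256-CBC, Basic192 -> AES-192-CBC, anything else -> AES-128-CBC.
     */
    private static String encryptionAlgorithmFor(String algorithmSuite) {
        if (algorithmSuite.contains("Basic256")) {
            return "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
        }
        if (algorithmSuite.contains("Basic192")) {
            return "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
        }
        return "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
    }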

    /**
     * Issues a SAML token for a caller that has no message context and stores it in the JAAS shared
     * state under {@code SamlConstants.SAML_TOKEN}. Self-issue is used when the callback's STS URI
     * denotes the local issuer, otherwise the token is requested from the STS.
     *
     * @param sAMLGenerateCallback the callback describing the token to generate
     * @throws LoginException propagated from the issue path
     */
    private void createSAMLTokenWithoutMessageContext(SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSAMLTokenWithoutMessageContext");
        }
        SecurityToken issued;
        if (isSelfIssue(sAMLGenerateCallback)) {
            issued = selfIssueWithoutMessageContext(sAMLGenerateCallback);
        } else {
            issued = stsIssueSAMLTokenForNonWSClient(sAMLGenerateCallback);
        }
        this._sharedState.put(SamlConstants.SAML_TOKEN, issued);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSAMLTokenWithoutMessageContext");
        }
    }

    /**
     * Self-issues a SAML token without a message context.
     *
     * <p>The confirmation method must normalize to bearer, sender-vouches or holder-of-key and the
     * issue mode must be one of PROPAGATION, SAMLORPRINCIPAL, WSPRINCIPAL or WSCREDENTIAL; anything
     * else raises CWSML2030E. Issuer configuration is taken from the generation context's custom
     * properties when one is present. The token is then built from the callback's NameID, from the
     * propagated token (PROPAGATION mode), or from the invocation subject.
     *
     * @param sAMLGenerateCallback the callback describing the token to generate
     * @return the issued token
     * @throws LoginException wrapping any failure (cause preserved)
     */
    private SecurityToken selfIssueWithoutMessageContext(SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "selfIssueWithoutMessageContext(SAMLGenerateCallback samlCallback)");
        }
        try {
            final String tokenType = sAMLGenerateCallback.getTokenType();
            SAMLTokenFactory factory = SAMLTokenFactory.getInstance(tokenType);
            RequesterConfig requesterConfig = getRequesterConfig(null, factory, sAMLGenerateCallback, null, tokenType);
            try {
                String confirmation = SamlConfigUtils.getNormalizedConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod(), tokenType);
                boolean knownConfirmation = confirmation.contains("bearer")
                        || confirmation.contains("sender-vouches")
                        || confirmation.contains("holder-of-key");
                if (!knownConfirmation) {
                    throw WSSException.format("CWSML2030E");
                }
                Object issueMode = sAMLGenerateCallback.getIssueMode();
                boolean knownMode = RequesterConfig.requestMode.PROPAGATION.equals(issueMode)
                        || RequesterConfig.requestMode.SAMLORPRINCIPAL.equals(issueMode)
                        || RequesterConfig.requestMode.WSPRINCIPAL.equals(issueMode)
                        || RequesterConfig.requestMode.WSCREDENTIAL.equals(issueMode);
                if (!knownMode) {
                    throw WSSException.format("CWSML2030E");
                }
                WSSGenerationContextImpl generationContext = (WSSGenerationContextImpl) sAMLGenerateCallback.getWSSGenerationContext();
                if (generationContext == null) {
                    SAMLIssuerConfigDataFactory.setSamlIssuerConfigData(null);
                } else {
                    issuerConfigFromCustomProperties(generationContext.getCustomProperties());
                }
                ProviderConfig providerConfig = factory.newDefaultProviderConfig(sAMLGenerateCallback.getStsURI());
                String nameId = sAMLGenerateCallback.getNameId();
                SAMLToken token;
                if (nameId != null && !nameId.isEmpty()) {
                    token = newSAMLTokenFromCallback(factory, sAMLGenerateCallback, requesterConfig, providerConfig);
                } else if (RequesterConfig.requestMode.PROPAGATION.equals(issueMode)) {
                    token = processPropagationToken(sAMLGenerateCallback, null, null);
                } else {
                    token = newSAMLTokenFromSubject(WSSContextManagerFactory.getInstance().getInvocationSubject(), sAMLGenerateCallback, factory, requesterConfig, providerConfig);
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "selfIssueWithoutMessageContext(SAMLGenerateCallback samlCallback)");
                }
                return token;
            } catch (Exception e) {
                Tr.processException(e, clsName + ".selfIssueWithoutMessageContext", "344", this);
                LoginException failure = new LoginException(e.getMessage());
                failure.initCause(e);
                throw failure;
            }
        } catch (Exception e2) {
            Tr.processException(e2, clsName + ".selfIssueWithoutMessageContext", "%C", this);
            LoginException failure = new LoginException(e2.getMessage());
            failure.initCause(e2);
            throw failure;
        }
    }

    /**
     * Decides whether the token is to be self-issued rather than requested from an STS.
     *
     * @param sAMLGenerateCallback the callback whose STS URI is inspected
     * @return {@code true} when the STS URI is null or empty, contains {@code www.ibm.com/SelfIssue},
     *         or equals {@code SamlConstants.SAMLTOKEN_SELF_ISSUER} ignoring case
     */
    private static boolean isSelfIssue(SAMLGenerateCallback sAMLGenerateCallback) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSelfIssue(SAMLGenerateCallback samlCallback)");
        }
        String stsURI = sAMLGenerateCallback.getStsURI();
        boolean selfIssue;
        if (stsURI == null || stsURI.isEmpty()) {
            selfIssue = true;
        } else if (stsURI.contains("www.ibm.com/SelfIssue")) {
            selfIssue = true;
        } else {
            selfIssue = stsURI.equalsIgnoreCase(SamlConstants.SAMLTOKEN_SELF_ISSUER);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSelfIssue(SAMLGenerateCallback samlCallback):" + selfIssue);
        }
        return selfIssue;
    }

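    /**
     * Creates the SAML token for the current message, choosing the server-side path when this is a
     * service provider that needs a holder-of-key token and the client-side path otherwise.
     *
     * <p>The endpoint address is resolved only for tracing and does not affect issuance.
     *
     * @param sAMLGenerateCallback the callback describing the token to generate
     * @param wSSGeneratorConfig the WSS generator configuration
     * @param tokenGeneratorConfig the token-generator configuration
     * @param messageContext the current Axis2 message context (must not be null)
     * @param z {@code true} when running as the service provider
     * @return the token, possibly {@code null} if neither path produced one
     * @throws LoginException propagated from the chosen issue path
     */
    private SAMLToken createSAMLToken(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext, boolean z) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSAMLToken()");
        }
        if (messageContext.getTo() != null) {
            String address = messageContext.getTo().getAddress();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The End Point Address (from mc) is: " + address);
            }
        } else {
            String address = null;
            Options options = messageContext.getOptions();
            // The options' "to" reference may also be unset; guard it instead of dereferencing blindly.
            if (options != null && options.getTo() != null) {
                address = options.getTo().getAddress();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The End Point Address (from options, from mc returns null) is: " + address);
            }
        }
        boolean holderOfKey = checkForHolderOfKey(sAMLGenerateCallback, tokenGeneratorConfig, messageContext);
        SAMLToken token;
        if (z && holderOfKey) {
            token = processServerSideSAML(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext, holderOfKey);
        } else {
            token = processClientSideSAML(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSAMLToken returns samlToken[" + (token == null ? AppConstants.NULL_STRING : token.getSamlID()) + "]");
        }
        return token;
    }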

    /**
     * Obtains the SAML token on the client side and attaches it to the message.
     *
     * <p>Lookup order: customer-supplied token, token from the message context, stand-alone token
     * from the WSS API generation context; only when all three are absent is a token issued (by
     * propagation in PROPAGATION mode, otherwise via {@link #processClientSideSAMLIssue}). The
     * resulting token's ID is set on the message context, the token is registered as inserted and a
     * SecurityTokenReference element is created for it.
     *
     * @return the token that was attached (never {@code null}; the issue paths throw instead)
     * @throws LoginException propagated from the issue path
     */
    private SAMLToken processClientSideSAML(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processClientSideSAML()");
        }
        SAMLToken token = getCustomerSamlToken(tokenGeneratorConfig.getType());
        if (token == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking for SAML token in message context");
            }
            token = getSAMLTokenFromMessageContext(sAMLGenerateCallback, tokenGeneratorConfig, this.messageContext);
        }
        if (token == null) {
            token = processGenrationContextSecurityTokens(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, this.messageContext);
        }
        if (token != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found SAMLToken from RequestContext. Not issue performed.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not SAML found from RequestContext. Continue to issue.");
            }
            // Result intentionally unused, as in the original.
            sAMLGenerateCallback.getTokenRequest();
            boolean propagate = RequesterConfig.requestMode.PROPAGATION.equals(sAMLGenerateCallback.getIssueMode());
            if (propagate) {
                token = processPropagationToken(sAMLGenerateCallback, tokenGeneratorConfig, messageContext);
            } else {
                token = processClientSideSAMLIssue(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext);
            }
        }
        String samlID = token.getSamlID();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Setting " + SAMLTokenHelper.SAMLTOKEN_ID + " to [" + samlID + "] on the messageContext");
        }
        this.messageContext.setProperty(SAMLTokenHelper.SAMLTOKEN_ID, samlID);
        SAMLTokenHelper.setSAMLTokenToContext(token, this.messageContext);
        mapKeyIdentifierToTokenValueType(token);
        this._insertedTokens.add(token);
        createSecurityTokenReferenceElement(token, tokenGeneratorConfig);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processClientSideSAML returns samlToken[" + token.getSamlID() + "]");
        }
        return token;
    }

    /**
     * Looks for a stand-alone SAML token registered on the WSS API generation context.
     *
     * <p>Only consulted when the message context carries the WSS API generator configuration. If the
     * generation context holds several SAML tokens the last one wins. {@code addKeyToTokenIfRequired}
     * is invoked regardless of whether a token was found.
     *
     * @return the stand-alone SAML token, or {@code null} when none is present
     * @throws LoginException propagated from {@code addKeyToTokenIfRequired}
     */
    private SAMLToken processGenrationContextSecurityTokens(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processGenrationContextSecurityTokens()");
        }
        SAMLToken found = null;
        boolean wssApiEnabled = messageContext != null
                && messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.WSSAPI_CONFIG_KEY_GENERATOR) != null;
        if (wssApiEnabled) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSSAPI enables...");
                Tr.debug(tc, "WSSAPI check if zmy stand-alone SAMLToken . . .");
            }
            WSSGenerationContextImpl generationContext = (WSSGenerationContextImpl) this.messageContext.getProperty(com.ibm.ws.wssecurity.common.Constants.WSSAPI_CONFIG_KEY_GENERATOR);
            Set<Object> standAlone = generationContext.getStandAloneSecurityTokens();
            if (standAlone != null && !standAlone.isEmpty()) {
                for (Object candidate : standAlone) {
                    if (candidate instanceof SAMLToken) {
                        found = (SAMLToken) candidate;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "WSS API: adding stand alone SAML token: " + found.getId());
                        }
                    }
                }
            }
        }
        addKeyToTokenIfRequired(found, sAMLGenerateCallback);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processGenrationContextSecurityTokens returns samlToken[" + (found == null ? AppConstants.NULL_STRING : found.getSamlID()) + "]");
        }
        return found;
    }

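    /**
     * Issues a SAML token on the client side.
     *
     * <p>When the callback enables caching the token cache is consulted first. Otherwise the token is
     * self-issued when the STS URI denotes the local issuer, or requested from that STS. For a
     * holder-of-key confirmation with a public key type the private/secret key from the configured
     * key store is attached to the token. A token without a confirmation method gets the normalized
     * method from the callback on a best-effort basis.
     *
     * @return the issued token (never {@code null})
     * @throws LoginException when no assertion could be acquired (CWWSS7510E) or attaching the key fails
     */
    private SAMLTokenImpl processClientSideSAMLIssue(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processClientSideSAMLIssue()");
        }
        SAMLTokenImpl token = null;
        long cacheCushion = sAMLGenerateCallback.getCacheCushion();
        boolean cacheToken = sAMLGenerateCallback.cacheToken();
        if (cacheToken) {
            token = (SAMLTokenImpl) SAMLTokenCacheHelper.getSAMLToken(messageContext, tokenGeneratorConfig, cacheCushion);
        }
        // Key material is only looked up for public key types; it is attached below for holder-of-key.
        KeyStoreManager.KeyInformation keyInformation = null;
        if (mentionsPublicKey(sAMLGenerateCallback.getKeyType())) {
            keyInformation = getKeyInformation(sAMLGenerateCallback);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "token is [" + (token == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        if (token == null) {
            String stsURI = sAMLGenerateCallback.getStsURI();
            // Both spellings of the self-issuer URI mean "no STS".
            if (stsURI != null && stsURI.indexOf("www.ibm.com/SelfIssue") > -1) {
                stsURI = null;
            }
            if (stsURI != null && stsURI.equalsIgnoreCase(SamlConstants.SAMLTOKEN_SELF_ISSUER)) {
                stsURI = null;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "stsEndpointAddress is [" + stsURI + "]");
            }
            if (stsURI == null || stsURI.isEmpty()) {
                token = selfIssueSAMLToken(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext, keyInformation);
            } else {
                token = stsIssueSAMLToken(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext, keyInformation);
            }
            if (cacheToken) {
                SAMLTokenCacheHelper.setSAMLTokenCacheKeys(token, messageContext, tokenGeneratorConfig, cacheCushion);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "token is [" + (token == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        if (token == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to acquire SAML assertion");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7510E"));
        }
        token.setId(token.getSamlID());
        if (mentionsHolderOfKey(sAMLGenerateCallback.getConfirmationMethod()) && mentionsPublicKey(sAMLGenerateCallback.getKeyType())) {
            try {
                Key privateOrSecretKey = keyInformation.getPrivateOrSecretKey();
                // Key slots 61 and 64 — their meaning is defined by SAMLTokenImpl.setKey; TODO confirm.
                token.setKey(61, privateOrSecretKey);
                token.setKey(64, privateOrSecretKey);
            } catch (Exception e) {
                Tr.processException(e, clsName + ".processClientSideSAMLIssue", "624", this);
                LoginException failure = new LoginException(e.getMessage());
                failure.initCause(e);
                throw failure;
            }
        }
        String existingMethod = token.getConfirmationMethod();
        if (existingMethod == null || existingMethod.isEmpty()) {
            try {
                String normalized = SamlConfigUtils.getNormalizedConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod(), tokenGeneratorConfig.getType().getLocalPart());
                token.setConfirmationMethod(normalized);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Set Token Confirmation Method = " + normalized);
                }
            } catch (Exception e2) {
                // Best effort: the token is still usable without a normalized confirmation method,
                // but record why it could not be set instead of silently dropping the exception.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to normalize the confirmation method: " + e2);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processClientSideSAMLIssue returns token[" + token.getSamlID() + "]");
        }
        return token;
    }

    /** True when {@code keyType} is non-null and contains "public" or "Public". */
    private static boolean mentionsPublicKey(String keyType) {
        return keyType != null && (keyType.contains("public") || keyType.contains("Public"));
    }

    /** True when {@code confirmationMethod} is non-null and contains "holder" or "Holder". */
    private static boolean mentionsHolderOfKey(String confirmationMethod) {
        return confirmationMethod != null && (confirmationMethod.contains("holder") || confirmationMethod.contains("Holder"));
    }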

    private SAMLToken processPropagationToken(SAMLGenerateCallback sAMLGenerateCallback, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        SAMLTokenImpl cloneSAMLToken;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processPropagationToken");
        }
        boolean z = false;
        try {
            SAMLToken sAMLTokenFromSubject = SAMLTokenHelper.getSAMLTokenFromSubject(messageContext != null ? SAMLTokenHelper.getRunAsSubject(messageContext) : WSSContextManagerFactory.getInstance().getInvocationSubject());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAML token is " + (sAMLTokenFromSubject == null ? AppConstants.NULL_STRING : "not null"));
            }
            if (sAMLTokenFromSubject != null) {
                QName qName = null;
                if (tokenGeneratorConfig != null) {
                    qName = tokenGeneratorConfig.getType();
                } else {
                    String tokenType = sAMLGenerateCallback.getTokenType();
                    if (SAMLTokenImpl.saml11ValueType.getLocalPart().equals(tokenType)) {
                        qName = SAMLTokenImpl.saml11ValueType;
                    } else if (SAMLTokenImpl.saml20ValueType.getLocalPart().equals(tokenType)) {
                        qName = SAMLTokenImpl.saml20ValueType;
                    }
                }
                if (qName == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Propagated Token ValueType could not be determined.");
                    }
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7514E"));
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "TokenType localname from Config=" + qName.getLocalPart());
                    Tr.debug(tc, "TokenType namespace from Config=" + qName.getNamespaceURI());
                }
                QName valueType = sAMLTokenFromSubject.getValueType();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Propagated Token ValueType localname=" + valueType.getLocalPart());
                    Tr.debug(tc, "Propagated Token ValueType namespace=" + valueType.getNamespaceURI());
                }
                if (NamespaceUtil.equals(qName, valueType)) {
                    String normalizedConfirmationMethod = SamlConfigUtils.getNormalizedConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod(), qName.getLocalPart());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Normalized confirmationMethod=" + normalizedConfirmationMethod);
                        Tr.debug(tc, "Token confirmationMethod=" + sAMLTokenFromSubject.getConfirmationMethod());
                    }
                    if (normalizedConfirmationMethod.equalsIgnoreCase(sAMLTokenFromSubject.getConfirmationMethod()) || sAMLTokenFromSubject.getConfirmationMethod() == null) {
                        Date samlExpires = sAMLTokenFromSubject.getSamlExpires();
                        Date date = new Date();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "expires=" + samlExpires);
                        }
                        if (samlExpires == null) {
                            z = true;
                        } else if (date.getTime() - sAMLGenerateCallback.getCacheCushion() < samlExpires.getTime()) {
                            z = true;
                        }
                        if (z) {
                            if (!sAMLGenerateCallback.getConfirmationMethod().contains("holder") && !sAMLGenerateCallback.getConfirmationMethod().contains("Holder")) {
                                cloneSAMLToken = SAMLTokenHelper.cloneSAMLToken(sAMLTokenFromSubject);
                            } else if (sAMLGenerateCallback.getKeyType().contains("public") || sAMLGenerateCallback.getKeyType().contains("Public")) {
                                cloneSAMLToken = SAMLTokenHelper.cloneSAMLToken(sAMLTokenFromSubject);
                                try {
                                    Key privateKey = getPrivateKey(sAMLGenerateCallback);
                                    cloneSAMLToken.setKey(61, privateKey);
                                    cloneSAMLToken.setKey(64, privateKey);
                                } catch (Exception e) {
                                    Tr.processException(e, clsName + ".processPropagationToken", "765", this);
                                    LoginException loginException = new LoginException(e.getMessage());
                                    loginException.initCause(e);
                                    throw loginException;
                                }
                            } else {
                                cloneSAMLToken = (SAMLTokenImpl) SAMLTokenHelper.clone(sAMLTokenFromSubject, sAMLGenerateCallback, this._context);
                            }
                            sAMLTokenFromSubject = cloneSAMLToken;
                        }
                    }
                }
            }
            if (z) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "processPropagationToken:" + (sAMLTokenFromSubject == null ? AppConstants.NULL_STRING : sAMLTokenFromSubject.getSamlID()));
                }
                return sAMLTokenFromSubject;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The propagation token is not valid for this request.");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7514E"));
        } catch (SoapSecurityException e2) {
            Tr.processException(e2, clsName + ".processPropagationToken", "786", this);
            LoginException loginException2 = new LoginException(e2.getCause() == null ? e2.getLocalizedMessage() : e2.getCause().getLocalizedMessage());
            loginException2.initCause(e2);
            throw loginException2;
        }
    }

    /**
     * Resolves the SAML token for the server-side (response) path.
     *
     * The token and its assertion ID are both read from the message context. A missing
     * assertion ID is a hard failure ({@code security.wssecurity.CWWSS7511E}); the token
     * itself is only returned and is never inserted into the response message.
     *
     * @param sAMLGenerateCallback not consulted on this path; kept for parity with the other issue paths
     * @param wSSGeneratorConfig   not consulted on this path
     * @param tokenGeneratorConfig not consulted on this path
     * @param messageContext       context the token and assertion ID are read from
     * @param z                    whether the token is HolderOfKey; only affects trace output
     * @return the token stored in the context, which may be null
     * @throws LoginException if no assertion ID is present in the context
     */
    private SAMLToken processServerSideSAML(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext, boolean z) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processServerSideSAML(isHok[" + z + "])");
        }
        final SAMLToken contextToken = SAMLTokenHelper.getSAMLTokenFromContext(messageContext);
        final String assertionId = SAMLTokenHelper.getSAMLTokenAssertionIDFromContext(messageContext);
        if (assertionId == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No SAML assertion found.");
                Tr.debug(tc, "The assertion token cannot be retrieved because the assertion ID is missing from the requesting message context.");
            }
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7511E"));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "SAML AssertionID = " + assertionId);
            Tr.debug(tc, "The SAML token will not be inserted in the message.");
            if (z) {
                Tr.debug(tc, "The token type is HolderOfKey.  A HolderOfKey token cannot be inserted into a response message.");
            }
        }
        if (tc.isEntryEnabled()) {
            final String tokenIdForTrace;
            if (contextToken == null) {
                tokenIdForTrace = AppConstants.NULL_STRING;
            } else {
                tokenIdForTrace = contextToken.getSamlID();
            }
            Tr.exit(tc, "processServerSideSAML() returns samlToken[" + tokenIdForTrace + "]");
        }
        return contextToken;
    }

    /**
     * Issues a SAML token locally (no STS round trip).
     *
     * A token factory for the configured token type builds the requester and the default
     * provider configuration; the token is then created either from the run-as subject of
     * the message context or, when the callback carries a NameID, from the callback itself.
     *
     * @param sAMLGenerateCallback caller-supplied SAML generation settings
     * @param wSSGeneratorConfig   outbound generator configuration passed through to the requester config
     * @param tokenGeneratorConfig supplies the token type
     * @param messageContext       current message context (run-as subject, endpoint address)
     * @param keyInformation       not consulted on this path
     * @return the issued token cast to {@link SAMLTokenImpl}; may be null if the factory returned none
     * @throws LoginException wrapping any failure; the message is taken from the root cause when present
     */
    private SAMLTokenImpl selfIssueSAMLToken(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext, KeyStoreManager.KeyInformation keyInformation) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "selfIssueSAMLToken()");
        }
        try {
            final String tokenTypeLocalName = tokenGeneratorConfig.getType().getLocalPart();
            final SAMLTokenFactory factory = SAMLTokenFactory.getInstance(tokenTypeLocalName);
            final RequesterConfig requester = getRequesterConfig(wSSGeneratorConfig, factory, sAMLGenerateCallback, messageContext, tokenTypeLocalName);
            issuerConfigFromCustomProperties(null);
            final ProviderConfig provider = factory.newDefaultProviderConfig(null);
            final String nameId = sAMLGenerateCallback.getNameId();
            final SAMLToken issued;
            if (nameId == null || nameId.isEmpty()) {
                // No explicit NameID: the identity comes from the run-as subject.
                issued = newSAMLTokenFromSubject(SAMLTokenHelper.getRunAsSubject(messageContext), sAMLGenerateCallback, factory, requester, provider);
            } else {
                issued = newSAMLTokenFromCallback(factory, sAMLGenerateCallback, requester, provider);
            }
            final SAMLTokenImpl result = (SAMLTokenImpl) issued;
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "selfIssueSAMLToken() returns samlToken[" + (result == null ? AppConstants.NULL_STRING : result.getSamlID()) + "]");
            }
            return result;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".selfIssueSAMLToken", "888");
            final Throwable root = e.getCause();
            final LoginException wrapped = new LoginException(root == null ? e.getLocalizedMessage() : root.getLocalizedMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Builds the requester-side configuration for a self-issued SAML token.
     *
     * The callback's confirmation method is normalized against the token type ({@code str})
     * and selects the factory method: bearer, sender-vouches, or holder-of-key (symmetric or
     * asymmetric, chosen by the callback's key type). Signature requirement, clock skew,
     * AppliesTo address and the confirmation/authentication methods are then copied from
     * the callback onto the config.
     *
     * @param wSSGeneratorConfig   outbound generator config; consulted only (as a
     *                             {@link PolicyOutboundConfig}) to derive a default symmetric key size
     * @param sAMLTokenFactory     factory the config object is created from
     * @param sAMLGenerateCallback caller-supplied SAML generation settings
     * @param messageContext       message context the endpoint (AppliesTo) address is read from; may be null
     * @param str                  local part of the token type QName, used to normalize the confirmation method
     * @return the populated requester config
     * @throws LoginException if the confirmation method or key type is unsupported
     *                        (CWWSS7512E / CWWSS7553E), a symmetric holder-of-key request has
     *                        no target service alias (WSSML0001E), or any other failure occurs;
     *                        all are rethrown wrapped with the original as cause
     */
    private RequesterConfig getRequesterConfig(WSSGeneratorConfig wSSGeneratorConfig, SAMLTokenFactory sAMLTokenFactory, SAMLGenerateCallback sAMLGenerateCallback, MessageContext messageContext, String str) throws LoginException {
        RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRequesterConfig()");
        }
        try {
            // The factory method is chosen by substring match on the normalized method name.
            String normalizedConfirmationMethod = SamlConfigUtils.getNormalizedConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod(), str);
            if (normalizedConfirmationMethod.contains("bearer")) {
                newSymmetricHolderOfKeyTokenGenerateConfig = sAMLTokenFactory.newBearerTokenGenerateConfig();
            } else if (normalizedConfirmationMethod.contains("sender")) {
                newSymmetricHolderOfKeyTokenGenerateConfig = sAMLTokenFactory.newSenderVouchesTokenGenerateConfig();
            } else {
                if (!normalizedConfirmationMethod.contains("holder")) {
                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7512E", new String[]{normalizedConfirmationMethod}));
                }
                // Holder-of-key: the key type decides between symmetric and asymmetric proof keys.
                String keyType = sAMLGenerateCallback.getKeyType();
                if (keyType.contains("symmetric") || keyType.contains("Symmetric")) {
                    newSymmetricHolderOfKeyTokenGenerateConfig = sAMLTokenFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
                    // A symmetric proof key needs a target service alias; without it the request is refused.
                    if (!ConfigUtil.hasValue(sAMLGenerateCallback.getTargetServiceAlias())) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, MessageHelper.getMessage("security.wssecurity.WSSML0001E"));
                        }
                        throw new LoginException(MessageHelper.getMessage("security.wssecurity.WSSML0001E"));
                    }
                    newSymmetricHolderOfKeyTokenGenerateConfig.setKeyAliasForAppliesTo(sAMLGenerateCallback.getTargetServiceAlias());
                    // Key size: explicit callback value wins; otherwise fall back to the policy's algorithm suite minimum.
                    String str2 = null;
                    if (sAMLGenerateCallback.getKeySize() != null && !sAMLGenerateCallback.getKeySize().isEmpty()) {
                        str2 = sAMLGenerateCallback.getKeySize();
                        newSymmetricHolderOfKeyTokenGenerateConfig.getRSTTProperties().put(RequesterConfiguration.RSTT.KEYSIZE, str2);
                    }
                    if ((str2 == null || str2.isEmpty()) && wSSGeneratorConfig != null && (wSSGeneratorConfig instanceof PolicyOutboundConfig)) {
                        String algorithmSuite = ((PolicyOutboundConfig) wSSGeneratorConfig).getAlgorithmSuite();
                        if (algorithmSuite != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "The Algorithm Suite = " + algorithmSuite);
                            }
                            str2 = PolicyConfigUtil.getMinimumSymmetricKeyLength(algorithmSuite);
                        }
                        // NOTE(review): when getAlgorithmSuite() is null, KEYSIZE is still stored here with a null value — confirm whether that is intended.
                        newSymmetricHolderOfKeyTokenGenerateConfig.getRSTTProperties().put(RequesterConfiguration.RSTT.KEYSIZE, str2);
                    }
                } else {
                    if (!keyType.contains("public") && !keyType.contains("Public")) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unknow Confirmation Method or KeyType: " + normalizedConfirmationMethod);
                        }
                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7553E", new String[]{keyType, normalizedConfirmationMethod}));
                    }
                    newSymmetricHolderOfKeyTokenGenerateConfig = sAMLTokenFactory.newAsymmetricHolderOfKeyTokenGenerateConfig();
                    newSymmetricHolderOfKeyTokenGenerateConfig.setKeyAliasForRequester(sAMLGenerateCallback.getAlias());
                }
            }
            // Assertion signing is on unless the callback opts out.
            if (!sAMLGenerateCallback.isSignatureRequired()) {
                newSymmetricHolderOfKeyTokenGenerateConfig.setAssertionSignatureRequired(false);
            }
            if (sAMLGenerateCallback.getClockSkew() > 0) {
                newSymmetricHolderOfKeyTokenGenerateConfig.setClockSkew(sAMLGenerateCallback.getClockSkew());
            }
            // Endpoint address for AppliesTo: from the context's To header, else from its Options.
            String str3 = null;
            if (messageContext != null) {
                if (messageContext.getTo() != null) {
                    str3 = messageContext.getTo().getAddress();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The End Point Address (from mc) is: " + str3);
                    }
                } else {
                    Options options = messageContext.getOptions();
                    if (options != null) {
                        // NOTE(review): options.getTo() is dereferenced without a null check; a null To would surface as an NPE wrapped by the catch below.
                        str3 = options.getTo().getAddress();
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The End Point Address (from options, from mc returns null) is: " + str3);
                    }
                }
            }
            // The address is only bound into the assertion when audience restriction is requested.
            if (sAMLGenerateCallback.getAudienceRestriction()) {
                newSymmetricHolderOfKeyTokenGenerateConfig.getRSTTProperties().put(RequesterConfiguration.RSTT.APPLIESTO_ADDRESS, str3);
            }
            newSymmetricHolderOfKeyTokenGenerateConfig.setConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod());
            newSymmetricHolderOfKeyTokenGenerateConfig.setAuthenticationMethod(sAMLGenerateCallback.getAuthenticationMethod());
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getRequesterConfig()");
            }
            return newSymmetricHolderOfKeyTokenGenerateConfig;
        } catch (Exception e) {
            // Also re-wraps the LoginExceptions thrown above; their message is preserved and the original becomes the cause.
            Tr.processException(e, clsName + ".getRequesterConfig", "913");
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Requests a SAML token from the configured STS over WS-Trust on behalf of a web-service client.
     *
     * The provider config (STS endpoint, policy set, binding, application/CU name) and the
     * requester config (AppliesTo, key type/size, token type, optional UseKey and
     * OnBehalfOf/ActAs elements, SOAP namespace, RSTT properties) are assembled from the
     * callback, the Axis2 configuration and the outbound policy, and the response is scanned
     * for a {@link SAMLTokenImpl}. The issued token's confirmation method must match the
     * requested one.
     *
     * @param sAMLGenerateCallback STS location and request settings
     * @param wSSGeneratorConfig   outbound policy; cast to {@link PolicyOutboundConfig} to read the algorithm suite
     * @param tokenGeneratorConfig supplies the requested token type
     * @param messageContext       current Axis2 message context (endpoint address, configuration, envelope)
     * @param keyInformation       requester key material used to build the UseKey element for public-key requests; may be null
     * @return the last {@link SAMLTokenImpl} found in the STS response, or null if there was none
     * @throws LoginException if the Axis2 configuration is unavailable, the WS-Trust call fails,
     *                        or the issued token's confirmation method differs from the requested one (CWWSS7539E)
     */
    private SAMLTokenImpl stsIssueSAMLToken(SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext, KeyStoreManager.KeyInformation keyInformation) throws LoginException {
        String address;
        com.ibm.ws.wssecurity.wssapi.OMStructure onBehalfOf;
        List<SecurityToken> issue;
        com.ibm.ws.wssecurity.wssapi.OMStructure useKey;
        Parameter parameter;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stsIssueSAMLToken()");
        }
        SAMLTokenImpl sAMLTokenImpl = null;
        try {
            String stsURI = sAMLGenerateCallback.getStsURI();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  stsEndpointAddress:  " + stsURI);
            }
            // Endpoint address (AppliesTo): the context's To header, else its Options.
            if (messageContext.getTo() != null) {
                address = messageContext.getTo().getAddress();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The End Point Address (from mc) is: " + address);
                }
            } else {
                Options options = messageContext.getOptions();
                address = options != null ? options.getTo().getAddress() : null;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The End Point Address (from options, from mc returns null) is: " + address);
                }
            }
            // Application name (str) and composition-unit name (str2) come from Axis2 configuration parameters.
            String str = null;
            String str2 = null;
            String cUNameKey = ConstantsRetrieverFactory.getInstance().getCUNameKey();
            ConfigurationContext configurationContext = messageContext.getConfigurationContext();
            if (configurationContext == null) {
                throw new LoginException();
            }
            AxisConfiguration axisConfiguration = configurationContext.getAxisConfiguration();
            if (axisConfiguration == null) {
                throw new LoginException();
            }
            Parameter parameter2 = axisConfiguration.getParameter(ConstantsRetrieverFactory.getInstance().getApplicationNameKey());
            if (parameter2 != null) {
                str = (String) parameter2.getValue();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  appName:  " + str);
                }
            }
            if (cUNameKey != null && (parameter = axisConfiguration.getParameter(cUNameKey)) != null) {
                str2 = (String) parameter.getValue();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  cuName:  " + str2);
                }
            }
            // NOTE(review): a missing application name is replaced by the literal "test" — confirm this fallback is intended outside test environments.
            if (str == null || str.isEmpty()) {
                str = "test";
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  appName:  " + str);
                }
            }
            // Unchecked cast: a generator config that is not a PolicyOutboundConfig fails here and is wrapped by the outer catch.
            String algorithmSuite = ((PolicyOutboundConfig) wSSGeneratorConfig).getAlgorithmSuite();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The Algorithm Suite = " + algorithmSuite);
            }
            // Key size: explicit callback value wins over the algorithm suite's minimum.
            String minimumSymmetricKeyLength = algorithmSuite != null ? PolicyConfigUtil.getMinimumSymmetricKeyLength(algorithmSuite) : null;
            if (sAMLGenerateCallback.getKeySize() != null && !sAMLGenerateCallback.getKeySize().isEmpty()) {
                minimumSymmetricKeyLength = sAMLGenerateCallback.getKeySize();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  keySizeStr:  " + minimumSymmetricKeyLength);
            }
            // Inner try: everything from here on is the WS-Trust exchange itself.
            try {
                String wSTrustNamespace = sAMLGenerateCallback.getWSTrustNamespace();
                if (wSTrustNamespace == null) {
                    wSTrustNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  WS-Trust namespace:  " + wSTrustNamespace);
                }
                com.ibm.wsspi.wssecurity.trust.config.ProviderConfig newProviderConfig = WSSTrustClient.newProviderConfig(wSTrustNamespace, stsURI);
                newProviderConfig.setPolicySetName(sAMLGenerateCallback.getStsPolicy());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  policySetName:  " + sAMLGenerateCallback.getStsPolicy());
                }
                newProviderConfig.setBindingName(sAMLGenerateCallback.getStsBinding());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  stsBinding:  " + sAMLGenerateCallback.getStsBinding());
                }
                newProviderConfig.setApplicationName(str);
                if (cUNameKey != null && str2 != null) {
                    newProviderConfig.getProperties().put(cUNameKey, str2);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()... put cuName:  (" + cUNameKey + ", " + str2 + ")");
                    }
                }
                newProviderConfig.setBindingScope(sAMLGenerateCallback.getStsBindingScope());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  stsBindingScope:  " + sAMLGenerateCallback.getStsBindingScope());
                }
                boolean isCollectionRequest = sAMLGenerateCallback.isCollectionRequest();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  collectionRequest:  " + isCollectionRequest);
                }
                com.ibm.wsspi.wssecurity.trust.config.RequesterConfig newRequesterConfig = WSSTrustClient.newRequesterConfig(wSTrustNamespace);
                newRequesterConfig.put(RequesterConfiguration.RSTT.APPLIESTO_ADDRESS, address);
                newRequesterConfig.put(RequesterConfiguration.RSTT.KEYTYPE, sAMLGenerateCallback.getKeyType());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  keyType:  " + sAMLGenerateCallback.getKeyType());
                }
                newRequesterConfig.put(RequesterConfiguration.RSTT.TOKENTYPE, tokenGeneratorConfig.getType().getLocalPart());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  tokenType:  " + tokenGeneratorConfig.getType().getLocalPart());
                }
                if (minimumSymmetricKeyLength != null) {
                    newRequesterConfig.put(RequesterConfiguration.RSTT.KEYSIZE, minimumSymmetricKeyLength);
                }
                // UseKey is attached only for public-key requests that have requester key material.
                if (keyInformation != null && ((sAMLGenerateCallback.getKeyType().contains("public") || sAMLGenerateCallback.getKeyType().contains("Public")) && (useKey = getUseKey(keyInformation, sAMLGenerateCallback, wSTrustNamespace)) != null)) {
                    newRequesterConfig.addXML(useKey);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isOnBehalfOfRequired[" + sAMLGenerateCallback.isOnBehalfOfRequired() + "], isActAsRequired[" + sAMLGenerateCallback.isActAsRequired() + "]");
                }
                // Delegation: one helper builds either the OnBehalfOf or the ActAs element.
                if ((sAMLGenerateCallback.isOnBehalfOfRequired() || sAMLGenerateCallback.isActAsRequired()) && (onBehalfOf = getOnBehalfOf(messageContext, sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, wSTrustNamespace, keyInformation)) != null) {
                    newRequesterConfig.addXML(onBehalfOf);
                }
                // SOAP namespace: default 1.1; 1.2 when the callback asks for it or the current envelope is SOAP 1.2.
                newRequesterConfig.setSOAPNamespace("http://schemas.xmlsoap.org/soap/envelope/");
                if (sAMLGenerateCallback.getStsSoapVersion() != null && sAMLGenerateCallback.getStsSoapVersion().equals("1.1")) {
                    newRequesterConfig.setSOAPNamespace("http://schemas.xmlsoap.org/soap/envelope/");
                } else if (sAMLGenerateCallback.getStsSoapVersion() != null && sAMLGenerateCallback.getStsSoapVersion().equals(WSDL2Constants.SOAP_VERSION_1_2)) {
                    newRequesterConfig.setSOAPNamespace("http://www.w3.org/2003/05/soap-envelope");
                } else if (com.ibm.ws.wssecurity.common.Constants.NS_SOAP12.equalsIgnoreCase(messageContext.getEnvelope().getNamespace().getName())) {
                    newRequesterConfig.setSOAPNamespace("http://www.w3.org/2003/05/soap-envelope");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  soapNamespace:  " + newRequesterConfig.getSOAPNamespace());
                }
                newRequesterConfig.setRSTTProperties(sAMLGenerateCallback.getRSTTProperties());
                WSSTrustClient wSSTrustClient = WSSTrustClient.getInstance(newProviderConfig);
                if (isCollectionRequest) {
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(newRequesterConfig);
                    issue = wSSTrustClient.issue(newProviderConfig, arrayList);
                } else {
                    issue = wSSTrustClient.issue(newProviderConfig, newRequesterConfig);
                }
                // When the response holds several SAML tokens, the last one wins (no break after the assignment).
                if (issue != null) {
                    for (SecurityToken securityToken : issue) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "response contains:  " + securityToken.getValueType().getLocalPart());
                        }
                        if (securityToken instanceof SAMLTokenImpl) {
                            sAMLTokenImpl = (SAMLTokenImpl) securityToken;
                            // Reject a token whose confirmation method is not the one this binding was configured for.
                            if (sAMLGenerateCallback.getConfirmationMethod() != null && !sAMLGenerateCallback.getConfirmationMethod().isEmpty() && sAMLTokenImpl.getConfirmationMethod() != null && !sAMLTokenImpl.getConfirmationMethod().isEmpty()) {
                                String normalizeMethod = SamlConfigUtil.normalizeMethod(sAMLGenerateCallback.getConfirmationMethod(), sAMLTokenImpl.getValueType().getLocalPart());
                                if (!normalizeMethod.equals(sAMLTokenImpl.getConfirmationMethod())) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Issued token's confirmation method:  " + sAMLTokenImpl.getConfirmationMethod());
                                        Tr.debug(tc, "Required confirmation method:  " + normalizeMethod);
                                    }
                                    throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7539E", new String[]{sAMLTokenImpl.getConfirmationMethod(), normalizeMethod}));
                                }
                            }
                        }
                    }
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "stsIssueSAMLToken() returns samlToken[" + (sAMLTokenImpl == null ? AppConstants.NULL_STRING : sAMLTokenImpl.getSamlID()) + "]");
                }
                return sAMLTokenImpl;
            } catch (Exception e) {
                // Only under debug tracing; printStackTrace() still writes to stderr outside the Tr framework.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "CWWSS7513E: Exception from WS-Trust client call: " + e.toString());
                    e.printStackTrace();
                }
                Tr.processException(e, clsName + ".stsIssueSAMLToken", "1219");
                LoginException loginException = new LoginException(e.getMessage());
                loginException.initCause(e);
                throw loginException;
            }
        } catch (Exception e2) {
            // Covers the setup phase and re-wraps the inner LoginException once more (cause chain is kept).
            Tr.processException(e2, clsName + ".stsIssueSAMLToken", "1029");
            LoginException loginException2 = new LoginException(e2.getMessage());
            loginException2.initCause(e2);
            throw loginException2;
        }
    }

    /**
     * Requests a SAML token from the STS for a caller that is not a web-service client.
     *
     * Without an Axis2 message context, AppliesTo, key type and token type are taken from the
     * callback alone; the WS-Security consuming/generation contexts from the callback, when
     * present, are handed to the trust client through the provider config properties. The
     * issued token's confirmation method must match the requested one.
     *
     * @param sAMLGenerateCallback STS endpoint, WS-Trust namespace, SOAP version and RSTT settings
     * @return the last {@link SAMLTokenImpl} found in the STS response, or null if there was none
     * @throws LoginException if the WS-Trust call fails, or the issued token's confirmation
     *                        method differs from the requested one (CWWSS7539E)
     */
    private SAMLTokenImpl stsIssueSAMLTokenForNonWSClient(SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stsIssueSAMLTokenForNonWSClient(SAMLGenerateCallback samlCallback)");
        }
        SAMLTokenImpl issuedToken = null;
        try {
            String trustNs = sAMLGenerateCallback.getWSTrustNamespace();
            if (trustNs == null) {
                trustNs = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  WS-Trust namespace:  " + trustNs);
            }
            final String stsEndpoint = sAMLGenerateCallback.getStsURI();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  stsEndpointAddress:  " + stsEndpoint);
            }
            final com.ibm.wsspi.wssecurity.trust.config.ProviderConfig provider = WSSTrustClient.newProviderConfig(trustNs, stsEndpoint);
            final boolean collectionRequest = sAMLGenerateCallback.isCollectionRequest();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  collectionRequest:  " + collectionRequest);
            }
            final com.ibm.wsspi.wssecurity.trust.config.RequesterConfig requester = WSSTrustClient.newRequesterConfig(trustNs);
            requester.put(RequesterConfiguration.RSTT.APPLIESTO_ADDRESS, sAMLGenerateCallback.getAppliesTo());
            // Key type is only forwarded when it is non-blank.
            final String keyType = sAMLGenerateCallback.getKeyType();
            if (keyType != null && !keyType.trim().isEmpty()) {
                requester.put(RequesterConfiguration.RSTT.KEYTYPE, keyType);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  keyType:  " + sAMLGenerateCallback.getKeyType());
            }
            requester.put(RequesterConfiguration.RSTT.TOKENTYPE, sAMLGenerateCallback.getTokenType());
            // SOAP 1.1 envelope unless the callback explicitly selects SOAP 1.2.
            final String stsSoapVersion = sAMLGenerateCallback.getStsSoapVersion();
            String soapNs = "http://schemas.xmlsoap.org/soap/envelope/";
            if (stsSoapVersion != null && !stsSoapVersion.equals("1.1") && stsSoapVersion.equals(WSDL2Constants.SOAP_VERSION_1_2)) {
                soapNs = "http://www.w3.org/2003/05/soap-envelope";
            }
            requester.setSOAPNamespace(soapNs);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLGenerateLoginModule.stsIssueSAMLToken()...  soapNamespace:  " + requester.getSOAPNamespace());
            }
            requester.setRSTTProperties(sAMLGenerateCallback.getRSTTProperties());
            final Object consumingContext = sAMLGenerateCallback.getWSSConsumingContext();
            if (consumingContext != null) {
                provider.getProperties().put(com.ibm.ws.wssecurity.common.Constants.WSSAPI_CONFIG_KEY_CONSUMER, consumingContext);
            }
            final Object generationContext = sAMLGenerateCallback.getWSSGenerationContext();
            if (generationContext != null) {
                provider.getProperties().put(com.ibm.ws.wssecurity.common.Constants.WSSAPI_CONFIG_KEY_GENERATOR, generationContext);
            }
            final WSSTrustClient trustClient = WSSTrustClient.getInstance(provider);
            final List<SecurityToken> response;
            if (collectionRequest) {
                final ArrayList<com.ibm.wsspi.wssecurity.trust.config.RequesterConfig> batch = new ArrayList<com.ibm.wsspi.wssecurity.trust.config.RequesterConfig>();
                batch.add(requester);
                response = trustClient.issue(provider, batch);
            } else {
                response = trustClient.issue(provider, requester);
            }
            if (response != null) {
                // Each SAML token in the response replaces the previous one; the last one is returned.
                for (SecurityToken responseToken : response) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "response contains:  " + responseToken.getValueType().getLocalPart());
                    }
                    if (!(responseToken instanceof SAMLTokenImpl)) {
                        continue;
                    }
                    issuedToken = (SAMLTokenImpl) responseToken;
                    final String requestedMethod = sAMLGenerateCallback.getConfirmationMethod();
                    final String issuedMethod = issuedToken.getConfirmationMethod();
                    if (requestedMethod == null || requestedMethod.isEmpty() || issuedMethod == null || issuedMethod.isEmpty()) {
                        continue;
                    }
                    // Refuse a token whose confirmation method is not the configured one.
                    final String normalizedMethod = SamlConfigUtil.normalizeMethod(requestedMethod, issuedToken.getValueType().getLocalPart());
                    if (!normalizedMethod.equals(issuedMethod)) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Issued token's confirmation method:  " + issuedToken.getConfirmationMethod());
                            Tr.debug(tc, "Required confirmation method:  " + normalizedMethod);
                        }
                        throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7539E", new String[]{issuedToken.getConfirmationMethod(), normalizedMethod}));
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "stsIssueSAMLTokenForNonWSClient() returns samlToken[" + (issuedToken == null ? AppConstants.NULL_STRING : issuedToken.getSamlID()) + "]");
            }
            return issuedToken;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, ConfigUtil.getMessage("security.wssecurity.CWWSS7513E", new String[]{e.toString()}));
                e.printStackTrace();
            }
            Tr.processException(e, clsName + ".stsIssueSAMLTokenForNonWSClient", "1335", this);
            final LoginException wrapped = new LoginException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Publishes the result of the login phase.
     *
     * With a WS-Security context present, every processed token is registered with the
     * security token manager and the processed/inserted/referenced collections are stored
     * in the context. Without a context (non-WS-Security caller), the SAML token from the
     * shared state is added to the subject's private credentials instead.
     *
     * @return always {@code true}
     * @throws LoginException never thrown by this implementation
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (this._context == null) {
            final SecurityToken samlToken = (SecurityToken) this._sharedState.get(SamlConstants.SAML_TOKEN);
            final Set<Object> privateCredentials = this._subject.getPrivateCredentials();
            if (privateCredentials != null) {
                privateCredentials.add(samlToken);
            }
        } else {
            final int tokenCount = this._processedTokens.size();
            for (int idx = 0; idx < tokenCount; idx++) {
                this._securityTokenManager.addToken(this._processedTokens.get(idx));
            }
            this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._processedTokens);
            this._context.put(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED, this._insertedTokens);
            this._context.put(Constants.WSSECURITY_TOKENELEMENT_REFERENCED, this._referencedTokenElement);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * Always returns {@code false}: per the JAAS LoginModule contract this tells the
     * LoginContext to ignore this module during the abort phase.
     *
     * @return {@code false}
     * @throws LoginException never thrown by this implementation
     */
    public boolean abort() throws LoginException {
        return false;
    }

    /**
     * Always returns {@code false}: per the JAAS LoginModule contract this tells the
     * LoginContext to ignore this module during logout. Credentials added in
     * {@link #commit()} are not removed here.
     *
     * @return {@code false}
     * @throws LoginException never thrown by this implementation
     */
    public boolean logout() throws LoginException {
        return false;
    }

    /**
     * Reports whether the key-info generator configuration in the current context
     * demands derived keys.
     *
     * @return the derived-key-info config's {@code isRequireDerivedKeys()} value, or
     *         {@code false} when no key-info or derived-key-info config is present
     */
    private boolean requireDKT() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "requireDKT()");
        }
        boolean derivedKeysRequired = false;
        final KeyInfoContentGeneratorConfig keyInfoConfig = (KeyInfoContentGeneratorConfig) this._context.get(KeyInfoContentGeneratorConfig.CONFIG_KEY);
        final DerivedKeyInfoConfig derivedKeyConfig = keyInfoConfig == null ? null : keyInfoConfig.getDerivedKeyInfoConfig();
        if (derivedKeyConfig != null) {
            derivedKeysRequired = derivedKeyConfig.isRequireDerivedKeys();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "requireDKT() returns " + derivedKeysRequired);
        }
        return derivedKeysRequired;
    }

    /**
     * Publishes the base-token data a derived-key-token generator needs into the
     * JAAS shared state: the SAML assertion ID as the base token reference, the
     * reference kind ({@code Constants.WSSECURITY_KEY_ID}), the KeyIdentifier value
     * type and the holder-of-key secret bytes. The token is also appended to the
     * processed-token list, and both token lists are placed on the shared state.
     *
     * <p>NOTE(review): the holder-of-key bytes are key material; they are stored in
     * the shared-state map as-is, so that map must not be logged or exposed.
     *
     * @param sAMLToken the SAML token that becomes the base token for key derivation
     */
    private void populateSharedStateForDKT(SAMLToken sAMLToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "populateSharedStateForDKT()");
        }
        final String referenceKind = Constants.WSSECURITY_KEY_ID;
        final QName valueType = sAMLToken.getKeyIdentifierValueType();
        final String assertionId = sAMLToken.getSamlID();
        final byte[] keyBytes = sAMLToken.getHolderOfKeyBytes();

        this._sharedState.put(Constants.BASE_TOKEN_REFERENCE, assertionId);
        this._sharedState.put(Constants.BASE_TOKEN_IDENTIFIER_TYPE, referenceKind);
        this._sharedState.put(Constants.BASE_TOKEN_VALUE_TYPE, valueType);
        this._sharedState.put(Constants.BASE_TOKEN_KEY_BYTES, keyBytes);

        this._processedTokens.add(sAMLToken);
        this._sharedState.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._processedTokens);
        this._sharedState.put(Constants.WSSECURITY_TOKEN_TO_BE_INSERTED, this._insertedTokens);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "populateSharedStateForDKT()");
        }
    }

    /**
     * Records, on the Axis2 message context, the token's ValueType under a property
     * named after the local part of its KeyIdentifier value type, so a later
     * consumer can map a KeyIdentifier back to the token type. Does nothing when the
     * token has no KeyIdentifier value type.
     *
     * @param sAMLToken token whose KeyIdentifier ValueType / token ValueType are mapped
     */
    private void mapKeyIdentifierToTokenValueType(SAMLToken sAMLToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapKeyIdentifierToTokenValueType()");
        }
        final QName keyIdType = sAMLToken.getKeyIdentifierValueType();
        if (keyIdType == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "mapKeyIdentifierToTokenValueType()");
            }
            return;
        }
        this.messageContext.setProperty(keyIdType.getLocalPart(), sAMLToken.getValueType());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapKeyIdentifierToTokenValueType()");
        }
    }

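    /**
     * Best-effort lookup of the private (or secret) key described by the callback's
     * keystore settings. Returns {@code null} when the lookup fails for any reason;
     * callers decide what a missing key means.
     *
     * <p>The original version swallowed every exception silently, which hid keystore
     * and password problems completely. The failure is now recorded through
     * {@code Tr.processException} (FFDC) and traced at debug level; the debug line
     * carries only the alias and the exception message, never the decoded passwords.
     *
     * <p>NOTE(review): the decoded keystore/key passwords are char[] values that are
     * not cleared after use here; if {@code SAMLTokenHelper.decodePassword} returns a
     * fresh array they could be zeroed in a finally block to shorten their lifetime.
     *
     * @param sAMLGenerateCallback source of keystore path/type/reference, alias, key
     *        name and the (encoded) keystore and key passwords
     * @return the private or secret key, or {@code null} if it could not be loaded
     */
    private Key getPrivateKey(SAMLGenerateCallback sAMLGenerateCallback) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPrivateKey()");
        }
        Key key = null;
        try {
            KeyStoreManager.KeyInformation info = KeyStoreManager.getInstance().getKeyInformation(
                    sAMLGenerateCallback.getKeyStorePath(),
                    sAMLGenerateCallback.getKeyStoreType(),
                    SAMLTokenHelper.decodePassword(sAMLGenerateCallback.getKeyStorePassword()),
                    sAMLGenerateCallback.getKeyStoreReference(),
                    sAMLGenerateCallback.getAlias(),
                    SAMLTokenHelper.decodePassword(sAMLGenerateCallback.getKeyPassword()),
                    sAMLGenerateCallback.getKeyName());
            key = info.getPrivateOrSecretKey();
        } catch (Exception e) {
            // Keep the best-effort contract (return null) but do not hide the cause.
            Tr.processException(e, clsName + ".getPrivateKey", "1056");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Failed to load private key for alias [" + sAMLGenerateCallback.getAlias() + "]: " + e.getMessage());
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPrivateKey() returns pkey[" + (key == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        return key;
    }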

    /**
     * Resolves the keystore entry configured on the callback into a
     * {@code KeyStoreManager.KeyInformation}.
     *
     * <p>Only the keystore path, alias and key name are traced at debug level; the
     * decoded passwords are never logged. NOTE(review): the decoded password arrays
     * are not cleared after the lookup.
     *
     * @param sAMLGenerateCallback source of keystore path/type/reference, alias, key
     *        name and the encoded keystore and key passwords
     * @return the resolved key information
     * @throws LoginException wrapping any failure of the keystore lookup (cause kept)
     */
    private KeyStoreManager.KeyInformation getKeyInformation(SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKeyInformation()");
        }
        final String storePath = sAMLGenerateCallback.getKeyStorePath();
        final String storeType = sAMLGenerateCallback.getKeyStoreType();
        final char[] storePassword = SAMLTokenHelper.decodePassword(sAMLGenerateCallback.getKeyStorePassword());
        final String storeReference = sAMLGenerateCallback.getKeyStoreReference();
        final String alias = sAMLGenerateCallback.getAlias();
        final char[] keyPassword = SAMLTokenHelper.decodePassword(sAMLGenerateCallback.getKeyPassword());
        final String keyName = sAMLGenerateCallback.getKeyName();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "storePath=" + storePath);
            Tr.debug(tc, "alias=" + alias);
            Tr.debug(tc, "KeyName=" + keyName);
        }
        KeyStoreManager.KeyInformation resolved;
        try {
            resolved = KeyStoreManager.getInstance().getKeyInformation(storePath, storeType, storePassword, storeReference, alias, keyPassword, keyName);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to create KeyInformation:" + e.getMessage());
            }
            Tr.processException(e, clsName + ".getKeyInformation", "1543");
            LoginException wrapped = new LoginException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKeyInformation()");
        }
        return resolved;
    }

    /**
     * Builds the {@code wst:UseKey} element carried in a WS-Trust request, wrapping a
     * {@code ds:KeyInfo} of the configured UseKey type for the given key.
     *
     * <p>The configured type is matched case-insensitively against the known
     * spellings (KeyValue, X509Certificate, X509IssuerSerial, and the
     * {@code KeyInfoUtil} X509SKI / X509SubjectName / Thumbprint constants) and
     * replaced by the canonical spelling; an unrecognised value is handed to
     * {@code KeyInfoUtil.createKeyInfo} unchanged.
     *
     * @param keyInformation      the key to describe
     * @param sAMLGenerateCallback supplies the UseKey type
     * @param str                 the WS-Trust namespace URI for the UseKey element
     * @return the UseKey element, or {@code null} when no UseKey type is configured
     * @throws LoginException wrapping any failure while building the KeyInfo
     */
    private com.ibm.ws.wssecurity.wssapi.OMStructure getUseKey(KeyStoreManager.KeyInformation keyInformation, SAMLGenerateCallback sAMLGenerateCallback, String str) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUseKey()");
        }
        final String configured = sAMLGenerateCallback.getUsekeyType();
        if (configured == null || configured.isEmpty()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getUseKey returns [null]");
            }
            return null;
        }
        final String[] canonicalTypes = {
                "KeyValue",
                "X509Certificate",
                "X509IssuerSerial",
                KeyInfoUtil.X509SKI,
                KeyInfoUtil.X509SubjectName,
                KeyInfoUtil.Thumbprint
        };
        String useKeyType = configured;
        for (String candidate : canonicalTypes) {
            if (configured.equalsIgnoreCase(candidate)) {
                useKeyType = candidate;
                break;
            }
        }
        try {
            OMElement keyInfo = KeyInfoUtil.createKeyInfo(useKeyType, keyInformation, null);
            OMElement useKey = omFactory.createOMElement(new QName(str, "UseKey", "wst"));
            useKey.addChild(keyInfo);
            com.ibm.ws.wssecurity.wssapi.OMStructure result = new com.ibm.ws.wssecurity.wssapi.OMStructure(useKey);
            if (tc.isEntryEnabled()) {
                // result was just constructed, so it is never null here.
                Tr.exit(tc, "getUseKey returns [not null]");
            }
            return result;
        } catch (Exception e) {
            Tr.processException(e, clsName + ".getUseKey", "1597");
            LoginException wrapped = new LoginException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

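    /**
     * Builds a {@code wsse:SecurityTokenReference/wsse:KeyIdentifier} pointing at the
     * SAML assertion by its ID and queues it in {@code _insertedTokens}.
     *
     * <p>Only done when the generator property
     * {@code SamlConstants.SIGN_SAMLTOKEN_WITH_STRT} is "true" and
     * {@code Constants.CREATE_SECURITY_TOKEN_REFERENCE} is not "true" (when the latter
     * is set the STR is presumably produced elsewhere — verify against the signature
     * generator). The wsse namespace is taken from
     * {@code Constants.NAMESPACES[0][wssVersion]} using the WSS_VERSION on the context
     * (0 when absent) and reuses the processing element's existing prefix, declaring
     * {@code wsse} only when none is bound.
     *
     * <p>Fix: the original dereferenced the processing element for its OMFactory before
     * checking it for null, so a missing processing element threw a NullPointerException
     * and the later null check was dead. The element is now checked first, and this
     * module's own {@code omFactory} is used when no processing element is available.
     *
     * @param sAMLToken            token whose SamlID and KeyIdentifier ValueType are referenced
     * @param tokenGeneratorConfig source of the generator properties
     */
    private void createSecurityTokenReferenceElement(SAMLToken sAMLToken, TokenGeneratorConfig tokenGeneratorConfig) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createSecurityTokenReferenceElement()");
        }
        Map<Object, Object> properties = tokenGeneratorConfig.getProperties();
        String signWithStrt = (String) properties.get(SamlConstants.SIGN_SAMLTOKEN_WITH_STRT);
        if (signWithStrt == null || !signWithStrt.equalsIgnoreCase("true")) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createSecurityTokenReferenceElement()");
            }
            return;
        }
        String createStrElsewhere = (String) properties.get(Constants.CREATE_SECURITY_TOKEN_REFERENCE);
        if (createStrElsewhere != null && createStrElsewhere.equalsIgnoreCase("true")) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createSecurityTokenReferenceElement()");
            }
            return;
        }
        OMElement processingElement = (OMElement) this._context.get("com.ibm.ws.wssecurity.constants.processingElement");
        // Null-check before use; fall back to the module's factory when no element is on the context.
        OMFactory factory = (processingElement != null) ? processingElement.getOMFactory() : omFactory;
        int wssVersion = 0;
        Object versionObj = this._context.get(com.ibm.ws.wssecurity.common.Constants.WSS_VERSION);
        if (versionObj instanceof Integer) {
            wssVersion = ((Integer) versionObj).intValue();
        }
        String wsseNamespace = com.ibm.ws.wssecurity.common.Constants.NAMESPACES[0][wssVersion];
        String prefix = (processingElement != null) ? DOMUtils.getNamespacePrefix(processingElement, wsseNamespace) : null;
        boolean declarePrefix = (prefix == null);
        if (declarePrefix) {
            prefix = "wsse";
        }
        OMElement strElement = factory.createOMElement("SecurityTokenReference", wsseNamespace, prefix);
        if (declarePrefix) {
            strElement.declareNamespace(wsseNamespace, "wsse");
        }
        OMElement keyIdentifier = factory.createOMElement("KeyIdentifier", wsseNamespace, prefix);
        // NOTE(review): getKeyIdentifierValueType() is dereferenced unguarded; a token
        // without a KeyIdentifier value type would fail here with a NullPointerException.
        keyIdentifier.addAttribute("ValueType", sAMLToken.getKeyIdentifierValueType().getLocalPart(), null);
        keyIdentifier.setText(sAMLToken.getSamlID());
        strElement.addChild(keyIdentifier);
        com.ibm.ws.wssecurity.wssapi.OMStructure structure = new com.ibm.ws.wssecurity.wssapi.OMStructure(strElement);
        GenericSecurityTokenImpl strToken = new GenericSecurityTokenImpl();
        strToken.setXML(structure);
        this._insertedTokens.add(strToken);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createSecurityTokenReferenceElement()");
        }
    }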

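    /**
     * Returns the SAML token cached on the message context under
     * {@code SamlConstants.SAMLTOKEN_IN_MESSAGECONTEXT} if it is still usable for
     * this generator, otherwise {@code null} (or a LoginException, see below).
     *
     * <p>A cached token is usable when its ValueType matches the configured token
     * type, its confirmation method equals the normalized configured method (or the
     * token carries none), and its expiry passes the check in
     * {@link #isReusableCachedToken}. If the cached token is not usable and
     * {@code isFailOverToTokenRequest()} is false, login fails with CWWSS7514E; with
     * fail-over enabled the token is simply dropped so a new one gets requested.
     * Any exception during the checks is recorded (FFDC + debug) and treated as
     * "not usable".
     *
     * <p>A usable token then goes through {@link #addKeyToTokenIfRequired} (the
     * holder-of-key key attachment previously duplicated inline here).
     *
     * @param sAMLGenerateCallback configured confirmation method, key type, cache cushion and fail-over flag
     * @param tokenGeneratorConfig supplies the expected token type
     * @param messageContext       the Axis2 context holding the cached token
     * @return the validated token, or {@code null} when none is available/usable
     * @throws LoginException when the cached token is unusable and fail-over is disabled,
     *         or the holder-of-key key cannot be attached
     */
    private SAMLToken getSAMLTokenFromMessageContext(SAMLGenerateCallback sAMLGenerateCallback, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSAMLTokenFromMessageContext()");
        }
        SAMLToken sAMLToken = (SAMLToken) Axis2Util.getProperty(messageContext, SamlConstants.SAMLTOKEN_IN_MESSAGECONTEXT);
        boolean usable = true;
        if (sAMLToken != null) {
            usable = false;
            try {
                usable = isReusableCachedToken(sAMLToken, sAMLGenerateCallback, tokenGeneratorConfig);
            } catch (Exception e) {
                // A failed check (including a NullPointerException from a missing
                // normalized confirmation method) means "not usable"; record it instead
                // of only tracing it so the cause is diagnosable.
                Tr.processException(e, clsName + ".getSAMLTokenFromMessageContext", "1235");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception while getting SAMLToken from MessageContext:" + e.getMessage());
                }
            }
        }
        if (!usable) {
            // Only reachable with a non-null token.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid SAMLToken " + sAMLToken.getSamlID());
            }
            if (!sAMLGenerateCallback.isFailOverToTokenRequest()) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.CWWSS7514E"));
            }
            sAMLToken = null;
        }
        sAMLToken = addKeyToTokenIfRequired(sAMLToken, sAMLGenerateCallback);
        if (sAMLToken != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "Found valid SAMLToken from RequestContext:" + sAMLToken.getSamlID());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSAMLTokenFromMessageContext returns samlToken[" + (sAMLToken == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        return sAMLToken;
    }

    /**
     * Decides whether a cached SAML token may be reused by this generator.
     *
     * <p>Expiry handling, as configured by {@code getCacheCushion()} (milliseconds):
     * <ul>
     *   <li>no expiry on the token: treated as reusable;</li>
     *   <li>fail-over to token request enabled: reusable only while more than the
     *       cushion remains before expiry ({@code now + cushion < expires});</li>
     *   <li>fail-over disabled: reusable until the cushion has elapsed <em>after</em>
     *       expiry ({@code now - cushion < expires}).</li>
     * </ul>
     * NOTE(review): the last rule accepts a token that is already expired by up to
     * the cushion, and a token without an expiry is never aged out; confirm both are
     * intended (clock-skew tolerance?) rather than an inverted sign.
     *
     * @return {@code true} when the token type, confirmation method and expiry all pass
     * @throws RuntimeException propagated from the checks (e.g. a null normalized method);
     *         the caller treats any exception as "not reusable"
     */
    private boolean isReusableCachedToken(SAMLToken token, SAMLGenerateCallback sAMLGenerateCallback, TokenGeneratorConfig tokenGeneratorConfig) {
        QName configuredType = tokenGeneratorConfig.getType();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "TokenType localname from Config=" + configuredType.getLocalPart());
        }
        QName tokenType = token.getValueType();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token ValueType localname=" + tokenType.getLocalPart());
        }
        if (!NamespaceUtil.equals(configuredType, tokenType)) {
            return false;
        }
        String normalizedMethod = SamlConfigUtils.getNormalizedConfirmationMethod(sAMLGenerateCallback.getConfirmationMethod(), configuredType.getLocalPart());
        String tokenMethod = token.getConfirmationMethod();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Normalized confirmationMethod=" + normalizedMethod);
            Tr.debug(tc, "Token confirmationMethod=" + tokenMethod);
        }
        if (!(normalizedMethod.equalsIgnoreCase(tokenMethod) || tokenMethod == null)) {
            return false;
        }
        Date expires = token.getSamlExpires();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "expires=" + expires);
        }
        if (expires == null) {
            return true;
        }
        long now = System.currentTimeMillis();
        long cushion = sAMLGenerateCallback.getCacheCushion();
        if (sAMLGenerateCallback.isFailOverToTokenRequest()) {
            return now + cushion < expires.getTime();
        }
        return now - cushion < expires.getTime();
    }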

    /**
     * Self-issues a SAML token for the given Subject, after copying the callback's
     * issue mode and the "include ..." attribute-selection flags (credential token,
     * expiration, group IDs, host name, OID, primary group, realm, security name,
     * unique security name) plus {@code useUniqueSecurityName} onto the requester
     * configuration.
     *
     * @param subject              the authenticated Subject whose attributes are asserted
     * @param sAMLGenerateCallback source of the issue mode and inclusion flags
     * @param sAMLTokenFactory     factory that issues the token
     * @param requesterConfig      mutated in place with the settings above
     * @param providerConfig       issuer-side configuration passed through to the factory
     * @return the issued token (may be {@code null} if the factory returns none)
     * @throws LoginException wrapping any failure; the root cause is sent to FFDC
     */
    private SecurityToken newSAMLTokenFromSubject(Subject subject, SAMLGenerateCallback sAMLGenerateCallback, SAMLTokenFactory sAMLTokenFactory, RequesterConfig requesterConfig, ProviderConfig providerConfig) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "newSAMLTokenFromSubject()");
        }
        SAMLToken issued;
        try {
            copyInclusionFlags(sAMLGenerateCallback, requesterConfig);
            issued = sAMLTokenFactory.newSAMLToken(subject, requesterConfig, providerConfig);
        } catch (Exception e) {
            Throwable root = (e.getCause() == null) ? e : e.getCause();
            FFDCFilter.processException(root, "com.ibm.ws.wssecurity.wssapi.token.impl.SAMLGenerateLoginModule", "newSAMLTokenFromSubject()", this);
            LoginException wrapped = new LoginException(clsName + ".newSAMLTokenFromSubject():\n" + root.toString());
            wrapped.initCause(e);
            throw wrapped;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "newSAMLTokenFromSubject returns samlToken[" + (issued == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        return issued;
    }

    /** Copies the callback's issue mode and attribute-inclusion flags onto the requester config. */
    private static void copyInclusionFlags(SAMLGenerateCallback cb, RequesterConfig rc) {
        rc.setIssueMode(cb.getIssueMode());
        rc.setIncludeCredentialToken(cb.includeCredentialToken());
        rc.setIncludeExpiration(cb.includeExpiration());
        rc.setIncludeGroupIds(cb.includeGroupIds());
        rc.setIncludeHostName(cb.includeHostName());
        rc.setIncludeOID(cb.includeOID());
        rc.setIncludePrimaryGroupId(cb.includePrimaryGroupId());
        rc.setIncludeRealmName(cb.includeRealmName());
        rc.setIncludeSecurityName(cb.includeSecurityName());
        rc.setIncludeUniqueSecurityName(cb.includeUniqueSecurityName());
        rc.setUseUniqueSecurityName(cb.useUniqueSecurityName());
    }

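    /**
     * Self-issues a SAML token from the identity described on the callback (the
     * requester NameID and, when present, the SAML attributes) rather than from a
     * Subject.
     *
     * <p>Fix: the exit trace previously reported the method name of
     * {@code newSAMLTokenFromSubject}, which made trace logs misleading.
     *
     * @param sAMLTokenFactory     factory that creates the credential config and issues the token
     * @param sAMLGenerateCallback supplies the NameID and optional attributes
     * @param requesterConfig      requester-side configuration passed through
     * @param providerConfig       issuer-side configuration passed through
     * @return the issued token (may be {@code null} if the factory returns none)
     * @throws WSSException propagated from the factory
     */
    private SAMLToken newSAMLTokenFromCallback(SAMLTokenFactory sAMLTokenFactory, SAMLGenerateCallback sAMLGenerateCallback, RequesterConfig requesterConfig, ProviderConfig providerConfig) throws WSSException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "newSAMLTokenFromCallback()");
        }
        CredentialConfig credentialConfig = sAMLTokenFactory.newCredentialConfig();
        credentialConfig.setRequesterNameID(sAMLGenerateCallback.getNameId());
        if (sAMLGenerateCallback.getAttributes() != null) {
            credentialConfig.setSAMLAttributes(sAMLGenerateCallback.getAttributes());
        }
        SAMLToken issued = sAMLTokenFactory.newSAMLToken(credentialConfig, requesterConfig, providerConfig);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "newSAMLTokenFromCallback returns samlToken[" + (issued == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        return issued;
    }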

    /**
     * For a {@code SAMLTokenImpl}, fills in a missing token ID from the assertion ID
     * and, when the configured confirmation method contains "holder"/"Holder" and the
     * key type contains "public"/"Public", attaches the private (or secret) key from
     * {@link #getKeyInformation} under key slots 61 and 64 so the holder-of-key proof
     * can be produced. Other token implementations (and {@code null}) are returned
     * unchanged.
     *
     * <p>NOTE(review): the match is a plain substring test on the configured strings
     * (upper-case variants such as "HOLDER" are not matched), and a {@code null}
     * confirmation method or key type would fail with a NullPointerException.
     *
     * @param sAMLToken            the token to enrich, may be {@code null}
     * @param sAMLGenerateCallback configured confirmation method, key type and keystore settings
     * @return the same token instance, possibly with the key attached
     * @throws LoginException when the key cannot be loaded (cause kept)
     */
    private SAMLToken addKeyToTokenIfRequired(SAMLToken sAMLToken, SAMLGenerateCallback sAMLGenerateCallback) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addKeyToTokenIfRequired()");
        }
        // instanceof is false for null, so a null token also skips enrichment.
        if (sAMLToken instanceof SAMLTokenImpl) {
            SAMLTokenImpl impl = (SAMLTokenImpl) sAMLToken;
            String currentId = impl.getId();
            if (currentId == null || currentId.isEmpty()) {
                impl.setId(impl.getSamlID());
            }
            String confirmation = sAMLGenerateCallback.getConfirmationMethod();
            boolean holderOfKey = confirmation.contains("holder") || confirmation.contains("Holder");
            if (holderOfKey) {
                String keyType = sAMLGenerateCallback.getKeyType();
                if (keyType.contains("public") || keyType.contains("Public")) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Create Key for holder-of-key");
                    }
                    try {
                        Key signingKey = getKeyInformation(sAMLGenerateCallback).getPrivateOrSecretKey();
                        impl.setKey(61, signingKey);
                        impl.setKey(64, signingKey);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Add Key for holder-of-key of Publickey");
                        }
                    } catch (Exception e) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Fail to process privateKey for holder-of-key." + e.getMessage());
                        }
                        Tr.processException(e, clsName + ".addKeyToTokenIfRequired", "1911", this);
                        LoginException wrapped = new LoginException(e.getMessage());
                        wrapped.initCause(e);
                        throw wrapped;
                    }
                }
            }
            sAMLToken = impl;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addKeyToTokenIfRequired returns samlToken[" + (sAMLToken == null ? AppConstants.NULL_STRING : "not null") + "]");
        }
        return sAMLToken;
    }

    /**
     * Derives the SAML issuer configuration from custom properties and installs it
     * through {@code SAMLIssuerConfigDataFactory.setSamlIssuerConfigData}.
     *
     * <p>The property pool is either the supplied map or, when it is {@code null},
     * the union of the generator, token-generator and callback-handler properties
     * found on {@code _context} (later sources overwrite earlier ones). If any pool
     * key is one of the {@code sicPropertyNames}, every entry of
     * {@code sicPropertyNamesToConfigData} whose source key has a value is copied
     * (cast to String) under its target key into a new
     * {@code SAMLIssuerConfigDataImpl}; otherwise the factory's config data is reset
     * to {@code null}. Values whose target key contains "PASSWORD" are traced only
     * by object state, never by value.
     *
     * <p>NOTE(review): the setter on the factory is static; if it holds process-wide
     * state, issuer settings (including password properties) derived from one
     * request's custom properties become visible to other requests — confirm scope.
     * The loop also assumes {@code sicPropertyNamesToConfigData} has at least
     * {@code sicPropertyNames.length} rows.
     *
     * @param map custom properties, or {@code null} to collect them from the context
     */
    private void issuerConfigFromCustomProperties(Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "issuerConfigFromCustomProperties(genContextMap" + ConfigUtil.getObjState(map) + "])");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "this._context[" + ConfigUtil.getObjState(this._context) + "], this._handler[" + ConfigUtil.getObjState(this._handler) + "]");
        }
        HashMap configProps = new HashMap();
        if (map == null) {
            WSSGeneratorConfig generatorConfig = null;
            TokenGeneratorConfig tokenConfig = null;
            CallbackHandlerConfig handlerConfig = null;
            if (this._context != null) {
                generatorConfig = (WSSGeneratorConfig) this._context.get("com.ibm.wsspi.wssecurity.config.wssGenerator.configKey");
                tokenConfig = (TokenGeneratorConfig) this._context.get(TokenGeneratorConfig.CONFIG_KEY);
                handlerConfig = (CallbackHandlerConfig) this._context.get(CallbackHandlerConfig.CONFIG_KEY);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "gConfig[" + ConfigUtil.getObjState(generatorConfig) + "], tConfig[" + ConfigUtil.getObjState(tokenConfig) + "], chConfig[" + ConfigUtil.getObjState(handlerConfig) + "]");
            }
            if (generatorConfig != null) {
                configProps.putAll(generatorConfig.getProperties());
            }
            if (tokenConfig != null) {
                configProps.putAll(tokenConfig.getProperties());
            }
            if (handlerConfig != null) {
                configProps.putAll(handlerConfig.getProperties());
            }
        } else {
            configProps.putAll(map);
        }
        if (tc.isDebugEnabled()) {
            logArrayStrings(configProps.keySet().toArray(), "configPropMap keys (configured properties)");
        }
        List allowedNames = Arrays.asList(sicPropertyNames);
        if (tc.isDebugEnabled()) {
            logArrayStrings(sicPropertyNames, "sicPropertyNames (allowed properties)");
        }
        boolean sicFound = false;
        for (Object keyObj : configProps.keySet()) {
            String propName = (String) keyObj;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "propName[" + propName + "]");
            }
            if (allowedNames.contains(propName)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "found match");
                }
                sicFound = true;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isSICExistAsCustomProperties[" + sicFound + "]");
        }
        if (!sicFound) {
            SAMLIssuerConfigDataFactory.setSamlIssuerConfigData(null);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting SAML Issuer Config data from custom properties");
            }
            HashMap issuerData = new HashMap(25);
            final int rows = sicPropertyNames.length;
            for (int i = 0; i < rows; i++) {
                String targetKey = sicPropertyNamesToConfigData[i][1];
                Object value = configProps.get(sicPropertyNamesToConfigData[i][0]);
                if (value == null) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    if (targetKey.toUpperCase().contains("PASSWORD")) {
                        Tr.debug(tc, "putting [" + targetKey + ", [" + ConfigUtil.getObjState(value) + "]]");
                    } else {
                        Tr.debug(tc, "putting [" + targetKey + ", " + value + "]");
                    }
                }
                issuerData.put(targetKey, (String) value);
            }
            SAMLIssuerConfigDataFactory.setSamlIssuerConfigData(new SAMLIssuerConfigDataImpl(issuerData));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "issuerConfigFromCustomProperties(genContextMap)");
        }
    }

    /**
     * Debug-traces an array as {@code prefix[a, b, ...]}, or {@code prefix[null]} for
     * a null array. No-op unless debug tracing is enabled.
     *
     * @param objArr the values to render (may be {@code null})
     * @param str    text placed in front of the rendered array
     */
    private static void logArrayStrings(Object[] objArr, String str) {
        if (!tc.isDebugEnabled()) {
            return;
        }
        final String rendered = (objArr == null) ? "[null]" : Arrays.toString(objArr);
        Tr.debug(tc, str + rendered);
    }

    /**
     * Looks up an application-supplied ("customer") token of the given type via
     * {@code TokenUtils.getCustomerToken} (message context, shared state and the
     * callback-handler config from {@code _context}, if any) and returns it only if
     * it is a {@code SAMLToken}; any other token type is discarded.
     *
     * @param qName the token type to look for
     * @return the customer SAML token, or {@code null} if none or not a SAML token
     */
    private SAMLToken getCustomerSamlToken(QName qName) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCustomerSamlToken");
        }
        CallbackHandlerConfig handlerConfig = (this._context == null)
                ? null
                : (CallbackHandlerConfig) this._context.get(CallbackHandlerConfig.CONFIG_KEY);
        SecurityToken found = TokenUtils.getCustomerToken(this.messageContext, this._sharedState, handlerConfig, qName, true);
        SAMLToken result;
        if (found instanceof SAMLToken) {
            result = (SAMLToken) found;
        } else {
            if (found != null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Token is not a SAMLToken; discarding.");
            }
            result = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCustomerSamlToken returns [" + (result != null ? result.getClass().getName() : AppConstants.NULL_STRING) + "]");
        }
        return result;
    }

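    /**
     * Decides whether the response SAML token should be treated as holder-of-key.
     *
     * <p>The confirmation method is taken, in order of preference, from the customer
     * token of the configured type, from the SAML token on the message context, and
     * finally from the callback handler's configuration. If a method is found and
     * contains "BEARER" or "VOUCHES" (case-insensitive) the answer is {@code false};
     * in every other case, including no method at all, it defaults to {@code true}
     * ("holder-of-key for backwards compatibility", per the original trace text).
     *
     * <p>NOTE(review): the confirmation method carried by an inbound token takes
     * precedence over local configuration. If that token can originate from an
     * untrusted peer, confirm that letting it steer the bearer/sender-vouches routing
     * is acceptable.
     *
     * <p>Fix: the exit trace was emitted with {@code Tr.entry}, producing an
     * unbalanced entry/exit pair in trace logs; it now uses {@code Tr.exit}.
     *
     * @param sAMLGenerateCallback fallback source of the confirmation method
     * @param tokenGeneratorConfig supplies the token type used to look up the customer token
     * @param messageContext       Axis2 context searched for a SAML token
     * @return {@code true} for holder-of-key, {@code false} for bearer / sender-vouches
     * @throws LoginException declared for callers; not thrown by the visible code paths
     */
    private boolean checkForHolderOfKey(SAMLGenerateCallback sAMLGenerateCallback, TokenGeneratorConfig tokenGeneratorConfig, MessageContext messageContext) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkForHolderOfKey");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Generating response SAML; check for bearer or sender-vouches.  Assuming holder-of-key for backwards compatibility.");
        }
        boolean holderOfKey = true;
        String confirmationMethod = null;
        SAMLToken token = getCustomerSamlToken(tokenGeneratorConfig.getType());
        if (token == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Looking for confirmation method in SAML token in message context");
            }
            token = SAMLTokenHelper.getSAMLTokenFromContext(messageContext);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "samlToken [" + ConfigUtil.getObjState(token) + "]");
        }
        if (token != null) {
            confirmationMethod = token.getConfirmationMethod();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "method [" + confirmationMethod + "]");
            }
        }
        if (!ConfigUtil.hasValue(confirmationMethod)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Looking for confirmation method in the callback handler");
            }
            confirmationMethod = sAMLGenerateCallback.getConfirmationMethod();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "method [" + confirmationMethod + "]");
            }
        }
        if (ConfigUtil.hasValue(confirmationMethod)) {
            String upper = confirmationMethod.toUpperCase();
            if (upper.contains("BEARER") || upper.contains("VOUCHES")) {
                holderOfKey = false;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Routing service provider through client generator.");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkForHolderOfKey returns [" + holderOfKey + "]");
        }
        return holderOfKey;
    }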

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v147, types: [com.ibm.websphere.wssecurity.wssapi.token.SecurityToken] */
    /* JADX WARN: Type inference failed for: r0v42, types: [com.ibm.websphere.wssecurity.wssapi.token.SecurityToken, java.lang.Object] */
    private com.ibm.ws.wssecurity.wssapi.OMStructure getOnBehalfOf(MessageContext messageContext, SAMLGenerateCallback sAMLGenerateCallback, WSSGeneratorConfig wSSGeneratorConfig, TokenGeneratorConfig tokenGeneratorConfig, String str, KeyStoreManager.KeyInformation keyInformation) throws LoginException {
        String actAsTokenType;
        boolean actAsReIssue;
        String str2;
        SAMLTokenImpl sAMLTokenImpl;
        SAMLTokenImpl selfIssueSAMLToken;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOnBehalfOf(messageContext[" + ConfigUtil.getObjType(messageContext) + "], samlCallback[" + ConfigUtil.getObjState(sAMLGenerateCallback) + "], gconfig[" + ConfigUtil.getObjState(wSSGeneratorConfig) + "], config[" + ConfigUtil.getObjState(tokenGeneratorConfig) + "], wstnamespace[" + str + "], keyInfo[" + keyInformation + "])");
        }
        boolean isOnBehalfOfRequired = sAMLGenerateCallback.isOnBehalfOfRequired();
        boolean isActAsRequired = sAMLGenerateCallback.isActAsRequired();
        if (!isOnBehalfOfRequired && !isActAsRequired) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Both onBahalfOfRequired and actAsRequired are false.  No action is required");
            }
            if (!tc.isEntryEnabled()) {
                return null;
            }
            Tr.exit(tc, "getOnBehalfOf returns [null]");
            return null;
        }
        if (isOnBehalfOfRequired) {
            actAsTokenType = sAMLGenerateCallback.getOnBehalfOfTokenType();
            actAsReIssue = sAMLGenerateCallback.getOnBehalfOfReIssue();
        } else {
            actAsTokenType = sAMLGenerateCallback.getActAsTokenType();
            actAsReIssue = sAMLGenerateCallback.getActAsReIssue();
        }
        if (actAsTokenType == null || actAsTokenType.isEmpty()) {
            actAsTokenType = sAMLGenerateCallback.getTokenType();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "onBehalfOf[" + isOnBehalfOfRequired + "], actAs[" + isActAsRequired + "]");
            if (isOnBehalfOfRequired) {
                Tr.debug(tc, "OnBehalfOf element will be added to the message");
            } else {
                Tr.debug(tc, "ActAs element will be added to the message");
            }
            Tr.debug(tc, "tokenType[" + actAsTokenType + "], reIssue[" + actAsReIssue + "]");
        }
        new ArrayList();
        SAMLTokenImpl sAMLTokenImpl2 = null;
        if (this._sharedState != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking for onBehalfOf token on shared state");
            }
            sAMLTokenImpl2 = TokenUtils.getBehalfOfTokenFromSharedState(this._sharedState, new QName(actAsTokenType));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "sharedStateToken [" + ConfigUtil.getObjType(sAMLTokenImpl2) + "]");
        }
        if (sAMLTokenImpl2 != null) {
            str2 = "sharedState token.";
            sAMLTokenImpl = sAMLTokenImpl2;
        } else {
            try {
                ArrayList<SecurityToken> tokenFromContext = TokenUtils.getTokenFromContext(messageContext, new QName(actAsTokenType));
                if (tokenFromContext == null || tokenFromContext.isEmpty()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There is no required token in SharedState or RunAsSubject.");
                    }
                    throw new LoginException("No Required token in SharedState or RunAsSubject");
                }
                SecurityToken securityToken = tokenFromContext.get(0);
                if (tokenFromContext.size() > 1) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "There are more than one required token in RunAsSubject.");
                    }
                    try {
                        Iterator<SecurityToken> it = tokenFromContext.iterator();
                        String stringWithConsume = ((com.ibm.ws.wssecurity.wssapi.OMStructure) tokenFromContext.get(0).getXML()).getNode().toStringWithConsume();
                        while (it.hasNext()) {
                            if (!stringWithConsume.equals(((com.ibm.ws.wssecurity.wssapi.OMStructure) it.next().getXML()).getNode().toStringWithConsume())) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "There are more than one required token in RunAsSubject.  There must be only one.");
                                }
                                throw new LoginException("More than one required token in RunAsSubject");
                            }
                        }
                    } catch (Exception e) {
                        Tr.processException(e, clsName + ".getOnBehalfOf", "2292");
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Cannot uniquely identify a token.", e.getMessage());
                        }
                        LoginException loginException = new LoginException("Cannot uniquely identify a token");
                        loginException.initCause(e);
                        throw loginException;
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "runAsToken [" + ConfigUtil.getObjType(securityToken) + "]");
                }
                str2 = "runAs token.";
                sAMLTokenImpl = securityToken;
            } catch (Exception e2) {
                throw new LoginException(e2.getMessage());
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "obtainedToken [" + ConfigUtil.getObjType(sAMLTokenImpl) + "]");
        }
        if (!actAsReIssue) {
            selfIssueSAMLToken = sAMLTokenImpl;
        } else if (!actAsReIssue || sAMLTokenImpl2 == null) {
            selfIssueSAMLToken = selfIssueSAMLToken(sAMLGenerateCallback, wSSGeneratorConfig, tokenGeneratorConfig, messageContext, keyInformation);
            str2 = "self-issued token.";
            if (selfIssueSAMLToken == null) {
                throw new LoginException("No SAML token obtained from self-issue.");
            }
        } else {
            selfIssueSAMLToken = sAMLTokenImpl;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "A token obtained from the shared-state cannot be re-issued");
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "useToken[" + ConfigUtil.getObjType(selfIssueSAMLToken) + "]");
        }
        com.ibm.ws.wssecurity.wssapi.OMStructure oMStructure = (com.ibm.ws.wssecurity.wssapi.OMStructure) selfIssueSAMLToken.getXML();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "tokenOMS[" + ConfigUtil.getObjType(oMStructure) + "]");
        }
        if (oMStructure == null) {
            throw new LoginException("No XML associated with " + str2);
        }
        OMElement node = oMStructure.getNode();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "tokenXML[" + ConfigUtil.getObjState(node) + "]");
        }
        if (node == null) {
            throw new LoginException("No XML OMElement associated with " + str2);
        }
        try {
            OMElement createOMElement = isOnBehalfOfRequired ? omFactory.createOMElement(new QName(str, "OnBehalfOf", "wst")) : omFactory.createOMElement(new QName(WS_TRUST_14, "ActAs", WS_TRUST_14_PREFIX));
            createOMElement.addChild(node);
            com.ibm.ws.wssecurity.wssapi.OMStructure oMStructure2 = new com.ibm.ws.wssecurity.wssapi.OMStructure(createOMElement);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getOnBehalfOf returns [" + ConfigUtil.getObjState(oMStructure2) + "]");
            }
            return oMStructure2;
        } catch (Exception e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error creating OMElement [" + e3.getMessage() + "]");
            }
            Tr.processException(e3, clsName + ".getOnBehalfOf", "2370");
            throw new LoginException(e3.getMessage());
        }
    }
}
