package com.ibm.ws.security.web.saml;

import com.ibm.websphere.security.ProviderFailureException;
import com.ibm.websphere.security.UserMappingException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.security.audit.utils.DataHelper;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.ltpa.CrossRealmUtil;
import com.ibm.ws.security.web.saml.SAMLIdAssertionRule;
import com.ibm.ws.security.web.saml.util.SAMLTaiState;
import com.ibm.ws.security.web.saml.util.Util;
import com.ibm.ws.util.WSUtil;
import com.ibm.ws.wssecurity.saml.binding.saml20.PostBindingSPConfig;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLResponseContext;
import com.ibm.ws.wssecurity.saml.binding.saml20.SAMLSpConstants;
import com.ibm.ws.wssecurity.saml.common.util.MessageHelper;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.security.audit.AuditEventType;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.audit.ContextHandler;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;
import com.ibm.wsspi.security.web.saml.IdentityProviderMapping;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLDecoder;
import java.util.Date;
import java.util.HashMap;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/ibm/ws/security/web/saml/ACSTrustAssociationInterceptor.class */
public class ACSTrustAssociationInterceptor implements TrustAssociationInterceptor {
    // Message-key prefix of this component (the CWWSS80xx keys below start with it).
    private static final String comp = "security.wssecurity";
    // Key consulted by isInvokeBeforeSSO() (defined outside this view) to tell the
    // before-SSO and after-SSO invocation modes apart — TODO confirm against that method.
    protected static final String INVOKED_BEFORE_SSO = "com.ibm.ws.security.web.tai.invoked.beforeSSO";
    protected static final String BOOLEAN_TRUE = "true";
    // Request parameter names carrying an IdP response (see isSAMLResponse(), outside this view).
    protected static final String SAMLResponse = "SAMLResponse";
    protected static final String ArtifactResponse = "ArtifactResponse";
    // Name of the assertion consumer service web application.
    protected static final String ACS_APP = "WebSphereSamlSPWeb";
    private static final String ErrorPagePrefix = "ErrorPage:";
    private static final TraceComponent tc = Tr.register(ACSTrustAssociationInterceptor.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsname = ACSTrustAssociationInterceptor.class.getName();
    // One interceptor per security domain; only touched from the synchronized getInstance().
    private static HashMap<String, ACSTrustAssociationInterceptor> _cache = new HashMap<>();
    // Lazily read in isTaiEnabled(); that check-then-act is not synchronized.
    private static boolean taiEnabled = false;
    private static boolean isInitialized = false;
    // Audit plumbing resolved in sendAuditEvent(); realm and registry type are
    // re-read on every audit call and shared across instances.
    private static AuditService auditService = null;
    private static String activeUserRegistry = null;
    private static String realm = null;
    // Per-partner post-binding configuration built in initialize().
    protected SAMLPostBindingConfig taiConfig = null;
    // Security configuration captured by isTaiEnabled(); also handed to SAMLTaiState.
    protected SecurityConfig security = null;
    // Raw type kept from the original; holds the outcome data handed to AuditService.sendEvent().
    private ConcurrentHashMap auditOutcome = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/ibm/ws/security/web/saml/ACSTrustAssociationInterceptor$TargetType.class */
    /**
     * Where the browser should be sent after a successful login.
     * Not referenced by the methods visible in this part of the class; presumably
     * consumed by the redirect logic (doRedirect) defined further down — confirm.
     */
    public enum TargetType {
        RELAY_STATE,
        DEFAULT_TARGET,
        ORIGINAL_URL
    }

    /**
     * Reports whether trust association is enabled in the security configuration.
     * The value is read once and cached in a static flag; the first call also
     * stores the SecurityConfig on this instance for later use.
     */
    protected boolean isTaiEnabled() {
        if (isInitialized) {
            return taiEnabled;
        }
        SecurityConfig config = SecurityObjectLocator.getSecurityConfig();
        this.security = config;
        taiEnabled = config.getTrustAssociation().getBoolean("enabled");
        isInitialized = true;
        return taiEnabled;
    }

    /**
     * Returns the interceptor for the current security domain, creating and
     * caching it on first use. Synchronized so one domain never gets two instances.
     */
    public static synchronized ACSTrustAssociationInterceptor getInstance() {
        String domain = SecurityObjectLocator.getSecurityConfig().getDomain();
        if (!_cache.containsKey(domain)) {
            _cache.put(domain, new ACSTrustAssociationInterceptor());
        }
        return _cache.get(domain);
    }

    /** TAI lifecycle hook; nothing is released here (the cached instance stays in _cache). */
    public void cleanup() {
    }

    /** TAI lifecycle hook; this interceptor reports no type name and returns null. */
    public String getType() {
        return null;
    }

    /** TAI lifecycle hook; this interceptor reports no version and returns null. */
    public String getVersion() {
        return null;
    }

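    /**
     * Builds the per-partner SAML post-binding configuration from the TAI properties.
     *
     * @param properties TAI custom properties; {@code null} is treated as an empty set
     * @return 0 once the configuration has been built
     * @throws WebTrustAssociationFailedException if no SSO partner is configured
     *         (CWWSS8015E) or the configuration cannot be parsed; the original
     *         exception is attached as the cause
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        if (properties == null) {
            properties = new Properties();
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize");
            // stringPropertyNames() is the typed view of the keys (keySet() is Set<Object>).
            for (String key : properties.stringPropertyNames()) {
                // Redact credential-looking keys regardless of case so keystore or
                // partner secrets never reach the trace file.
                if (isSensitiveKey(key)) {
                    Tr.debug(tc, key + "=****");
                } else {
                    Tr.debug(tc, key + "=" + properties.getProperty(key));
                }
            }
        }
        try {
            this.taiConfig = new SAMLPostBindingConfig(properties);
            if (this.taiConfig.getAllPostBindingConfig().isEmpty()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no SSO partner configured.");
                }
                Tr.error(tc, "security.wssecurity.CWWSS8015E");
                throw new WebTrustAssociationFailedException("security.wssecurity.CWWSS8015E");
            }
        } catch (WebTrustAssociationFailedException e) {
            // Already the right type: do not wrap it in itself.
            throw e;
        } catch (Exception e) {
            WebTrustAssociationFailedException wrapped = new WebTrustAssociationFailedException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize");
        }
        return 0;
    }

    /** True for property keys that look like they hold a credential and must not be traced. */
    private static boolean isSensitiveKey(String key) {
        String lower = key.toLowerCase(Locale.ROOT);
        return lower.contains("password") || lower.contains("passphrase") || lower.contains("secret");
    }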

    /**
     * Tells the web container whether this TAI wants to handle the request.
     *
     * <p>Before SSO: only requests that map to a configured partner are considered.
     * A request carrying a SAMLResponse is accepted; any other request is deferred
     * and merely scoped to this TAI through {@link #enforceTAICookie}. After SSO:
     * any request that maps to a partner configuration is accepted.
     *
     * @param httpServletRequest the inbound request
     * @return true if negotiateValidateandEstablishTrust should be invoked
     * @throws WebTrustAssociationException propagated from the configuration lookup
     */
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor");
        }
        if (!isTaiEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isTargetInterceptor returns false");
            }
            return false;
        }
        boolean target = false;
        if (!isInvokeBeforeSSO(httpServletRequest)) {
            PostBindingConfig config = getPostBindingConfigForRequest(httpServletRequest);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "pbc[" + ConfigUtil.getObjState(config) + "]");
            }
            if (config != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isInvokeBeforeSSO enabled and there is a config that corresponds to this request.");
                }
                target = true;
            }
        } else {
            PostBindingConfig config = getPostBindingConfigForRequest(httpServletRequest);
            if (config == null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getPostBindingConfigForRequest returned null, so returning false");
                }
                return false;
            }
            // Apply the partner's configured encoding before any parameter is read.
            String encoding = config.getPostBindingSPConfig().getCharEncoding();
            if (encoding != null) {
                try {
                    httpServletRequest.setCharacterEncoding(encoding);
                } catch (Exception e) {
                    Tr.error(tc, "Error encountered setting character encoding [" + encoding + "] in SAML request [" + e + "]");
                }
            }
            target = isSAMLResponse(httpServletRequest);
            if (target) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Request contains SAMLResponse, TAI will be processed.");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Request does not contain SAMLResponse, TAI will be skipped and deferred.");
                }
                try {
                    enforceTAICookie(config, httpServletRequest);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Request is scoped to this TAI.");
                    }
                } catch (Exception e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Request is not protected by this TAI:" + e.getMessage());
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTargetInterceptor returns " + target);
        }
        return target;
    }

    /**
     * When the partner configuration asks for it, records this partner's cache-key
     * prefix in the thread context so later processing is scoped to this TAI.
     *
     * @param postBindingConfig  partner configuration for the request; null is a no-op
     * @param httpServletRequest the request (not read here)
     */
    protected void enforceTAICookie(PostBindingConfig postBindingConfig, HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "enforceTAICookie(pbc[" + ConfigUtil.getObjState(postBindingConfig) + "], req)");
        }
        if (postBindingConfig == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "enforceTAICookie");
            }
            return;
        }
        PostBindingSPConfig spConfig = postBindingConfig.getPostBindingSPConfig();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "enforceTaiCookie[" + spConfig.enforceTaiCookie() + "]");
        }
        if (spConfig.enforceTaiCookie()) {
            String scope = Util.getCacheKeyPrefix(postBindingConfig);
            ContextManagerFactory.getInstance().put("com.ibm.ws.security.web.tai.invoked.cacheKey.prefix", scope);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Request is scoped to: " + scope);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "enforceTAICookie");
        }
    }

    /**
     * Resolves the partner configuration that protects the request.
     *
     * <p>Requests for the admin application are only claimed when the partner's
     * interceptAdminApp setting allows it; every other request with a matching
     * configuration is claimed.
     *
     * @return the matching configuration, or null if the request is not protected
     *         by this TAI
     * @throws WebTrustAssociationException propagated from the IdP selection
     */
    protected PostBindingConfig getPostBindingConfigForRequest(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPostBindingConfigForRequest");
        }
        PostBindingConfig candidate = this.taiConfig.getPostBindingConfigForIdPSelection(httpServletRequest);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "pbc[" + candidate + "]");
        }
        boolean applies;
        if (candidate == null) {
            applies = false;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, httpServletRequest.getRequestURL().toString() + " is not protected by SAML TAI.");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isRequestForAdminApplication[" + isRequestForAdminApplication(httpServletRequest) + "]");
            }
            if (!isRequestForAdminApplication(httpServletRequest)) {
                applies = true;
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "interceptAdminApp[" + candidate.getPostBindingSPConfig().interceptAdminApp() + "]");
                }
                applies = candidate.getPostBindingSPConfig().interceptAdminApp();
            }
        }
        PostBindingConfig result = applies ? candidate : null;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Target TAI after SSO:" + applies);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPostBindingConfigForRequest returns [" + ConfigUtil.getObjState(result) + "]");
        }
        return result;
    }

    /**
     * TAI entry point: dispatches to the before-SSO path (validate the SAML
     * response) or the after-SSO path (drive the login redirect).
     *
     * @return the TAIResult produced by the chosen path
     * @throws WebTrustAssociationFailedException if the chosen path fails
     */
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust");
        }
        TAIResult result;
        if (isInvokeBeforeSSO(httpServletRequest)) {
            result = invokeTAIbeforeSSO(httpServletRequest, httpServletResponse);
        } else {
            result = invokeTAIafterSSO(httpServletRequest, httpServletResponse);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "negotiateValidateandEstablishTrust returns [" + ConfigUtil.getObjState(result) + "]");
        }
        return result;
    }

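    /**
     * Builds the request URI (servlet path plus path info) used in audit records:
     * resolved through WSUtil.resolveURI and stripped of any ";..." path-parameter
     * suffix such as a session id.
     *
     * @param httpServletRequest the request
     * @return the resolved URI, "/" when the request has no path at all
     */
    static String getURI(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getURI");
        }
        String uri = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        // Normalise a missing servlet path *before* appending path info; the original
        // concat() ran first and would NPE on a null servlet path.
        if (uri == null) {
            uri = "";
        }
        if (pathInfo != null) {
            uri = uri + pathInfo;
        }
        if (uri.isEmpty()) {
            uri = "/";
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "URI requested: " + uri);
        }
        uri = WSUtil.resolveURI(uri);
        // Drop path parameters (";jsessionid=..." and the like).
        int paramStart = uri.indexOf(';');
        if (paramStart != -1) {
            uri = uri.substring(0, paramStart);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getURI returns [" + uri + "]");
        }
        return uri;
    }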

    /** Looks up the user registry of the current realm through CrossRealmUtil. */
    public UserRegistry getCurrentUserRegistry() {
        UserRegistry registry = CrossRealmUtil.getUserRegistry();
        return registry;
    }

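    /**
     * Emits a SECURITY_AUTHN audit record for the outcome of SAML response processing,
     * when an audit service is available and such events are required.
     *
     * <p>Best effort: a realm lookup failure or unreadable SAML token details are
     * traced and the record is still sent; a missing context handler or a provider
     * failure is reported through {@code AuditService.processAuditFailure}.
     *
     * @param httpServletRequest  request being authenticated (session, peer and method are recorded)
     * @param httpServletResponse not used by this method
     * @param str                 audit outcome, e.g. {@code AuditOutcome.SUCCESSFUL}
     * @param str2                outcome reason code such as "SUCCESS" or "ERROR"
     * @param j                   numeric reason code passed into the outcome data
     * @param str3                action recorded in the access context (e.g. "authnSuccess")
     * @param sAMLResponseContext processed response, or null when none was built
     * @param tAIResult           result carrying the authenticated principal, or null
     */
    protected void sendAuditEvent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, long j, String str3, SAMLResponseContext sAMLResponseContext, TAIResult tAIResult) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "sendAuditEvent " + str);
        }
        if (auditService == null) {
            auditService = ContextManagerFactory.getInstance().getAuditService();
        }
        try {
            realm = getCurrentUserRegistry().getRealm();
        } catch (Exception e) {
            // Realm only feeds PROCESS_CONTEXT; carry on without it.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Can not get realm name");
                Tr.debug(tc, e.getMessage());
            }
        }
        activeUserRegistry = SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getType();
        String uri = getURI(httpServletRequest);
        if (auditService != null) {
            String lastTrailId = auditService.getLastTrailId();
            String[] eventTrailIds = auditService.getEventTrailIds();
            ContextHandler contextHandler = auditService.getContextHandler();
            if (contextHandler == null) {
                // Without a handler no context object can be built: report the failure
                // and skip the event instead of dereferencing null below.
                Tr.error(tc, "Security audit service context handler is null");
                auditService.processAuditFailure("Security audit service context handler is null", null);
            } else if (auditService.isEventRequired(AuditEventType.SECURITY_AUTHN, "DENIED")
                    || auditService.isEventRequired(AuditEventType.SECURITY_AUTHN, "SUCCESS")) {
                // getSession() creates a session when none exists, as the original did.
                contextHandler.buildContextObject("SESSION_CONTEXT", DataHelper.buildSessionData(httpServletRequest.getSession().getId(), httpServletRequest.getRemoteAddr(), httpServletRequest.getRemoteHost(), Integer.toString(httpServletRequest.getRemotePort())));
                String principal = tAIResult != null ? tAIResult.getAuthenticatedPrincipal() : null;
                contextHandler.buildContextObject("ACCESS_CONTEXT", DataHelper.buildAccessData(uri, "webAuth", principal, principal, str3, httpServletRequest.getMethod(), "web", 0L, (String[]) null, (String[]) null, (String[]) null, (String[]) null));
                contextHandler.buildContextObject("EVENT_CONTEXT", DataHelper.buildEventData(lastTrailId, eventTrailIds, new Date(), 0L));
                contextHandler.buildContextObject("PROPAGATION_CONTEXT", DataHelper.buildPropagationData(auditService.getFirstCaller(), auditService.getCallerList()));
                contextHandler.buildContextObject("PROCESS_CONTEXT", DataHelper.buildProcessData(auditService.getDomain(), realm));
                contextHandler.buildContextObject("REGISTRY_CONTEXT", DataHelper.buildRegistryData(DataHelper.convertRegistryInfoType(activeUserRegistry)));
                contextHandler.buildContextObject("AUTHN_CONTEXT", DataHelper.buildAuthnData("challengeResponse"));
                contextHandler.buildContextObject("AUTHN_PROVIDER_CONTEXT", DataHelper.buildProviderData(clsname, "providerSuccess"));
                String samlId = null;
                String nameId = null;
                String issuer = null;
                if (sAMLResponseContext != null) {
                    try {
                        if (sAMLResponseContext.getResponse() != null) {
                            SAMLToken token = sAMLResponseContext.getResponse().getSAMLToken();
                            samlId = token.getSamlID();
                            nameId = token.getPrincipal();
                            issuer = token.getSAMLIssuerName();
                        }
                    } catch (SoapSecurityException e2) {
                        // Token details are optional in the record; trace rather than swallow silently.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to read SAML token details for audit: " + e2.getMessage());
                        }
                    }
                }
                // Raw type kept: the parameter type of DataHelper.buildCustomData is not visible here.
                HashMap customData = new HashMap();
                customData.put("SAML ID", samlId);
                customData.put("SAML Issuer", issuer);
                customData.put("SAML NameID", nameId);
                contextHandler.buildContextObject("CUSTOM_PROPERTY_CONTEXT", DataHelper.buildCustomData(customData));
                this.auditOutcome = DataHelper.buildOutcomeData(str, -1, -1, str2, j);
                try {
                    auditService.sendEvent(AuditEventType.SECURITY_AUTHN, this.auditOutcome);
                } catch (ProviderFailureException e3) {
                    // The original reused the "context handler is null" text here; name the real failure.
                    Tr.error(tc, "Security audit service failed to send the authentication event");
                    auditService.processAuditFailure("Security audit service failed to send the authentication event", e3);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "sendAuditEvent " + str);
        }
    }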

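    /**
     * Processes an inbound SAMLResponse: builds and validates the response context,
     * creates the TAIResult, performs the post-login redirect and audits the outcome.
     *
     * <p>On any failure the outcome is audited as unsuccessful and the user is sent
     * either to the partner's ACS error page (or the page named by a
     * {@link UserMappingException}), or — when no error page is configured — back
     * into the login flow through {@link #createTAIErrorResult}.
     *
     * @return the TAIResult for the container
     * @throws WebTrustAssociationFailedException if the request carries no
     *         SAMLResponse (CWWSS8016E) or the error handling itself fails
     */
    protected TAIResult invokeTAIbeforeSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeTAIbeforeSSO");
        }
        if (!isSAMLResponse(httpServletRequest)) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "invokeTAIbeforeSSO has been skipped.");
            }
            throw new WebTrustAssociationFailedException(SoapSecurityException.getMessage("security.wssecurity.CWWSS8016E"));
        }
        TAIResult tAIResult = null;
        SAMLResponseContext sAMLResponseContext = null;
        try {
            sAMLResponseContext = processSAMLResponseContext(httpServletRequest, httpServletResponse);
            tAIResult = createResult(httpServletRequest, httpServletResponse, sAMLResponseContext);
            doRedirect(httpServletRequest, httpServletResponse, sAMLResponseContext);
            sendAuditEvent(httpServletRequest, httpServletResponse, AuditOutcome.SUCCESSFUL, "SUCCESS", 5L, "authnSuccess", sAMLResponseContext, tAIResult);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "invokeTAIbeforeSSO:" + tAIResult.getAuthenticatedPrincipal());
            }
        } catch (Exception e) {
            sendAuditEvent(httpServletRequest, httpServletResponse, AuditOutcome.UNSUCCESSFUL, "ERROR", 15L, "authnFailure", sAMLResponseContext, tAIResult);
            Tr.processException(e, clsname + ".invokeTAIbeforeSSO", "585");
            String message = e.getMessage();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SAMLResponse could not be verified. [" + message + "]");
            }
            if (message == null || message.isEmpty()) {
                message = SoapSecurityException.getMessage("security.wssecurity.CWWSS8018E");
            }
            // NOTE(review): getValidPostBindingConfig() returning null would NPE inside this handler — confirm it cannot.
            String acsErrorPage = this.taiConfig.getValidPostBindingConfig(httpServletRequest).getPostBindingSPConfig().getAcsErrorPage();
            // A user-mapping failure may carry its own error page, which wins over the configured one.
            Throwable cause = e.getCause();
            if (cause instanceof UserMappingException) {
                String mappedPage = ((UserMappingException) cause).getErrorPage();
                if (mappedPage != null) {
                    acsErrorPage = mappedPage;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Receiving ErrorPage=" + acsErrorPage);
                    }
                }
            }
            if (acsErrorPage == null) {
                tAIResult = createTAIErrorResult(httpServletRequest, httpServletResponse, message, true);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAMLResponse could not be verified. Auto Re-login. ");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Redirecting to error page: [" + acsErrorPage + "]");
                    Tr.debug(tc, "SAMLResponse could not be verified. Display Error Page or Throw exception. ");
                }
                tAIResult = createTAISimpleErrorResult(httpServletRequest, httpServletResponse, acsErrorPage);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invokeTAIbeforeSSO:" + tAIResult.getAuthenticatedPrincipal());
        }
        return tAIResult;
    }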

    /**
     * After-SSO path: a request that already carries a SAMLResponse is handed to
     * {@link #invokeTAIbeforeSSO}; otherwise the original URL is saved and the user
     * is redirected into the login flow with message CWWSS8017E.
     *
     * @return the TAIResult for the container
     * @throws WebTrustAssociationFailedException propagated from either path
     */
    protected TAIResult invokeTAIafterSSO(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeTAIafterSSO");
        }
        if (isSAMLResponse(httpServletRequest)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Request contains SAMLResponse, TAI will be processed.");
            }
            return invokeTAIbeforeSSO(httpServletRequest, httpServletResponse);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Request does not contain a SAMLResponse.");
        }
        String reason = SoapSecurityException.getMessage("security.wssecurity.CWWSS8017E");
        SAMLTaiState.saveReqURL(httpServletRequest, httpServletResponse, this.security);
        TAIResult result = createTAIErrorResult(httpServletRequest, httpServletResponse, reason, false);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invokeTAIafterSSO");
        }
        return result;
    }

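    /**
     * Starts a (re-)login: resolves where the user should go — an AuthnRequest
     * auto-posted to the IdP, the identity-provider/error URL from the mapping, or
     * the partner's configured login error page — sends the user there and returns
     * a 403 TAIResult so the container stops processing.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse response used for the redirect or auto-post form
     * @param str                 message for the exception thrown when no target page can be resolved
     * @param z                   whether the TAI was invoked before SSO (only traced here)
     * @return {@code TAIResult.create(403)}
     * @throws WebTrustAssociationFailedException if no login page can be resolved or
     *         sending the user there fails; the cause is attached
     */
    protected TAIResult createTAIErrorResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, boolean z) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createTAIErrorResult(req[" + ConfigUtil.getObjType(httpServletRequest) + "], res[" + ConfigUtil.getObjType(httpServletResponse) + "], msg[" + str + "], before[" + z + "])");
        }
        httpServletResponse.setStatus(401);
        boolean spInitiated = false;
        HashMap<String, String> authnRequest = null;
        try {
            String loginUrl = null;
            PostBindingConfig pbc = this.taiConfig.getPostBindingConfigForIdPSelection(httpServletRequest);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "pbc [" + ConfigUtil.getObjState(pbc) + "]");
            }
            if (pbc != null) {
                IdentityProviderMapping idp = pbc.getIdentityProviderMapping();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "idProvider [" + ConfigUtil.getObjState(idp) + "]");
                }
                if (idp != null) {
                    if (idp instanceof AuthnRequestProvider) {
                        authnRequest = ((AuthnRequestProvider) idp).getAuthnRequest(httpServletRequest, null, pbc.getPostBindingSPConfig().getAssertionConsumerService(), pbc.getSingleSignOnServiceURLs());
                        // A provider that hands back no map used to surface as a bare NPE with no message.
                        if (authnRequest == null) {
                            throw new WebTrustAssociationFailedException("AuthnRequestProvider returned no AuthnRequest");
                        }
                        loginUrl = authnRequest.get(AuthnRequestProvider.AUTHN_REQUEST);
                        spInitiated = true;
                    } else {
                        loginUrl = idp.getIdentityProviderOrErrorURL(httpServletRequest, null, pbc.getPostBindingSPConfig().getAssertionConsumerService(), pbc.getSingleSignOnServiceURLs());
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Resolved re-login page:" + loginUrl);
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "idProvider.getIdentityProviderOrErrorURL() [" + loginUrl + "]");
                }
                if (loginUrl == null) {
                    // Fall back to the partner's configured login error page.
                    PostBindingSPConfig spConfig = pbc.getPostBindingSPConfig();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "pbspc [" + spConfig + "]");
                    }
                    if (spConfig != null) {
                        loginUrl = spConfig.getLoginErrorPage();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "pbspc.getLoginErrorPage() [" + loginUrl + "]");
                        }
                    }
                }
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved error page [" + loginUrl + "]");
            }
            if (loginUrl == null) {
                throw new WebTrustAssociationFailedException(str);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "spInitiated [" + spInitiated + "]");
            }
            // pbc is non-null here: loginUrl can only be set inside the pbc != null branch.
            if (spInitiated) {
                postToIdp(httpServletRequest, httpServletResponse, authnRequest, pbc.getPostBindingSPConfig().getAssertionConsumerService());
            } else if (pbc.getPostBindingSPConfig().doServerSideRedirect()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Sending redirect");
                }
                httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(loginUrl));
            } else {
                doClientSideRedirect(httpServletResponse, httpServletResponse.encodeRedirectURL(loginUrl));
            }
            TAIResult result = TAIResult.create(403);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createTAIErrorResult");
            }
            return result;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "createTAIErrorResult:" + e.getMessage());
            }
            // Clear the login-flow state cookies so a retry starts clean.
            SAMLTaiState.destroyREFERER_URLCookie(httpServletResponse);
            SAMLTaiState.deletePOSTPARAM(httpServletRequest, httpServletResponse, this.security);
            WebTrustAssociationFailedException wrapped = new WebTrustAssociationFailedException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }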

    /**
     * Answers with a small HTML page whose script records the current location in
     * a cookie and then navigates the browser to the login URL.
     *
     * @param httpServletResponse response to write the page to (status 200, text/html UTF-8)
     * @param str                 login URL embedded by {@link #createJavaScripts}
     * @throws IOException if the response writer cannot be obtained
     */
    private void doClientSideRedirect(HttpServletResponse httpServletResponse, String str) throws IOException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doClientSideRedirect(response, loginURL[" + str + "])");
        }
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        httpServletResponse.setStatus(200);
        PrintWriter out = httpServletResponse.getWriter();
        String[] page = {
            "<html xmlns=\"http://www.w3.org/1999/xhtml\">",
            "<head>",
            createJavaScripts(str),
            "<title>Redirect To Login</title> ",
            "</head>",
            "<body></body>",
            "</html>"
        };
        for (String line : page) {
            out.println(line);
        }
        out.close();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doClientSideRedirect");
        }
    }

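    /**
     * Builds the two inline scripts of the client-side redirect page: one that
     * stores the current location in the WasSamlSpReqURL cookie (path=/; a cookie
     * written from script cannot be HttpOnly, and no Secure flag is set here), and
     * one that navigates to the login URL.
     *
     * <p>The URL is embedded inside a double-quoted JavaScript string, so it is
     * escaped for that context; the original concatenated it verbatim, which let a
     * quote or {@code </script>} in the URL break out of the literal.
     *
     * @param str login URL; a null yields the literal text "null" as before
     * @return the two script elements
     */
    private String createJavaScripts(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createJavaScripts(loginURL[" + str + "])");
        }
        StringBuilder sb = new StringBuilder();
        sb.append("<script type=\"text/javascript\" language=\"javascript\">")
          .append("var loc=window.location.href;")
          .append("document.cookie=\"").append("WasSamlSpReqURL=\"").append("+loc+").append("\"; path=/\"")
          .append("</script>");
        sb.append("<script type=\"text/javascript\" language=\"javascript\">")
          .append("window.location.replace(\"").append(escapeForJsString(str)).append("\")")
          .append("</script>");
        String scripts = sb.toString();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createJavaScripts returns [" + scripts + "]");
        }
        return scripts;
    }

    /**
     * Escapes a value for a double-quoted JavaScript string literal that lives in
     * an HTML script element: quotes, backslashes, line terminators and angle
     * brackets are written as JS escapes, everything else is passed through.
     * Characters legal in a URL are unaffected, so the navigated-to URL is unchanged.
     */
    private static String escapeForJsString(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"': out.append("\\\""); break;
                case '\'': out.append("\\'"); break;
                case '<': out.append("\\u003c"); break;
                case '>': out.append("\\u003e"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case 0x2028: out.append("\\u2028"); break;
                case 0x2029: out.append("\\u2029"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }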

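    /**
     * Writes the SP-initiated login page: an auto-submitting HTML form that posts
     * the AuthnRequest and RelayState to the IdP's single sign-on URL.
     *
     * <p>The three values are placed in HTML attributes, so they are attribute-escaped;
     * the browser decodes the entities before submitting, so the posted values are
     * unchanged (the original wrote them verbatim). The request id is saved first so
     * the response can be correlated later.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse response the form is written to
     * @param hashMap             map from the AuthnRequestProvider holding RELAY_STATE, AUTHN_REQUEST and SSO_URL
     * @param str                 assertion consumer service URL, passed to Util.saveReqID
     * @throws WebTrustAssociationFailedException if any of the three values is missing
     *         or the page cannot be written (cause attached)
     */
    protected void postToIdp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap hashMap, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "postToIdp");
        }
        Util.saveReqID(httpServletRequest, httpServletResponse, hashMap, str);
        String relayState = (String) hashMap.get(AuthnRequestProvider.RELAY_STATE);
        String authnRequest = (String) hashMap.get(AuthnRequestProvider.AUTHN_REQUEST);
        String ssoUrl = (String) hashMap.get(AuthnRequestProvider.SSO_URL);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "relayState[" + relayState + "], authnRequest[" + authnRequest + "], idp[" + ssoUrl + "]");
        }
        if (relayState == null || authnRequest == null || ssoUrl == null) {
            throw new WebTrustAssociationFailedException("RelayState, Single-Sign-On URL, or AuthnRequest must be provided");
        }
        httpServletResponse.setContentType("text/html");
        try {
            PrintWriter writer = httpServletResponse.getWriter();
            writer.println("<HTML xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">");
            writer.println("<BODY onload=\"document.forms[0].submit()\">");
            writer.println("<form action=\"" + escapeHtmlAttribute(ssoUrl) + "\" method=\"post\">");
            writer.println("<div><input type=\"hidden\" name=\"RelayState\" value=\"" + escapeHtmlAttribute(relayState) + "\"/>");
            writer.println("<input type=\"hidden\" name=\"SAMLRequest\" value=\"" + escapeHtmlAttribute(authnRequest) + "\"/></div>");
            writer.println("<noscript><div>");
            writer.println("<input type=\"submit\" value=\"Continue\"/>");
            writer.println("</div></noscript>");
            writer.println("</form></body></html>");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "postToIdp");
            }
        } catch (Exception e) {
            // Keep the cause, as the other error paths in this class do.
            WebTrustAssociationFailedException wrapped = new WebTrustAssociationFailedException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /** Escapes the five characters that are significant inside a double-quoted HTML attribute. */
    private static String escapeHtmlAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }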

    /**
     * Sends the user to the given error page and returns a 403 TAIResult so the
     * container stops processing the request.
     *
     * @param httpServletRequest  the request (only traced)
     * @param httpServletResponse response used for the redirect; status is set to 401 first
     * @param str                 error page URL (run through encodeRedirectURL)
     * @return {@code TAIResult.create(403)}
     * @throws WebTrustAssociationFailedException if the redirect fails; cause attached
     */
    protected TAIResult createTAISimpleErrorResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createTAISimpleErrorResult([req,res,error[" + str + "])");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setting response status to [401]");
        }
        httpServletResponse.setStatus(401);
        TAIResult result;
        try {
            String location = httpServletResponse.encodeRedirectURL(str);
            httpServletResponse.sendRedirect(location);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "creating TAIResult with [403]");
            }
            result = TAIResult.create(403);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "createTAIErrorResult:" + e.getMessage());
            }
            WebTrustAssociationFailedException wrapped = new WebTrustAssociationFailedException(e.getMessage());
            wrapped.initCause(e);
            throw wrapped;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createTAISimpleErrorResult");
        }
        return result;
    }

    /**
     * Builds the {@link SAMLResponseContext} for the incoming SAML response and runs it through
     * {@code SAMLResponseProcessor.process}.
     * <p>
     * When the request carries a non-empty {@code RelayState} parameter, the request ID stored
     * for this SP's assertion consumer service is fetched and removed via
     * {@link Util#getAndRemoveReqID} and placed on the context under the key {@code "ID"}
     * (presumably so the processor can match the response to the AuthnRequest it answers —
     * confirm in SAMLResponseProcessor). NOTE(review): without a {@code RelayState} no stored
     * ID is attached; how an unsolicited response is treated is decided by the processor, not
     * here.
     *
     * @param httpServletRequest  the request carrying the SAML response
     * @param httpServletResponse the current response
     * @return the processed context
     * @throws WebTrustAssociationFailedException wrapping any exception raised by the processor;
     *         the original exception is attached as the cause
     */
    protected SAMLResponseContext processSAMLResponseContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "processSAMLResponseContext");
        }
        SAMLResponseContext context = SAMLRequestResponseContextBuilder.buildInitSAMLResponseContext(this.taiConfig, httpServletRequest);
        String relayState = httpServletRequest.getParameter("RelayState");
        if (ConfigUtil.hasValue(relayState)) {
            String acsUrl = context.getPostBindingSPConfig().getAssertionConsumerService();
            context.set("ID", Util.getAndRemoveReqID(httpServletRequest, httpServletResponse, acsUrl));
        }
        try {
            SAMLResponseProcessor.process(context, httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "processSAMLResponseContext");
        }
        return context;
    }

    /**
     * Maps the SAML token of a processed response to a {@link TAIResult} according to the
     * configured {@link SAMLIdAssertionRule.IDMapOption}.
     * <p>
     * The assertion-style options ({@code ASSERTION}, {@code ASSERTION_ADD_LOCAL_GROUP},
     * {@code ASSERTION_AND_LOCAL_GROUP}) go through {@code CredentialMapUtil.doIdAssertion};
     * every {@code LOCAL_REALM*} option goes through {@code CredentialMapUtil.doNameIdMapping}.
     * An option outside that list produces no mapping and {@code null} is returned unchanged,
     * so callers must not assume a non-null result.
     *
     * @param httpServletRequest  the current request, used to select the post-binding config
     * @param httpServletResponse the current response
     * @param sAMLResponseContext the processed context whose response supplies the token
     * @return the mapped result, or {@code null} when the map option matched no known case
     * @throws WebTrustAssociationFailedException wrapping any exception raised during mapping
     *         (including a missing map option); the original exception is attached as the cause
     */
    protected TAIResult createResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLResponseContext sAMLResponseContext) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createResult");
        }
        Subject subject = new Subject();
        TAIResult mapped = null;
        try {
            SAMLToken token = sAMLResponseContext.getResponse().getSAMLToken();
            PostBindingConfig bindingConfig = this.taiConfig.getValidPostBindingConfig(httpServletRequest);
            SAMLIdAssertionRule rule = bindingConfig.getSAMLIdAssertionRule();
            SAMLIdAssertionRule.IDMapOption option = rule.getIDMapOption();
            String label = traceLabelForIdMapOption(option);
            if (label != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IDMapOption is " + label);
                }
                CredentialMapUtil mapper = CredentialMapUtil.getInstance();
                if (isAssertionStyleMapping(option)) {
                    mapped = mapper.doIdAssertion(token, subject, rule, bindingConfig, httpServletRequest, httpServletResponse);
                } else {
                    mapped = mapper.doNameIdMapping(token, subject, rule, bindingConfig, httpServletRequest, httpServletResponse);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createResult");
            }
            return mapped;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "createResult with Exception:" + e.getMessage());
            }
            WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Returns the trace name of a map option this TAI knows how to handle, or {@code null} for
     * any other option (which then yields no mapping in {@link #createResult}).
     */
    private static String traceLabelForIdMapOption(SAMLIdAssertionRule.IDMapOption option) {
        if (option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION)) {
            return "ASSERTION";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.LOCAL_REALM)) {
            return "LOCAL_REALM";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.LOCAL_REALM_THEN_ASSERTION)) {
            return "LOCAL_REALM_THEN_ASSERTION";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.LOCAL_REALM_THEN_ASSERTION_ADD_LOCAL_GROUP)) {
            return "LOCAL_REALM_THEN_ASSERTION_ADD_LOCAL_GROUP";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION_ADD_LOCAL_GROUP)) {
            return "ASSERTION_ADD_LOCAL_GROUP";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.LOCAL_REALM_THEN_ASSERTION_AND_LOCAL_GROUP)) {
            return "LOCAL_REALM_THEN_ASSERTION_AND_LOCAL_GROUP";
        }
        if (option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION_AND_LOCAL_GROUP)) {
            return "ASSERTION_AND_LOCAL_GROUP";
        }
        return null;
    }

    /** True for the options that are served by {@code doIdAssertion} rather than {@code doNameIdMapping}. */
    private static boolean isAssertionStyleMapping(SAMLIdAssertionRule.IDMapOption option) {
        return option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION)
                || option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION_ADD_LOCAL_GROUP)
                || option.equals(SAMLIdAssertionRule.IDMapOption.ASSERTION_AND_LOCAL_GROUP);
    }

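    /**
     * Resolves the URL the browser is sent to after a successful SAML login and records it on
     * the request.
     * <p>
     * Resolution, in the order implemented below:
     * <ol>
     *   <li>the URL-decoded {@code RelayState}, kept only when it starts with
     *       {@code SAMLSpConstants.HTTP_PREFIX} or {@code HTTPS_PREFIX} and
     *       {@code useRelayStateForTarget} is enabled;</li>
     *   <li>otherwise the SP's {@code defaultTargetUrl};</li>
     *   <li>when {@code preserveRequestState} is on and {@link SAMLTaiState#restoreReqURL}
     *       yields a saved original URL, that URL wins and the saved POST parameters are
     *       restored;</li>
     *   <li>an empty result is replaced by {@code SAMLSpConstants.TARGET_URL_NO_SET}.</li>
     * </ol>
     * The chosen value is then vetted by {@link #checkRedirectTarget} and stored under
     * {@code SAMLSpConstants.RESOLVED_TARGET_URL}; the SP's {@code disableDecodeUrl} flag is
     * stored under {@code SecurityConfig.DISABLE_SAML_DECODE_REDIRECT_URL}.
     * <p>
     * {@code RelayState} is a value echoed back with the SAML response; the only validation this
     * method applies to it is the scheme-prefix check, so treat it as untrusted input. Fix: a
     * {@code RelayState} that cannot be URL-decoded is now discarded, so the announced fallback
     * to the default target actually happens — previously the raw, unchecked value survived the
     * failed decode and could still become the target.
     *
     * @param httpServletRequest  the request carrying the SAML response
     * @param httpServletResponse the current response
     * @param sAMLResponseContext the processed context; supplies the {@code RelayState}
     * @throws WebTrustAssociationFailedException propagated from {@link #checkRedirectTarget}
     */
    protected void doRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLResponseContext sAMLResponseContext) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doRedirect");
        }
        PostBindingSPConfig postBindingSPConfig = this.taiConfig.getValidPostBindingConfig(httpServletRequest).getPostBindingSPConfig();
        String defaultTargetUrl = postBindingSPConfig.getDefaultTargetUrl();
        String relayState = sAMLResponseContext.getRelayState();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "spCfg [" + postBindingSPConfig + "]");
            Tr.debug(tc, "defaultTargetUrl [" + defaultTargetUrl + "]");
            Tr.debug(tc, "relayStateUri [" + relayState + "]");
            Tr.debug(tc, "isUseRelayStateAsTargetUrl [" + postBindingSPConfig.isUseRelayStateAsTargetUrl() + "]");
        }
        if (relayState != null) {
            try {
                relayState = URLDecoder.decode(relayState, "UTF-8");
                // Only absolute http/https URLs are acceptable as a relay-state target.
                if (!relayState.startsWith(SAMLSpConstants.HTTP_PREFIX)
                        && !relayState.startsWith(SAMLSpConstants.HTTPS_PREFIX)) {
                    relayState = null;
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The RelayState is not a URL. Use TAI's default target URL.");
                }
                // Fix: the assignment above never happened, so without this line the raw
                // (undecoded, unchecked) value would still be used as the target below.
                relayState = null;
            }
        }
        String str = null;
        TargetType targetType = TargetType.RELAY_STATE;
        if (ConfigUtil.hasValue(relayState)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting target to the value for relayState [" + relayState + "]");
            }
            str = relayState;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isUseRelayStateAsTargetUrl[" + postBindingSPConfig.isUseRelayStateAsTargetUrl() + "], targetUrl[" + str + "]");
        }
        // The relay state is honoured only when the SP config opts in; otherwise (or when no
        // usable relay state exists) the configured default target applies.
        if (!postBindingSPConfig.isUseRelayStateAsTargetUrl() || str == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "overriding targetUrl with defaultTargetUrl [" + defaultTargetUrl + "]");
            }
            targetType = TargetType.DEFAULT_TARGET;
            str = defaultTargetUrl;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The target URL is [" + str + "]");
            Tr.debug(tc, "preserveRequestState [" + postBindingSPConfig.preserveRequestState() + "]");
        }
        if (postBindingSPConfig.preserveRequestState()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "preserving the request state");
            }
            String restoreReqURL = SAMLTaiState.restoreReqURL(httpServletRequest, httpServletResponse, str);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "originalUrl [" + restoreReqURL + "]");
            }
            if (ConfigUtil.hasValue(restoreReqURL)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Restoring post parameters");
                }
                SAMLTaiState.restorePostParams(httpServletRequest, httpServletResponse, this.security);
                str = restoreReqURL;
                targetType = TargetType.ORIGINAL_URL;
            }
        }
        if (str == null || str.isEmpty()) {
            str = SAMLSpConstants.TARGET_URL_NO_SET;
        }
        // Rejects a target that would bounce the browser back to our own ACS endpoint.
        checkRedirectTarget(httpServletRequest, str, targetType, postBindingSPConfig.isUseRelayStateAsTargetUrl());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setting [" + SAMLSpConstants.RESOLVED_TARGET_URL + "] to [" + str + "] on the request.");
            Tr.debug(tc, "setting [com.ibm.ws.security.web.saml.disableDecodeURL] to [" + postBindingSPConfig.getDisableDecodeUrl() + "] on the request.");
        }
        httpServletRequest.setAttribute(SAMLSpConstants.RESOLVED_TARGET_URL, str);
        httpServletRequest.setAttribute(SecurityConfig.DISABLE_SAML_DECODE_REDIRECT_URL, Boolean.toString(postBindingSPConfig.getDisableDecodeUrl()));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "doRedirect");
        }
    }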

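    /**
     * Reports whether this TAI is being invoked before the container's own SSO processing.
     * <p>
     * The flag is read from the context manager under {@code INVOKED_BEFORE_SSO} and counts as
     * set only when the value is exactly the string {@code "true"} (case-sensitive); {@code null}
     * or any other value yields {@code false}.
     *
     * @param httpServletRequest the current request (not consulted; kept for the call contract)
     * @return {@code true} when the context flag equals {@code "true"}
     */
    protected boolean isInvokeBeforeSSO(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isInvokeBeforeSSO");
        }
        String flag = (String) ContextManagerFactory.getInstance().get(INVOKED_BEFORE_SSO);
        boolean beforeSso = "true".equals(flag);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "[com.ibm.ws.security.web.tai.invoked.beforeSSO] is set to [" + flag + "]");
            Tr.debug(tc, "isFirstPass[" + beforeSso + "]");
        }
        if (tc.isEntryEnabled()) {
            // Fix: the return was traced with Tr.entry, leaving the entry/exit pair unbalanced.
            Tr.exit(tc, "isInvokeBeforeSSO returns [" + beforeSso + "]");
        }
        return beforeSso;
    }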

    /**
     * Decides whether the current request delivers a SAML response by HTTP POST.
     * <p>
     * Only POST requests are examined. The request counts as a SAML response when the
     * {@code SAMLResponse} parameter is present; a present {@code ArtifactResponse} parameter
     * is rejected because the HTTP Artifact binding is not supported. Both parameters are only
     * tested for presence here — their content is not validated by this method.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} when the request is a POST carrying the SAML response parameter
     * @throws WebTrustAssociationFailedException when an artifact parameter is present
     *         (message {@code security.wssecurity.CWWSS8019E})
     */
    protected boolean isSAMLResponse(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSAMLResponse");
        }
        boolean hasSamlResponse = false;
        if (!httpServletRequest.getMethod().equalsIgnoreCase("post")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Method is not POST, skipping.");
            }
        } else {
            String authnResponse = httpServletRequest.getParameter(SAMLResponse);
            String artifact = httpServletRequest.getParameter(ArtifactResponse);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authnResponse[" + authnResponse + "], SAMLArt[" + artifact + "]");
            }
            if (artifact != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "HTTP Artifact binding is not supported.");
                }
                throw new WebTrustAssociationFailedException(SoapSecurityException.getMessage("security.wssecurity.CWWSS8019E"));
            }
            hasSamlResponse = authnResponse != null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSAMLResponse:" + hasSamlResponse);
        }
        return hasSamlResponse;
    }

    /**
     * Tells whether the request targets an administrative application, as determined by
     * {@link Util#getApplication} and {@link #isAdminApp(String)}.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} when the application name resolved from the request is an admin app
     * @throws WebTrustAssociationFailedException declared for the call contract; nothing in this
     *         method raises it directly
     */
    protected boolean isRequestForAdminApplication(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isRequestForAdminApplication");
        }
        String appName = Util.getApplication(httpServletRequest);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "appName [" + appName + "]");
        }
        boolean adminApp = isAdminApp(appName);
        if (adminApp && tc.isDebugEnabled()) {
            Tr.debug(tc, "admin application Name:" + appName);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isRequestForAdminApplication returns [" + adminApp + "]");
        }
        return adminApp;
    }

    /**
     * Delegates to {@link WSAccessManager#checkIfAdminApp(String)} to classify an application
     * name; exists mainly so subclasses and tests can override the decision.
     *
     * @param str the application name to classify
     * @return whatever {@code WSAccessManager.checkIfAdminApp} reports for {@code str}
     */
    protected boolean isAdminApp(String str) {
        boolean traceEntry = tc.isEntryEnabled();
        if (traceEntry) {
            Tr.entry(tc, "isAdminApp");
        }
        boolean adminApp = WSAccessManager.checkIfAdminApp(str);
        if (traceEntry) {
            Tr.exit(tc, "isAdminApp returns [" + adminApp + "]");
        }
        return adminApp;
    }

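    /**
     * Rejects a resolved target URL that points back at this SP's own assertion consumer
     * service, which would send the browser around the SAML exchange again.
     * <p>
     * The check runs only when an IdP-selection post-binding config with an SP config exists
     * and its ACS URL has a value. The target is rejected when it equals the ACS URL after
     * trimming and the ACS URL contains {@code /samlsps/}. The rejection is logged as
     * {@code CWSML7033E} and {@code CWSML7030E}, followed by a hint naming the configuration
     * that produced the target: {@code CWSML7032I} for the default target, {@code CWSML7031I}
     * for the relay state, {@code CWSML7034I} for a restored original URL.
     *
     * @param httpServletRequest the current request, used to select the post-binding config
     * @param str                the resolved target URL; must not be {@code null} (the caller
     *                           substitutes {@code SAMLSpConstants.TARGET_URL_NO_SET} first)
     * @param targetType         where {@code str} came from; selects the hint message
     * @param z                  the {@code useRelayStateForTarget} setting, echoed in the hint
     * @throws WebTrustAssociationFailedException when the target equals the ACS URL; its message
     *         is {@code CWSML7033E} and the attached cause carries the detailed text
     */
    private void checkRedirectTarget(HttpServletRequest httpServletRequest, String str, TargetType targetType, boolean z) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRedirectTarget(req[" + ConfigUtil.getObjState(httpServletRequest) + "], targetUrl[" + str + "], targetType[" + targetType + "], useRelayStateForTarget[" + z + "])");
        }
        PostBindingConfig idpSelectionConfig = this.taiConfig.getPostBindingConfigForIdPSelection(httpServletRequest);
        PostBindingSPConfig spConfig = idpSelectionConfig == null ? null : idpSelectionConfig.getPostBindingSPConfig();
        if (spConfig != null) {
            String acsUrl = spConfig.getAssertionConsumerService();
            if (ConfigUtil.hasValue(acsUrl)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "acsrul[" + acsUrl + "]");
                }
                if (str.trim().equals(acsUrl.trim()) && acsUrl.contains("/samlsps/")) {
                    String message = MessageHelper.getMessage("security.wssecurity.CWSML7033E", new String[]{str});
                    String message2 = MessageHelper.getMessage("security.wssecurity.CWSML7030E", new String[]{str, "sso_<id>.sp.acsUrl"});
                    String hint = null;
                    if (targetType == TargetType.DEFAULT_TARGET) {
                        hint = MessageHelper.getMessage("security.wssecurity.CWSML7032I", new String[]{"targetUrl", "sso_<id>.sp.targetUrl", "sso_<id>.sp.useRelayStateForTarget", z ? "true" : "false"});
                    } else if (targetType == TargetType.RELAY_STATE) {
                        hint = MessageHelper.getMessage("security.wssecurity.CWSML7031I", new String[]{AuthnRequestProvider.RELAY_STATE});
                    } else if (targetType == TargetType.ORIGINAL_URL) {
                        hint = MessageHelper.getMessage("security.wssecurity.CWSML7034I");
                    }
                    Tr.error(tc, message);
                    Tr.error(tc, message2 + " " + hint);
                    // The detailed explanation travels as the cause; the thrown message stays the short CWSML7033E.
                    WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(message);
                    failure.initCause(new Exception(message2 + " " + hint));
                    throw failure;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            // Fix: the method end was traced with Tr.entry, leaving the entry/exit pair unbalanced.
            Tr.exit(tc, "checkRedirectTarget");
        }
    }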
}
