package org.springframework.security.context;

import java.io.IOException;
import java.lang.reflect.Method;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-core-2.0.7.RELEASE.jar:org/springframework/security/context/HttpSessionContextIntegrationFilter.class */
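/**
 * Servlet filter that loads the {@link SecurityContext} for a request from the
 * {@code HttpSession}, publishes it through {@link SecurityContextHolder} while the rest
 * of the filter chain runs, and writes it back to the session afterwards.
 *
 * <p>Security-relevant behaviour implemented here:
 * <ul>
 * <li>The holder is cleared whether the chain returns normally or throws, so the context
 *     installed for this request is not left behind once the request has completed.</li>
 * <li>The context is written back only when a session is available (or may be created),
 *     its {@code hashCode()} differs from the value captured before the chain ran, and the
 *     {@link AuthenticationTrustResolver} does not classify its authentication as
 *     anonymous. Change detection therefore depends on the {@code SecurityContext}
 *     implementation providing a {@code hashCode()} that reflects its contents.</li>
 * <li>{@code sendError} and {@code sendRedirect} trigger an early write-back through
 *     {@link OnRedirectUpdateSessionResponseWrapper}, because those calls commit the
 *     response and a session can no longer be created afterwards.</li>
 * <li>Nothing in this class renews the session identifier when the stored context
 *     changes; session-fixation defence has to be provided elsewhere in the chain.</li>
 * <li>Debug and warn messages embed {@code toString()} of the context or of the raw
 *     session attribute. What that exposes depends on the classes involved; review before
 *     enabling debug logging where logs are widely readable.</li>
 * </ul>
 */
public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter implements InitializingBean {
    /** Request attribute marking that this filter already ran for the current request. */
    static final String FILTER_APPLIED = "__spring_security_session_integration_filter_applied";

    /** Session attribute under which the {@link SecurityContext} is stored. */
    public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    private Class contextClass;

    // A pristine instance of contextClass; used to tell a default (untouched) context from a
    // populated one when deciding whether a session has to be created.
    private Object contextObject;

    private boolean allowSessionCreation;
    private boolean forceEagerSessionCreation;
    private boolean cloneFromHttpSession;
    private AuthenticationTrustResolver authenticationTrustResolver;

    // The three fields below and class$(String) are what a decompiler shows for class
    // literals compiled by a pre-Java-5 compiler. The code in this class uses class literals
    // directly; these members are retained only so the set of declared members is unchanged.
    static Class class$org$springframework$security$context$SecurityContextImpl;
    static Class class$org$springframework$security$context$SecurityContext;
    static Class class$java$lang$Cloneable;

    /**
     * Response wrapper that stores the current {@link SecurityContext} in the session
     * before an error or redirect is sent. Both operations commit the response, after
     * which {@code getSession(true)} can no longer create a session, so waiting until the
     * chain has returned could lose a newly established context.
     */
    private class OnRedirectUpdateSessionResponseWrapper extends HttpServletResponseWrapper {
        private final HttpServletRequest request;
        private final boolean httpSessionExistedAtStartOfRequest;
        private final int contextHashBeforeChainExecution;

        // Set once the context has been written back, so the filter does not store it twice.
        private boolean sessionUpdateDone = false;

        /**
         * @param response the response being wrapped
         * @param request the request whose session receives the context
         * @param httpSessionExistedAtStartOfRequest whether a session existed before the chain ran
         * @param contextHashBeforeChainExecution {@code hashCode()} of the context before the chain ran
         */
        OnRedirectUpdateSessionResponseWrapper(HttpServletResponse response, HttpServletRequest request,
                boolean httpSessionExistedAtStartOfRequest, int contextHashBeforeChainExecution) {
            super(response);
            this.request = request;
            this.httpSessionExistedAtStartOfRequest = httpSessionExistedAtStartOfRequest;
            this.contextHashBeforeChainExecution = contextHashBeforeChainExecution;
        }

        /** Stores the context, then delegates to the wrapped response. */
        @Override
        public void sendError(int statusCode) throws IOException {
            doSessionUpdate();
            super.sendError(statusCode);
        }

        /** Stores the context, then delegates to the wrapped response. */
        @Override
        public void sendError(int statusCode, String message) throws IOException {
            doSessionUpdate();
            super.sendError(statusCode, message);
        }

        /** Stores the context, then delegates to the wrapped response. */
        @Override
        public void sendRedirect(String location) throws IOException {
            doSessionUpdate();
            super.sendRedirect(location);
        }

        /** Writes the holder's current context to the session, at most once per response. */
        private void doSessionUpdate() {
            if (this.sessionUpdateDone) {
                return;
            }
            storeSecurityContextInSession(SecurityContextHolder.getContext(), this.request,
                    this.httpSessionExistedAtStartOfRequest, this.contextHashBeforeChainExecution);
            this.sessionUpdateDone = true;
        }

        /** @return {@code true} once the context has been stored through this wrapper */
        public boolean isSessionUpdateDone() {
            return this.sessionUpdateDone;
        }
    }

    /** @return whether the context read from the session is cloned before use */
    public boolean isCloneFromHttpSession() {
        return this.cloneFromHttpSession;
    }

    /**
     * @param cloneFromHttpSession when {@code true}, the session attribute must implement
     *        {@code Cloneable} and expose a {@code clone()} method; each request then works
     *        on the clone rather than on the instance held by the session
     */
    public void setCloneFromHttpSession(boolean cloneFromHttpSession) {
        this.cloneFromHttpSession = cloneFromHttpSession;
    }

    /**
     * Creates the filter with {@code SecurityContextImpl} as the context class, session
     * creation allowed, eager session creation off and cloning off.
     *
     * @throws ServletException if the default context class cannot be instantiated
     */
    public HttpSessionContextIntegrationFilter() throws ServletException {
        this.contextClass = SecurityContextImpl.class;
        this.allowSessionCreation = true;
        this.forceEagerSessionCreation = false;
        this.cloneFromHttpSession = false;
        this.authenticationTrustResolver = new AuthenticationTrustResolverImpl();
        this.contextObject = generateNewContext();
    }

    /**
     * Validates the configuration and rebuilds the reference "default" context.
     *
     * @throws IllegalArgumentException if the context class is unset or does not implement
     *         {@link SecurityContext}, or if eager session creation is requested while
     *         session creation is disallowed
     * @throws Exception if the context class cannot be instantiated
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (this.contextClass == null || !SecurityContext.class.isAssignableFrom(this.contextClass)) {
            throw new IllegalArgumentException("context must be defined and implement SecurityContext (typically use org.springframework.security.context.SecurityContextImpl; existing class is " + this.contextClass + ")");
        }
        if (this.forceEagerSessionCreation && !this.allowSessionCreation) {
            throw new IllegalArgumentException("If using forceEagerSessionCreation, you must set allowSessionCreation to also be true");
        }
        this.contextObject = generateNewContext();
    }

    /**
     * Installs the session's {@link SecurityContext} (or a new one) in
     * {@link SecurityContextHolder}, runs the chain, then clears the holder and writes the
     * resulting context back to the session.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response; the chain receives a wrapper around it
     * @param filterChain remainder of the filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain or from context instantiation
     */
    @Override
    public void doFilterHttp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Only the outermost invocation per request manages the context; a nested pass
        // (the attribute is already set) just continues the chain.
        if (httpServletRequest.getAttribute(FILTER_APPLIED) != null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        HttpSession sessionAtStart = safeGetSession(httpServletRequest, this.forceEagerSessionCreation);
        boolean httpSessionExistedAtStartOfRequest = sessionAtStart != null;

        SecurityContext contextBeforeChainExecution = readSecurityContextFromSession(sessionAtStart);
        if (contextBeforeChainExecution == null) {
            contextBeforeChainExecution = generateNewContext();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("New SecurityContext instance will be associated with SecurityContextHolder");
            }
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT to associate with SecurityContextHolder: '" + contextBeforeChainExecution + "'");
        }

        // Captured now so a later change to the context can be detected by comparing hashes.
        int contextHashBeforeChainExecution = contextBeforeChainExecution.hashCode();
        httpServletRequest.setAttribute(FILTER_APPLIED, Boolean.TRUE);

        OnRedirectUpdateSessionResponseWrapper responseWrapper = new OnRedirectUpdateSessionResponseWrapper(
                httpServletResponse, httpServletRequest, httpSessionExistedAtStartOfRequest, contextHashBeforeChainExecution);

        try {
            SecurityContextHolder.setContext(contextBeforeChainExecution);
            filterChain.doFilter(httpServletRequest, responseWrapper);
        } finally {
            // A single finally block, so the cleanup runs exactly once. With the cleanup
            // duplicated in a normal path and a catch path, a failure during the first
            // write-back would re-run it against the already-cleared holder and could then
            // write a fresh, empty context over the one held in the session.
            // Read the context before clearing: it is what gets written back.
            SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
            SecurityContextHolder.clearContext();
            httpServletRequest.removeAttribute(FILTER_APPLIED);
            if (!responseWrapper.isSessionUpdateDone()) {
                storeSecurityContextInSession(contextAfterChainExecution, httpServletRequest,
                        httpSessionExistedAtStartOfRequest, contextHashBeforeChainExecution);
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("SecurityContextHolder now cleared, as request processing completed");
            }
        }
    }

    /**
     * Reads the {@link SecurityContext} stored under {@link #SPRING_SECURITY_CONTEXT_KEY}.
     *
     * @param httpSession the session to read from, may be {@code null}
     * @return the stored context (a clone of it when cloning is enabled), or {@code null}
     *         when there is no session, no attribute, or the attribute is not a
     *         {@code SecurityContext}
     */
    private SecurityContext readSecurityContextFromSession(HttpSession httpSession) {
        if (httpSession == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("No HttpSession currently exists");
            }
            return null;
        }

        Object contextFromSession = httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
        if (contextFromSession == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("HttpSession returned null object for SPRING_SECURITY_CONTEXT");
            }
            return null;
        }

        if (this.cloneFromHttpSession) {
            Assert.isInstanceOf(Cloneable.class, contextFromSession, "Context must implement Clonable and provide a Object.clone() method");
            try {
                // clone() is looked up on the attribute's runtime class and invoked
                // reflectively, so the class stored in the session decides what the copy
                // contains. The instanceof check below still applies to the clone's result.
                Method cloneMethod = contextFromSession.getClass().getMethod("clone", new Class[0]);
                if (!cloneMethod.isAccessible()) {
                    cloneMethod.setAccessible(true);
                }
                contextFromSession = cloneMethod.invoke(contextFromSession, new Object[0]);
            } catch (Exception e) {
                ReflectionUtils.handleReflectionException(e);
            }
        }

        if (contextFromSession instanceof SecurityContext) {
            return (SecurityContext) contextFromSession;
        }

        // Something other than a SecurityContext is stored under the reserved key: treat it
        // as "no context" instead of failing the request.
        if (this.logger.isWarnEnabled()) {
            this.logger.warn("SPRING_SECURITY_CONTEXT did not contain a SecurityContext but contained: '" + contextFromSession + "'; are you improperly modifying the HttpSession directly " + "(you should always use SecurityContextHolder) or using the HttpSession attribute " + "reserved for this class?");
        }
        return null;
    }

    /**
     * Writes the given context to the session when it changed during the request and is
     * not anonymous, creating the session only when that is permitted.
     *
     * <p>NOTE(review): the decompiler reports that this method was {@code private} in the
     * compiled class and widened it so the inner wrapper can call it. It is left
     * {@code public} here to keep the declared interface unchanged; callers outside this
     * class should not use it to place an arbitrary context in a session.
     *
     * @param securityContext the context taken from the holder after (or during) the chain
     * @param httpServletRequest the request whose session is updated
     * @param httpSessionExistedAtStartOfRequest whether a session existed before the chain ran
     * @param contextHashBeforeChainExecution {@code hashCode()} of the context before the chain ran
     */
    public void storeSecurityContextInSession(SecurityContext securityContext, HttpServletRequest httpServletRequest, boolean httpSessionExistedAtStartOfRequest, int contextHashBeforeChainExecution) {
        HttpSession httpSession = safeGetSession(httpServletRequest, false);

        if (httpSession == null) {
            if (httpSessionExistedAtStartOfRequest) {
                // The session was invalidated during the request (for example by a logout);
                // creating a new one here would bring the old context back.
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
                }
            } else if (this.allowSessionCreation) {
                if (!this.contextObject.equals(securityContext)) {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("HttpSession being created as SecurityContextHolder contents are non-default");
                    }
                    httpSession = safeGetSession(httpServletRequest, true);
                } else if (this.logger.isDebugEnabled()) {
                    this.logger.debug("HttpSession is null, but SecurityContextHolder has not changed from default: ' " + securityContext + "'; not creating HttpSession or storing SecurityContextHolder contents");
                }
            } else if (this.logger.isDebugEnabled()) {
                this.logger.debug("The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request");
            }
        }

        // An unchanged hash is taken to mean an unchanged context, so nothing is written.
        if (httpSession == null || securityContext.hashCode() == contextHashBeforeChainExecution) {
            return;
        }

        if (this.authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("SecurityContext contents are anonymous - context will not be stored in HttpSession. ");
            }
        } else {
            httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
            }
        }
    }

    /**
     * Returns the request's session without letting an {@code IllegalStateException}
     * escape.
     *
     * @param httpServletRequest the current request
     * @param allowCreate whether a session may be created if none exists
     * @return the session, or {@code null} when none exists or none could be obtained
     */
    private HttpSession safeGetSession(HttpServletRequest httpServletRequest, boolean allowCreate) {
        try {
            return httpServletRequest.getSession(allowCreate);
        } catch (IllegalStateException ignored) {
            // Deliberate best-effort: the container refuses to create a session once the
            // response is committed. Callers treat null as "no session available", which
            // means the context is silently not persisted in that case.
            return null;
        }
    }

    /**
     * Instantiates the configured context class through its no-argument constructor.
     * Note that the constructor of this filter calls this method, so an override runs
     * before the subclass has been initialised.
     *
     * @return a new context instance
     * @throws ServletException if the class cannot be instantiated or accessed
     */
    public SecurityContext generateNewContext() throws ServletException {
        try {
            return (SecurityContext) this.contextClass.newInstance();
        } catch (IllegalAccessException e) {
            throw new ServletException(e);
        } catch (InstantiationException e) {
            throw new ServletException(e);
        }
    }

    /** @return whether this filter may create a session in order to store a context */
    public boolean isAllowSessionCreation() {
        return this.allowSessionCreation;
    }

    /** @param allowSessionCreation whether this filter may create a session to store a context */
    public void setAllowSessionCreation(boolean allowSessionCreation) {
        this.allowSessionCreation = allowSessionCreation;
    }

    /** @return the class instantiated by {@link #generateNewContext()} */
    protected Class getContextClass() {
        return this.contextClass;
    }

    /**
     * @param contextClass the class to instantiate for new contexts; checked against
     *        {@link SecurityContext} in {@link #afterPropertiesSet()}, not here
     */
    public void setContextClass(Class contextClass) {
        this.contextClass = contextClass;
    }

    /** @return whether a session is requested at the start of every request */
    public boolean isForceEagerSessionCreation() {
        return this.forceEagerSessionCreation;
    }

    /**
     * @param forceEagerSessionCreation when {@code true}, the session is requested with
     *        creation enabled before the chain runs; requires session creation to be allowed
     */
    public void setForceEagerSessionCreation(boolean forceEagerSessionCreation) {
        this.forceEagerSessionCreation = forceEagerSessionCreation;
    }

    /** @return this filter's position in the chain, {@code FilterChainOrder.HTTP_SESSION_CONTEXT_FILTER} */
    @Override
    public int getOrder() {
        return FilterChainOrder.HTTP_SESSION_CONTEXT_FILTER;
    }

    /**
     * Decompiled class-literal helper; no longer called from within this class.
     *
     * @param str fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }
}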
