package com.sun.identity.wss.security.handler;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.services.util.Crypt;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.common.PeriodicCleanUpMap;
import com.sun.identity.common.SystemConfigurationUtil;
import com.sun.identity.liberty.ws.authnsvc.AuthnSvcClient;
import com.sun.identity.liberty.ws.authnsvc.AuthnSvcException;
import com.sun.identity.liberty.ws.authnsvc.protocol.SASLRequest;
import com.sun.identity.liberty.ws.authnsvc.protocol.SASLResponse;
import com.sun.identity.liberty.ws.disco.ResourceOffering;
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.soapbinding.SOAPBindingConstants;
import com.sun.identity.liberty.ws.soapbinding.SOAPBindingException;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLUtilsCommon;
import com.sun.identity.saml.xmlsig.KeyProvider;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.wss.logging.LogUtil;
import com.sun.identity.wss.provider.ProviderConfig;
import com.sun.identity.wss.provider.ProviderException;
import com.sun.identity.wss.provider.STSConfig;
import com.sun.identity.wss.provider.TrustAuthorityConfig;
import com.sun.identity.wss.security.AssertionToken;
import com.sun.identity.wss.security.AssertionTokenSpec;
import com.sun.identity.wss.security.BinarySecurityToken;
import com.sun.identity.wss.security.KerberosTokenSpec;
import com.sun.identity.wss.security.PasswordCredential;
import com.sun.identity.wss.security.SAML2Token;
import com.sun.identity.wss.security.SAML2TokenSpec;
import com.sun.identity.wss.security.SecurityException;
import com.sun.identity.wss.security.SecurityMechanism;
import com.sun.identity.wss.security.SecurityToken;
import com.sun.identity.wss.security.SecurityTokenFactory;
import com.sun.identity.wss.security.UserNameTokenSpec;
import com.sun.identity.wss.security.WSSConstants;
import com.sun.identity.wss.security.WSSUtils;
import com.sun.identity.wss.security.X509TokenSpec;
import com.sun.identity.wss.sts.FAMSTSException;
import com.sun.identity.wss.sts.TrustAuthorityClient;
import com.sun.identity.wss.sts.config.STSRemoteConfig;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.logging.Level;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFault;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/wss/security/handler/SOAPRequestHandler.class */
public class SOAPRequestHandler implements SOAPRequestHandlerInterface {
    // Provider name read from the init(Map) configuration; only used to tag audit log records.
    private String providerName = null;
    // Key under which init(Map) looks up the provider name (instance field, though it acts as a constant).
    private String PROVIDER_NAME = "providername";
    // Shared debug and message resources, taken from WSSUtils (non-final statics as decompiled).
    private static Debug debug = WSSUtils.debug;
    private static ResourceBundle bundle = WSSUtils.bundle;
    // Path separators used when normalising the keystore file path in initializeSystemProperties.
    private static String BACK_SLASH = "\\";
    private static String FORWARD_SLASH = "/";
    // Pluggable authenticator/authorizer, reached through getAuthenticator()/getAuthorizer()
    // (defined outside this excerpt) — presumably loaded once from the two properties below; confirm.
    private static MessageAuthenticator authenticator = null;
    private static MessageAuthorizer authorizer = null;
    // Property names of the pluggable authenticator and authorizer implementations.
    private static final String WSS_AUTHENTICATOR = "com.sun.identity.wss.security.authenticator";
    private static final String WSS_AUTHORIZER = "com.sun.identity.wss.security.authorizer";
    // Not referenced in the visible part of this class.
    private static final String LIBERTY_AUTHN_URL = "com.sun.identity.liberty.authnsvc.url";
    private static final String MECHANISM_SSOTOKEN = "SSOTOKEN";
    private static final String ASSERTION_ISSUER = "com.sun.identity.wss.security.samlassertion.issuer";
    // Shared-state map keys: the client certificate (read in secureResponse) and the
    // client cert alias (written in validateRequest, read in secureResponse) used to pick
    // the encryption recipient of the response.
    private static final String CLIENT_CERT = "AuthnSubjectCertificate";
    private static final String CLIENT_CERT_ALIAS = "AuthnClientCertAlias";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/wss/security/handler/SOAPRequestHandler$SubjectSecurity.class */
    /**
     * Per-subject security material looked up by the handler; every field starts
     * out {@code null}. Only the enclosing handler instantiates it.
     */
    public class SubjectSecurity {
        /** SSO session token of the subject (consumed by secureRequest). */
        SSOToken ssoToken = null;
        /** Discovery-service resource offering; presumably for the Liberty flow — confirm. */
        ResourceOffering discoRO = null;
        /** Raw (untyped) list of discovery-service credentials. */
        List discoCredentials = null;
        /** Raw (untyped) list of user credentials. */
        List userCredentials = null;

        /** Private: instances are created by the enclosing handler only. */
        private SubjectSecurity() {
        }
    }

    /**
     * Initialises the handler from its configuration map. Only the entry keyed by
     * {@code PROVIDER_NAME} ("providername") is consumed; it becomes the provider
     * name used in audit log records. A {@code null} map is not tolerated.
     *
     * @param map handler configuration
     * @throws SecurityException declared by the interface; not raised here
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public void init(Map map) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.Init map:");
        }
        Object configuredName = map.get(this.PROVIDER_NAME);
        this.providerName = (String) configuredName;
    }

    /**
     * Validates an inbound SOAP request on the service-provider side (WSP, or the
     * STS configuration when the shared map flags a WS-Trust message).
     * <p>
     * Processing order, as implemented below: reject SOAP faults; select the
     * provider configuration; delegate Liberty ID-WSF messages to
     * {@link MessageProcessor}; otherwise decrypt when configured, parse the
     * WS-Security header, run message-ID replay detection, verify the XML
     * signature when configured (skipped for the Kerberos mechanism), check the
     * mechanism declared by the message against the accepted list, authenticate,
     * run the timestamp-based replay check, optionally verify the Kerberos token
     * signature, strip the validated headers, then authorize.
     *
     * @param sOAPMessage         the inbound message; replaced by its decrypted
     *                            form when request decryption is configured
     * @param subject             subject to authenticate; returned unchanged for
     *                            Liberty and anonymous flows
     * @param map                 shared state between handler calls; a null or
     *                            empty map is replaced by a private HashMap, so
     *                            entries put here never reach such a caller
     * @param httpServletRequest  forwarded to the Liberty processor only
     * @param httpServletResponse not used by this implementation
     * @return the authenticated and authorized {@link Subject}, or the input
     *         subject for Liberty and anonymous flows
     * @throws SecurityException for SOAP faults, replay, signature failure,
     *         unsupported mechanism, failed authentication or authorization, or
     *         any {@link SOAPException} raised while reading the message
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public Object validateRequest(SOAPMessage sOAPMessage, Subject subject, Map map, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws SecurityException {
        ProviderConfig wSPConfig;
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.validateRequest: Received SOAP message Before validation: " + WSSUtils.print(sOAPMessage.getSOAPPart()));
        }
        try {
            // A request that already carries a SOAP fault is rejected outright.
            if (sOAPMessage.getSOAPPart().getEnvelope().getBody().hasFault()) {
                SOAPFault fault = sOAPMessage.getSOAPPart().getEnvelope().getBody().getFault();
                String faultCode = fault.getFaultCode();
                String faultString = fault.getFaultString();
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.validateRequest - SOAPFault code : " + faultCode);
                    debug.message("SOAPRequestHandler.validateRequest - SOAPFault errorString : " + faultString);
                }
                throw new SecurityException(bundle.getString("notAuthorizedByServer"));
            }
            // An empty caller map is replaced, so the later put() calls
            // (CLIENT_CERT_ALIAS, updateSharedState) are invisible to such a caller.
            if (map == null || map.isEmpty()) {
                map = new HashMap();
            }
            if (LogUtil.isLogEnabled()) {
                LogUtil.access(Level.FINE, LogUtil.REQUEST_TO_BE_VALIDATED, new String[]{WSSUtils.print(sOAPMessage.getSOAPPart())}, null);
            }
            Boolean bool = (Boolean) map.get("IS_TRUST_MSG");
            boolean booleanValue = bool != null ? bool.booleanValue() : false;
            // WS-Trust requests are validated against the STS provider configuration.
            if (booleanValue) {
                debug.message("ValidateRequest: This is WS-Trust Request");
                wSPConfig = getSTSProviderConfig(new STSRemoteConfig());
            } else {
                wSPConfig = getWSPConfig();
            }
            // Liberty ID-WSF messages have their own processor; the subject is returned as-is.
            if (isLibertyMessage(sOAPMessage)) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.validateRequest:: Incoming SOAPMessage is of liberty message type.");
                }
                try {
                    new MessageProcessor(wSPConfig).validateRequest(sOAPMessage, subject, map, httpServletRequest);
                    removeValidatedHeaders(wSPConfig, sOAPMessage);
                    return subject;
                } catch (SOAPBindingException e) {
                    debug.error("SOAPRequestHandler.validateRequest:: SOAPBindingException:: ", e);
                    throw new SecurityException(e.getMessage());
                }
            }
            SecureSOAPMessage secureSOAPMessage = new SecureSOAPMessage(sOAPMessage, false);
            SecurityContext securityContext = new SecurityContext();
            // NOTE(review): wSPConfig is dereferenced here although it is null-checked
            // further down (decrypt and signature blocks); a null config therefore
            // fails with a NullPointerException rather than a SecurityException.
            securityContext.setDecryptionAlias(wSPConfig.getKeyAlias());
            // Verification certificate: when the message names a client DNS claim, use
            // the key alias of the matching WSC configuration and remember it for the
            // response encryption in secureResponse; otherwise the provider's public key alias.
            String clientDnsClaim = secureSOAPMessage.getClientDnsClaim();
            if (clientDnsClaim != null) {
                ProviderConfig configByDnsClaim = WSSUtils.getConfigByDnsClaim(clientDnsClaim, ProviderConfig.WSC);
                if (configByDnsClaim != null) {
                    String keyAlias = configByDnsClaim.getKeyAlias();
                    securityContext.setVerificationCertAlias(keyAlias);
                    map.put(CLIENT_CERT_ALIAS, keyAlias);
                }
            } else {
                securityContext.setVerificationCertAlias(wSPConfig.getPublicKeyAlias());
            }
            secureSOAPMessage.setSecurityContext(securityContext);
            // Decrypt when configured, then re-wrap the decrypted message before the
            // security header is parsed.
            if (wSPConfig != null && (wSPConfig.isRequestEncryptEnabled() || wSPConfig.isRequestHeaderEncryptEnabled())) {
                secureSOAPMessage.decrypt(wSPConfig.getKeyAlias(), wSPConfig.isRequestEncryptEnabled(), wSPConfig.isRequestHeaderEncryptEnabled());
                sOAPMessage = secureSOAPMessage.getSOAPMessage();
                secureSOAPMessage = new SecureSOAPMessage(sOAPMessage, false);
                secureSOAPMessage.setSecurityContext(securityContext);
            }
            secureSOAPMessage.parseSecurityHeader(secureSOAPMessage.getSecurityHeaderElement());
            // Replay detection keyed by message ID; the timestamp-based variant below
            // covers messages without an ID.
            String messageID = secureSOAPMessage.getMessageID();
            if (messageID != null && wSPConfig.isMessageReplayDetectionEnabled() && checkForReplay(messageID, wSPConfig.getProviderName())) {
                throw new SecurityException(bundle.getString("replayAttackDetected"));
            }
            // Mechanism as declared by the message's own security header.
            String uri = secureSOAPMessage.getSecurityMechanism().getURI();
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.validateRequest: soap message security mechanism: " + uri);
            }
            // XML signature verification, when required by config, applies to every
            // mechanism except Kerberos; a Kerberos message is instead checked below
            // through its token signature, and only when isValidateKerberosSignature() is set.
            if (wSPConfig != null && wSPConfig.isRequestSignEnabled() && !uri.equals(SecurityMechanism.WSS_NULL_KERBEROS_TOKEN_URI)) {
                if (!secureSOAPMessage.verifySignature()) {
                    if (debug.warningEnabled()) {
                        debug.warning("SOAPRequestHandler.validateRequest:: Signature verification failed.");
                    }
                    throw new SecurityException(bundle.getString("signatureValidationFailed"));
                }
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.validateRequest: Signature verification successful");
                }
            }
            // NOTE(review): list stays null when wSPConfig is null, so contains() below would NPE.
            List list = null;
            if (wSPConfig != null) {
                list = wSPConfig.getSecurityMechanisms();
            }
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.validateRequest: list of accepted SecurityMechanisms : " + list);
            }
            // A mechanism the provider does not list is still admitted — without
            // authentication — when the provider accepts any anonymous mechanism;
            // otherwise the request is rejected.
            if (!list.contains(uri)) {
                if (list.contains(SecurityMechanism.WSS_NULL_ANONYMOUS_URI) || list.contains(SecurityMechanism.WSS_TLS_ANONYMOUS_URI) || list.contains(SecurityMechanism.WSS_CLIENT_TLS_ANONYMOUS_URI)) {
                    if (debug.messageEnabled()) {
                        debug.message("SOAPRequestHandler.validateRequest:: provider is not configured for the incoming message  level type but allows anonymous");
                    }
                    return subject;
                }
                if (debug.warningEnabled()) {
                    debug.warning("SOAPRequestHandler.validateRequest: unsupported security mechanism");
                }
                throw new SecurityException(bundle.getString("unsupportedSecurityMechanism"));
            }
            // Anonymous mechanisms carry no token to authenticate.
            if (SecurityMechanism.WSS_NULL_ANONYMOUS_URI.equals(uri) || SecurityMechanism.WSS_TLS_ANONYMOUS_URI.equals(uri) || SecurityMechanism.WSS_CLIENT_TLS_ANONYMOUS_URI.equals(uri)) {
                return subject;
            }
            // Pluggable authenticator; its result is the subject authorization sees.
            Subject subject2 = (Subject) getAuthenticator().authenticate(subject, secureSOAPMessage.getSecurityMechanism(), secureSOAPMessage.getSecurityToken(), wSPConfig, secureSOAPMessage, false);
            // Replay detection by (subject, timestamp) for messages without an ID.
            if (messageID == null && wSPConfig.isMessageReplayDetectionEnabled() && checkForReplay(subject2, secureSOAPMessage.getMessageTimestamp(), wSPConfig.getProviderName())) {
                throw new SecurityException(bundle.getString("replayAttackDetected"));
            }
            // Kerberos: verify the token signature with the first Key found in the
            // subject's public credentials (presumably placed there by the authenticator).
            if (uri.equals(SecurityMechanism.WSS_NULL_KERBEROS_TOKEN_URI) && wSPConfig.isValidateKerberosSignature()) {
                Key key = null;
                Iterator<Object> it = subject2.getPublicCredentials().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    Object next = it.next();
                    if (next instanceof Key) {
                        key = (Key) next;
                        break;
                    }
                }
                if (!secureSOAPMessage.verifyKerberosTokenSignature(key)) {
                    debug.error("SOAPRequestHandler.validateRequest::Signatureverification failed.");
                    throw new SecurityException(bundle.getString("signatureValidationFailed"));
                }
            }
            // Remove the security headers that have now been validated.
            removeValidatedHeaders(wSPConfig, sOAPMessage);
            // Publish the subject for later handler calls (cleared again in
            // secureResponse); skipped for WS-Trust messages.
            if (!booleanValue) {
                ThreadLocalService.setSubject(subject2);
            }
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.validateRequest:** SOAP message at the end of Validate request **");
                debug.message(WSSUtils.print(sOAPMessage.getSOAPPart()));
            }
            if (LogUtil.isLogEnabled()) {
                LogUtil.access(Level.INFO, LogUtil.SUCCESS_VALIDATE_REQUEST, new String[]{this.providerName, uri}, null);
            }
            // Shared state is updated only for an authorized subject.
            if (getAuthorizer().authorize(subject2, secureSOAPMessage, secureSOAPMessage.getSecurityMechanism(), secureSOAPMessage.getSecurityToken(), wSPConfig, false)) {
                updateSharedState(subject2, map);
                return subject2;
            }
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.validateRequest:  Unauthorized. ");
            }
            throw new SecurityException(bundle.getString("notAuthorized"));
        } catch (SOAPException e2) {
            // Only the message survives; the SOAPException itself is not chained as cause.
            throw new SecurityException(e2.getMessage());
        }
    }

    /**
     * Secures an outbound SOAP response on the provider side: signs and/or
     * encrypts it according to the provider configuration, or returns it
     * untouched when neither is enabled.
     * <p>
     * WS-Trust responses ({@code "IS_TRUST_MSG"} in {@code map}) use the STS
     * provider configuration; all other responses use the WSP configuration and
     * clear the thread-local subject published by {@link #validateRequest}.
     * Liberty requests (flagged via {@link SOAPBindingConstants#LIBERTY_REQUEST})
     * are delegated to {@link MessageProcessor}.
     *
     * @param sOAPMessage the response to secure
     * @param map         shared state from the request phase; may carry the
     *                    client certificate ({@code CLIENT_CERT}) or its alias
     *                    ({@code CLIENT_CERT_ALIAS}), which select the encryption
     *                    recipient
     * @return the secured message, or {@code sOAPMessage} itself when neither
     *         response signing nor encryption is enabled
     * @throws SecurityException for SOAP faults, Liberty binding errors, or any
     *         {@link SOAPException}
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public SOAPMessage secureResponse(SOAPMessage sOAPMessage, Map map) throws SecurityException {
        ProviderConfig wSPConfig;
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.secureResponse - Input SOAP message before securing : " + WSSUtils.print(sOAPMessage.getSOAPPart()));
        }
        try {
            // A response carrying a SOAP fault is not secured but rejected.
            if (sOAPMessage.getSOAPPart().getEnvelope().getBody().hasFault()) {
                SOAPFault fault = sOAPMessage.getSOAPPart().getEnvelope().getBody().getFault();
                String faultCode = fault.getFaultCode();
                String faultString = fault.getFaultString();
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.secureResponse - SOAPFault code : " + faultCode);
                    debug.message("SOAPRequestHandler.secureResponse - SOAPFault errorString : " + faultString);
                }
                throw new SecurityException(bundle.getString("notAuthorizedByServer"));
            }
            if (map == null || map.isEmpty()) {
                map = new HashMap();
            }
            if (LogUtil.isLogEnabled()) {
                LogUtil.access(Level.FINE, LogUtil.RESPONSE_TO_BE_SECURED, new String[]{WSSUtils.print(sOAPMessage.getSOAPPart())}, null);
            }
            STSRemoteConfig sTSRemoteConfig = null;
            Boolean bool = (Boolean) map.get("IS_TRUST_MSG");
            if (bool != null ? bool.booleanValue() : false) {
                debug.message("SecureResponse: This is WS-Trust Response");
                sTSRemoteConfig = new STSRemoteConfig();
                wSPConfig = getSTSProviderConfig(sTSRemoteConfig);
            } else {
                // End of the request/response cycle: drop the subject set in validateRequest.
                ThreadLocalService.removeSubject();
                wSPConfig = getWSPConfig();
            }
            if (map.get(SOAPBindingConstants.LIBERTY_REQUEST) != null) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.secureResponse: liberty req:");
                }
                try {
                    return new MessageProcessor(wSPConfig).secureResponse(sOAPMessage, map);
                } catch (SOAPBindingException e) {
                    debug.error("SOAPRequestHandler.secureResponse:: SOAPBindingException.", e);
                    throw new SecurityException(e.getMessage());
                }
            }
            SecurityContext securityContext = new SecurityContext();
            // NOTE(review): wSPConfig is dereferenced here (and again for setSigningRef,
            // setSignedElements and encrypt) before the null checks that follow, so the
            // sTSRemoteConfig alias fallback below cannot be reached without an NPE.
            SecureSOAPMessage secureSOAPMessage = new SecureSOAPMessage(sOAPMessage, true, wSPConfig.getSignedElements());
            try {
                secureSOAPMessage.getSOAPMessage().saveChanges();
                // Nothing to do when the provider requires neither signing nor encryption.
                if (wSPConfig != null && !wSPConfig.isResponseSignEnabled() && !wSPConfig.isResponseEncryptEnabled()) {
                    return sOAPMessage;
                }
                SecurityTokenFactory securityTokenFactory = SecurityTokenFactory.getInstance(WSSUtils.getAdminToken());
                // Signing alias: the system-wide certalias property, overridden by the
                // provider config (or, nominally, by the STS remote config).
                String property = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
                String str = null;
                if (wSPConfig != null) {
                    property = wSPConfig.getKeyAlias();
                    str = wSPConfig.getPublicKeyAlias();
                } else if (sTSRemoteConfig != null) {
                    property = sTSRemoteConfig.getPrivateKeyAlias();
                    str = sTSRemoteConfig.getPublicKeyAlias();
                }
                securityContext.setSigningCertAlias(property);
                securityContext.setSigningRef(wSPConfig.getSigningRefType());
                // X.509 v3 binary security token for the signing certificate.
                SecurityToken securityToken = securityTokenFactory.getSecurityToken(new X509TokenSpec(new String[]{property}, BinarySecurityToken.X509V3, BinarySecurityToken.BASE64BINARY));
                secureSOAPMessage.setSecurityContext(securityContext);
                secureSOAPMessage.setSecurityToken(securityToken);
                secureSOAPMessage.setSecurityMechanism(SecurityMechanism.WSS_NULL_X509_TOKEN);
                secureSOAPMessage.setSignedElements(wSPConfig.getSignedElements());
                if (wSPConfig != null && wSPConfig.isResponseSignEnabled()) {
                    secureSOAPMessage.sign();
                }
                // Encryption recipient: the client certificate from shared state (resolved
                // to an alias through the key provider), else the CLIENT_CERT_ALIAS put by
                // validateRequest, else the provider's configured public key alias.
                if (wSPConfig != null && wSPConfig.isResponseEncryptEnabled()) {
                    KeyProvider keyProvider = WSSUtils.getXMLSignatureManager().getKeyProvider();
                    X509Certificate x509Certificate = (X509Certificate) map.get(CLIENT_CERT);
                    String str2 = str;
                    if (x509Certificate != null) {
                        str2 = keyProvider.getCertificateAlias(x509Certificate);
                    } else {
                        String str3 = (String) map.get(CLIENT_CERT_ALIAS);
                        if (str3 != null) {
                            str2 = str3;
                        }
                    }
                    secureSOAPMessage.encrypt(str2, wSPConfig.getEncryptionAlgorithm(), wSPConfig.getEncryptionStrength(), true, false);
                }
                SOAPMessage sOAPMessage2 = secureSOAPMessage.getSOAPMessage();
                if (LogUtil.isLogEnabled()) {
                    LogUtil.access(Level.INFO, LogUtil.SUCCESS_SECURE_RESPONSE, new String[]{this.providerName}, null);
                }
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.secureResponse - Secured SOAP response : " + WSSUtils.print(sOAPMessage2.getSOAPPart()));
                }
                return sOAPMessage2;
            } catch (SOAPException e2) {
                // Same wrapping as the outer handler; this inner catch is redundant.
                throw new SecurityException(e2.getMessage());
            }
        } catch (SOAPException e3) {
            throw new SecurityException(e3.getMessage());
        }
    }

    /**
     * Secures an outbound SOAP request on the client (WSC) side.
     * <p>
     * The first configured security mechanism decides the flow: anonymous
     * mechanisms attach no token; mechanisms that require a trust-authority
     * lookup obtain the token from the STS (or from the Liberty services for
     * {@code LIBERTY_DS_SECURITY_URI}); all others generate the token locally via
     * {@code getSecurityToken}. The message is then signed and/or encrypted as
     * configured.
     *
     * @param sOAPMessage the request to secure
     * @param subject     the caller's subject; replaced by the result of
     *                    {@code getAuthenticatedSubject()} when pass-through
     *                    tokens are enabled and such a subject exists
     * @param map         shared state; consulted for a provider configuration,
     *                    falling back to the WSC configuration
     * @return the secured message
     * @throws SecurityException when no security mechanism is configured, no
     *         SSOToken is available for the Liberty flow, or the STS call fails
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public SOAPMessage secureRequest(SOAPMessage sOAPMessage, Subject subject, Map map) throws SecurityException {
        SecureSOAPMessage secureSOAPMessage;
        SecurityToken securityToken;
        Subject authenticatedSubject;
        if (LogUtil.isLogEnabled()) {
            LogUtil.access(Level.FINE, LogUtil.REQUEST_TO_BE_SECURED, new String[]{WSSUtils.print(sOAPMessage.getSOAPPart())}, null);
        }
        // Provider config from the shared map first, else the WSC configuration.
        ProviderConfig providerConfig = getProviderConfig(map);
        if (providerConfig == null) {
            if (WSSUtils.debug.messageEnabled()) {
                WSSUtils.debug.message("SOAPRequestHandler.secureRequest: Provider configuration from shared map is null");
            }
            providerConfig = getWSCConfig();
        }
        List securityMechanisms = providerConfig.getSecurityMechanisms();
        if (securityMechanisms == null || securityMechanisms.isEmpty()) {
            throw new SecurityException(bundle.getString("securityMechNotConfigured"));
        }
        // Only the first configured mechanism is used.
        SecurityMechanism securityMechanism = SecurityMechanism.getSecurityMechanism((String) securityMechanisms.iterator().next());
        SecurityContext securityContext = new SecurityContext();
        // Signing key alias: provider config, else the system-wide certalias property.
        String keyAlias = providerConfig.getKeyAlias();
        if (keyAlias == null) {
            keyAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
        }
        if (keyAlias != null) {
            securityContext.setSigningCertAlias(keyAlias);
            securityContext.setKeyType(SecurityContext.ASYMMETRIC_KEY);
        }
        securityContext.setEncryptionKeyAlias(providerConfig.getPublicKeyAlias());
        securityContext.setSigningRef(providerConfig.getSigningRefType());
        String uri = securityMechanism.getURI();
        // Anonymous mechanisms: no security token is attached.
        if (SecurityMechanism.WSS_NULL_ANONYMOUS_URI.equals(uri) || SecurityMechanism.WSS_TLS_ANONYMOUS_URI.equals(uri) || SecurityMechanism.WSS_CLIENT_TLS_ANONYMOUS_URI.equals(uri)) {
            secureSOAPMessage = new SecureSOAPMessage(sOAPMessage, true, providerConfig.getSignedElements());
        } else {
            // Token obtained from a trust authority (STS) or the Liberty services.
            if (securityMechanism.isTALookupRequired()) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.secureRequest :using STS for security tokens");
                }
                // Pass-through: the already-authenticated subject replaces the caller's
                // subject (presumably the one published in validateRequest — confirm).
                if (providerConfig.usePassThroughSecurityToken() && (authenticatedSubject = getAuthenticatedSubject()) != null) {
                    if (debug.messageEnabled()) {
                        debug.message("SOAPRequestHandler.secureRequest : using the authenticated subject");
                    }
                    subject = authenticatedSubject;
                }
                // SSOToken from the subject's security data, else the thread-local one.
                SSOToken sSOToken = getSubjectSecurity(subject).ssoToken;
                if (sSOToken == null) {
                    if (debug.messageEnabled()) {
                        debug.message("SOAPRequestHandler.secureRequest:: using thread local for SSOToken");
                    }
                    sSOToken = (SSOToken) ThreadLocalService.getSSOToken();
                }
                if (debug.messageEnabled() && sSOToken != null) {
                    debug.message("SOAPequestHandler.secureRequest: ssoToken is available. ");
                }
                // Liberty ID-WSF: the SSOToken is mandatory and the message is secured elsewhere.
                if (securityMechanism.getURI().equals(SecurityMechanism.LIBERTY_DS_SECURITY_URI)) {
                    if (sSOToken == null) {
                        throw new SecurityException(bundle.getString("invalidSSOToken"));
                    }
                    if (debug.messageEnabled()) {
                        debug.message("SOAPRequestHandler.secureRequest:  using liberty security");
                    }
                    return getSecureMessageFromLiberty(sSOToken, subject, sOAPMessage, map, providerConfig);
                }
                // STS: request the token on behalf of either the SSOToken or a custom credential.
                try {
                    TrustAuthorityClient trustAuthorityClient = new TrustAuthorityClient();
                    String name = providerConfig.getTrustAuthorityConfig().getName();
                    if (name != null) {
                        ThreadLocalService.setServiceName(name);
                    }
                    Object customCredential = getCustomCredential(subject);
                    if (customCredential == null) {
                        if (debug.messageEnabled()) {
                            debug.message("SOAPRequestHandler.secureRequest: using sso token as OBOToken");
                        }
                        securityToken = trustAuthorityClient.getSecurityToken(providerConfig, sSOToken);
                    } else {
                        if (debug.messageEnabled()) {
                            debug.message("SOAPRequestHandler.secureRequest: using custom token as OBOToken");
                        }
                        securityToken = trustAuthorityClient.getSecurityToken(providerConfig, customCredential);
                    }
                    // A secret key returned by the STS switches signing to a symmetric key.
                    if (trustAuthorityClient.getSecretKey() != null) {
                        securityContext.setSigningKey(trustAuthorityClient.getSecretKey());
                        securityContext.setKeyType("SymmetricKey");
                    }
                } catch (FAMSTSException e) {
                    debug.error("SOAPRequestHandler.secureRequest: exceptionin obtaining STS Token", e);
                    throw new SecurityException(e.getMessage());
                }
            } else {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.secureRequest:  Generate security tokens locally");
                }
                securityToken = getSecurityToken(securityMechanism, providerConfig, subject);
            }
            secureSOAPMessage = new SecureSOAPMessage(sOAPMessage, true, providerConfig.getSignedElements());
            String dNSClaim = providerConfig.getDNSClaim();
            if (dNSClaim != null) {
                secureSOAPMessage.setSenderIdentity(dNSClaim);
            }
            // For the X.509 mechanism with a signing reference other than
            // DirectReference the token is not placed in the message (presumably the
            // signature references the certificate another way — confirm).
            String signingRefType = providerConfig.getSigningRefType();
            if (!securityMechanism.getURI().equals(SecurityMechanism.WSS_NULL_X509_TOKEN_URI) || signingRefType == null || "DirectReference".equals(signingRefType)) {
                secureSOAPMessage.setSecurityToken(securityToken);
            }
        }
        secureSOAPMessage.setSecurityMechanism(securityMechanism);
        secureSOAPMessage.setSecurityContext(securityContext);
        // Sign first, then encrypt body and/or header as configured.
        if (providerConfig.isRequestSignEnabled()) {
            secureSOAPMessage.sign();
        }
        if (providerConfig.isRequestEncryptEnabled() || providerConfig.isRequestHeaderEncryptEnabled()) {
            secureSOAPMessage.encrypt(providerConfig.getPublicKeyAlias(), providerConfig.getEncryptionAlgorithm(), providerConfig.getEncryptionStrength(), providerConfig.isRequestEncryptEnabled(), providerConfig.isRequestHeaderEncryptEnabled());
        }
        SOAPMessage sOAPMessage2 = secureSOAPMessage.getSOAPMessage();
        if (LogUtil.isLogEnabled()) {
            LogUtil.access(Level.INFO, LogUtil.SUCCESS_SECURE_REQUEST, new String[]{this.providerName, uri}, null);
        }
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.secureRequest:  SOAP message after securing: " + WSSUtils.print(sOAPMessage2.getSOAPPart()));
        }
        return sOAPMessage2;
    }

    /**
     * Validates an inbound SOAP response on the client (WSC) side: rejects SOAP
     * faults, delegates Liberty messages to {@link MessageProcessor}, and — when
     * the provider configuration enables response encryption or signing —
     * decrypts the message and verifies its signature before stripping the
     * validated security headers. With neither enabled, the headers are stripped
     * without any cryptographic check.
     *
     * @param sOAPMessage the response to validate
     * @param map         shared state; consulted for a provider configuration,
     *                    falling back to the WSC configuration
     * @throws SecurityException for SOAP faults, Liberty binding errors, a failed
     *         signature check, or any {@link SOAPException}
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public void validateResponse(SOAPMessage sOAPMessage, Map map) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.validateResponse - Input SOAP message : " + WSSUtils.print(sOAPMessage.getSOAPPart()));
        }
        try {
            boolean carriesFault = sOAPMessage.getSOAPPart().getEnvelope().getBody().hasFault();
            if (carriesFault) {
                SOAPFault soapFault = sOAPMessage.getSOAPPart().getEnvelope().getBody().getFault();
                String code = soapFault.getFaultCode();
                String reason = soapFault.getFaultString();
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.validateResponse - SOAPFault code : " + code);
                    debug.message("SOAPRequestHandler.validateResponse - SOAPFault errorString : " + reason);
                }
                throw new SecurityException(bundle.getString("notAuthorizedByServer"));
            }
            if (LogUtil.isLogEnabled()) {
                String[] logData = new String[]{WSSUtils.print(sOAPMessage.getSOAPPart())};
                LogUtil.access(Level.FINE, LogUtil.RESPONSE_TO_BE_VALIDATED, logData, null);
            }
            // Provider config from the shared map, else the WSC configuration.
            ProviderConfig config = getProviderConfig(map);
            if (config == null) {
                if (WSSUtils.debug.messageEnabled()) {
                    WSSUtils.debug.message("SOAPRequestHandler.validateResponse: Provider configuration from shared map is null");
                }
                config = getWSCConfig();
            }
            if (isLibertyMessage(sOAPMessage)) {
                try {
                    MessageProcessor libertyProcessor = new MessageProcessor(config);
                    libertyProcessor.validateResponse(sOAPMessage, map);
                    removeValidatedHeaders(config, sOAPMessage);
                    return;
                } catch (SOAPBindingException e) {
                    debug.error("SOAPRequestHandler.validateResponse:: SOAPBindingException. ", e);
                    throw new SecurityException(e.getMessage());
                }
            }
            if (config.isResponseEncryptEnabled() || config.isResponseSignEnabled()) {
                SecureSOAPMessage secured = new SecureSOAPMessage(sOAPMessage, false);
                SecurityContext context = new SecurityContext();
                context.setDecryptionAlias(config.getKeyAlias());
                context.setVerificationCertAlias(config.getPublicKeyAlias());
                // Decrypt the body only (header decryption flag is false); the
                // decrypted message replaces the parameter for the rest of the method.
                if (config.isResponseEncryptEnabled()) {
                    secured.decrypt(config.getKeyAlias(), config.isResponseEncryptEnabled(), false);
                    sOAPMessage = secured.getSOAPMessage();
                }
                secured.parseSecurityHeader(secured.getSecurityHeaderElement());
                secured.setSecurityContext(context);
                // Signature is only verified when response signing is configured.
                boolean signatureAccepted = !config.isResponseSignEnabled() || secured.verifySignature();
                if (!signatureAccepted) {
                    debug.error("SOAPRequestHandler.validateResponse:: Signature Verification failed");
                    throw new SecurityException(bundle.getString("signatureValidationFailed"));
                }
            }
            removeValidatedHeaders(config, sOAPMessage);
            if (LogUtil.isLogEnabled()) {
                String[] logData = new String[]{this.providerName};
                LogUtil.access(Level.INFO, LogUtil.SUCCESS_VALIDATE_RESPONSE, logData, null);
            }
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.validateResponse - SOAP message after validation : " + WSSUtils.print(sOAPMessage.getSOAPPart()));
            }
        } catch (SOAPException e2) {
            // Only the message is kept; the SOAPException is not chained as cause.
            throw new SecurityException(e2.getMessage());
        }
    }

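    /**
     * Publishes a provider-specific keystore to the xmlsig layer via system properties.
     *
     * <p>The xmlsig layer reads the (encrypted) keystore and key passwords from files, so this
     * method materialises them as {@code .storepassfile} / {@code .keypassfile} next to the
     * keystore and then points the {@code com.sun.identity.saml.xmlsig.*} properties at them.
     * When the provider carries no keystore information the method returns without touching
     * anything and the AMConfig defaults stay in effect.
     *
     * @param providerConfig provider whose keystore settings should become the active ones
     * @throws IOException if a password file cannot be written
     */
    private void initializeSystemProperties(ProviderConfig providerConfig) throws IOException {
        String keyStoreFile = providerConfig.getKeyStoreFile();
        String keyStoreEncryptedPasswd = providerConfig.getKeyStoreEncryptedPasswd();
        String keyEncryptedPassword = providerConfig.getKeyEncryptedPassword();
        String keyAlias = providerConfig.getKeyAlias();
        if (keyStoreFile == null || keyStoreEncryptedPasswd == null) {
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.initSystemProperties:: Provider config does not have keystore information. Will fallback to the default configuration in AMConfig.");
            }
            return;
        }
        // String.replaceAll returns a new string; the original discarded it, so Windows paths
        // were never normalised and lastIndexOf(FORWARD_SLASH) below could miss the directory.
        if (keyStoreFile.indexOf(BACK_SLASH) != -1) {
            keyStoreFile = keyStoreFile.replaceAll(BACK_SLASH, FORWARD_SLASH);
        }
        int lastSlash = keyStoreFile.lastIndexOf(FORWARD_SLASH);
        String keyStoreDir = keyStoreFile.substring(0, lastSlash);
        String storePassFile = keyStoreDir + "/.storepassfile";
        String keyPassFile = keyStoreDir + "/.keypassfile";
        // Only locations are logged: the encrypted passwords are reversible secrets and do not
        // belong in the debug log.
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.initSystemProperties:: \nKeyStoreFile: " + keyStoreFile
                    + "\nLocation of the store encrypted password: " + storePassFile
                    + "\nLocation of the key encrypted password: " + keyPassFile);
        }
        // A key password is optional; the keystore password doubles as the key password.
        if (keyEncryptedPassword == null) {
            keyEncryptedPassword = keyStoreEncryptedPasswd;
        }
        writePasswordFile(keyPassFile, keyEncryptedPassword);
        writePasswordFile(storePassFile, keyStoreEncryptedPasswd);
        SystemProperties.initializeProperties("com.sun.identity.saml.xmlsig.keystore", keyStoreFile);
        SystemProperties.initializeProperties("com.sun.identity.saml.xmlsig.storepass", storePassFile);
        SystemProperties.initializeProperties("com.sun.identity.saml.xmlsig.keypass", keyPassFile);
        SystemProperties.initializeProperties("com.sun.identity.saml.xmlsig.certalias", keyAlias);
    }

    /**
     * Writes {@code contents} to {@code path}, overwriting any previous file, and closes the
     * stream even when the write fails (the original left both streams open).
     *
     * <p>The file holds a password (encrypted, but reversible by this deployment), so access is
     * narrowed to the owning account on a best-effort basis; {@link File#setReadable} returns
     * {@code false} on file systems without per-user permissions and that is deliberately
     * ignored. The platform charset is kept because the reader side is not visible here and
     * is presumably using the same default.
     *
     * @param path     file to (re)create
     * @param contents text to store
     * @throws IOException if the file cannot be created or written
     */
    private static void writePasswordFile(String path, String contents) throws IOException {
        File file = new File(path);
        FileOutputStream out = new FileOutputStream(file);
        try {
            out.write(contents.getBytes());
            out.flush();
        } finally {
            out.close();
        }
        file.setReadable(false, false);
        file.setWritable(false, false);
        file.setReadable(true, true);
        file.setWritable(true, true);
    }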

    /**
     * Resolves the web-service-provider (WSP) configuration for {@code this.providerName}.
     *
     * <p>An unset name falls back to the {@code com.sun.identity.wss.provider.defaultWSP}
     * property. A name that is not a registered provider is retried as an endpoint lookup and,
     * if still unknown, replaced by the default WSP. Providers with their own keystore have it
     * activated through {@link #initializeSystemProperties} before being returned. Note that the
     * method may rewrite {@code this.providerName} as a side effect.
     *
     * @return the resolved provider configuration
     * @throws SecurityException if the provider configuration cannot be read or initialised
     */
    private ProviderConfig getWSPConfig() throws SecurityException {
        boolean noName = this.providerName == null || this.providerName.length() == 0;
        if (noName) {
            this.providerName = SystemConfigurationUtil.getProperty("com.sun.identity.wss.provider.defaultWSP", "wsp");
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getWSPConfig: default provider name:" + this.providerName);
            }
        }
        ProviderConfig config;
        try {
            if (ProviderConfig.isProviderExists(this.providerName, ProviderConfig.WSP)) {
                config = ProviderConfig.getProvider(this.providerName, ProviderConfig.WSP);
            } else {
                config = ProviderConfig.getProviderByEndpoint(this.providerName, ProviderConfig.WSP);
                // Still unknown (the trailing boolean presumably widens the lookup; verify
                // against ProviderConfig) -> use the default WSP instead.
                boolean knownAfterEndpointLookup = ProviderConfig.isProviderExists(this.providerName, ProviderConfig.WSP, true);
                if (!knownAfterEndpointLookup) {
                    this.providerName = SystemConfigurationUtil.getProperty("com.sun.identity.wss.provider.defaultWSP", "wsp");
                    config = ProviderConfig.getProvider(this.providerName, ProviderConfig.WSP);
                }
            }
            if (!config.useDefaultKeyStore()) {
                initializeSystemProperties(config);
            }
        } catch (ProviderException e) {
            debug.error("SOAPRequestHandler.getWSPConfig:: Provider configuration read failure", e);
            throw new SecurityException(bundle.getString("cannotInitializeProvider"));
        } catch (IOException e2) {
            debug.error("SOAPRequestHandler.getWSPConfig:: Provider configuration read failure", e2);
            throw new SecurityException(bundle.getString("cannotInitializeProvider"));
        }
        return config;
    }

    /**
     * Resolves the web-service-client (WSC) configuration for {@code this.providerName}.
     *
     * <p>If no WSC is registered under that name, {@code this.providerName} is replaced by the
     * {@code com.sun.identity.wss.provider.defaultWSC} property and that provider is loaded.
     * Providers with their own keystore have it activated via
     * {@link #initializeSystemProperties} before being returned.
     *
     * @return the resolved client configuration
     * @throws SecurityException if the provider configuration cannot be read or initialised
     */
    private ProviderConfig getWSCConfig() throws SecurityException {
        try {
            boolean registered = ProviderConfig.isProviderExists(this.providerName, ProviderConfig.WSC);
            if (!registered) {
                this.providerName = SystemConfigurationUtil.getProperty("com.sun.identity.wss.provider.defaultWSC", "wsc");
            }
            ProviderConfig config = ProviderConfig.getProvider(this.providerName, ProviderConfig.WSC);
            if (!config.useDefaultKeyStore()) {
                initializeSystemProperties(config);
            }
            return config;
        } catch (ProviderException e) {
            debug.error("SOAPRequestHandler.getWSCConfig:: Provider configuration read failure", e);
            throw new SecurityException(bundle.getString("cannotInitializeProvider"));
        } catch (IOException e2) {
            debug.error("SOAPRequestHandler.getWSCConfig:: Provider configuration read failure", e2);
            throw new SecurityException(bundle.getString("cannotInitializeProvider"));
        }
    }

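    /**
     * Builds the outbound security token that matches the requested security mechanism.
     *
     * <p>Dispatches on the mechanism URI to one of the token families this handler knows
     * (X.509, SAML 1.x, UserName, SAML 2, Kerberos). The signing/certificate alias is the
     * provider's own key alias when it has a dedicated keystore, otherwise the global
     * {@code com.sun.identity.saml.xmlsig.certalias} property.
     *
     * @param securityMechanism mechanism negotiated for the request
     * @param providerConfig    client-side provider configuration
     * @param subject           caller subject; may carry an SSOToken or credentials
     * @return a token ready to be attached to the SOAP security header
     * @throws SecurityException if the mechanism is unsupported or token creation fails
     */
    private SecurityToken getSecurityToken(SecurityMechanism securityMechanism, ProviderConfig providerConfig, Subject subject) throws SecurityException {
        String uri = securityMechanism.getURI();
        String certAlias = SystemConfigurationUtil.getProperty("com.sun.identity.saml.xmlsig.certalias");
        if (!providerConfig.useDefaultKeyStore()) {
            certAlias = providerConfig.getKeyAlias();
        }
        if (debug.messageEnabled()) {
            debug.message("getSecurityToken: SecurityMechanism URI : " + uri);
        }
        SecurityTokenFactory securityTokenFactory = SecurityTokenFactory.getInstance(WSSUtils.getAdminToken());
        if (isX509Mechanism(uri)) {
            return createX509Token(securityTokenFactory, certAlias);
        }
        if (isSAMLMechanism(uri)) {
            return createSAMLToken(securityTokenFactory, securityMechanism, providerConfig, subject, certAlias);
        }
        if (isUserNameMechanism(uri)) {
            return createUserNameToken(securityTokenFactory, uri, providerConfig, subject);
        }
        if (isSAML2Mechanism(uri)) {
            return createSAML2Token(securityTokenFactory, securityMechanism, providerConfig, subject, certAlias);
        }
        if (isKerberosMechanism(uri)) {
            return createKerberosToken(securityTokenFactory, providerConfig);
        }
        throw new SecurityException(bundle.getString("unsupportedSecurityMechanism"));
    }

    /** True for the three X.509 binary-token mechanism URIs (null, TLS, client TLS). */
    private static boolean isX509Mechanism(String uri) {
        return SecurityMechanism.WSS_NULL_X509_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_X509_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_X509_TOKEN_URI.equals(uri);
    }

    /** True for the SAML 1.x holder-of-key and sender-vouches mechanism URIs. */
    private static boolean isSAMLMechanism(String uri) {
        return SecurityMechanism.WSS_NULL_SAML_HK_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_SAML_HK_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_SAML_HK_URI.equals(uri)
                || SecurityMechanism.WSS_NULL_SAML_SV_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_SAML_SV_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_SAML_SV_URI.equals(uri);
    }

    /** True for every UserName-token mechanism URI, digest or plain-text password. */
    private static boolean isUserNameMechanism(String uri) {
        return SecurityMechanism.WSS_NULL_USERNAME_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_USERNAME_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_USERNAME_TOKEN_URI.equals(uri)
                || isPlainUserNameMechanism(uri);
    }

    /** True for the UserName-token mechanism URIs that send the password in plain text. */
    private static boolean isPlainUserNameMechanism(String uri) {
        return SecurityMechanism.WSS_NULL_USERNAME_TOKEN_PLAIN_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_USERNAME_TOKEN_PLAIN_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_USERNAME_TOKEN_PLAIN_URI.equals(uri);
    }

    /** True for the SAML 2 holder-of-key and sender-vouches mechanism URIs. */
    private static boolean isSAML2Mechanism(String uri) {
        return SecurityMechanism.WSS_NULL_SAML2_HK_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_SAML2_HK_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_SAML2_HK_URI.equals(uri)
                || SecurityMechanism.WSS_NULL_SAML2_SV_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_SAML2_SV_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_SAML2_SV_URI.equals(uri);
    }

    /** True for the three Kerberos mechanism URIs. */
    private static boolean isKerberosMechanism(String uri) {
        return SecurityMechanism.WSS_NULL_KERBEROS_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_TLS_KERBEROS_TOKEN_URI.equals(uri)
                || SecurityMechanism.WSS_CLIENT_TLS_KERBEROS_TOKEN_URI.equals(uri);
    }

    /** {@code null} and {@code ""} are treated alike throughout the token specs. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.length() == 0;
    }

    /**
     * Returns the caller's own token when the provider is configured for pass-through,
     * otherwise {@code null}.
     */
    private SecurityToken passThroughTokenFromSubject(ProviderConfig providerConfig, Subject subject) throws SecurityException {
        if (!providerConfig.usePassThroughSecurityToken()) {
            return null;
        }
        SecurityToken token = getSecurityTokenFromSubject(subject);
        if (token != null && debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken::security token from subject is not null");
        }
        return token;
    }

    /** Creates an X.509v3 binary security token referencing {@code certAlias}. */
    private SecurityToken createX509Token(SecurityTokenFactory factory, String certAlias) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken:: creating X509 token");
        }
        return factory.getSecurityToken(new X509TokenSpec(new String[]{certAlias}, BinarySecurityToken.X509V3, BinarySecurityToken.BASE64BINARY));
    }

    /**
     * Creates a SAML 1.x assertion token. The subject is the SSOToken principal (or a pseudonym
     * from the configured NameID mapper); without an SSOToken the issuer (or this server's host)
     * becomes the subject. Attributes and, if enabled, memberships are added as claims.
     */
    private SecurityToken createSAMLToken(SecurityTokenFactory factory, SecurityMechanism securityMechanism, ProviderConfig providerConfig, Subject subject, String certAlias) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken:: creating SAML token");
        }
        SecurityToken passThrough = passThroughTokenFromSubject(providerConfig, subject);
        if (passThrough != null) {
            return passThrough;
        }
        String issuer = SystemConfigurationUtil.getProperty(ASSERTION_ISSUER);
        Map<QName, List<String>> claimedAttributes = new HashMap<QName, List<String>>();
        try {
            SSOToken ssoToken = getSubjectSecurity(subject).ssoToken;
            if (ssoToken == null) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.getSecurityToken:: using thread local for SSOToken");
                }
                ssoToken = (SSOToken) ThreadLocalService.getSSOToken();
            }
            NameIdentifier nameIdentifier;
            if (ssoToken != null) {
                String name = ssoToken.getPrincipal().getName();
                String nameIDMapper = providerConfig.getNameIDMapper();
                if (isNullOrEmpty(nameIDMapper)) {
                    nameIdentifier = new NameIdentifier(name);
                } else {
                    nameIdentifier = new NameIdentifier(WSSUtils.getUserPseduoName(name, nameIDMapper));
                }
                Map<QName, List<String>> samlAttributes = WSSUtils.getSAMLAttributes(name, providerConfig.getSAMLAttributeMapping(), providerConfig.getSAMLAttributeNamespace(), ssoToken);
                if (samlAttributes != null) {
                    claimedAttributes.putAll(samlAttributes);
                }
                if (providerConfig.shouldIncludeMemberships()) {
                    Map<QName, List<String>> memberships = WSSUtils.getMembershipAttributes(name, providerConfig.getSAMLAttributeNamespace());
                    if (memberships != null) {
                        claimedAttributes.putAll(memberships);
                    }
                }
            } else {
                nameIdentifier = new NameIdentifier(isNullOrEmpty(issuer) ? SystemConfigurationUtil.getProperty("com.iplanet.am.server.host") : issuer);
            }
            AssertionTokenSpec spec = new AssertionTokenSpec(nameIdentifier, securityMechanism, certAlias);
            if (!isNullOrEmpty(issuer)) {
                spec.setIssuer(issuer);
            }
            if (!claimedAttributes.isEmpty()) {
                spec.setClaimedAttributes(claimedAttributes);
            }
            spec.setSigningAlias(certAlias);
            String wspEndpoint = providerConfig.getWSPEndpoint();
            if (wspEndpoint != null) {
                spec.setAppliesTo(wspEndpoint);
            }
            spec.setAssertionID(SAMLUtilsCommon.generateID());
            return factory.getSecurityToken(spec);
        } catch (Exception e) {
            debug.error("SOAPRequestHandler.getSecurityToken: Failed in creating SAML tokens", e);
            throw new SecurityException(e.getMessage());
        }
    }

    /**
     * Creates a UserName token from the first available credential: the SSOToken-derived
     * credentials, then the subject's own list, then the provider's configured users.
     * Plain-text mechanisms send the password as-is; the others use a digest with a nonce.
     */
    private SecurityToken createUserNameToken(SecurityTokenFactory factory, String uri, ProviderConfig providerConfig, Subject subject) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken:: creating UserName token");
        }
        List credentials = null;
        try {
            SubjectSecurity subjectSecurity = getSubjectSecurity(subject);
            credentials = getUserCredentialsFromSSOToken(subjectSecurity.ssoToken);
            if (credentials == null || credentials.isEmpty()) {
                credentials = subjectSecurity.userCredentials;
            }
        } catch (Exception e) {
            // Best effort: failing to read subject credentials falls through to the configured users.
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getSecurityToken:: getSubjectSecurity error :" + e.getMessage());
            }
        }
        if (credentials == null || credentials.isEmpty()) {
            credentials = providerConfig.getUsers();
        }
        if (credentials == null || credentials.isEmpty()) {
            debug.error("SOAPRequestHandler.getSecurityToken:: No users  are configured.");
            throw new SecurityException(bundle.getString("nousers"));
        }
        PasswordCredential credential = (PasswordCredential) credentials.iterator().next();
        UserNameTokenSpec spec = new UserNameTokenSpec();
        if (isPlainUserNameMechanism(uri)) {
            spec.setPasswordType(WSSConstants.PASSWORD_PLAIN_TYPE);
        } else {
            spec.setNonce(true);
            spec.setPasswordType(WSSConstants.PASSWORD_DIGEST_TYPE);
        }
        spec.setCreateTimeStamp(true);
        spec.setUserName(credential.getUserName());
        spec.setPassword(credential.getPassword());
        return factory.getSecurityToken(spec);
    }

    /**
     * Creates a SAML 2 assertion token; mirrors {@link #createSAMLToken} with a SAML 2 NameID.
     */
    private SecurityToken createSAML2Token(SecurityTokenFactory factory, SecurityMechanism securityMechanism, ProviderConfig providerConfig, Subject subject, String certAlias) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken:: creating SAML2 token");
        }
        SecurityToken passThrough = passThroughTokenFromSubject(providerConfig, subject);
        if (passThrough != null) {
            return passThrough;
        }
        String issuer = SystemConfigurationUtil.getProperty(ASSERTION_ISSUER);
        Map<QName, List<String>> claimedAttributes = new HashMap<QName, List<String>>();
        try {
            NameID nameID = AssertionFactory.getInstance().createNameID();
            SSOToken ssoToken = getSubjectSecurity(subject).ssoToken;
            if (ssoToken == null) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.getSecurityToken:: using thread local for SSOToken");
                }
                ssoToken = (SSOToken) ThreadLocalService.getSSOToken();
            }
            if (ssoToken != null) {
                String name = ssoToken.getPrincipal().getName();
                String nameIDMapper = providerConfig.getNameIDMapper();
                // Empty mapper treated like no mapper, consistent with the SAML 1.x path.
                if (isNullOrEmpty(nameIDMapper)) {
                    nameID.setValue(name);
                } else {
                    nameID.setValue(WSSUtils.getUserPseduoName(name, nameIDMapper));
                }
                Map<QName, List<String>> samlAttributes = WSSUtils.getSAMLAttributes(name, providerConfig.getSAMLAttributeMapping(), providerConfig.getSAMLAttributeNamespace(), ssoToken);
                if (samlAttributes != null) {
                    claimedAttributes.putAll(samlAttributes);
                }
                // NOTE(review): memberships are added unconditionally here, whereas the SAML 1.x
                // path honours providerConfig.shouldIncludeMemberships(); confirm which is intended.
                Map<QName, List<String>> memberships = WSSUtils.getMembershipAttributes(name, providerConfig.getSAMLAttributeNamespace());
                if (memberships != null) {
                    claimedAttributes.putAll(memberships);
                }
            } else if (isNullOrEmpty(issuer)) {
                nameID.setValue(SystemConfigurationUtil.getProperty("com.iplanet.am.server.host"));
            } else {
                nameID.setValue(issuer);
            }
            SAML2TokenSpec spec = new SAML2TokenSpec(nameID, securityMechanism, certAlias);
            if (!isNullOrEmpty(issuer)) {
                spec.setIssuer(issuer);
            }
            if (!claimedAttributes.isEmpty()) {
                spec.setClaimedAttributes(claimedAttributes);
            }
            String wspEndpoint = providerConfig.getWSPEndpoint();
            if (wspEndpoint != null) {
                spec.setAppliesTo(wspEndpoint);
            }
            spec.setSigningAlias(certAlias);
            spec.setAssertionID(SAMLUtilsCommon.generateID());
            return factory.getSecurityToken(spec);
        } catch (Exception e) {
            // Log the cause like the SAML 1.x path does; the original rethrew silently.
            debug.error("SOAPRequestHandler.getSecurityToken: Failed in creating SAML2 tokens", e);
            throw new SecurityException(e.getMessage());
        }
    }

    /** Creates a Kerberos token from the provider's KDC and service-principal settings. */
    private SecurityToken createKerberosToken(SecurityTokenFactory factory, ProviderConfig providerConfig) throws SecurityException {
        if (debug.messageEnabled()) {
            debug.message("SOAPRequestHandler.getSecurityToken:: creating Kerberos token");
        }
        KerberosTokenSpec spec = new KerberosTokenSpec();
        spec.setKDCDomain(providerConfig.getKDCDomain());
        spec.setKDCServer(providerConfig.getKDCServer());
        spec.setServicePrincipal(providerConfig.getKerberosServicePrincipal());
        spec.setTicketCacheDir(providerConfig.getKerberosTicketCacheDir());
        return factory.getSecurityToken(spec);
    }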

    /**
     * Collects the security material stored in the subject's private credentials.
     *
     * <p>Recognised entries are an {@link SSOToken}, a discovery {@link ResourceOffering}, and
     * non-empty lists whose first element is either a {@link SecurityAssertion} (discovery
     * credentials) or a {@link PasswordCredential} (user credentials). Reading private
     * credentials runs in a privileged block. Fields not found stay at their defaults.
     *
     * @param subject subject to inspect
     * @return a freshly populated holder, never {@code null}
     */
    private SubjectSecurity getSubjectSecurity(final Subject subject) {
        final SubjectSecurity result = new SubjectSecurity();
        PrivilegedAction<Object> collect = new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                Set<Object> privateCredentials = subject.getPrivateCredentials();
                if (privateCredentials != null && !privateCredentials.isEmpty()) {
                    for (Object credential : privateCredentials) {
                        classifyCredential(credential, result);
                    }
                }
                return null;
            }
        };
        AccessController.doPrivileged(collect);
        return result;
    }

    /** Stores {@code credential} in the matching {@code target} slot; unknown types are ignored. */
    private static void classifyCredential(Object credential, SubjectSecurity target) {
        if (credential instanceof SSOToken) {
            target.ssoToken = (SSOToken) credential;
        } else if (credential instanceof ResourceOffering) {
            target.discoRO = (ResourceOffering) credential;
        } else if (credential instanceof List) {
            List asList = (List) credential;
            if (asList.size() > 0) {
                Object first = asList.get(0);
                if (first instanceof SecurityAssertion) {
                    target.discoCredentials = asList;
                } else if (first instanceof PasswordCredential) {
                    target.userCredentials = asList;
                }
            }
        }
    }

    /**
     * Returns the lazily created, process-wide {@link MessageAuthenticator}.
     *
     * <p>The implementation class is named by the {@code WSS_AUTHENTICATOR} system property and
     * defaults to {@code DefaultAuthenticator}; it is loaded reflectively, so the property is a
     * trust boundary and must come from the protected configuration store. Initialisation is not
     * synchronised: concurrent first calls may each create an instance.
     *
     * @return the shared authenticator
     * @throws SecurityException if the configured class cannot be loaded or instantiated
     */
    public static MessageAuthenticator getAuthenticator() throws SecurityException {
        if (authenticator == null) {
            try {
                String className = SystemConfigurationUtil.getProperty(WSS_AUTHENTICATOR, "com.sun.identity.wss.security.handler.DefaultAuthenticator");
                authenticator = (MessageAuthenticator) Class.forName(className).newInstance();
            } catch (Exception e) {
                debug.error("SOAPRequestHandler.getAuthenticator:: Unable to get the authenticator", e);
                throw new SecurityException(bundle.getString("authenticatorNotFound"));
            }
        }
        return authenticator;
    }

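    /**
     * Returns the lazily created, process-wide {@link MessageAuthorizer}.
     *
     * <p>The implementation class is named by the {@code WSS_AUTHORIZER} system property and
     * defaults to {@code DefaultAuthorizer}; it is loaded reflectively, so the property is a
     * trust boundary and must come from the protected configuration store. Initialisation is not
     * synchronised: concurrent first calls may each create an instance.
     *
     * @return the shared authorizer
     * @throws SecurityException if the configured class cannot be loaded or instantiated
     */
    public static MessageAuthorizer getAuthorizer() throws SecurityException {
        if (authorizer != null) {
            return authorizer;
        }
        try {
            String className = SystemConfigurationUtil.getProperty(WSS_AUTHORIZER, "com.sun.identity.wss.security.handler.DefaultAuthorizer");
            authorizer = (MessageAuthorizer) Class.forName(className).newInstance();
            return authorizer;
        } catch (Exception e) {
            // Log prefix corrected: the original said "getAuthenticator" here.
            debug.error("SOAPRequestHandler.getAuthorizer:: Unable to get the authorizer", e);
            throw new SecurityException(bundle.getString("authorizerInitFailed"));
        }
    }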

    /**
     * Secures an outbound request through the Liberty ID-WSF path.
     *
     * <p>Validates the SSOToken, resolves the discovery-service resource offering for the
     * subject, and hands the message to a {@link MessageProcessor} together with the subject's
     * discovery credentials and the provider's service type.
     *
     * @param sSOToken       session token of the caller; must be valid
     * @param subject        caller subject holding (or receiving) the discovery material
     * @param sOAPMessage    request to secure
     * @param map            message context passed through to the processor
     * @param providerConfig client provider configuration
     * @return the secured SOAP message
     * @throws SecurityException on an invalid token or a SOAP binding failure
     */
    private SOAPMessage getSecureMessageFromLiberty(SSOToken sSOToken, Subject subject, SOAPMessage sOAPMessage, Map map, ProviderConfig providerConfig) throws SecurityException {
        try {
            SSOTokenManager.getInstance().validateToken(sSOToken);
            ResourceOffering offering = getDiscoveryResourceOffering(subject, sSOToken);
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getSecureMessageFromLiberty:: Discovery service resource offering. " + offering.toString());
            }
            List discoveryCredentials = getDiscoveryCredentials(subject);
            MessageProcessor processor = new MessageProcessor(providerConfig);
            return processor.secureRequest(offering, discoveryCredentials, providerConfig.getServiceType(), sOAPMessage, map);
        } catch (SSOException e) {
            debug.error("SOAPRequestHandler.getSecureMessageFromLiberty:: Invalid sso token", e);
            throw new SecurityException(bundle.getString("invalidSSOToken"));
        } catch (SOAPBindingException e2) {
            debug.error("SOAPRequestHandler.getSecureMessageFromLiberty::  SOAPBinding exception", e2);
            throw new SecurityException(e2.getMessage());
        }
    }

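    /**
     * Obtains the discovery-service resource offering for the subject.
     *
     * <p>A resource offering already present in the subject's private credentials is returned
     * directly. Otherwise a SASL exchange with the Liberty authentication service is performed
     * and the returned offering plus any credential assertions are cached in the subject's
     * private credentials (in a privileged block) for later calls.
     *
     * @param subject  caller subject; its private credentials may be extended
     * @param sSOToken session token used for the SASL exchange
     * @return the resource offering, never {@code null}
     * @throws SecurityException if the SASL exchange fails or yields no resource offering
     */
    private ResourceOffering getDiscoveryResourceOffering(final Subject subject, SSOToken sSOToken) throws SecurityException {
        SubjectSecurity subjectSecurity = getSubjectSecurity(subject);
        if (subjectSecurity.discoRO != null) {
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getDiscoveryResourceOffering:: subject contains resource offering.");
            }
            return subjectSecurity.discoRO;
        }
        SASLResponse saslResponse = getSASLResponse(sSOToken);
        if (saslResponse == null) {
            debug.error("SOAPRequestHandler.getDiscoveryResourceOffering:: SASL Response is null");
            throw new SecurityException(bundle.getString("SASLFailure"));
        }
        final ResourceOffering resourceOffering = saslResponse.getResourceOffering();
        if (resourceOffering == null) {
            throw new SecurityException(bundle.getString("resourceOfferingMissing"));
        }
        final List credentials = saslResponse.getCredentials();
        // resourceOffering is non-null here, so the original's second null check was redundant.
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                Set<Object> privateCredentials = subject.getPrivateCredentials();
                privateCredentials.add(resourceOffering);
                if (credentials == null || credentials.isEmpty()) {
                    return null;
                }
                List<SecurityAssertion> assertions = new ArrayList<SecurityAssertion>();
                for (Object credential : credentials) {
                    try {
                        assertions.add(new SecurityAssertion((Element) credential));
                    } catch (Exception e) {
                        // Best effort: a malformed assertion is skipped, the rest are still cached.
                        if (SOAPRequestHandler.debug.warningEnabled()) {
                            SOAPRequestHandler.debug.warning("SOAPRequestHandler.getDiscoveryResourceOffering: ", e);
                        }
                    }
                }
                // Add the list once it is complete; the original re-added it on every loop
                // iteration, exposing a partially built list.
                if (!assertions.isEmpty()) {
                    privateCredentials.add(assertions);
                }
                return null;
            }
        });
        return resourceOffering;
    }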

    /**
     * Returns the discovery credentials (a list of SecurityAssertions) carried in the subject's
     * private credentials, or {@code null} when none were found.
     *
     * @param subject subject to inspect
     * @return the discovery credential list, possibly {@code null}
     */
    private List getDiscoveryCredentials(Subject subject) {
        SubjectSecurity subjectSecurity = getSubjectSecurity(subject);
        return subjectSecurity.discoCredentials;
    }

    /**
     * Runs the two-step SASL exchange with the Liberty authentication service.
     *
     * <p>Step one announces the SSOToken mechanism and must be answered with
     * {@link SASLResponse#CONTINUE}; step two sends the UTF-8 token id under the server-chosen
     * mechanism and must be answered with status {@code "OK"}. Every other outcome is reported
     * as a SASL failure.
     *
     * @param sSOToken session whose id is presented as the SASL credential
     * @return the final SASL response
     * @throws SecurityException if the AuthnURL is missing or the exchange does not succeed
     */
    private SASLResponse getSASLResponse(SSOToken sSOToken) throws SecurityException {
        SASLRequest initialRequest = new SASLRequest(MECHANISM_SSOTOKEN);
        try {
            String authnUrl = SystemConfigurationUtil.getProperty(LIBERTY_AUTHN_URL);
            if (authnUrl == null) {
                debug.error("SOAPRequestHandler.getSASLResponse:: AuthnURL  not present in the configuration.");
                throw new SecurityException(bundle.getString("authnURLMissing"));
            }
            SASLResponse firstResponse = AuthnSvcClient.sendRequest(initialRequest, authnUrl);
            boolean serverContinues = firstResponse.getStatusCode().equals(SASLResponse.CONTINUE);
            if (!serverContinues) {
                debug.error("SOAPRequestHandler.getSASLResponse:: ABORT");
                throw new SecurityException(bundle.getString("SASLFailure"));
            }
            SASLRequest tokenRequest = new SASLRequest(firstResponse.getServerMechanism());
            byte[] tokenBytes = sSOToken.getTokenID().toString().getBytes("UTF-8");
            tokenRequest.setData(tokenBytes);
            tokenRequest.setRefToMessageID(firstResponse.getMessageID());
            SASLResponse finalResponse = AuthnSvcClient.sendRequest(tokenRequest, authnUrl);
            boolean accepted = finalResponse.getStatusCode().equals("OK");
            if (!accepted) {
                debug.error("SOAPRequestHandler.getSASLResponse:: SASL Failure");
                throw new SecurityException(bundle.getString("SASLFailure"));
            }
            return finalResponse;
        } catch (AuthnSvcException e) {
            debug.error("SOAPRequestHandler.getSASLResponse:: Exception", e);
            throw new SecurityException(bundle.getString("SASLFailure"));
        } catch (UnsupportedEncodingException e2) {
            debug.error("SOAPRequestHandler.getSASLResponse:: Exception", e2);
            throw new SecurityException(bundle.getString("SASLFailure"));
        }
    }

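    /**
     * Tells whether the message carries a Liberty ID-WSF SOAP-binding {@code Correlation}
     * header, which marks it as a Liberty message.
     *
     * @param sOAPMessage message to inspect
     * @return {@code true} if a Correlation header element in the SOAP-binding namespace is present
     * @throws SecurityException if the envelope cannot be read
     */
    private boolean isLibertyMessage(SOAPMessage sOAPMessage) throws SecurityException {
        try {
            SOAPHeader header = sOAPMessage.getSOAPPart().getEnvelope().getHeader();
            if (header == null) {
                return false;
            }
            NodeList children = header.getChildNodes();
            if (children == null || children.getLength() == 0) {
                return false;
            }
            for (int i = 0; i < children.getLength(); i++) {
                Node child = children.item(i);
                // Both local name and namespace must match; a Correlation element from another
                // namespace is not a Liberty header.
                if (child.getNodeType() == Node.ELEMENT_NODE
                        && SOAPBindingConstants.TAG_CORRELATION.equals(child.getLocalName())
                        && SOAPBindingConstants.NS_SOAP_BINDING.equals(child.getNamespaceURI())) {
                    return true;
                }
            }
            return false;
        } catch (SOAPException e) {
            debug.error("SOAPRequest.isLibertyRequest:: SOAPException", e);
            throw new SecurityException(e.getMessage());
        }
    }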

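    /**
     * Derives the client provider configuration for the current invocation.
     *
     * <p>If a service name was left in {@link ThreadLocalService} by an STS client, it is
     * consumed and the WSC provider of that name is overlaid with the STS trust-authority
     * settings (mechanisms, signing/encryption flags, users, endpoint, Kerberos, SAML attribute
     * mapping, ...). Otherwise the service name is taken from the
     * {@code javax.xml.ws.wsdl.service} entry of the message context and the matching WSC
     * provider is returned, with its own keystore activated when it has one.
     *
     * @param map message context; {@code null} or empty yields {@code null}
     * @return the provider configuration, or {@code null} if none could be resolved
     */
    private ProviderConfig getProviderConfig(Map map) {
        if (map == null || map.isEmpty()) {
            return null;
        }
        try {
            String serviceName = ThreadLocalService.getServiceName();
            if (serviceName == null) {
                String wsdlServiceName = getServiceName(map);
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.getServiceName: Service Name from javax.xml.ws.wsdl.service : " + wsdlServiceName);
                }
                if (!ProviderConfig.isProviderExists(wsdlServiceName, ProviderConfig.WSC)) {
                    return null;
                }
                ProviderConfig provider = ProviderConfig.getProvider(wsdlServiceName, ProviderConfig.WSC);
                if (!provider.useDefaultKeyStore()) {
                    initializeSystemProperties(provider);
                }
                return provider;
            }
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getProviderConfig: Service Name found in thread local " + serviceName);
            }
            // The thread-local entry is single-use; clear it before any lookup can fail.
            ThreadLocalService.removeServiceName(serviceName);
            STSConfig stsConfig = (STSConfig) TrustAuthorityConfig.getConfig(serviceName, TrustAuthorityConfig.STS_TRUST_AUTHORITY);
            if (stsConfig == null) {
                // Original dereferenced this unconditionally and failed with an NPE.
                WSSUtils.debug.error("SOAPRequestHandler.getProviderConfig: no STS configuration for " + serviceName);
                return null;
            }
            ProviderConfig stsProvider = ProviderConfig.getProvider(serviceName, ProviderConfig.WSC);
            stsProvider.setSecurityMechanisms(stsConfig.getSecurityMech());
            stsProvider.setRequestSignEnabled(stsConfig.isRequestSignEnabled());
            stsProvider.setRequestEncryptEnabled(stsConfig.isRequestEncryptEnabled());
            stsProvider.setDefaultKeyStore(true);
            stsProvider.setUsers(stsConfig.getUsers());
            stsProvider.setWSPEndpoint(stsConfig.getEndpoint());
            stsProvider.setKDCDomain(stsConfig.getKDCDomain());
            stsProvider.setKDCServer(stsConfig.getKDCServer());
            // Copied from the STS config like every neighbouring field; the original assigned
            // the provider's own value back to itself, leaving the STS principal unused.
            stsProvider.setKerberosServicePrincipal(stsConfig.getKerberosServicePrincipal());
            stsProvider.setKerberosTicketCacheDir(stsConfig.getKerberosTicketCacheDir());
            stsProvider.setEncryptionAlgorithm(stsConfig.getEncryptionAlgorithm());
            stsProvider.setEncryptionStrength(stsConfig.getEncryptionStrength());
            stsProvider.setSigningRefType(stsConfig.getSigningRefType());
            stsProvider.setSAMLAttributeMapping(stsConfig.getSAMLAttributeMapping());
            stsProvider.setSAMLAttributeNamespace(stsConfig.getSAMLAttributeNamespace());
            stsProvider.setIncludeMemberships(stsConfig.shouldIncludeMemberships());
            stsProvider.setNameIDMapper(stsConfig.getNameIDMapper());
            stsProvider.setDNSClaim(stsConfig.getDNSClaim());
            stsProvider.setSignedElements(stsConfig.getSignedElements());
            return stsProvider;
        } catch (ProviderException e) {
            WSSUtils.debug.error("SOAPRequestHandler.getProviderConfig: fromshared map: Exception", e);
            return null;
        } catch (IOException e2) {
            WSSUtils.debug.error("SOAPRequestHandler.getProviderConfig: fromshared map: IOException", e2);
            return null;
        }
    }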

    /**
     * Extracts the local part of the {@code javax.xml.ws.wsdl.service} QName from a message
     * context.
     *
     * @param map message context; may be {@code null}
     * @return the service's local name, or {@code null} when the map is empty or lacks the entry
     */
    private String getServiceName(Map map) {
        if (map == null || map.isEmpty()) {
            return null;
        }
        QName serviceQName = (QName) map.get("javax.xml.ws.wsdl.service");
        return serviceQName == null ? null : serviceQName.getLocalPart();
    }

    /**
     * Serialises a DOM node to text via {@link WSSUtils#print(Node)}.
     *
     * @param node node to render
     * @return the rendered node
     */
    @Override // com.sun.identity.wss.security.handler.SOAPRequestHandlerInterface
    public String print(Node node) {
        String rendered = WSSUtils.print(node);
        return rendered;
    }

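    /**
     * Strips headers that have already been processed from a validated message.
     *
     * <p>Any header element whose local name is {@code Security} is detached unless the provider
     * asks to preserve it; the Liberty {@code Correlation} header is always detached. Matching is
     * case-insensitive on the local name only (no namespace check), so every such header goes.
     * A header that cannot be read is logged and the message is left untouched.
     *
     * @param providerConfig provider settings; {@code null} means "do not preserve Security"
     * @param sOAPMessage    message to clean up in place
     */
    private void removeValidatedHeaders(ProviderConfig providerConfig, SOAPMessage sOAPMessage) {
        SOAPHeader header;
        try {
            header = sOAPMessage.getSOAPPart().getEnvelope().getHeader();
        } catch (SOAPException e) {
            // Keep the cause; the original logged only the text and lost the stack trace.
            WSSUtils.debug.error("SOAPRequestHandler.removeValidateHeaders: Failed to read the SOAP Header.", e);
            return;
        }
        if (header == null) {
            return;
        }
        boolean stripSecurityHeader = providerConfig == null || !providerConfig.preserveSecurityHeader();
        Iterator headerElements = header.examineAllHeaderElements();
        while (headerElements.hasNext()) {
            SOAPHeaderElement element = (SOAPHeaderElement) headerElements.next();
            String localName = element.getElementName().getLocalName();
            if (stripSecurityHeader && "Security".equalsIgnoreCase(localName)) {
                element.detachNode();
            }
            if (SOAPBindingConstants.TAG_CORRELATION.equalsIgnoreCase(localName)) {
                element.detachNode();
            }
        }
    }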

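    /**
     * Builds a WSP-side {@link ProviderConfig} from a remote STS configuration.
     *
     * <p>The provider is looked up by the STS issuer (non-persisted, {@code false}
     * third argument) and then overlaid with the Kerberos, security-mechanism,
     * user, signing/encryption, key-alias, authentication-chain and replay-detection
     * settings of {@code sTSRemoteConfig}. Two values are fixed rather than copied:
     * {@code preserveSecurityHeader} is forced to {@code false}, and the DNS claim
     * is set to the STS issuer.
     *
     * @param sTSRemoteConfig the remote STS settings; {@code null} yields {@code null}
     * @return the populated provider config, or {@code null} when no STS config is given
     * @throws SecurityException if the provider lookup or population fails; the
     *     underlying {@link ProviderException} is logged before being wrapped, since
     *     the wrapper carries only its message
     */
    private ProviderConfig getSTSProviderConfig(STSRemoteConfig sTSRemoteConfig) throws SecurityException {
        if (sTSRemoteConfig == null) {
            return null;
        }
        try {
            ProviderConfig provider = ProviderConfig.getProvider(sTSRemoteConfig.getIssuer(), ProviderConfig.WSP, false);
            // Kerberos settings
            provider.setKDCDomain(sTSRemoteConfig.getKDCDomain());
            provider.setKDCServer(sTSRemoteConfig.getKDCServer());
            provider.setKerberosServicePrincipal(sTSRemoteConfig.getKerberosServicePrincipal());
            provider.setKeyTabFile(sTSRemoteConfig.getKeyTabFile());
            provider.setValidateKerberosSignature(sTSRemoteConfig.isValidateKerberosSignature());
            // accepted mechanisms and principals
            provider.setSecurityMechanisms(sTSRemoteConfig.getSecurityMechanisms());
            provider.setUsers(sTSRemoteConfig.getUsers());
            // message protection on request and response
            provider.setRequestEncryptEnabled(sTSRemoteConfig.isRequestEncryptEnabled());
            provider.setRequestHeaderEncryptEnabled(sTSRemoteConfig.isRequestHeaderEncryptEnabled());
            provider.setRequestSignEnabled(sTSRemoteConfig.isRequestSignEnabled());
            provider.setResponseEncryptEnabled(sTSRemoteConfig.isResponseEncryptEnabled());
            provider.setResponseSignEnabled(sTSRemoteConfig.isResponseSignEnabled());
            // never keep the validated Security header around for an STS-backed provider
            provider.setPreserveSecurityHeader(false);
            // key material and algorithms
            provider.setPublicKeyAlias(sTSRemoteConfig.getPublicKeyAlias());
            provider.setKeyAlias(sTSRemoteConfig.getPrivateKeyAlias());
            provider.setEncryptionAlgorithm(sTSRemoteConfig.getEncryptionAlgorithm());
            provider.setEncryptionStrength(sTSRemoteConfig.getEncryptionStrength());
            provider.setSigningRefType(sTSRemoteConfig.getSigningRefType());
            // authentication and replay detection
            provider.setAuthenticationChain(sTSRemoteConfig.getAuthenticationChain());
            provider.setDetectUserTokenReplay(sTSRemoteConfig.isUserTokenDetectReplayEnabled());
            provider.setMessageReplayDetection(sTSRemoteConfig.isMessageReplayDetectionEnabled());
            // the issuer doubles as the DNS claim
            provider.setDNSClaim(sTSRemoteConfig.getIssuer());
            provider.setSignedElements(sTSRemoteConfig.getSignedElements());
            return provider;
        } catch (ProviderException e) {
            // log with the cause: SecurityException(String) below does not retain it
            WSSUtils.debug.error("SOAPRequestHandler.getSTSProviderConfig: failed to build provider config", e);
            throw new SecurityException(e.getMessage());
        }
    }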

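    /**
     * Finds a SAML assertion among a subject's public credentials and wraps it as
     * a {@link SecurityToken}.
     *
     * <p>When {@code subject} carries no public credentials, the subject held by
     * {@code ThreadLocalService} (if any) is scanned instead. Each credential that is
     * a DOM {@link Element} with local name {@code Assertion} is mapped by namespace:
     * SAML 1.x ({@code urn:oasis:names:tc:SAML:1.0:assertion}) becomes an
     * {@link AssertionToken}, SAML 2.0 ({@code urn:oasis:names:tc:SAML:2.0:assertion})
     * a {@link SAML2Token}; other namespaces are ignored. The scan does not stop at
     * the first hit, so the last matching assertion in iteration order wins.
     *
     * <p>The local-name comparison is null-safe: a DOM element created without
     * namespace support reports a {@code null} local name and is skipped instead
     * of raising a {@link NullPointerException}.
     *
     * @param subject the authenticated subject; must not be {@code null}
     * @return the wrapped assertion, or {@code null} if none was found
     * @throws SecurityException if constructing the token fails; the original
     *     exception is logged because the wrapper only keeps its message
     */
    private SecurityToken getSecurityTokenFromSubject(Subject subject) throws SecurityException {
        Subject source = subject;
        if (source.getPublicCredentials().isEmpty()) {
            Object threadSubject = ThreadLocalService.getSubject();
            if (threadSubject != null) {
                source = (Subject) threadSubject;
            }
        }
        SecurityToken securityToken = null;
        for (Object credential : source.getPublicCredentials()) {
            if (!(credential instanceof Element)) {
                continue;
            }
            Element element = (Element) credential;
            // constant-first equals tolerates a null local name
            if (!"Assertion".equals(element.getLocalName())) {
                continue;
            }
            String namespaceURI = element.getNamespaceURI();
            if (namespaceURI == null) {
                continue;
            }
            try {
                if ("urn:oasis:names:tc:SAML:1.0:assertion".equals(namespaceURI)) {
                    securityToken = new AssertionToken(element);
                } else if ("urn:oasis:names:tc:SAML:2.0:assertion".equals(namespaceURI)) {
                    securityToken = new SAML2Token(element);
                }
            } catch (Exception e) {
                WSSUtils.debug.error("SOAPRequestHandler.getSecurityTokenFromSubject:: exception", e);
                throw new SecurityException(e.getMessage());
            }
        }
        return securityToken;
    }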

    /**
     * Returns the thread-bound subject, but only if it carries private credentials.
     *
     * <p>A subject with no private credentials is treated as not authenticated
     * and {@code null} is returned in its place.
     *
     * @return the thread-local subject with private credentials, else {@code null}
     */
    private Subject getAuthenticatedSubject() {
        Object current = ThreadLocalService.getSubject();
        if (current != null) {
            Subject subject = (Subject) current;
            if (!subject.getPrivateCredentials().isEmpty()) {
                return subject;
            }
        }
        return null;
    }

    /**
     * Looks for a custom token among the subject's public credentials.
     *
     * <p>Public credentials are scanned in iteration order; the first one that is a
     * {@link Map} containing {@code WSSConstants.CUSTOM_TOKEN} yields that entry's
     * value (which may itself be {@code null} if the map stores a null value).
     *
     * @param subject the subject to inspect; must not be {@code null}
     * @return the custom token value, or {@code null} if no credential map carries one
     */
    private Object getCustomCredential(Subject subject) {
        Set<Object> credentials = subject.getPublicCredentials();
        if (credentials == null || credentials.isEmpty()) {
            return null;
        }
        Iterator<Object> it = credentials.iterator();
        while (it.hasNext()) {
            Object candidate = it.next();
            if (!(candidate instanceof Map)) {
                continue;
            }
            Map holder = (Map) candidate;
            if (holder.containsKey(WSSConstants.CUSTOM_TOKEN)) {
                return holder.get(WSSConstants.CUSTOM_TOKEN);
            }
        }
        return null;
    }

    /**
     * Derives a username/password credential from a valid SSO token.
     *
     * <p>Which secret is used depends on the system property
     * {@code com.sun.identity.wss.security.useHashedPassword} (default {@code "true"}):
     * when true the token property {@code WSSConstants.HASHED_USER_PASSWORD} is
     * taken as-is; otherwise {@code WSSConstants.ENCRYPTED_USER_PASSWORD} is read
     * and decrypted with {@code Crypt.decrypt}. The user id comes from
     * {@code ISAuthConstants.USER_ID}. The secret is never written to the debug log.
     *
     * @param sSOToken the session token; {@code null} or invalid tokens yield {@code null}
     * @return a single-element list holding one {@link PasswordCredential}, or
     *     {@code null} when the token is null/invalid, the secret is missing, or an
     *     {@link SSOException} occurs (logged at warning level)
     */
    private List getUserCredentialsFromSSOToken(SSOToken sSOToken) {
        if (sSOToken == null) {
            if (debug.messageEnabled()) {
                debug.message("SOAPRequestHandler.getUserCredentialsFromSSOToken. ssotoken is null");
            }
            return null;
        }
        try {
            if (!SSOTokenManager.getInstance().isValidToken(sSOToken)) {
                return null;
            }
            boolean useHashedPassword = Boolean.parseBoolean(
                    SystemConfigurationUtil.getProperty("com.sun.identity.wss.security.useHashedPassword", "true"));
            String secret;
            if (useHashedPassword) {
                secret = sSOToken.getProperty(WSSConstants.HASHED_USER_PASSWORD);
            } else {
                String encrypted = sSOToken.getProperty(WSSConstants.ENCRYPTED_USER_PASSWORD);
                if (encrypted == null) {
                    if (debug.messageEnabled()) {
                        debug.message("SOAPRequestHandler.getUserCredentialsFromSSOToken. encrypted password is null");
                    }
                    return null;
                }
                secret = Crypt.decrypt(encrypted);
            }
            if (secret == null) {
                if (debug.messageEnabled()) {
                    debug.message("SOAPRequestHandler.getUserCredentialsFromSSOToken. password is null");
                }
                return null;
            }
            String userId = sSOToken.getProperty(ISAuthConstants.USER_ID);
            List credentials = new ArrayList();
            credentials.add(new PasswordCredential(userId, secret));
            return credentials;
        } catch (SSOException e) {
            if (debug.warningEnabled()) {
                debug.warning("SOAPRequestHandler.getUserCredentialsFromSSOToken. ssoexception", e);
            }
            return null;
        }
    }

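    /**
     * Message-replay check keyed on a message identifier.
     *
     * <p>The identifier is looked up in the in-memory {@code WSSCache.messageIDMap};
     * on a miss, the shared {@code WSSCacheRepository} (if configured) is consulted.
     * If a timestamp is found and is younger than
     * {@code WSSCache.cacheTimeoutInterval * 1000} milliseconds, the message is a
     * replay: a warning is logged and {@code true} is returned. Otherwise the current
     * time is recorded for the identifier in the map and, when present, in the
     * repository.
     *
     * <p>NOTE(review): the lookup and the subsequent {@code put} are not one atomic
     * operation, so two requests carrying the same identifier that arrive at the
     * same instant could both pass the check; tightening this would require an
     * atomic check-and-insert on {@code PeriodicCleanUpMap}, whose API is not
     * visible here.
     *
     * @param str the message identifier; {@code null} is never treated as a replay
     * @param str2 an additional key passed through to the repository (its meaning
     *     is defined by {@code WSSCacheRepository})
     * @return {@code true} if the identifier was seen within the timeout window
     */
    private boolean checkForReplay(String str, String str2) {
        if (str == null) {
            // nothing to key on, so nothing can be detected
            return false;
        }
        PeriodicCleanUpMap seenMessages = WSSCache.messageIDMap;
        long windowMillis = WSSCache.cacheTimeoutInterval * 1000;
        WSSCacheRepository repository = WSSUtils.getWSSCacheRepository();
        Long firstSeen = (Long) seenMessages.get(str);
        if (firstSeen == null && repository != null) {
            firstSeen = repository.retrieveMessageTimestamp(str, str2);
        }
        long now = System.currentTimeMillis();
        if (firstSeen != null && now - firstSeen.longValue() < windowMillis) {
            if (WSSUtils.debug.warningEnabled()) {
                WSSUtils.debug.warning("SOAPRequestHandler.checkForReplay: replay attack detected");
            }
            return true;
        }
        // Long.valueOf replaces the deprecated Long(long) constructor
        Long stamp = Long.valueOf(now);
        seenMessages.put(str, stamp);
        if (repository != null) {
            repository.saveMessageTimestamp(str, stamp, str2);
        }
        return false;
    }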

    /**
     * Replay check for a user token, keyed on the subject's first principal name
     * concatenated with {@code j} (rendered in decimal).
     *
     * <p>Delegates to {@link #checkForReplay(String, String)}. The subject must have
     * at least one principal; an empty principal set makes {@code iterator().next()}
     * throw.
     *
     * @param subject the subject whose first principal names the key
     * @param j a numeric component of the key (e.g. a token timestamp — not
     *     verifiable from this method alone)
     * @param str the secondary key forwarded to the string-keyed check
     * @return {@code true} if the derived key was seen within the timeout window
     */
    private boolean checkForReplay(Subject subject, long j, String str) {
        String principalName = subject.getPrincipals().iterator().next().getName();
        String replayKey = principalName + Long.toString(j);
        return checkForReplay(replayKey, str);
    }

    /**
     * Copies the client certificate into the shared-state map under {@code CLIENT_CERT}.
     *
     * <p>Only the first public credential of {@code subject} is examined; if it is an
     * {@link X509Certificate} it is stored. If the map still has no
     * {@code CLIENT_CERT} afterwards, the certificate held by
     * {@code ThreadLocalService} is used instead and then removed from the thread
     * local so it is not reused by a later request on the same thread.
     *
     * @param subject the subject whose public credentials are inspected
     * @param map the shared state to update in place
     */
    private void updateSharedState(Subject subject, Map map) {
        Set<Object> credentials = subject.getPublicCredentials();
        if (credentials != null && !credentials.isEmpty()) {
            Object first = credentials.iterator().next();
            if (first instanceof X509Certificate) {
                map.put(CLIENT_CERT, (X509Certificate) first);
            }
        }
        if (map.get(CLIENT_CERT) != null) {
            return;
        }
        X509Certificate threadCert = (X509Certificate) ThreadLocalService.getClientCertificate();
        if (threadCert != null) {
            map.put(CLIENT_CERT, threadCert);
            ThreadLocalService.removeClientCertificate();
        }
    }
}
