package com.sun.identity.wss.security.handler;

import com.iplanet.security.x509.CertUtils;
import com.iplanet.services.naming.URLNotFoundException;
import com.iplanet.services.naming.WebtopNaming;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.X509CertificateCallback;
import com.sun.identity.common.SystemConfigurationUtil;
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.soapbinding.Message;
import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.Attribute;
import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.SubjectConfirmation;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import com.sun.identity.wss.logging.LogUtil;
import com.sun.identity.wss.provider.ProviderConfig;
import com.sun.identity.wss.security.AssertionToken;
import com.sun.identity.wss.security.BinarySecurityToken;
import com.sun.identity.wss.security.FAMSecurityToken;
import com.sun.identity.wss.security.KerberosConfiguration;
import com.sun.identity.wss.security.PasswordCredential;
import com.sun.identity.wss.security.SAML2Token;
import com.sun.identity.wss.security.SAML2TokenUtils;
import com.sun.identity.wss.security.SecurityException;
import com.sun.identity.wss.security.SecurityMechanism;
import com.sun.identity.wss.security.SecurityPrincipal;
import com.sun.identity.wss.security.SecurityToken;
import com.sun.identity.wss.security.UserNameToken;
import com.sun.identity.wss.security.WSSConstants;
import com.sun.identity.wss.security.WSSUtils;
import com.sun.identity.wss.sts.FAMSTSException;
import com.sun.identity.wss.sts.TrustAuthorityClient;
import com.sun.xml.ws.security.jgss.XWSSProvider;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.logging.Level;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.w3c.dom.Element;
import sun.security.krb5.EncryptionKey;

/* loaded from: input_file:com/sun/identity/wss/security/handler/DefaultAuthenticator.class */
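/**
 * Default {@link MessageAuthenticator} for WS-Security protected SOAP messages.
 *
 * <p>The token type is selected from the {@link SecurityMechanism} URI (UsernameToken, X.509,
 * SAML 1.x, SAML 2.0 or Kerberos). For each type the provider's authentication chain decides
 * between local validation (chain unset, empty or {@code "none"}) and delegation to the
 * authentication framework or the STS. On success the supplied {@link Subject} receives a
 * {@link SecurityPrincipal}, the token element as a public credential, and a map holding
 * {@link WSSConstants#AUTH_METHOD}.
 *
 * <p>Not thread-safe: {@code config} and {@code kerberosPrincipal} are instance fields that are
 * overwritten on every call, so one instance must not serve concurrent requests.
 */
public class DefaultAuthenticator implements MessageAuthenticator {
    private static ResourceBundle bundle = WSSUtils.bundle;
    private static Debug debug = WSSUtils.debug;
    public static final String WSS_CACHE_PLUGIN = "com.sun.identity.wss.security.cache.plugin";
    // Not referenced in this class; kept for compatibility with whatever reads it reflectively.
    private static Class cacheClass;
    // Provider configuration of the request being authenticated; assigned by authenticate() and
    // read by the private helpers below.
    private ProviderConfig config = null;
    // Initiator name of the last accepted Kerberos context, written from inside a privileged action.
    private String kerberosPrincipal = null;

    /**
     * Authenticates the security token of a WS-Security message and populates {@code subject}.
     *
     * @param subject           the subject to populate; returned on success
     * @param securityMechanism the mechanism the message was received under; selects the token
     *                          class that {@code securityToken} is cast to
     * @param securityToken     the token extracted from the message; may be {@code null} for the
     *                          X.509 mechanism, where the message certificate is used instead
     * @param providerConfig    the WSP configuration; its authentication chain decides between local
     *                          validation and the authentication framework / STS
     * @param obj               the message: a {@link SecureSOAPMessage} for X.509, a Liberty
     *                          {@link Message} when {@code z} is {@code true}
     * @param z                 {@code true} when {@code obj} is a Liberty ID-WSF message, in which
     *                          case the mechanism and token are ignored
     * @return the populated subject
     * @throws SecurityException if the mechanism is {@code null} or unsupported, or the token fails
     *                           authentication
     */
    @Override // com.sun.identity.wss.security.handler.MessageAuthenticator
    public Object authenticate(Subject subject, SecurityMechanism securityMechanism, SecurityToken securityToken, ProviderConfig providerConfig, Object obj, boolean z) throws SecurityException {
        debug.message("DefaultAuthenticator.authenticate: start");
        this.config = providerConfig;
        // Raw type kept: it is handed to project methods whose parameterization is not visible here.
        HashMap attributeMap = new HashMap();
        String authChain = null;
        if (providerConfig != null) {
            authChain = providerConfig.getAuthenticationChain();
        }
        if (z) {
            return authenticateLibertyMessage(obj, subject, attributeMap);
        }
        if (securityMechanism == null) {
            throw new SecurityException(bundle.getString("nullInputParameter"));
        }
        String uri = securityMechanism.getURI();
        if (isOneOf(uri,
                SecurityMechanism.WSS_NULL_USERNAME_TOKEN_URI,
                SecurityMechanism.WSS_TLS_USERNAME_TOKEN_URI,
                SecurityMechanism.WSS_CLIENT_TLS_USERNAME_TOKEN_URI,
                SecurityMechanism.WSS_NULL_USERNAME_TOKEN_PLAIN_URI,
                SecurityMechanism.WSS_TLS_USERNAME_TOKEN_PLAIN_URI,
                SecurityMechanism.WSS_CLIENT_TLS_USERNAME_TOKEN_PLAIN_URI)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate:: username token authentication");
                debug.message("authenticate: authChain : " + authChain);
            }
            UserNameToken userNameToken = (UserNameToken) securityToken;
            if (isNoAuthChain(authChain)) {
                // Fail closed: without a provider configuration there is no user list to validate
                // against, so the token cannot be accepted.
                if (providerConfig == null) {
                    debug.error("DefaultAuthenticator.authenticate:: no provider configuration for username token validation.");
                    throw new SecurityException(bundle.getString("authenticationFailed"));
                }
                if (!validateUser(userNameToken, subject)) {
                    if (debug.warningEnabled()) {
                        debug.warning("DefaultAuthenticator. authentication failed.");
                    }
                    throw new SecurityException(bundle.getString("authenticationFailed"));
                }
            } else if (!authenticateUser(userNameToken, subject, authChain)) {
                throw new SecurityException(bundle.getString("authenticationFailed"));
            }
        } else if (isOneOf(uri,
                SecurityMechanism.WSS_NULL_X509_TOKEN_URI,
                SecurityMechanism.WSS_TLS_X509_TOKEN_URI,
                SecurityMechanism.WSS_CLIENT_TLS_X509_TOKEN_URI)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate:: x509 token authentication");
                debug.message("authenticate: authChain : " + authChain);
            }
            X509Certificate messageCertificate = ((SecureSOAPMessage) obj).getMessageCertificate();
            if (messageCertificate == null) {
                debug.error("DefaultAuthenticator.authenticate:: X509 auth could not find the message certificate.");
                throw new SecurityException(bundle.getString("authenticationFailed"));
            }
            String certificateAlias = WSSUtils.getXMLSignatureManager().getKeyProvider().getCertificateAlias(messageCertificate);
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate: cert : " + messageCertificate);
                debug.message("DefaultAuthenticator.authenticate: certAlias : " + certificateAlias);
            }
            // With no authentication chain the certificate is accepted on the strength of the
            // message signature alone; the subject DN becomes the principal.
            if (!isNoAuthChain(authChain) && !authenticateCert(certificateAlias, authChain, messageCertificate, subject)) {
                throw new SecurityException(bundle.getString("authenticationFailed"));
            }
            String subjectName = CertUtils.getSubjectName(messageCertificate);
            subject = addPrincipal(subjectName, subject);
            subject.getPublicCredentials().add(messageCertificate);
            WSSUtils.setRoles(subject, subjectName);
        } else if (isOneOf(uri,
                SecurityMechanism.WSS_NULL_SAML_HK_URI,
                SecurityMechanism.WSS_TLS_SAML_HK_URI,
                SecurityMechanism.WSS_CLIENT_TLS_SAML_HK_URI,
                SecurityMechanism.WSS_NULL_SAML_SV_URI,
                SecurityMechanism.WSS_TLS_SAML_SV_URI,
                SecurityMechanism.WSS_CLIENT_TLS_SAML_SV_URI)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate:: saml token authentication");
            }
            AssertionToken assertionToken = (AssertionToken) securityToken;
            if (isNoAuthChain(authChain)) {
                if (!validateAssertion(assertionToken.getAssertion(), subject, attributeMap)) {
                    throw new SecurityException(bundle.getString("authenticationFailed"));
                }
            } else if (!authenticateAssertion(assertionToken.toDocumentElement(), providerConfig, subject)) {
                throw new SecurityException(bundle.getString("authenticationFailed"));
            }
        } else if (isOneOf(uri,
                SecurityMechanism.WSS_NULL_SAML2_HK_URI,
                SecurityMechanism.WSS_TLS_SAML2_HK_URI,
                SecurityMechanism.WSS_CLIENT_TLS_SAML2_HK_URI,
                SecurityMechanism.WSS_NULL_SAML2_SV_URI,
                SecurityMechanism.WSS_TLS_SAML2_SV_URI,
                SecurityMechanism.WSS_CLIENT_TLS_SAML2_SV_URI)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate:: saml2 token authentication");
            }
            SAML2Token saml2Token = (SAML2Token) securityToken;
            if (isNoAuthChain(authChain)) {
                if (!SAML2TokenUtils.validateAssertion(saml2Token.getAssertion(), subject, attributeMap)) {
                    throw new SecurityException(bundle.getString("authenticationFailed"));
                }
            } else if (!authenticateAssertion(saml2Token.toDocumentElement(), providerConfig, subject)) {
                throw new SecurityException(bundle.getString("authenticationFailed"));
            }
        } else if (isOneOf(uri,
                SecurityMechanism.WSS_NULL_KERBEROS_TOKEN_URI,
                SecurityMechanism.WSS_TLS_KERBEROS_TOKEN_URI,
                SecurityMechanism.WSS_CLIENT_TLS_KERBEROS_TOKEN_URI)) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.authenticate:: kerberos token authentication");
            }
            // validateKerberosToken either succeeds or throws; its boolean result carries no information.
            validateKerberosToken(Base64.decode(((BinarySecurityToken) securityToken).getTokenValue()), subject);
        } else {
            debug.error("DefaultAuthenticator.authenticate:: Invalid security mechanism");
            LogUtil.error(Level.INFO, LogUtil.AUTHENTICATION_FAILED, new String[]{uri}, null);
            throw new SecurityException(bundle.getString("authenticationFailed"));
        }
        if (securityToken != null) {
            subject.getPublicCredentials().add(securityToken.toDocumentElement());
        }
        attributeMap.put(WSSConstants.AUTH_METHOD, uri);
        subject.getPublicCredentials().add(attributeMap);
        return subject;
    }

    /** Returns {@code true} when {@code uri} equals one of {@code candidates} (null-safe). */
    private static boolean isOneOf(String uri, String... candidates) {
        for (String candidate : candidates) {
            if (candidate.equals(uri)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} when the provider's authentication chain is unset, empty or the literal
     * {@code "none"}, i.e. tokens are validated locally instead of through the framework.
     */
    private static boolean isNoAuthChain(String authChain) {
        return authChain == null || authChain.length() == 0 || authChain.equals("none");
    }

    /**
     * Compares two secrets without leaking where they first differ. Either operand being
     * {@code null} yields {@code false}.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Validates a UsernameToken against the users configured on the provider.
     *
     * <p>For {@link WSSConstants#PASSWORD_DIGEST_TYPE} tokens the Created timestamp is checked
     * with {@link #validateUserTokenTime(String)}, the digest is recomputed from the configured
     * password, and the nonce is recorded through {@link #cacheNonce(String, String)} when replay
     * detection is enabled. Any other password type is compared as plaintext.
     *
     * @param userNameToken the token from the message
     * @param subject       receives the user principal and roles on success
     * @return {@code true} when the credentials match a configured user
     * @throws SecurityException from {@link #cacheNonce} when the nonce has been seen before
     */
    private boolean validateUser(UserNameToken userNameToken, Subject subject) throws SecurityException {
        String userName = userNameToken.getUserName();
        String password = userNameToken.getPassword();
        if (userName == null || password == null) {
            return false;
        }
        List users = this.config.getUsers();
        if (users == null || users.isEmpty()) {
            debug.error("DefaultAuthenticator.validateUser:: users are not  configured in the providers.");
            return false;
        }
        // Find the configured password for this user name; first match wins.
        String configuredPassword = null;
        for (Iterator it = users.iterator(); it.hasNext();) {
            PasswordCredential credential = (PasswordCredential) it.next();
            if (userName.equals(credential.getUserName())) {
                configuredPassword = credential.getPassword();
                break;
            }
        }
        if (configuredPassword == null) {
            debug.error("DefaultAuthenticator.validateUser:: configured user  does not have the password.");
            return false;
        }
        String passwordType = userNameToken.getPasswordType();
        if (WSSConstants.PASSWORD_DIGEST_TYPE.equals(passwordType)) {
            String nonce = userNameToken.getNonce();
            String created = userNameToken.getCreated();
            if (!validateUserTokenTime(created)) {
                return false;
            }
            String expectedDigest = UserNameToken.getPasswordDigest(configuredPassword, nonce, created);
            if (!constantTimeEquals(expectedDigest, password)) {
                debug.error("DefaultAuthenticator.validateUser:: Password does not match");
                return false;
            }
            if (this.config.isUserTokenDetectReplayEnabled()) {
                cacheNonce(created, nonce);
            }
        } else if (!constantTimeEquals(configuredPassword, password)) {
            debug.error("DefaultAuthenticator.validateUser:: Password does not match");
            return false;
        }
        WSSUtils.setRoles(addPrincipal(userName, subject), userName);
        return true;
    }

    /**
     * Authenticates a UsernameToken through the authentication framework.
     *
     * <p>The token's Created timestamp is checked first. For digest tokens the password handed to
     * the login module is re-encoded as {@code "PasswordDigest=...;Nonce=...;Timestamp=..."} so the
     * module can recompute the digest itself. On success the nonce is cached when replay detection
     * is enabled, and the SSOToken (if one could be obtained) is stored as a private credential.
     *
     * @param userNameToken the token from the message
     * @param subject       receives the principal, roles and SSOToken on success
     * @param str           the authentication service (chain) name
     * @return {@code true} on a successful login
     * @throws SecurityException from {@link #cacheNonce} or {@link #addSSOToken}
     */
    private boolean authenticateUser(UserNameToken userNameToken, Subject subject, String str) throws SecurityException {
        String userName = userNameToken.getUserName();
        String password = userNameToken.getPassword();
        if (userName == null || password == null) {
            return false;
        }
        String nonce = userNameToken.getNonce();
        String created = userNameToken.getCreated();
        if (!validateUserTokenTime(created)) {
            return false;
        }
        // A missing password type is treated as plaintext, as validateUser does.
        String passwordType = userNameToken.getPasswordType();
        if (passwordType != null && WSSConstants.PASSWORD_DIGEST_TYPE.equals(passwordType.trim())) {
            password = "PasswordDigest=" + password + ";Nonce=" + nonce + ";Timestamp=" + created;
        }
        AuthContext.IndexType indexType = AuthContext.IndexType.SERVICE;
        try {
            AuthContext authContext = new AuthContext("/");
            debug.message("authenticateUser: Obtained AuthContext");
            authContext.login(indexType, str);
            while (authContext.hasMoreRequirements()) {
                Callback[] requirements = authContext.getRequirements();
                if (requirements != null) {
                    try {
                        addLoginCallbackMessage(requirements, userName, password, null);
                        authContext.submitRequirements(requirements);
                    } catch (Exception e) {
                        debug.error("authenticateUser: Submit error : " + e.getMessage());
                        return false;
                    }
                }
            }
            if (authContext.getStatus() != AuthContext.Status.SUCCESS) {
                if (authContext.getStatus() == AuthContext.Status.FAILED) {
                    debug.error("authenticateUser: Login Failed.");
                    return false;
                }
                debug.error("authenticateUser: Unknown status : " + authContext.getStatus());
                return false;
            }
            debug.message("authenticateUser: Login success!!");
            // A missing SSOToken is not fatal; the login itself already succeeded.
            SSOToken ssoToken = null;
            try {
                ssoToken = authContext.getSSOToken();
                debug.message("authenticateUser: got SSOToken successfully");
            } catch (Exception e2) {
                if (debug.messageEnabled()) {
                    debug.message("authenticateUser: SSOToken error : " + e2.getMessage());
                }
            }
            if (this.config.isUserTokenDetectReplayEnabled()) {
                cacheNonce(created, nonce);
            }
            Subject populated = addPrincipal(userName, subject);
            WSSUtils.setRoles(populated, userName);
            addSSOToken(ssoToken, populated);
            return true;
        } catch (AuthLoginException e3) {
            debug.error("authenticateUser: Login error : " + e3.getMessage());
            return false;
        }
    }

    /**
     * Authenticates the message signer's certificate through the authentication framework.
     *
     * @param str             the key store alias resolved for the certificate; an empty alias
     *                        fails immediately
     * @param str2            the authentication service (chain) name
     * @param x509Certificate the certificate handed to the {@link X509CertificateCallback}
     * @param subject         receives the SSOToken (if obtained) as a private credential
     * @return {@code true} on a successful login
     * @throws SecurityException from {@link #addSSOToken}
     */
    private boolean authenticateCert(String str, String str2, X509Certificate x509Certificate, Subject subject) throws SecurityException {
        if (str == null || str.length() == 0) {
            return false;
        }
        if (debug.messageEnabled()) {
            debug.message("authenticateCert: certAlias : " + str);
        }
        AuthContext.IndexType indexType = AuthContext.IndexType.SERVICE;
        try {
            AuthContext authContext = new AuthContext("/", str);
            debug.message("authenticateCert: Obtained AuthContext");
            authContext.login(indexType, str2);
            while (authContext.hasMoreRequirements()) {
                Callback[] requirements = authContext.getRequirements();
                if (requirements != null) {
                    try {
                        // Name and password are null here: a chain that asks for them fails the login.
                        addLoginCallbackMessage(requirements, null, null, x509Certificate);
                        authContext.submitRequirements(requirements);
                    } catch (Exception e) {
                        debug.error("authenticateCert: Submit error : " + e.getMessage());
                        return false;
                    }
                }
            }
            if (authContext.getStatus() != AuthContext.Status.SUCCESS) {
                if (authContext.getStatus() == AuthContext.Status.FAILED) {
                    debug.error("authenticateCert: Login Failed.");
                    return false;
                }
                debug.error("authenticateCert: Unknown status : " + authContext.getStatus());
                return false;
            }
            debug.message("authenticateCert: Login success!!");
            SSOToken ssoToken = null;
            try {
                ssoToken = authContext.getSSOToken();
                debug.message("authenticateCert: got SSOToken successfully");
            } catch (Exception e2) {
                if (debug.messageEnabled()) {
                    debug.message("authenticateCert: SSOToken error : " + e2.getMessage());
                }
            }
            addSSOToken(ssoToken, subject);
            return true;
        } catch (AuthLoginException e3) {
            debug.error("authenticateCert: Login error : " + e3.getMessage());
            return false;
        }
    }

    /**
     * Validates a SAML 1.x assertion locally: checks the Conditions window (allowing the
     * configured clock skew), collects the subject from its authentication or attribute
     * statements, copies attribute values into {@code map}, and adds the subject-confirmation
     * certificate (authentication statements only) as a public credential.
     *
     * <p>This method does not verify the assertion's signature; it assumes that was done before
     * the token reached the authenticator — confirm against the calling handler.
     *
     * @param assertion the assertion to validate
     * @param subject   receives the name-identifier principal and roles on success
     * @param map       receives attribute name to value list entries
     * @return {@code false} when the assertion is expired, has no subject, or the subject has no
     *         name identifier
     * @throws SecurityException when an attribute cannot be read
     */
    private boolean validateAssertion(Assertion assertion, Subject subject, Map map) throws SecurityException {
        if (assertion.getConditions() != null && !assertion.getConditions().checkDateValidity(System.currentTimeMillis() + WSSUtils.getTimeSkew())) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.validateAssertionToken::  assertion time is not valid");
            }
            return false;
        }
        com.sun.identity.saml.assertion.Subject assertionSubject = null;
        for (Iterator it = assertion.getStatement().iterator(); it.hasNext();) {
            Statement statement = (Statement) it.next();
            // Statement type codes: 1 is an AuthenticationStatement, 3 an AttributeStatement
            // (the casts below rely on exactly that).
            if (1 == statement.getStatementType()) {
                assertionSubject = ((AuthenticationStatement) statement).getSubject();
                SubjectConfirmation confirmation = assertionSubject.getSubjectConfirmation();
                Element keyInfo = confirmation == null ? null : confirmation.getKeyInfo();
                if (keyInfo != null) {
                    subject.getPublicCredentials().add(WSSUtils.getCertificate(keyInfo));
                }
            } else if (3 == statement.getStatementType()) {
                AttributeStatement attributeStatement = (AttributeStatement) statement;
                assertionSubject = attributeStatement.getSubject();
                // The subject confirmation of an attribute statement is deliberately not consulted
                // for a certificate (the original code left that path disabled).
                List<Attribute> attributes = attributeStatement.getAttribute();
                if (attributes != null) {
                    for (Attribute attribute : attributes) {
                        try {
                            map.put(attribute.getAttributeName(), attribute.getAttributeValue());
                        } catch (Exception e) {
                            throw new SecurityException(e.getMessage());
                        }
                    }
                }
            }
        }
        if (assertionSubject == null) {
            if (debug.messageEnabled()) {
                debug.message("DefaultAuthenticator.validateAssertionToken:: Assertion does not have subject");
            }
            return false;
        }
        NameIdentifier nameIdentifier = assertionSubject.getNameIdentifier();
        if (nameIdentifier == null) {
            return false;
        }
        WSSUtils.setRoles(addPrincipal(nameIdentifier.getName(), subject), nameIdentifier.getName());
        return true;
    }

    /**
     * Authenticates a Liberty ID-WSF message: validates its security assertion when present,
     * otherwise requires a message certificate and uses its subject DN as the principal.
     *
     * @param obj     the Liberty {@link Message}
     * @param subject the subject to populate
     * @param map     receives assertion attributes (see {@link #validateAssertion})
     * @return the populated subject
     * @throws IllegalArgumentException when {@code obj} or {@code subject} is {@code null}
     * @throws SecurityException        when neither a valid assertion nor a certificate is present
     */
    private Object authenticateLibertyMessage(Object obj, Subject subject, Map map) throws SecurityException {
        if (obj == null || subject == null) {
            throw new IllegalArgumentException(bundle.getString("nullInput"));
        }
        Message message = (Message) obj;
        SecurityAssertion assertion = message.getAssertion();
        if (assertion != null) {
            if (validateAssertion(assertion, subject, map)) {
                return subject;
            }
            throw new SecurityException(bundle.getString("authenticationFailed"));
        }
        X509Certificate messageCertificate = message.getMessageCertificate();
        if (messageCertificate == null) {
            throw new SecurityException(bundle.getString("authenticationFailed"));
        }
        subject.getPrincipals().add(new SecurityPrincipal(messageCertificate.getSubjectDN().getName()));
        return subject;
    }

    /**
     * Stores {@code sSOToken} as a private credential of {@code subject} under a privileged
     * action. A {@code null} token is a no-op.
     *
     * @throws SecurityException if the credential set cannot be modified
     */
    private void addSSOToken(final SSOToken sSOToken, final Subject subject) throws SecurityException {
        if (sSOToken == null) {
            return;
        }
        try {
            AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: com.sun.identity.wss.security.handler.DefaultAuthenticator.1
                @Override // java.security.PrivilegedAction
                public Void run() {
                    subject.getPrivateCredentials().add(sSOToken);
                    return null;
                }
            });
            debug.message("Set SSOToken in Subject successfully");
        } catch (Exception e) {
            debug.message("Can not set SSOToken in Subject");
            throw new SecurityException(e.getMessage());
        }
    }

    /** Adds a {@link SecurityPrincipal} named {@code str} to {@code subject} and returns it. */
    private Subject addPrincipal(String str, Subject subject) {
        subject.getPrincipals().add(new SecurityPrincipal(str));
        return subject;
    }

    /**
     * Fills the framework's login callbacks: name and password callbacks get {@code str} /
     * {@code str2}, certificate callbacks get {@code x509Certificate} with signature verification
     * disabled. Unknown callback types are ignored.
     *
     * @throws UnsupportedCallbackException when filling a callback fails, e.g. because the chain
     *                                      asked for a name or password that is {@code null}
     */
    static void addLoginCallbackMessage(Callback[] callbackArr, String str, String str2, X509Certificate x509Certificate) throws UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            try {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(str.trim());
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(str2.toCharArray());
                } else if (callback instanceof X509CertificateCallback) {
                    X509CertificateCallback certificateCallback = (X509CertificateCallback) callback;
                    try {
                        // The message signature was already verified upstream, so the module is
                        // told not to require one.
                        certificateCallback.setReqSignature(false);
                        certificateCallback.setCertificate(x509Certificate);
                    } catch (Exception e) {
                        if (debug.messageEnabled()) {
                            debug.message("createX509CertificateCallback : " + e.toString());
                        }
                    }
                }
            } catch (Exception e2) {
                throw new UnsupportedCallbackException(callback, "Callback exception: " + e2);
            }
        }
    }

    /**
     * Accepts a Kerberos GSS context token under the service's own Kerberos subject (see
     * {@link #getServerSubject()}), records the initiator as {@code kerberosPrincipal}, and adds
     * it as a principal of {@code subject}. The first {@link EncryptionKey} found among the server
     * subject's private credentials is exposed to {@code subject} as a {@link SecretKeySpec}.
     *
     * <p>NOTE(review): the SecretKeySpec algorithm is hard-coded to {@code "DES"} whatever the
     * key's real encryption type is — confirm that consumers of the public credential do not rely
     * on the algorithm name.
     *
     * @param bArr    the Base64-decoded token bytes
     * @param subject the subject to populate
     * @return always {@code true}; failure is reported by exception
     * @throws SecurityException on any GSS or login error
     */
    private boolean validateKerberosToken(final byte[] bArr, Subject subject) throws SecurityException {
        Subject serverSubject = getServerSubject();
        try {
            Subject.doAs(serverSubject, new PrivilegedExceptionAction<Void>() { // from class: com.sun.identity.wss.security.handler.DefaultAuthenticator.2
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    final GSSManager gssManager = GSSManager.getInstance();
                    // Kerberos V5 mechanism OID.
                    final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                    AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: com.sun.identity.wss.security.handler.DefaultAuthenticator.2.1
                        @Override // java.security.PrivilegedAction
                        public Void run() {
                            try {
                                gssManager.addProviderAtFront(new XWSSProvider(), krb5Oid);
                            } catch (GSSException e) {
                                WSSUtils.debug.error("BinarySecurityToken.validateKerberosToken", e);
                            }
                            return null;
                        }
                    });
                    GSSContext acceptor = gssManager.createContext((GSSCredential) null);
                    acceptor.acceptSecContext(bArr, 0, bArr.length);
                    DefaultAuthenticator.this.kerberosPrincipal = acceptor.getSrcName().toString();
                    return null;
                }
            });
            for (Object credential : serverSubject.getPrivateCredentials()) {
                if (credential instanceof EncryptionKey) {
                    subject.getPublicCredentials().add(new SecretKeySpec(((EncryptionKey) credential).getBytes(), "DES"));
                    break;
                }
            }
            addPrincipal(this.kerberosPrincipal, subject);
            return true;
        } catch (Exception e) {
            debug.error("BinarySecurityToken.getKerberosToken: GSS Error", e);
            throw new SecurityException(e.getMessage());
        }
    }

    /**
     * Logs the service in to Kerberos with the keytab and principal from the provider
     * configuration and returns the resulting subject.
     *
     * <p>Side effects: the process-wide system properties {@code java.security.krb5.realm},
     * {@code java.security.krb5.kdc} and {@code java.security.auth.login.config} are overwritten,
     * and the JVM-wide JAAS {@link Configuration} is replaced with a {@link KerberosConfiguration}.
     * Other JAAS or Kerberos users in the same JVM will see these changes.
     *
     * @throws SecurityException when the Kerberos login fails
     */
    private Subject getServerSubject() throws SecurityException {
        String kdcDomain = this.config.getKDCDomain();
        String kdcServer = this.config.getKDCServer();
        System.setProperty("java.security.krb5.realm", kdcDomain);
        System.setProperty("java.security.krb5.kdc", kdcServer);
        // Point JAAS at an empty file so the programmatic configuration below is the only one.
        System.setProperty("java.security.auth.login.config", "/dev/null");
        Configuration current = Configuration.getConfiguration();
        KerberosConfiguration kerberosConfiguration;
        if (current instanceof KerberosConfiguration) {
            kerberosConfiguration = (KerberosConfiguration) current;
            kerberosConfiguration.setRefreshConfig("true");
        } else {
            kerberosConfiguration = new KerberosConfiguration(current);
        }
        kerberosConfiguration.setPrincipalName(this.config.getKerberosServicePrincipal());
        kerberosConfiguration.setKeyTab(this.config.getKeyTabFile());
        Configuration.setConfiguration(kerberosConfiguration);
        try {
            LoginContext loginContext = new LoginContext(KerberosConfiguration.WSP_CONFIGURATION);
            loginContext.login();
            return loginContext.getSubject();
        } catch (LoginException e) {
            throw new SecurityException(e.getMessage());
        }
    }

    /**
     * Authenticates a SAML assertion by exchanging it at the local STS. The STS and MEX endpoint
     * URLs are derived from the server's naming configuration. If the STS returns a FAM SSO token
     * the corresponding SSOToken becomes a private credential and its principal is added;
     * otherwise the returned token element is added as a public credential.
     *
     * @param element        the assertion element to exchange
     * @param providerConfig supplies the WSP endpoint and the requested token conversion type
     * @param subject        the subject to populate
     * @return always {@code true}; failure is reported by exception
     * @throws SecurityException on naming, STS or SSO errors
     */
    private boolean authenticateAssertion(Element element, ProviderConfig providerConfig, Subject subject) throws SecurityException {
        try {
            String protocol = SystemConfigurationUtil.getProperty("com.iplanet.am.server.protocol");
            String host = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
            String port = SystemConfigurationUtil.getProperty("com.iplanet.am.server.port");
            String deploymentDescriptor = SystemConfigurationUtil.getProperty("com.iplanet.am.services.deploymentDescriptor");
            URL stsUrl = WebtopNaming.getServiceURL("sts", protocol, host, port, deploymentDescriptor);
            URL mexUrl = WebtopNaming.getServiceURL("sts-mex", protocol, host, port, deploymentDescriptor);
            TrustAuthorityClient trustAuthorityClient = new TrustAuthorityClient();
            // Map the provider's token-conversion setting to the WS-Trust token type URI.
            String tokenConversionType = providerConfig.getTokenConversionType();
            String requestedTokenType = tokenConversionType;
            if (tokenConversionType != null) {
                if (tokenConversionType.equals(SecurityToken.WSS_SAML_TOKEN)) {
                    requestedTokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
                } else if (tokenConversionType.equals(SecurityToken.WSS_SAML2_TOKEN)) {
                    requestedTokenType = "urn:oasis:names:tc:SAML:2.0:assertion";
                }
            }
            SecurityToken securityToken = trustAuthorityClient.getSecurityToken(providerConfig.getWSPEndpoint(), stsUrl.toString(), mexUrl.toString(), element, SecurityMechanism.STS_SECURITY_URI, requestedTokenType, null);
            if (!securityToken.getTokenType().equals(SecurityToken.WSS_FAM_SSO_TOKEN)) {
                subject.getPublicCredentials().add(securityToken.toDocumentElement());
                return true;
            }
            SSOToken ssoToken = SSOTokenManager.getInstance().createSSOToken(((FAMSecurityToken) securityToken).getTokenID());
            addSSOToken(ssoToken, subject);
            addPrincipal(ssoToken.getPrincipal().getName(), subject);
            return true;
        } catch (SSOException e) {
            throw new SecurityException(e.getMessage());
        } catch (URLNotFoundException e2) {
            throw new SecurityException(e2.getMessage());
        } catch (FAMSTSException e3) {
            throw new SecurityException(e3.getMessage());
        }
    }

    /**
     * Rejects a UsernameToken whose Created timestamp lies in the future by more than the
     * configured clock skew.
     *
     * <p>Any timestamp in the past is accepted — there is no maximum token age — so protection
     * against replay of an old token rests entirely on the nonce cache
     * ({@link #cacheNonce(String, String)}), which is consulted only when replay detection is
     * enabled for the provider.
     *
     * @param str the Created value as a date string
     * @return {@code false} when the date is unparseable or too far in the future
     */
    private boolean validateUserTokenTime(String str) {
        try {
            return (new Date().getTime() + WSSUtils.getTimeSkew()) - DateUtils.stringToDate(str).getTime() >= 0;
        } catch (ParseException e) {
            WSSUtils.debug.error("DefaultAuthenticator.validateUserTokenTime: parse error", e);
            return false;
        }
    }

    /**
     * Records {@code nonce} against its Created timestamp in the in-memory nonce cache and, when a
     * cache repository is configured, in that repository as well.
     *
     * @param created the token's Created timestamp, used as the cache key
     * @param nonce   the token's nonce
     * @throws SecurityException when the same nonce was already recorded for this timestamp
     *                           (replay detected)
     */
    private void cacheNonce(String created, String nonce) throws SecurityException {
        Set seen = (Set) WSSCache.nonceCache.get(created);
        WSSCacheRepository repository = WSSUtils.getWSSCacheRepository();
        // Fall back to the shared repository when the local cache has nothing for this timestamp.
        if ((seen == null || seen.isEmpty()) && repository != null) {
            seen = repository.retrieveUserTokenNonce(created, this.config.getProviderName());
        }
        if (seen == null || seen.isEmpty()) {
            HashSet fresh = new HashSet();
            fresh.add(nonce);
            WSSCache.nonceCache.put(created, fresh);
            if (repository != null) {
                repository.saveUserTokenNonce(created, fresh, this.config.getProviderName());
            }
            return;
        }
        if (seen.contains(nonce)) {
            throw new SecurityException(WSSUtils.bundle.getString("replayAttackDetected"));
        }
        seen.add(nonce);
        WSSCache.nonceCache.put(created, seen);
        if (repository != null) {
            repository.saveUserTokenNonce(created, seen, this.config.getProviderName());
        }
    }
}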
