package org.springframework.security.config.http;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.springframework.beans.BeanMetadataElement;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanReference;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.parsing.BeanComponentDefinition;
import org.springframework.beans.factory.parsing.CompositeComponentDefinition;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.ManagedList;
import org.springframework.beans.factory.support.ManagedMap;
import org.springframework.beans.factory.support.RootBeanDefinition;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.config.Elements;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator;
import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.access.channel.InsecureChannelProcessor;
import org.springframework.security.web.access.channel.RetryWithHttpEntryPoint;
import org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint;
import org.springframework.security.web.access.channel.SecureChannelProcessor;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.access.intercept.RequestKey;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/spring-security-config-3.0.0.RELEASE.jar:org/springframework/security/config/http/HttpConfigurationBuilder.class */
class HttpConfigurationBuilder {
    private static final String ATT_CREATE_SESSION = "create-session";
    private static final String OPT_CREATE_SESSION_NEVER = "never";
    private static final String DEF_CREATE_SESSION_IF_REQUIRED = "ifRequired";
    private static final String OPT_CREATE_SESSION_ALWAYS = "always";
    private static final String ATT_SESSION_FIXATION_PROTECTION = "session-fixation-protection";
    private static final String OPT_SESSION_FIXATION_NO_PROTECTION = "none";
    private static final String OPT_SESSION_FIXATION_MIGRATE_SESSION = "migrateSession";
    private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
    private static final String ATT_SESSION_AUTH_STRATEGY_REF = "session-authentication-strategy-ref";
    private static final String ATT_SESSION_AUTH_ERROR_URL = "session-authentication-error-url";
    private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref";
    private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
    private static final String ATT_ACCESS_MGR = "access-decision-manager-ref";
    private static final String ATT_ONCE_PER_REQUEST = "once-per-request";
    private final Element httpElt;
    private final ParserContext pc;
    private final UrlMatcher matcher;
    private final Boolean convertPathsToLowerCase;
    private final boolean allowSessionCreation;
    private final List<Element> interceptUrls;
    private List<String> emptyFilterChainPaths;
    private ManagedMap<String, List<BeanMetadataElement>> filterChainMap;
    private BeanDefinition cpf;
    private BeanDefinition securityContextPersistenceFilter;
    private BeanReference contextRepoRef;
    private BeanReference sessionRegistryRef;
    private BeanDefinition concurrentSessionFilter;
    private BeanReference sessionStrategyRef;
    private RootBeanDefinition sfpf;
    private BeanDefinition servApiFilter;
    private String portMapperName;
    private BeanReference fsi;
    static final /* synthetic */ boolean $assertionsDisabled;

    public HttpConfigurationBuilder(Element element, ParserContext parserContext, UrlMatcher urlMatcher, String str) {
        this.httpElt = element;
        this.pc = parserContext;
        this.portMapperName = str;
        this.matcher = urlMatcher;
        this.convertPathsToLowerCase = Boolean.valueOf((urlMatcher instanceof AntUrlPathMatcher) && urlMatcher.requiresLowerCaseUrl());
        this.interceptUrls = DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_URL);
        this.allowSessionCreation = !"never".equals(element.getAttribute(ATT_CREATE_SESSION));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void parseInterceptUrlsForEmptyFilterChains() {
        this.emptyFilterChainPaths = new ArrayList();
        this.filterChainMap = new ManagedMap<>();
        for (Element element : this.interceptUrls) {
            String attribute = element.getAttribute("pattern");
            if (!StringUtils.hasText(attribute)) {
                this.pc.getReaderContext().error("path attribute cannot be empty or null", element);
            }
            if (this.convertPathsToLowerCase.booleanValue()) {
                attribute = attribute.toLowerCase();
            }
            String attribute2 = element.getAttribute("filters");
            if (StringUtils.hasText(attribute2)) {
                if (!attribute2.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
                    this.pc.getReaderContext().error("Currently only 'none' is supported as the custom filters attribute", element);
                }
                this.emptyFilterChainPaths.add(attribute);
                this.filterChainMap.put(attribute, Collections.emptyList());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createSecurityContextPersistenceFilter() {
        BeanDefinitionBuilder rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(SecurityContextPersistenceFilter.class);
        String attribute = this.httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
        String attribute2 = this.httpElt.getAttribute(ATT_CREATE_SESSION);
        String attribute3 = this.httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
        if (!StringUtils.hasText(attribute)) {
            BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
            if ("always".equals(attribute2)) {
                rootBeanDefinition2.addPropertyValue("allowSessionCreation", Boolean.TRUE);
                rootBeanDefinition.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
            } else if ("never".equals(attribute2)) {
                rootBeanDefinition2.addPropertyValue("allowSessionCreation", Boolean.FALSE);
                rootBeanDefinition.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
            } else {
                rootBeanDefinition2.addPropertyValue("allowSessionCreation", Boolean.TRUE);
                rootBeanDefinition.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
            }
            if ("true".equals(attribute3)) {
                rootBeanDefinition2.addPropertyValue("disableUrlRewriting", Boolean.TRUE);
            }
            AbstractBeanDefinition beanDefinition = rootBeanDefinition2.getBeanDefinition();
            attribute = this.pc.getReaderContext().registerWithGeneratedName(beanDefinition);
            this.pc.registerBeanComponent(new BeanComponentDefinition(beanDefinition, attribute));
        } else if ("always".equals(attribute2)) {
            rootBeanDefinition.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
        } else if (StringUtils.hasText(attribute2)) {
            this.pc.getReaderContext().error("If using security-context-repository-ref, the only value you can set for 'create-session' is 'always'. Other session creation logic should be handled by the SecurityContextRepository", this.httpElt);
        }
        this.contextRepoRef = new RuntimeBeanReference(attribute);
        rootBeanDefinition.addPropertyValue("securityContextRepository", this.contextRepoRef);
        this.securityContextPersistenceFilter = rootBeanDefinition.getBeanDefinition();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createSessionManagementFilters() {
        BeanDefinitionBuilder rootBeanDefinition;
        Element childElementByTagName = DomUtils.getChildElementByTagName(this.httpElt, Elements.SESSION_MANAGEMENT);
        Element element = null;
        String str = null;
        String str2 = null;
        String str3 = null;
        String str4 = null;
        if (childElementByTagName != null) {
            str = childElementByTagName.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
            str2 = childElementByTagName.getAttribute(ATT_INVALID_SESSION_URL);
            str3 = childElementByTagName.getAttribute(ATT_SESSION_AUTH_STRATEGY_REF);
            str4 = childElementByTagName.getAttribute(ATT_SESSION_AUTH_ERROR_URL);
            element = DomUtils.getChildElementByTagName(childElementByTagName, Elements.CONCURRENT_SESSIONS);
            if (element != null) {
                if (StringUtils.hasText(str3)) {
                    this.pc.getReaderContext().error("session-authentication-strategy-ref attribute cannot be used in combination with <concurrency-control>", this.pc.extractSource(element));
                }
                createConcurrencyControlFilterAndSessionRegistry(element);
            }
        }
        if (!StringUtils.hasText(str)) {
            str = OPT_SESSION_FIXATION_MIGRATE_SESSION;
        } else if (StringUtils.hasText(str3)) {
            this.pc.getReaderContext().error("session-fixation-protection attribute cannot be used in combination with session-authentication-strategy-ref", this.pc.extractSource(element));
        }
        boolean z = !str.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
        if (element != null) {
            if (!$assertionsDisabled && this.sessionRegistryRef == null) {
                throw new AssertionError();
            }
            rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControlStrategy.class);
            rootBeanDefinition.addConstructorArgValue(this.sessionRegistryRef);
            String attribute = element.getAttribute("max-sessions");
            if (StringUtils.hasText(attribute)) {
                rootBeanDefinition.addPropertyValue("maximumSessions", attribute);
            }
            String attribute2 = element.getAttribute("error-if-maximum-exceeded");
            if (StringUtils.hasText(attribute2)) {
                rootBeanDefinition.addPropertyValue("exceptionIfMaximumExceeded", attribute2);
            }
        } else {
            if (!z && !StringUtils.hasText(str2) && !StringUtils.hasText(str3)) {
                this.sfpf = null;
                return;
            }
            rootBeanDefinition = BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionStrategy.class);
        }
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
        RootBeanDefinition rootBeanDefinition3 = new RootBeanDefinition(SimpleUrlAuthenticationFailureHandler.class);
        if (StringUtils.hasText(str4)) {
            rootBeanDefinition3.getPropertyValues().addPropertyValue("defaultFailureUrl", str4);
        }
        rootBeanDefinition2.addPropertyValue("authenticationFailureHandler", rootBeanDefinition3);
        rootBeanDefinition2.addConstructorArgValue(this.contextRepoRef);
        if (!StringUtils.hasText(str3)) {
            AbstractBeanDefinition beanDefinition = rootBeanDefinition.getBeanDefinition();
            if (z) {
                rootBeanDefinition.addPropertyValue("migrateSessionAttributes", Boolean.valueOf(str.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
            }
            str3 = this.pc.getReaderContext().registerWithGeneratedName(beanDefinition);
            this.pc.registerBeanComponent(new BeanComponentDefinition(beanDefinition, str3));
        }
        if (StringUtils.hasText(str2)) {
            rootBeanDefinition2.addPropertyValue("invalidSessionUrl", str2);
        }
        rootBeanDefinition2.addPropertyReference("sessionAuthenticationStrategy", str3);
        this.sfpf = (RootBeanDefinition) rootBeanDefinition2.getBeanDefinition();
        this.sessionStrategyRef = new RuntimeBeanReference(str3);
    }

    private void createConcurrencyControlFilterAndSessionRegistry(Element element) {
        this.pc.pushContainingComponent(new CompositeComponentDefinition(element.getTagName(), this.pc.extractSource(element)));
        BeanDefinitionRegistry registry = this.pc.getRegistry();
        String attribute = element.getAttribute("session-registry-ref");
        if (!StringUtils.hasText(attribute)) {
            RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(SessionRegistryImpl.class);
            attribute = this.pc.getReaderContext().registerWithGeneratedName(rootBeanDefinition);
            this.pc.registerComponent(new BeanComponentDefinition(rootBeanDefinition, attribute));
        }
        String attribute2 = element.getAttribute("session-registry-alias");
        if (StringUtils.hasText(attribute2)) {
            registry.registerAlias(attribute, attribute2);
        }
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionFilter.class);
        rootBeanDefinition2.addPropertyReference("sessionRegistry", attribute);
        Object extractSource = this.pc.extractSource(element);
        rootBeanDefinition2.getRawBeanDefinition().setSource(extractSource);
        rootBeanDefinition2.setRole(2);
        String attribute3 = element.getAttribute("expired-url");
        if (StringUtils.hasText(attribute3)) {
            WebConfigUtils.validateHttpRedirect(attribute3, this.pc, extractSource);
            rootBeanDefinition2.addPropertyValue("expiredUrl", attribute3);
        }
        this.pc.popAndRegisterContainingComponent();
        this.concurrentSessionFilter = rootBeanDefinition2.getBeanDefinition();
        this.sessionRegistryRef = new RuntimeBeanReference(attribute);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createServletApiFilter() {
        String attribute = this.httpElt.getAttribute("servlet-api-provision");
        if (!StringUtils.hasText(attribute)) {
            attribute = "true";
        }
        if ("true".equals(attribute)) {
            this.servApiFilter = new RootBeanDefinition(SecurityContextHolderAwareRequestFilter.class);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createChannelProcessingFilter() {
        ManagedMap<BeanDefinition, BeanDefinition> parseInterceptUrlsForChannelSecurity = parseInterceptUrlsForChannelSecurity();
        if (parseInterceptUrlsForChannelSecurity.isEmpty()) {
            return;
        }
        RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(ChannelProcessingFilter.class);
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
        rootBeanDefinition2.addConstructorArgValue(this.matcher);
        rootBeanDefinition2.addConstructorArgValue(parseInterceptUrlsForChannelSecurity);
        rootBeanDefinition2.addPropertyValue("stripQueryStringFromUrls", Boolean.valueOf(this.matcher instanceof AntUrlPathMatcher));
        rootBeanDefinition.getPropertyValues().addPropertyValue("securityMetadataSource", rootBeanDefinition2.getBeanDefinition());
        RootBeanDefinition rootBeanDefinition3 = new RootBeanDefinition(ChannelDecisionManagerImpl.class);
        ManagedList managedList = new ManagedList(3);
        RootBeanDefinition rootBeanDefinition4 = new RootBeanDefinition(SecureChannelProcessor.class);
        RootBeanDefinition rootBeanDefinition5 = new RootBeanDefinition(RetryWithHttpEntryPoint.class);
        RootBeanDefinition rootBeanDefinition6 = new RootBeanDefinition(RetryWithHttpsEntryPoint.class);
        RuntimeBeanReference runtimeBeanReference = new RuntimeBeanReference(this.portMapperName);
        rootBeanDefinition5.getPropertyValues().addPropertyValue("portMapper", runtimeBeanReference);
        rootBeanDefinition6.getPropertyValues().addPropertyValue("portMapper", runtimeBeanReference);
        rootBeanDefinition4.getPropertyValues().addPropertyValue("entryPoint", rootBeanDefinition6);
        RootBeanDefinition rootBeanDefinition7 = new RootBeanDefinition(InsecureChannelProcessor.class);
        rootBeanDefinition7.getPropertyValues().addPropertyValue("entryPoint", rootBeanDefinition5);
        managedList.add(rootBeanDefinition4);
        managedList.add(rootBeanDefinition7);
        rootBeanDefinition3.getPropertyValues().addPropertyValue("channelProcessors", managedList);
        rootBeanDefinition.getPropertyValues().addPropertyValue("channelDecisionManager", new RuntimeBeanReference(this.pc.getReaderContext().registerWithGeneratedName(rootBeanDefinition3)));
        this.cpf = rootBeanDefinition;
    }

    private ManagedMap<BeanDefinition, BeanDefinition> parseInterceptUrlsForChannelSecurity() {
        ManagedMap<BeanDefinition, BeanDefinition> managedMap = new ManagedMap<>();
        for (Element element : this.interceptUrls) {
            String attribute = element.getAttribute("pattern");
            if (!StringUtils.hasText(attribute)) {
                this.pc.getReaderContext().error("path attribute cannot be empty or null", element);
            }
            if (this.convertPathsToLowerCase.booleanValue()) {
                attribute = attribute.toLowerCase();
            }
            String attribute2 = element.getAttribute("requires-channel");
            if (StringUtils.hasText(attribute2)) {
                RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(RequestKey.class);
                rootBeanDefinition.getConstructorArgumentValues().addGenericArgumentValue(attribute);
                RootBeanDefinition rootBeanDefinition2 = new RootBeanDefinition(ChannelAttributeFactory.class);
                rootBeanDefinition2.getConstructorArgumentValues().addGenericArgumentValue(attribute2);
                rootBeanDefinition2.setFactoryMethodName("createChannelAttributes");
                managedMap.put(rootBeanDefinition, rootBeanDefinition2);
            }
        }
        return managedMap;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createFilterSecurityInterceptor(BeanReference beanReference) {
        boolean isUseExpressions = FilterInvocationSecurityMetadataSourceParser.isUseExpressions(this.httpElt);
        BeanDefinition createSecurityMetadataSource = FilterInvocationSecurityMetadataSourceParser.createSecurityMetadataSource(this.interceptUrls, this.httpElt, this.pc);
        ManagedList managedList = new ManagedList(2);
        if (isUseExpressions) {
            managedList.add(new RootBeanDefinition(WebExpressionVoter.class));
        } else {
            managedList.add(new RootBeanDefinition(RoleVoter.class));
            managedList.add(new RootBeanDefinition(AuthenticatedVoter.class));
        }
        RootBeanDefinition rootBeanDefinition = new RootBeanDefinition(AffirmativeBased.class);
        rootBeanDefinition.getPropertyValues().addPropertyValue("decisionVoters", managedList);
        rootBeanDefinition.setSource(this.pc.extractSource(this.httpElt));
        String attribute = this.httpElt.getAttribute(ATT_ACCESS_MGR);
        if (!StringUtils.hasText(attribute)) {
            attribute = this.pc.getReaderContext().registerWithGeneratedName(rootBeanDefinition);
            this.pc.registerBeanComponent(new BeanComponentDefinition(rootBeanDefinition, attribute));
        }
        BeanDefinitionBuilder rootBeanDefinition2 = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
        rootBeanDefinition2.addPropertyReference("accessDecisionManager", attribute);
        rootBeanDefinition2.addPropertyValue("authenticationManager", beanReference);
        if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
            rootBeanDefinition2.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
        }
        rootBeanDefinition2.addPropertyValue("securityMetadataSource", createSecurityMetadataSource);
        AbstractBeanDefinition beanDefinition = rootBeanDefinition2.getBeanDefinition();
        String registerWithGeneratedName = this.pc.getReaderContext().registerWithGeneratedName(beanDefinition);
        this.pc.registerBeanComponent(new BeanComponentDefinition(beanDefinition, registerWithGeneratedName));
        RootBeanDefinition rootBeanDefinition3 = new RootBeanDefinition(DefaultWebInvocationPrivilegeEvaluator.class);
        rootBeanDefinition3.getConstructorArgumentValues().addGenericArgumentValue(new RuntimeBeanReference(registerWithGeneratedName));
        this.pc.registerBeanComponent(new BeanComponentDefinition(rootBeanDefinition3, this.pc.getReaderContext().registerWithGeneratedName(rootBeanDefinition3)));
        this.fsi = new RuntimeBeanReference(registerWithGeneratedName);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public BeanReference getSessionStrategy() {
        return this.sessionStrategyRef;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isAllowSessionCreation() {
        return this.allowSessionCreation;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public List<String> getEmptyFilterChainPaths() {
        return this.emptyFilterChainPaths;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public List<OrderDecorator> getFilters() {
        ArrayList arrayList = new ArrayList();
        if (this.cpf != null) {
            arrayList.add(new OrderDecorator(this.cpf, SecurityFilters.CHANNEL_FILTER));
        }
        if (this.concurrentSessionFilter != null) {
            arrayList.add(new OrderDecorator(this.concurrentSessionFilter, SecurityFilters.CONCURRENT_SESSION_FILTER));
        }
        arrayList.add(new OrderDecorator(this.securityContextPersistenceFilter, SecurityFilters.SECURITY_CONTEXT_FILTER));
        if (this.servApiFilter != null) {
            arrayList.add(new OrderDecorator(this.servApiFilter, SecurityFilters.SERVLET_API_SUPPORT_FILTER));
        }
        if (this.sfpf != null) {
            arrayList.add(new OrderDecorator(this.sfpf, SecurityFilters.SESSION_MANAGEMENT_FILTER));
        }
        arrayList.add(new OrderDecorator(this.fsi, SecurityFilters.FILTER_SECURITY_INTERCEPTOR));
        return arrayList;
    }

    static {
        $assertionsDisabled = !HttpConfigurationBuilder.class.desiredAssertionStatus();
    }
}
