package org.alfresco.web.site.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.jlan.server.auth.kerberos.KerberosDetails;
import org.alfresco.jlan.server.auth.ntlm.NTLM;
import org.alfresco.jlan.server.auth.ntlm.NTLMLogonDetails;
import org.alfresco.jlan.server.auth.ntlm.NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type2NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage;
import org.alfresco.jlan.server.auth.spnego.NegTokenInit;
import org.alfresco.jlan.server.auth.spnego.NegTokenTarg;
import org.alfresco.jlan.server.auth.spnego.OID;
import org.alfresco.jlan.server.auth.spnego.SPNEGO;
import org.alfresco.util.Pair;
import org.alfresco.util.log.NDC;
import org.alfresco.web.site.SlingshotPageView;
import org.alfresco.web.site.servlet.config.KerberosConfigElement;
import org.apache.chemistry.opencmis.commons.endpoints.CmisAuthentication;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.extensions.config.ConfigService;
import org.springframework.extensions.config.RemoteConfigElement;
import org.springframework.extensions.surf.RequestContext;
import org.springframework.extensions.surf.RequestContextUtil;
import org.springframework.extensions.surf.UserFactory;
import org.springframework.extensions.surf.exception.ConnectorServiceException;
import org.springframework.extensions.surf.exception.PlatformRuntimeException;
import org.springframework.extensions.surf.mvc.PageViewResolver;
import org.springframework.extensions.surf.site.AuthenticationUtil;
import org.springframework.extensions.surf.types.Page;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.connector.Connector;
import org.springframework.extensions.webscripts.connector.ConnectorContext;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.connector.Response;
import org.springframework.extensions.webscripts.servlet.DependencyInjectedFilter;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:WEB-INF/classes/org/alfresco/web/site/servlet/SSOAuthenticationFilter.class */
public class SSOAuthenticationFilter implements DependencyInjectedFilter, CallbackHandler, ApplicationContextAware {
    private static Log logger = LogFactory.getLog(SSOAuthenticationFilter.class);
    private static final String AUTH_NTLM = "NTLM";
    private static final String AUTH_SPNEGO = "Negotiate";
    private static final String HEADER_WWWAUTHENTICATE = "WWW-Authenticate";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String HEADER_ACCEPT_LANGUAGE = "Accept-Language";
    private static final String NTLM_AUTH_DETAILS = "_alfwfNTLMDetails";
    private static final String AUTH_BY_KERBEROS = "_alfAuthByKerberos";
    private static final String MIME_HTML_TEXT = "text/html";
    private static final String PAGE_SERVLET_PATH = "/page";
    private static final String LOGIN_PATH_INFORMATION = "/dologin";
    private static final String LOGIN_PARAMETER = "login";
    private static final String ERROR_PARAMETER = "error";
    private static final String UNAUTHENTICATED_ACCESS_PROXY = "/proxy/alfresco-noauth";
    private static final String PAGE_VIEW_RESOLVER = "pageViewResolver";
    private ApplicationContext context;
    private ConnectorService connectorService;
    private String endpoint;
    private String userHeader;
    private Pattern userIdPattern;
    private SlingshotLoginController loginController;
    private String krbAccountName;
    private String krbPassword;
    private String krbRealm;
    private String krbEndpointSPN;
    private String jaasLoginEntryName;
    private LoginContext jaasLoginContext;
    private boolean stripUserNameSuffix;

    public void init() {
        if (logger.isDebugEnabled()) {
            logger.debug("Initializing the SSOAuthenticationFilter.");
        }
        this.loginController = (SlingshotLoginController) this.context.getBean("loginController");
        this.connectorService = (ConnectorService) this.context.getBean("connector.service");
        ConfigService configService = (ConfigService) this.context.getBean("web.config");
        RemoteConfigElement remoteConfigElement = (RemoteConfigElement) configService.getConfig("Remote").getConfigElement("remote");
        if (remoteConfigElement == null) {
            logger.error("There is no Remote configuration element. This is required to use SSOAuthenticationFilter.");
            return;
        }
        if (this.endpoint == null) {
            logger.error("There is no 'endpoint' property in the SSOAuthenticationFilter bean parameters. Cannot initialise filter.");
            return;
        }
        RemoteConfigElement.EndpointDescriptor endpointDescriptor = remoteConfigElement.getEndpointDescriptor(this.endpoint);
        if (endpointDescriptor == null || !endpointDescriptor.getExternalAuth()) {
            if (logger.isDebugEnabled()) {
                logger.debug("No External Auth endpoint configured for " + this.endpoint);
            }
            this.endpoint = null;
            return;
        }
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint);
            if (logger.isDebugEnabled()) {
                logger.debug("Endpoint is " + this.endpoint);
            }
            this.userHeader = connector.getConnectorSession().getParameter(SlingshotAlfrescoConnector.CS_PARAM_USER_HEADER);
            String parameter = connector.getConnectorSession().getParameter(SlingshotAlfrescoConnector.CS_PARAM_USER_ID_PATTERN);
            if (parameter != null) {
                this.userIdPattern = Pattern.compile(parameter);
            }
            if (logger.isDebugEnabled()) {
                logger.debug("userHeader is " + this.userHeader);
                logger.debug("userIdPattern is " + parameter);
            }
        } catch (ConnectorServiceException e) {
            logger.error("Unable to find connector " + endpointDescriptor.getConnectorId() + " for the endpoint " + this.endpoint, e);
        }
        KerberosConfigElement kerberosConfigElement = (KerberosConfigElement) configService.getConfig("Kerberos").getConfigElement(CmisAuthentication.AUTH_KERBEROS);
        if (kerberosConfigElement != null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Found configuration for Kerberos authentication.");
            }
            String realm = kerberosConfigElement.getRealm();
            if (realm == null || realm.length() <= 0) {
                throw new AlfrescoRuntimeException("Kerberos realm not specified");
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Found Kerberos realm: " + realm);
            }
            this.krbRealm = realm;
            String password = kerberosConfigElement.getPassword();
            if (password == null || password.length() <= 0) {
                throw new AlfrescoRuntimeException("HTTP service account password not specified");
            }
            this.krbPassword = password;
            String endpointSPN = kerberosConfigElement.getEndpointSPN();
            if (endpointSPN == null || endpointSPN.length() <= 0) {
                throw new AlfrescoRuntimeException("endpoint service principal name not specified");
            }
            if (logger.isDebugEnabled()) {
                logger.debug("The Service Principal Name to use on the endpoint: " + endpointSPN);
            }
            this.krbEndpointSPN = endpointSPN;
            String loginEntryName = kerberosConfigElement.getLoginEntryName();
            if (loginEntryName != null) {
                if (loginEntryName.length() <= 0) {
                    throw new AlfrescoRuntimeException("Invalid login entry specified");
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("The login configuration entry name to use: " + loginEntryName);
                }
                this.jaasLoginEntryName = loginEntryName;
            }
            boolean stripUserNameSuffix = kerberosConfigElement.getStripUserNameSuffix();
            if (logger.isDebugEnabled()) {
                logger.debug("The stripUserNameSuffix property is set to: " + stripUserNameSuffix);
            }
            this.stripUserNameSuffix = stripUserNameSuffix;
            try {
                this.jaasLoginContext = new LoginContext(this.jaasLoginEntryName, this);
                this.jaasLoginContext.login();
                if (logger.isDebugEnabled()) {
                    logger.debug("HTTP Kerberos login successful");
                }
                this.krbAccountName = this.jaasLoginContext.getSubject().getPrincipals().iterator().next().getName();
                if (logger.isDebugEnabled()) {
                    logger.debug("Logged on using principal " + this.krbAccountName);
                }
            } catch (LoginException e2) {
                if (logger.isErrorEnabled()) {
                    logger.error("HTTP Kerberos web filter error", e2);
                }
                throw new AlfrescoRuntimeException("Failed to login HTTP server service");
            }
        }
        if (logger.isInfoEnabled()) {
            logger.info("SSOAuthenticationFilter initialised.");
        }
    }

    @Override // org.springframework.context.ApplicationContextAware
    public void setApplicationContext(ApplicationContext applicationContext) {
        this.context = applicationContext;
    }

    public void setEndpoint(String str) {
        this.endpoint = str;
    }

    protected ServletRequest wrapHeaderAuthenticatedRequest(ServletRequest servletRequest) {
        if (this.userHeader != null && (servletRequest instanceof HttpServletRequest)) {
            final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            servletRequest = new HttpServletRequestWrapper(httpServletRequest) { // from class: org.alfresco.web.site.servlet.SSOAuthenticationFilter.1
                public String getRemoteUser() {
                    String remoteUser;
                    String header = httpServletRequest.getHeader(SSOAuthenticationFilter.this.userHeader);
                    if (header != null) {
                        if (!Base64.isBase64(header)) {
                            try {
                                header = new String(header.getBytes("ISO-8859-1"), "UTF-8");
                            } catch (UnsupportedEncodingException e) {
                            }
                        }
                        remoteUser = extractUserFromProxyHeader(header);
                    } else {
                        remoteUser = super.getRemoteUser();
                    }
                    return remoteUser;
                }

                private String extractUserFromProxyHeader(String str) {
                    String trim;
                    if (SSOAuthenticationFilter.this.userIdPattern == null) {
                        trim = str.trim();
                    } else {
                        Matcher matcher = SSOAuthenticationFilter.this.userIdPattern.matcher(str);
                        if (!matcher.matches()) {
                            return null;
                        }
                        trim = matcher.group(1).trim();
                    }
                    if (trim.length() == 0) {
                        return null;
                    }
                    return trim;
                }
            };
        }
        return servletRequest;
    }

    @Override // org.springframework.extensions.webscripts.servlet.DependencyInjectedFilter
    public void doFilter(ServletContext servletContext, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doFilter(servletRequest, servletResponse, filterChain);
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        PageViewResolver pageViewResolver;
        NDC.remove();
        NDC.push(Thread.currentThread().getName());
        boolean isDebugEnabled = logger.isDebugEnabled();
        ServletRequest wrapHeaderAuthenticatedRequest = wrapHeaderAuthenticatedRequest(servletRequest);
        if (this.endpoint == null) {
            if (isDebugEnabled) {
                logger.debug("There is no endpoint with external auth enabled.");
            }
            filterChain.doFilter(wrapHeaderAuthenticatedRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) wrapHeaderAuthenticatedRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpSession session = httpServletRequest.getSession();
        if (httpServletRequest.getServletPath() != null && httpServletRequest.getServletPath().startsWith(UNAUTHENTICATED_ACCESS_PROXY)) {
            if (isDebugEnabled) {
                logger.debug("SSO is by-passed for unauthenticated access endpoint.");
            }
            filterChain.doFilter(wrapHeaderAuthenticatedRequest, servletResponse);
            return;
        }
        if (isDebugEnabled) {
            logger.debug("Processing request " + httpServletRequest.getRequestURI() + " SID:" + session.getId());
        }
        String pathInfo = httpServletRequest.getPathInfo();
        if (PAGE_SERVLET_PATH.equals(httpServletRequest.getServletPath()) && (LOGIN_PATH_INFORMATION.equals(pathInfo) || (pathInfo == null && "login".equals(httpServletRequest.getParameter("pt"))))) {
            if (isDebugEnabled) {
                logger.debug("Login page requested, chaining ...");
            }
            filterChain.doFilter(wrapHeaderAuthenticatedRequest, servletResponse);
            return;
        }
        try {
            RequestContext initRequestContext = RequestContextUtil.initRequestContext(this.context, httpServletRequest, true);
            Page page = initRequestContext.getPage();
            if (page == null && pathInfo != null && (pageViewResolver = (PageViewResolver) this.context.getBean(PAGE_VIEW_RESOLVER)) != null) {
                try {
                    if (pageViewResolver.resolveViewName(pathInfo, null) != null) {
                        page = initRequestContext.getPage();
                    }
                } catch (Exception e) {
                }
            }
            if (page != null && page.getAuthentication() == Description.RequiredAuthentication.none) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unauthenticated page requested - skipping auth filter...");
                }
                filterChain.doFilter(wrapHeaderAuthenticatedRequest, servletResponse);
                return;
            }
            if (this.userHeader != null) {
                if (AuthenticationUtil.getUserId(httpServletRequest) == null || httpServletRequest.getRemoteUser() == null) {
                    challengeOrPassThrough(filterChain, httpServletRequest, httpServletResponse, session);
                    return;
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("userHeader external auth - skipping auth filter...");
                }
                setExternalAuthSession(session);
                onSuccess(httpServletRequest, httpServletResponse, session, httpServletRequest.getRemoteUser());
                filterChain.doFilter(wrapHeaderAuthenticatedRequest, servletResponse);
                return;
            }
            String header = httpServletRequest.getHeader("Authorization");
            if (header == null && AuthenticationUtil.isAuthenticated(httpServletRequest)) {
                if (isDebugEnabled) {
                    logger.debug("Touching the repo to ensure we still have an authenticated session.");
                }
                challengeOrPassThrough(filterChain, httpServletRequest, httpServletResponse, session);
                return;
            }
            if (header == null) {
                if (isDebugEnabled) {
                    logger.debug("New auth request from " + httpServletRequest.getRemoteHost() + " (" + httpServletRequest.getRemoteAddr() + ":" + httpServletRequest.getRemotePort() + ")");
                }
                challengeOrPassThrough(filterChain, httpServletRequest, httpServletResponse, session);
                return;
            }
            if (!header.startsWith("Negotiate") || this.krbRealm == null) {
                if (!header.startsWith("NTLM")) {
                    if (isDebugEnabled) {
                        logger.debug("Processing Basic Authentication.");
                    }
                    if (AuthenticationUtil.isAuthenticated(httpServletRequest) || httpServletRequest.getRemoteUser() != null) {
                        if (isDebugEnabled) {
                            logger.debug("Ensuring the session is still valid.");
                        }
                        challengeOrPassThrough(filterChain, httpServletRequest, httpServletResponse, session);
                        return;
                    } else {
                        if (isDebugEnabled) {
                            logger.debug("Establish a new session or bring up the login page.");
                        }
                        filterChain.doFilter(httpServletRequest, httpServletResponse);
                        return;
                    }
                }
                if (isDebugEnabled) {
                    logger.debug("Processing NTLM authentication.");
                }
                byte[] decode = org.springframework.extensions.surf.util.Base64.decode(header.substring(5).getBytes());
                int isNTLMType = NTLMMessage.isNTLMType(decode);
                Object sessionMutex = WebUtils.getSessionMutex(session);
                if (isNTLMType == 1) {
                    if (isDebugEnabled) {
                        logger.debug("Process the type 1 NTLM message.");
                    }
                    Type1NTLMMessage type1NTLMMessage = new Type1NTLMMessage(decode);
                    synchronized (sessionMutex) {
                        processType1(type1NTLMMessage, httpServletRequest, httpServletResponse, session);
                    }
                    return;
                }
                if (isNTLMType != 3) {
                    if (isDebugEnabled) {
                        logger.debug("NTLM not handled, redirecting to login page");
                    }
                    redirectToLoginPage(httpServletRequest, httpServletResponse);
                    return;
                } else {
                    if (isDebugEnabled) {
                        logger.debug("Process the type 3 NTLM message.");
                    }
                    Type3NTLMMessage type3NTLMMessage = new Type3NTLMMessage(decode);
                    synchronized (sessionMutex) {
                        processType3(type3NTLMMessage, httpServletRequest, httpServletResponse, session, filterChain);
                    }
                    return;
                }
            }
            if (isDebugEnabled) {
                logger.debug("Processing SPNEGO / Kerberos authentication.");
            }
            byte[] decode2 = org.springframework.extensions.surf.util.Base64.decode(header.substring(10).getBytes());
            if (isNTLMSSPBlob(decode2, 0)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Client sent an NTLMSSP security blob");
                }
                restartAuthProcess(session, httpServletRequest, httpServletResponse, "Negotiate");
                return;
            }
            int i = -1;
            try {
                i = SPNEGO.checkTokenType(decode2, 0, decode2.length);
            } catch (IOException e2) {
            }
            if (i != 0) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unknown SPNEGO token type");
                }
                restartAuthProcess(session, httpServletRequest, httpServletResponse, "Negotiate");
                return;
            }
            if (isDebugEnabled) {
                logger.debug("Parsing the SPNEGO security blob to get the Kerberos ticket.");
            }
            NegTokenInit negTokenInit = new NegTokenInit();
            try {
                negTokenInit.decode(decode2, 0, decode2.length);
                String str = null;
                if (negTokenInit.numberOfOids() > 0) {
                    str = negTokenInit.getOidAt(0).toString();
                }
                if (str == null || !(str.equals(OID.ID_MSKERBEROS5) || str.equals(OID.ID_KERBEROS5))) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Unsupported SPNEGO mechanism " + str);
                    }
                    restartAuthProcess(session, httpServletRequest, httpServletResponse, "Negotiate");
                } else {
                    if (isDebugEnabled) {
                        logger.debug("Kerberos logon.");
                    }
                    if (doKerberosLogon(negTokenInit, httpServletRequest, httpServletResponse, session) != null) {
                        filterChain.doFilter(httpServletRequest, httpServletResponse);
                        if (logger.isDebugEnabled()) {
                            logger.debug("Request processing ended");
                        }
                    } else {
                        restartAuthProcess(session, httpServletRequest, httpServletResponse, "Negotiate");
                    }
                }
            } catch (IOException e3) {
                if (logger.isDebugEnabled()) {
                    logger.debug(e3);
                }
            }
        } catch (Exception e4) {
            logger.error("Error calling initRequestContext", e4);
            throw new ServletException(e4);
        }
    }

    private void clearSession(HttpSession httpSession) {
        if (logger.isDebugEnabled()) {
            logger.debug("Clearing the session.");
        }
        Enumeration attributeNames = httpSession.getAttributeNames();
        while (attributeNames.hasMoreElements()) {
            httpSession.removeAttribute((String) attributeNames.nextElement());
        }
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (logger.isDebugEnabled()) {
            logger.debug("Processing the JAAS callback list of " + callbackArr.length + " items.");
        }
        for (int i = 0; i < callbackArr.length; i++) {
            if (callbackArr[i] instanceof NameCallback) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Request for user name.");
                }
                ((NameCallback) callbackArr[i]).setName(this.krbAccountName);
            } else if (callbackArr[i] instanceof PasswordCallback) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Request for password.");
                }
                ((PasswordCallback) callbackArr[i]).setPassword(this.krbPassword.toCharArray());
            } else {
                if (!(callbackArr[i] instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callbackArr[i]);
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("Request for realm.");
                }
                ((RealmCallback) callbackArr[i]).setText(this.krbRealm);
            }
        }
    }

    private void challengeOrPassThrough(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) throws IOException, ServletException {
        ConnectorContext connectorContext;
        try {
            String userId = AuthenticationUtil.getUserId(httpServletRequest);
            if (userId == null) {
                userId = httpServletRequest.getRemoteUser();
                httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_EXTERNAL_AUTH, Boolean.TRUE);
                if (userId != null && logger.isDebugEnabled()) {
                    logger.debug("Initial login from externally authenticated user " + userId);
                }
                setExternalAuthSession(httpSession);
            } else if (logger.isDebugEnabled()) {
                logger.debug("Validating repository session for " + userId);
            }
            if (userId != null && !userId.equalsIgnoreCase(httpServletRequest.getRemoteUser()) && httpSession.getAttribute(NTLM_AUTH_DETAILS) == null && httpSession.getAttribute(AUTH_BY_KERBEROS) == null) {
                httpSession.removeAttribute(UserFactory.SESSION_ATTRIBUTE_EXTERNAL_AUTH);
            }
            Connector connector = this.connectorService.getConnector(this.endpoint, userId, httpSession);
            if (httpServletRequest.getHeader("Accept-Language") != null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Accept-Language header present: " + httpServletRequest.getHeader("Accept-Language"));
                }
                connectorContext = new ConnectorContext(null, Collections.singletonMap("Accept-Language", httpServletRequest.getHeader("Accept-Language")));
            } else {
                connectorContext = new ConnectorContext();
            }
            Response call = connector.call("/touch", connectorContext);
            if (401 != call.getStatus().getCode()) {
                onSuccess(httpServletRequest, httpServletResponse, httpSession, userId);
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication not required, chaining ...");
                }
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Repository session timed out - restarting auth process...");
            }
            String str = call.getStatus().getHeaders().get("WWW-Authenticate");
            if (str != null) {
                restartAuthProcess(httpSession, httpServletRequest, httpServletResponse, str);
                return;
            }
            if (httpServletRequest.getRemoteUser() == null) {
                try {
                    httpSession.invalidate();
                } catch (IllegalStateException e) {
                }
            }
            redirectToLoginPage(httpServletRequest, httpServletResponse);
        } catch (ConnectorServiceException e2) {
            throw new PlatformRuntimeException("Incorrectly configured endpoint ID: " + this.endpoint);
        }
    }

    public void destroy() {
    }

    private Map<String, String> getConnectionHeaders(Connector connector) {
        HashMap hashMap = new HashMap(4);
        hashMap.put("user-agent", "");
        if (connector.getConnectorSession().getCookie("JSESSIONID") == null) {
            hashMap.put("Cookie", null);
        }
        hashMap.put("Content-Type", null);
        hashMap.put("Content-Length", null);
        return hashMap;
    }

    private void restartAuthProcess(HttpSession httpSession, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("Restarting " + str + " authentication.");
        }
        clearSession(httpSession);
        setRedirectUrl(httpServletRequest);
        httpServletResponse.setHeader("WWW-Authenticate", str);
        httpServletResponse.setStatus(401);
        httpServletResponse.setContentType("text/html");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.println("<html><head>");
        writer.println("<meta http-equiv=\"Refresh\" content=\"0; url=" + httpServletRequest.getContextPath() + "/page?pt=login\">");
        writer.println("</head><body><p>Please <a href=\"" + httpServletRequest.getContextPath() + "/page?pt=login\">log in</a>.</p>");
        writer.println("</body></html>");
        writer.close();
        httpServletResponse.flushBuffer();
    }

    private void processType1(Type1NTLMMessage type1NTLMMessage, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type1 " + type1NTLMMessage);
        }
        NTLMLogonDetails nTLMLogonDetails = (NTLMLogonDetails) httpSession.getAttribute(NTLM_AUTH_DETAILS);
        if (nTLMLogonDetails != null && nTLMLogonDetails.hasType2Message()) {
            Type2NTLMMessage type2Message = nTLMLogonDetails.getType2Message();
            String str = "NTLM " + new String(org.springframework.extensions.surf.util.Base64.encodeBytes(type2Message.getBytes(), 8));
            if (logger.isDebugEnabled()) {
                logger.debug("Sending cached NTLM type2 to client - " + type2Message);
            }
            httpServletResponse.setHeader("WWW-Authenticate", str);
            httpServletResponse.setStatus(401);
            httpServletResponse.flushBuffer();
            return;
        }
        httpSession.removeAttribute(NTLM_AUTH_DETAILS);
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint, httpSession);
            Response call = connector.call("/touch", new ConnectorContext(null, getConnectionHeaders(connector)), httpServletRequest, (HttpServletResponse) null);
            if (401 == call.getStatus().getCode()) {
                String str2 = call.getStatus().getHeaders().get("WWW-Authenticate");
                if (!str2.startsWith("NTLM") || str2.length() <= 4) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Unexpected response from repository: WWW-Authenticate:" + str2);
                    }
                    redirectToLoginPage(httpServletRequest, httpServletResponse);
                } else {
                    byte[] decode = org.springframework.extensions.surf.util.Base64.decode(str2.substring(5).getBytes());
                    int isNTLMType = NTLMMessage.isNTLMType(decode);
                    if (isNTLMType == 2) {
                        Type2NTLMMessage type2NTLMMessage = new Type2NTLMMessage(decode);
                        NTLMLogonDetails nTLMLogonDetails2 = new NTLMLogonDetails();
                        nTLMLogonDetails2.setType2Message(type2NTLMMessage);
                        httpSession.setAttribute(NTLM_AUTH_DETAILS, nTLMLogonDetails2);
                        if (logger.isDebugEnabled()) {
                            logger.debug("Sending NTLM type2 to client - " + type2NTLMMessage);
                        }
                        httpServletResponse.setHeader("WWW-Authenticate", "NTLM " + new String(org.springframework.extensions.surf.util.Base64.encodeBytes(type2NTLMMessage.getBytes(), 8)));
                        httpServletResponse.setStatus(401);
                        httpServletResponse.flushBuffer();
                    } else {
                        if (logger.isDebugEnabled()) {
                            logger.debug("Unexpected NTLM message type from repository: NTLMType" + isNTLMType);
                        }
                        redirectToLoginPage(httpServletRequest, httpServletResponse);
                    }
                }
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unexpected response from repository: " + call.getStatus().getMessage());
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
            }
        } catch (ConnectorServiceException e) {
            throw new PlatformRuntimeException("Incorrectly configured endpoint ID: " + this.endpoint);
        }
    }

    private void processType3(Type3NTLMMessage type3NTLMMessage, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, FilterChain filterChain) throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type3 " + type3NTLMMessage);
        }
        NTLMLogonDetails nTLMLogonDetails = (NTLMLogonDetails) httpSession.getAttribute(NTLM_AUTH_DETAILS);
        String userId = AuthenticationUtil.getUserId(httpServletRequest);
        String userName = type3NTLMMessage.getUserName();
        String workstation = type3NTLMMessage.getWorkstation();
        String domain = type3NTLMMessage.getDomain();
        boolean z = false;
        if (userId != null && nTLMLogonDetails != null && nTLMLogonDetails.hasNTLMHashedPassword()) {
            byte[] nTLMHash = type3NTLMMessage.getNTLMHash();
            byte[] nTLMHashedPassword = nTLMLogonDetails.getNTLMHashedPassword();
            if (nTLMHash != null && nTLMHash.length == nTLMHashedPassword.length) {
                z = true;
                int i = 0;
                while (true) {
                    if (i >= nTLMHash.length) {
                        break;
                    }
                    if (nTLMHash[i] != nTLMHashedPassword[i]) {
                        z = false;
                        break;
                    }
                    i++;
                }
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Using cached NTLM hash, authenticated = " + z);
            }
            if (z) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            } else {
                restartAuthProcess(httpSession, httpServletRequest, httpServletResponse, "NTLM");
                return;
            }
        }
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint, httpSession);
            Response call = connector.call("/touch", new ConnectorContext(null, getConnectionHeaders(connector)), httpServletRequest, (HttpServletResponse) null);
            if (401 == call.getStatus().getCode()) {
                String str = call.getStatus().getHeaders().get("WWW-Authenticate");
                if (str.equals("NTLM")) {
                    String header = httpServletRequest.getHeader("user-agent");
                    if (header == null || header.indexOf("Safari") == -1 || header.indexOf("Chrome") != -1) {
                        restartAuthProcess(httpSession, httpServletRequest, httpServletResponse, str);
                    } else {
                        httpServletResponse.setStatus(401);
                        PrintWriter writer = httpServletResponse.getWriter();
                        writer.println("<html><head></head>");
                        writer.println("<body><p>Login authentication failed. Please close and re-open Safari to try again.</p>");
                        writer.println("</body></html>");
                        writer.close();
                    }
                    httpServletResponse.flushBuffer();
                } else {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Unexpected response from repository: WWW-Authenticate:" + str);
                    }
                    redirectToLoginPage(httpServletRequest, httpServletResponse);
                }
            } else if (200 == call.getStatus().getCode() || 307 == call.getStatus().getCode()) {
                if (nTLMLogonDetails == null) {
                    nTLMLogonDetails = new NTLMLogonDetails(userName, workstation, domain, false, null);
                    nTLMLogonDetails.setNTLMHashedPassword(type3NTLMMessage.getNTLMHash());
                    httpSession.setAttribute(NTLM_AUTH_DETAILS, nTLMLogonDetails);
                    if (logger.isDebugEnabled()) {
                        logger.debug("No cached NTLM details, created");
                    }
                } else {
                    nTLMLogonDetails.setDetails(userName, workstation, domain, false, null);
                    nTLMLogonDetails.setNTLMHashedPassword(type3NTLMMessage.getNTLMHash());
                    if (logger.isDebugEnabled()) {
                        logger.debug("Updated cached NTLM details");
                    }
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("User logged on via NTLM, " + nTLMLogonDetails);
                }
                setExternalAuthSession(httpSession);
                onSuccess(httpServletRequest, httpServletResponse, httpSession, userName);
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unexpected response from repository: " + call.getStatus().getMessage());
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
            }
        } catch (ConnectorServiceException e) {
            throw new PlatformRuntimeException("Incorrectly configured endpoint: " + this.endpoint);
        }
    }

    private void redirectToLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("Redirecting to the login page.");
        }
        if (!PAGE_SERVLET_PATH.equals(httpServletRequest.getServletPath())) {
            httpServletResponse.setStatus(401);
            httpServletResponse.flushBuffer();
        } else {
            setRedirectUrl(httpServletRequest);
            String parameter = httpServletRequest.getParameter(ERROR_PARAMETER);
            httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/page?pt=login" + (parameter == null ? "" : "&error=" + parameter));
        }
    }

    private boolean isNTLMSSPBlob(byte[] bArr, int i) {
        boolean z = false;
        if (bArr.length - i >= NTLM.Signature.length) {
            if (logger.isDebugEnabled()) {
                logger.debug("Checking if the blob has the NTLMSSP signature.");
            }
            int i2 = 0;
            while (i2 < NTLM.Signature.length && bArr[i + i2] == NTLM.Signature[i2]) {
                i2++;
            }
            if (i2 == NTLM.Signature.length) {
                z = true;
            }
        }
        return z;
    }

    private NegTokenTarg doKerberosLogon(NegTokenInit negTokenInit, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) {
        NegTokenTarg negTokenTarg = null;
        try {
            Object doAs = Subject.doAs(this.jaasLoginContext.getSubject(), new KerberosSessionSetupPrivilegedAction(this.krbAccountName, negTokenInit.getMechtoken(), this.krbEndpointSPN));
            if (doAs != null) {
                Pair pair = (Pair) doAs;
                KerberosDetails kerberosDetails = (KerberosDetails) pair.getFirst();
                String str = (String) pair.getSecond();
                negTokenTarg = new NegTokenTarg(0, OID.KERBEROS5, kerberosDetails.getResponseToken());
                if (negTokenTarg != null) {
                    String userName = this.stripUserNameSuffix ? kerberosDetails.getUserName() : kerberosDetails.getSourceName();
                    if (logger.isDebugEnabled()) {
                        logger.debug("User " + userName + " logged on via Kerberos; attempting to log on to Alfresco then");
                    }
                    if (!doKerberosDelegateLogin(httpServletRequest, httpServletResponse, httpSession, userName, str)) {
                        return null;
                    }
                    httpSession.setAttribute(AUTH_BY_KERBEROS, true);
                }
            } else if (logger.isDebugEnabled()) {
                logger.debug("No SPNEGO response, Kerberos logon failed");
            }
        } catch (Exception e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Kerberos logon error", e);
            }
        }
        return negTokenTarg;
    }

    private boolean doKerberosDelegateLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, String str, String str2) throws IOException {
        ConnectorContext connectorContext;
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint, httpSession);
            if (httpServletRequest.getHeader("Accept-Language") != null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Accept-Language header present: " + httpServletRequest.getHeader("Accept-Language"));
                }
                HashMap hashMap = new HashMap(7);
                hashMap.put("Accept-Language", httpServletRequest.getHeader("Accept-Language"));
                connectorContext = new ConnectorContext(null, hashMap);
            } else {
                connectorContext = new ConnectorContext();
            }
            Response call = connector.call("/touch", connectorContext);
            if (401 != call.getStatus().getCode()) {
                if (200 != call.getStatus().getCode() && 307 != call.getStatus().getCode()) {
                    if (!logger.isDebugEnabled()) {
                        return false;
                    }
                    logger.debug("Unexpected response from repository: " + call.getStatus().getMessage());
                    return false;
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication succeeded on the repo side.");
                }
                setExternalAuthSession(httpSession);
                onSuccess(httpServletRequest, httpServletResponse, httpSession, str);
                return true;
            }
            String str3 = call.getStatus().getHeaders().get("WWW-Authenticate");
            if (!str3.equals("Negotiate")) {
                if (!logger.isDebugEnabled()) {
                    return false;
                }
                logger.debug("Unexpected response from repository: WWW-Authenticate:" + str3);
                return false;
            }
            HashMap hashMap2 = new HashMap(7);
            hashMap2.put("Authorization", "Negotiate " + str2);
            if (httpServletRequest.getHeader("Accept-Language") != null) {
                hashMap2.put("Accept-Language", httpServletRequest.getHeader("Accept-Language"));
            }
            Response call2 = connector.call("/touch", new ConnectorContext(null, hashMap2));
            if (200 == call2.getStatus().getCode() || 307 == call2.getStatus().getCode()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication succeeded on the repo side.");
                }
                setExternalAuthSession(httpSession);
                onSuccess(httpServletRequest, httpServletResponse, httpSession, str);
            } else if (401 == call2.getStatus().getCode()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication failed on repo side - beging login process again.");
                }
                httpServletResponse.setHeader("WWW-Authenticate", str3);
                httpServletResponse.setStatus(401);
                httpServletResponse.flushBuffer();
            }
            return true;
        } catch (ConnectorServiceException e) {
            throw new AlfrescoRuntimeException("Incorrectly configured endpoint: " + this.endpoint);
        }
    }

    private void setRedirectUrl(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        session.setAttribute(SlingshotPageView.REDIRECT_URI, httpServletRequest.getRequestURI());
        if (httpServletRequest.getQueryString() != null) {
            session.setAttribute(SlingshotPageView.REDIRECT_QUERY, httpServletRequest.getQueryString());
        }
    }

    private void setExternalAuthSession(HttpSession httpSession) {
        httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_EXTERNAL_AUTH, Boolean.TRUE);
    }

    private void onSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, String str) {
        httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_KEY_USER_ID, str);
        try {
            this.loginController.beforeSuccess(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            throw new AlfrescoRuntimeException("Error during loginController.onSuccess()", e);
        }
    }
}
