package org.glassfish.ejb.security.application;

import com.sun.ejb.EjbInvocation;
import com.sun.enterprise.backup.Constants;
import com.sun.enterprise.deployment.EjbIORConfigurationDescriptor;
import com.sun.enterprise.deployment.MethodDescriptor;
import com.sun.enterprise.deployment.MethodPermission;
import com.sun.enterprise.deployment.RoleReference;
import com.sun.enterprise.deployment.RunAsIdentityDescriptor;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.SecurityManager;
import com.sun.enterprise.security.auth.login.LoginContextDriver;
import com.sun.enterprise.security.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.enterprise.security.ee.CachedPermissionImpl;
import com.sun.enterprise.security.ee.PermissionCache;
import com.sun.enterprise.security.ee.PermissionCacheFactory;
import com.sun.enterprise.security.ee.SecurityUtil;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
import com.sun.logging.LogDomains;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import org.apache.derby.iapi.services.classfile.VMDescriptor;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.api.invocation.InvocationException;
import org.glassfish.api.invocation.InvocationManager;
import org.glassfish.deployment.common.SecurityRoleMapperFactory;
import org.glassfish.ejb.deployment.descriptor.EjbDescriptor;
import org.glassfish.ejb.security.factory.EJBSecurityManagerFactory;
import org.glassfish.external.probe.provider.PluginPoint;
import org.glassfish.external.probe.provider.StatsProviderManager;
import org.glassfish.security.common.Role;
import org.jboss.weld.metadata.Selectors;

/* loaded from: input_file:org/glassfish/ejb/security/application/EJBSecurityManager.class */
public final class EJBSecurityManager implements SecurityManager {
    private static final Logger _logger;
    private AppServerAuditManager auditManager;
    private static final PolicyContextHandlerImpl pcHandlerImpl;
    private final EjbDescriptor deploymentDescriptor;
    private final RunAsIdentityDescriptor runAs;
    private static PolicyConfigurationFactory pcf;
    private static final CodeSource managerCodeSource;
    private final InvocationManager invMgr;
    private final EJBSecurityManagerFactory ejbSFM;
    private static volatile EjbSecurityStatsProvider ejbStatsProvider;
    static final /* synthetic */ boolean $assertionsDisabled;
    private String ejbName = null;
    private String contextId = null;
    private String codebase = null;
    private CodeSource codesource = null;
    private String realmName = null;
    private final Map cacheProtectionDomain = Collections.synchronizedMap(new WeakHashMap());
    private final Map protectionDomainCache = Collections.synchronizedMap(new WeakHashMap());
    private final Map accessControlContextCache = Collections.synchronizedMap(new WeakHashMap());
    private PermissionCache uncheckedMethodPermissionCache = null;
    private final EjbSecurityProbeProvider probeProvider = new EjbSecurityProbeProvider();
    private final SecurityRoleMapperFactory roleMapperFactory = SecurityUtil.getRoleMapperFactory();
    private final Policy policy = Policy.getPolicy();

    public EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invocationManager, EJBSecurityManagerFactory eJBSecurityManagerFactory) throws Exception {
        this.deploymentDescriptor = ejbDescriptor;
        this.invMgr = invocationManager;
        this.ejbSFM = eJBSecurityManagerFactory;
        if (!this.deploymentDescriptor.getUsesCallerIdentity().booleanValue()) {
            this.runAs = this.deploymentDescriptor.getRunAsIdentity();
            if (this.runAs != null && _logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, this.deploymentDescriptor.getEjbClassName() + " will run-as: " + this.runAs.getPrincipal() + " (" + this.runAs.getRoleName() + VMDescriptor.ENDMETHOD);
            }
        } else {
            this.runAs = null;
        }
        initialize();
    }

    private static CodeSource getApplicationCodeSource(String str) throws Exception {
        CodeSource codeSource = null;
        try {
            try {
                URI uri = new URI("file:///" + str.replace(' ', '_'));
                if (uri != null) {
                    codeSource = new CodeSource(uri.toURL(), (Certificate[]) null);
                }
                return codeSource;
            } catch (URISyntaxException e) {
                _logger.log(Level.SEVERE, "JACC_createurierror", (Throwable) e);
                throw new RuntimeException(e);
            }
        } catch (MalformedURLException e2) {
            _logger.log(Level.SEVERE, "JACC_ejbsm.codesourceerror", (Throwable) e2);
            throw new RuntimeException(e2);
        }
    }

    private static PolicyConfigurationFactory getPolicyFactory() throws PolicyContextException {
        synchronized (EJBSecurityManager.class) {
            if (pcf == null) {
                try {
                    pcf = PolicyConfigurationFactory.getPolicyConfigurationFactory();
                } catch (ClassNotFoundException e) {
                    _logger.severe("jaccfactory.notfound");
                    throw new PolicyContextException(e);
                } catch (PolicyContextException e2) {
                    _logger.severe("jaccfactory.notfound");
                    throw e2;
                }
            }
        }
        return pcf;
    }

    public boolean getUsesCallerIdentity() {
        return this.runAs == null;
    }

    public void loadPolicyConfiguration(EjbDescriptor ejbDescriptor) throws Exception {
        if (getPolicyFactory().inService(this.contextId)) {
            return;
        }
        convertEJBMethodPermissions(ejbDescriptor, this.contextId);
        convertEJBRoleReferences(ejbDescriptor, this.contextId);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: policy translated for policy context:" + this.contextId);
        }
    }

    public static String getContextID(EjbDescriptor ejbDescriptor) {
        return SecurityUtil.getContextID(ejbDescriptor.getEjbBundleDescriptor());
    }

    private void initialize() throws Exception {
        Iterator<EjbIORConfigurationDescriptor> it;
        if (ejbStatsProvider == null) {
            synchronized (EjbSecurityStatsProvider.class) {
                if (ejbStatsProvider == null) {
                    ejbStatsProvider = new EjbSecurityStatsProvider();
                    StatsProviderManager.register("security", PluginPoint.SERVER, "security/ejb", ejbStatsProvider);
                }
            }
        }
        this.contextId = getContextID(this.deploymentDescriptor);
        this.roleMapperFactory.setAppNameForContext(this.deploymentDescriptor.getApplication().getRegistrationName(), this.contextId);
        this.codesource = getApplicationCodeSource(this.contextId);
        this.ejbName = this.deploymentDescriptor.getName();
        this.realmName = this.deploymentDescriptor.getApplication().getRealm();
        if (this.realmName == null && (it = this.deploymentDescriptor.getIORConfigurationDescriptors().iterator()) != null) {
            while (it.hasNext()) {
                this.realmName = it.next().getRealmName();
            }
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Context id (id under which all EJB's in application will be created) = " + this.contextId);
            _logger.fine("Codebase (module id for ejb " + this.ejbName + ") = " + this.codebase);
        }
        loadPolicyConfiguration(this.deploymentDescriptor);
        this.uncheckedMethodPermissionCache = PermissionCacheFactory.createPermissionCache(this.contextId, this.codesource, EJBMethodPermission.class, this.ejbName);
        this.auditManager = this.ejbSFM.getAuditManager();
    }

    private static void convertEJBRoleReferences(EjbDescriptor ejbDescriptor, String str) throws PolicyContextException {
        PolicyConfiguration policyConfiguration = getPolicyFactory().getPolicyConfiguration(str, false);
        if (!$assertionsDisabled && policyConfiguration == null) {
            throw new AssertionError();
        }
        Set<Role> roles = ejbDescriptor.getEjbBundleDescriptor().getRoles();
        Role role = new Role(Selectors.DEEP_TREE_MATCH);
        boolean contains = roles.contains(role);
        ArrayList arrayList = new ArrayList();
        String name = ejbDescriptor.getName();
        for (RoleReference roleReference : ejbDescriptor.getRoleReferences()) {
            String roleName = roleReference.getRoleName();
            EJBRoleRefPermission eJBRoleRefPermission = new EJBRoleRefPermission(name, roleName);
            String name2 = roleReference.getSecurityRoleLink().getName();
            arrayList.add(new Role(roleName));
            policyConfiguration.addToRole(name2, eJBRoleRefPermission);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC: Converting role-ref -> " + roleReference.toString() + " to permission with name(" + eJBRoleRefPermission.getName() + ") and actions (" + eJBRoleRefPermission.getActions() + ")mapped to role (" + name2 + VMDescriptor.ENDMETHOD);
            }
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "JACC: Converting role-ref: Going through the list of roles not present in RoleRef elements and creating EJBRoleRefPermissions ");
        }
        for (Role role2 : roles) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "JACC: Converting role-ref: Looking at Role =  " + role2.getName());
            }
            if (!arrayList.contains(role2)) {
                String name3 = role2.getName();
                EJBRoleRefPermission eJBRoleRefPermission2 = new EJBRoleRefPermission(name, name3);
                policyConfiguration.addToRole(name3, eJBRoleRefPermission2);
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine("JACC: Converting role-ref: Role =  " + role2.getName() + " is added as a permission with name(" + eJBRoleRefPermission2.getName() + ") and actions (" + eJBRoleRefPermission2.getActions() + ")mapped to role (" + name3 + VMDescriptor.ENDMETHOD);
                }
            }
        }
        if (arrayList.contains(role) || contains) {
            return;
        }
        String name4 = role.getName();
        EJBRoleRefPermission eJBRoleRefPermission3 = new EJBRoleRefPermission(name, name4);
        policyConfiguration.addToRole(name4, eJBRoleRefPermission3);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Converting role-ref: Adding any authenticated user role-ref  to permission with name(" + eJBRoleRefPermission3.getName() + ") and actions (" + eJBRoleRefPermission3.getActions() + ")mapped to role (" + name4 + VMDescriptor.ENDMETHOD);
        }
    }

    private static HashMap addToRolePermissionsTable(HashMap hashMap, MethodPermission methodPermission, EJBMethodPermission eJBMethodPermission) {
        if (methodPermission.isRoleBased()) {
            if (hashMap == null) {
                hashMap = new HashMap();
            }
            String name = methodPermission.getRole().getName();
            Permissions permissions = (Permissions) hashMap.get(name);
            if (permissions == null) {
                permissions = new Permissions();
                hashMap.put(name, permissions);
            }
            permissions.add(eJBMethodPermission);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC DD conversion: EJBMethodPermission ->(" + eJBMethodPermission.getName() + Constants.NO_CONFIG + eJBMethodPermission.getActions() + ")protected by role -> " + name);
            }
        }
        return hashMap;
    }

    private static Permissions addToUncheckedPermissions(Permissions permissions, MethodPermission methodPermission, EJBMethodPermission eJBMethodPermission) {
        if (methodPermission.isUnchecked()) {
            if (permissions == null) {
                permissions = new Permissions();
            }
            permissions.add(eJBMethodPermission);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC DD conversion: EJBMethodPermission ->(" + eJBMethodPermission.getName() + Constants.NO_CONFIG + eJBMethodPermission.getActions() + ") is (unchecked)");
            }
        }
        return permissions;
    }

    private static Permissions addToExcludedPermissions(Permissions permissions, MethodPermission methodPermission, EJBMethodPermission eJBMethodPermission) {
        if (methodPermission.isExcluded()) {
            if (permissions == null) {
                permissions = new Permissions();
            }
            permissions.add(eJBMethodPermission);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC DD conversion: EJBMethodPermission ->(" + eJBMethodPermission.getName() + Constants.NO_CONFIG + eJBMethodPermission.getActions() + ") is (excluded)");
            }
        }
        return permissions;
    }

    private static void convertEJBMethodPermissions(EjbDescriptor ejbDescriptor, String str) throws PolicyContextException {
        PolicyConfiguration policyConfiguration = getPolicyFactory().getPolicyConfiguration(str, false);
        if (!$assertionsDisabled && policyConfiguration == null) {
            throw new AssertionError();
        }
        String name = ejbDescriptor.getName();
        Permissions permissions = null;
        Permissions permissions2 = null;
        HashMap hashMap = null;
        HashMap methodPermissionsFromDD = ejbDescriptor.getMethodPermissionsFromDD();
        if (methodPermissionsFromDD != null) {
            for (Map.Entry entry : methodPermissionsFromDD.entrySet()) {
                MethodPermission methodPermission = (MethodPermission) entry.getKey();
                Iterator it = ((ArrayList) entry.getValue()).iterator();
                while (it.hasNext()) {
                    MethodDescriptor methodDescriptor = (MethodDescriptor) it.next();
                    String name2 = methodDescriptor.getName();
                    EJBMethodPermission eJBMethodPermission = new EJBMethodPermission(name, name2.equals("*") ? null : name2, methodDescriptor.getEjbClassSymbol(), methodDescriptor.getStyle() == 3 ? methodDescriptor.getParameterClassNames() : null);
                    hashMap = addToRolePermissionsTable(hashMap, methodPermission, eJBMethodPermission);
                    permissions = addToUncheckedPermissions(permissions, methodPermission, eJBMethodPermission);
                    permissions2 = addToExcludedPermissions(permissions2, methodPermission, eJBMethodPermission);
                }
            }
        }
        for (MethodDescriptor methodDescriptor2 : ejbDescriptor.getMethodDescriptors()) {
            Method method = methodDescriptor2.getMethod(ejbDescriptor);
            String ejbClassSymbol = methodDescriptor2.getEjbClassSymbol();
            if (method != null) {
                if (ejbClassSymbol == null || ejbClassSymbol.equals("")) {
                    _logger.log(Level.SEVERE, "method_descriptor_not_defined", new Object[]{name, methodDescriptor2.getName(), methodDescriptor2.getParameterClassNames()});
                } else {
                    EJBMethodPermission eJBMethodPermission2 = new EJBMethodPermission(name, ejbClassSymbol, method);
                    for (MethodPermission methodPermission2 : ejbDescriptor.getMethodPermissionsFor(methodDescriptor2)) {
                        hashMap = addToRolePermissionsTable(hashMap, methodPermission2, eJBMethodPermission2);
                        permissions = addToUncheckedPermissions(permissions, methodPermission2, eJBMethodPermission2);
                        permissions2 = addToExcludedPermissions(permissions2, methodPermission2, eJBMethodPermission2);
                    }
                }
            }
        }
        if (permissions != null) {
            policyConfiguration.addToUncheckedPolicy(permissions);
        }
        if (permissions2 != null) {
            policyConfiguration.addToExcludedPolicy(permissions2);
        }
        if (hashMap != null) {
            for (Map.Entry entry2 : hashMap.entrySet()) {
                policyConfiguration.addToRole((String) entry2.getKey(), (Permissions) entry2.getValue());
            }
        }
    }

    private ProtectionDomain getCachedProtectionDomain(Set set, boolean z) {
        ProtectionDomain protectionDomain;
        CodeSource codeSource;
        if (z) {
            protectionDomain = (ProtectionDomain) this.cacheProtectionDomain.get(set);
            codeSource = this.codesource;
        } else {
            protectionDomain = (ProtectionDomain) this.protectionDomainCache.get(set);
            codeSource = managerCodeSource;
        }
        if (protectionDomain == null) {
            protectionDomain = new ProtectionDomain(codeSource, null, null, set == null ? null : (Principal[]) set.toArray(new Principal[set.size()]));
            HashSet hashSet = set != null ? new HashSet(set) : new HashSet();
            if (z) {
                this.cacheProtectionDomain.put(hashSet, protectionDomain);
            } else {
                this.protectionDomainCache.put(hashSet, protectionDomain);
            }
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC: new ProtectionDomain added to cache");
            }
        }
        if (_logger.isLoggable(Level.FINE)) {
            if (set == null) {
                _logger.fine("JACC: returning cached ProtectionDomain PrincipalSet: null");
            } else {
                StringBuffer stringBuffer = null;
                Principal[] principalArr = (Principal[]) set.toArray(new Principal[set.size()]);
                for (int i = 0; i < principalArr.length; i++) {
                    if (i == 0) {
                        stringBuffer = new StringBuffer(principalArr[i].toString());
                    } else {
                        stringBuffer.append(Constants.NO_CONFIG + principalArr[i].toString());
                    }
                }
                _logger.fine("JACC: returning cached ProtectionDomain - CodeSource: (" + codeSource + ") PrincipalSet: " + ((Object) stringBuffer));
            }
        }
        return protectionDomain;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v75, types: [com.sun.enterprise.security.ee.CachedPermission] */
    /* JADX WARN: Type inference failed for: r0v77, types: [java.security.Permission] */
    /* JADX WARN: Type inference failed for: r6v0, types: [org.glassfish.ejb.security.application.EJBSecurityManager] */
    @Override // com.sun.enterprise.security.SecurityManager
    public boolean authorize(ComponentInvocation componentInvocation) {
        EJBMethodPermission eJBMethodPermission;
        CachedPermissionImpl cachedPermissionImpl;
        if (!(componentInvocation instanceof EjbInvocation)) {
            return false;
        }
        EjbInvocation ejbInvocation = (EjbInvocation) componentInvocation;
        if (ejbInvocation.getAuth() != null) {
            return ejbInvocation.getAuth().booleanValue();
        }
        if (ejbInvocation.invocationInfo == null || ejbInvocation.invocationInfo.cachedPermission == null) {
            eJBMethodPermission = new EJBMethodPermission(this.ejbName, ejbInvocation.getMethodInterface(), ejbInvocation.method);
            cachedPermissionImpl = new CachedPermissionImpl(this.uncheckedMethodPermissionCache, eJBMethodPermission);
            if (ejbInvocation.invocationInfo != null) {
                ejbInvocation.invocationInfo.cachedPermission = cachedPermissionImpl;
                if (_logger.isLoggable(Level.FINE)) {
                    _logger.fine("JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = " + eJBMethodPermission.getName() + " (Action) = " + eJBMethodPermission.getActions());
                }
            }
        } else {
            cachedPermissionImpl = ejbInvocation.invocationInfo.cachedPermission;
            eJBMethodPermission = cachedPermissionImpl.getPermission();
        }
        String str = null;
        SecurityContext securityContext = null;
        pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
        boolean checkPermission = cachedPermissionImpl.checkPermission();
        if (!checkPermission) {
            securityContext = SecurityContext.getCurrent();
            ProtectionDomain cachedProtectionDomain = getCachedProtectionDomain(securityContext.getPrincipalSet(), true);
            try {
                String policyContext = setPolicyContext(this.contextId);
                try {
                    try {
                        checkPermission = this.policy.implies(cachedProtectionDomain, eJBMethodPermission);
                        resetPolicyContext(policyContext, this.contextId);
                    } finally {
                    }
                } catch (SecurityException e) {
                    _logger.log(Level.SEVERE, "jacc_access_exception", (Throwable) e);
                    checkPermission = false;
                    resetPolicyContext(policyContext, this.contextId);
                } catch (Throwable th) {
                    _logger.log(Level.SEVERE, "jacc_access_exception", th);
                    checkPermission = false;
                    resetPolicyContext(policyContext, this.contextId);
                }
            } catch (Throwable th2) {
                _logger.log(Level.SEVERE, "jacc_policy_context_exception", th2);
                checkPermission = false;
            }
        }
        ejbInvocation.setAuth((checkPermission ? Boolean.TRUE : Boolean.FALSE).booleanValue());
        if (this.auditManager.isAuditOn()) {
            if (securityContext == null) {
                securityContext = SecurityContext.getCurrent();
            }
            str = securityContext.getCallerPrincipal().getName();
            this.auditManager.ejbInvocation(str, this.ejbName, ejbInvocation.method.toString(), checkPermission);
        }
        if (checkPermission && ejbInvocation.isWebService && !ejbInvocation.isPreInvokeDone()) {
            preInvoke(ejbInvocation);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Access Control Decision Result: " + checkPermission + " EJBMethodPermission (Name) = " + eJBMethodPermission.getName() + " (Action) = " + eJBMethodPermission.getActions() + " (Caller) = " + str);
        }
        return checkPermission;
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public void preInvoke(ComponentInvocation componentInvocation) {
        if (this.runAs == null) {
            componentInvocation.setPreInvokeDone(true);
            return;
        }
        boolean z = false;
        if (componentInvocation instanceof EjbInvocation) {
            z = ((EjbInvocation) componentInvocation).isWebService;
        }
        if ((!z || (componentInvocation.getAuth() != null && componentInvocation.getAuth().booleanValue())) && !componentInvocation.isPreInvokeDone()) {
            componentInvocation.setOldSecurityContext(SecurityContext.getCurrent());
            loginForRunAs();
            componentInvocation.setPreInvokeDone(true);
        }
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public void postInvoke(final ComponentInvocation componentInvocation) {
        if (this.runAs == null || !componentInvocation.isPreInvokeDone()) {
            return;
        }
        AppservAccessController.doPrivileged(new PrivilegedAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                SecurityContext.setCurrent((SecurityContext) componentInvocation.getOldSecurityContext());
                return null;
            }
        });
    }

    private void loginForRunAs() {
        AppservAccessController.doPrivileged(new PrivilegedAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.2
            @Override // java.security.PrivilegedAction
            public Object run() {
                LoginContextDriver.loginPrincipal(EJBSecurityManager.this.runAs.getPrincipal(), EJBSecurityManager.this.realmName);
                return null;
            }
        });
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public boolean isCallerInRole(String str) {
        boolean z;
        if (_logger.isLoggable(Level.FINE)) {
            _logger.entering("EJBSecurityManager", "isCallerInRole", str);
        }
        EJBRoleRefPermission eJBRoleRefPermission = new EJBRoleRefPermission(this.ejbName, str);
        SecurityContext current = this.runAs != null ? (SecurityContext) this.invMgr.getCurrentInvocation().getOldSecurityContext() : SecurityContext.getCurrent();
        ProtectionDomain cachedProtectionDomain = getCachedProtectionDomain(current != null ? current.getPrincipalSet() : null, true);
        String str2 = null;
        try {
            try {
                try {
                    str2 = setPolicyContext(this.contextId);
                    z = this.policy.implies(cachedProtectionDomain, eJBRoleRefPermission);
                    try {
                        resetPolicyContext(str2, this.contextId);
                    } catch (Throwable th) {
                        _logger.log(Level.SEVERE, "jacc_policy_context_exception", th);
                        z = false;
                    }
                } catch (Throwable th2) {
                    try {
                        resetPolicyContext(str2, this.contextId);
                    } catch (Throwable th3) {
                        _logger.log(Level.SEVERE, "jacc_policy_context_exception", th3);
                    }
                    throw th2;
                }
            } catch (Throwable th4) {
                _logger.log(Level.SEVERE, "jacc_is_caller_in_role_exception", th4);
                z = false;
                try {
                    resetPolicyContext(str2, this.contextId);
                } catch (Throwable th5) {
                    _logger.log(Level.SEVERE, "jacc_policy_context_exception", th5);
                    z = false;
                }
            }
        } catch (SecurityException e) {
            _logger.log(Level.SEVERE, "jacc_is_caller_in_role_exception", (Throwable) e);
            z = false;
            try {
                resetPolicyContext(str2, this.contextId);
            } catch (Throwable th6) {
                _logger.log(Level.SEVERE, "jacc_policy_context_exception", th6);
                z = false;
            }
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: isCallerInRole Result: " + z + " EJBRoleRefPermission (Name) = " + eJBRoleRefPermission.getName() + " (Action) = " + eJBRoleRefPermission.getActions() + " (Codesource) = " + cachedProtectionDomain.getCodeSource());
        }
        return z;
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public Principal getCallerPrincipal() {
        SecurityContext current;
        if (this.runAs != null) {
            ComponentInvocation currentInvocation = this.invMgr.getCurrentInvocation();
            if (currentInvocation == null) {
                throw new InvocationException();
            }
            current = (SecurityContext) currentInvocation.getOldSecurityContext();
        } else {
            current = SecurityContext.getCurrent();
        }
        return current != null ? current.getCallerPrincipal() : SecurityContext.getDefaultCallerPrincipal();
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public void destroy() {
        try {
            if (getPolicyFactory().inService(this.contextId)) {
                this.policy.refresh();
            }
            PermissionCacheFactory.removePermissionCache(this.uncheckedMethodPermissionCache);
            this.uncheckedMethodPermissionCache = null;
            this.roleMapperFactory.removeAppNameForContext(this.contextId);
        } catch (PolicyContextException e) {
            _logger.log(Level.WARNING, "ejbsm.could_not_delete", (Throwable) e);
        }
        this.probeProvider.securityManagerDestructionStartedEvent(this.ejbName);
        this.ejbSFM.getManager(this.contextId, this.ejbName, true);
        this.probeProvider.securityManagerDestructionEndedEvent(this.ejbName);
        this.probeProvider.securityManagerDestructionEvent(this.ejbName);
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public Subject getCurrentSubject() {
        return SecurityContext.getCurrent().getSubject();
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public Object doAsPrivileged(PrivilegedExceptionAction privilegedExceptionAction) throws Throwable {
        SecurityContext current = SecurityContext.getCurrent();
        Set principalSet = current.getPrincipalSet();
        AccessControlContext accessControlContext = (AccessControlContext) this.accessControlContextCache.get(principalSet);
        if (accessControlContext == null) {
            final ProtectionDomain[] protectionDomainArr = {getCachedProtectionDomain(principalSet, false)};
            try {
                if (principalSet != null) {
                    final Subject subject = current.getSubject();
                    accessControlContext = (AccessControlContext) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.3
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            return new AccessControlContext(new AccessControlContext(protectionDomainArr), new SubjectDomainCombiner(subject));
                        }
                    });
                } else {
                    accessControlContext = new AccessControlContext(protectionDomainArr);
                }
                if (principalSet != null) {
                    this.accessControlContextCache.put(new HashSet(principalSet), accessControlContext);
                }
                _logger.fine("JACC: new AccessControlContext added to cache");
            } catch (Exception e) {
                _logger.log(Level.SEVERE, "java_security.security_context_exception", (Throwable) e);
                throw e;
            }
        }
        String policyContext = setPolicyContext(this.contextId);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: doAsPrivileged contextId(" + this.contextId + VMDescriptor.ENDMETHOD);
        }
        try {
            Object doPrivileged = AccessController.doPrivileged((PrivilegedExceptionAction<Object>) privilegedExceptionAction, accessControlContext);
            resetPolicyContext(policyContext, this.contextId);
            return doPrivileged;
        } catch (Throwable th) {
            resetPolicyContext(policyContext, this.contextId);
            throw th;
        }
    }

    public Object runMethod(Method method, Object obj, Object[] objArr) throws Throwable {
        String policyContext = setPolicyContext(this.contextId);
        try {
            Object invoke = method.invoke(obj, objArr);
            resetPolicyContext(policyContext, this.contextId);
            return invoke;
        } catch (Throwable th) {
            resetPolicyContext(policyContext, this.contextId);
            throw th;
        }
    }

    private static void resetPolicyContext(final String str, String str2) throws Throwable {
        if (str2 == str || str == null) {
            return;
        }
        if (str2 == null || !str2.equals(str)) {
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC: Changing Policy Context ID: oldV = " + str2 + " newV = " + str);
            }
            try {
                AppservAccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.4
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        PolicyContext.setContextID(str);
                        return null;
                    }
                });
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof AccessControlException) {
                    _logger.log(Level.SEVERE, "jacc_policy_context_security_exception", cause);
                } else {
                    _logger.log(Level.SEVERE, "jacc_policy_context_exception", cause);
                }
                throw cause;
            }
        }
    }

    private static String setPolicyContext(String str) throws Throwable {
        String contextID = PolicyContext.getContextID();
        resetPolicyContext(str, contextID);
        return contextID;
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public Object invoke(final Method method, boolean z, final Object obj, final Object[] objArr) throws Throwable {
        Object doAsPrivileged;
        if ((z && getUsesCallerIdentity()) || System.getSecurityManager() == null) {
            doAsPrivileged = runMethod(method, obj, objArr);
        } else {
            try {
                doAsPrivileged = doAsPrivileged(new PrivilegedExceptionAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.5
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        return method.invoke(obj, objArr);
                    }
                });
            } catch (PrivilegedActionException e) {
                throw e.getCause();
            }
        }
        return doAsPrivileged;
    }

    @Override // com.sun.enterprise.security.SecurityManager
    public void resetPolicyContext() {
        if (System.getSecurityManager() == null) {
            ((PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance()).reset();
            PolicyContext.setContextID(null);
            return;
        }
        try {
            AppservAccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: org.glassfish.ejb.security.application.EJBSecurityManager.6
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    ((PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance()).reset();
                    PolicyContext.setContextID(null);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AccessControlException) {
                _logger.log(Level.SEVERE, "jacc_policy_context_security_exception", cause);
            } else {
                _logger.log(Level.SEVERE, "jacc_policy_context_exception", cause);
            }
            throw new RuntimeException(cause);
        }
    }

    static {
        $assertionsDisabled = !EJBSecurityManager.class.desiredAssertionStatus();
        _logger = LogDomains.getLogger(EJBSecurityManager.class, LogDomains.EJB_LOGGER);
        pcHandlerImpl = (PolicyContextHandlerImpl) PolicyContextHandlerImpl.getInstance();
        pcf = null;
        managerCodeSource = EJBSecurityManager.class.getProtectionDomain().getCodeSource();
        ejbStatsProvider = null;
    }
}
