package org.springframework.security.web.context;

import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils;

/* loaded from: input_file:org/springframework/security/web/context/HttpSessionSecurityContextRepository.class */
/**
 * Keeps the {@link SecurityContext} in the {@link HttpSession} between requests, under the
 * attribute name {@link #SPRING_SECURITY_CONTEXT_KEY}.
 *
 * <p>{@link #loadContext} reads the context from an existing session (it never creates one) and
 * replaces the holder's response with a wrapper that writes the context back. A context whose
 * authentication is {@code null} or anonymous is never written to the session.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Nothing in this class changes the session identifier when an authenticated context is
 *       first stored, so session-fixation protection has to be provided elsewhere in the
 *       filter chain.</li>
 *   <li>DEBUG and WARN messages embed the {@code toString()} of the context or of the raw
 *       session attribute. What that text exposes depends on the concrete
 *       {@code SecurityContext}/{@code Authentication} implementation, so review it before
 *       enabling DEBUG logging in production.</li>
 *   <li>{@code disableUrlRewriting} defaults to {@code false} and is handed to the superclass
 *       wrapper. NOTE(review): presumably this decides whether the session id may be appended
 *       to URLs. Confirm in {@code SaveContextOnUpdateOrErrorResponseWrapper} and prefer
 *       {@code true} if so.</li>
 *   <li>The configuration fields are plain mutable fields with no synchronisation in this
 *       class.</li>
 * </ul>
 */
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    /** Session attribute name under which the context is stored. */
    public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
    protected final Log logger = LogFactory.getLog(getClass());
    // Optional custom context type; null means SecurityContextHolder.createEmptyContext() is used.
    private Class<? extends SecurityContext> securityContextClass = null;
    // Reference "empty" context, compared with equals() to detect a context that was never populated.
    private Object contextObject = SecurityContextHolder.createEmptyContext();
    private boolean cloneFromHttpSession = false;
    private boolean allowSessionCreation = true;
    private boolean disableUrlRewriting = false;
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Response wrapper installed by {@link #loadContext}; it writes the context back to the
     * session when {@link #saveContext(SecurityContext)} is invoked.
     */
    final class SaveToSessionResponseWrapper extends SaveContextOnUpdateOrErrorResponseWrapper {
        private HttpServletRequest request;
        private boolean httpSessionExistedAtStartOfRequest;
        private int contextHashBeforeChainExecution;
        private final SecurityContext contextBeforeExecution;

        /**
         * @param response the response being wrapped
         * @param request the request whose session will receive the context
         * @param sessionExistedAtStart whether a session already existed when the context was loaded
         * @param initialContext the context handed out by {@code loadContext}; its hash code is
         *        recorded here so a later change can be detected
         */
        SaveToSessionResponseWrapper(HttpServletResponse response, HttpServletRequest request, boolean sessionExistedAtStart, SecurityContext initialContext) {
            super(response, HttpSessionSecurityContextRepository.this.disableUrlRewriting);
            this.request = request;
            this.httpSessionExistedAtStartOfRequest = sessionExistedAtStart;
            this.contextHashBeforeChainExecution = initialContext.hashCode();
            this.contextBeforeExecution = initialContext;
        }

        /**
         * Writes {@code securityContext} to the session, or removes a stored one when the context
         * is empty or anonymous.
         *
         * <p>Change detection compares {@code hashCode()} values only: when the attribute is
         * already present, a modified context whose hash code equals the one recorded at
         * construction is not written again.
         *
         * <p>The decompiler reports that this method's access was widened from {@code protected}.
         *
         * @param securityContext the context as it stands after the request was processed
         */
        @Override
        public void saveContext(SecurityContext securityContext) {
            final Log log = HttpSessionSecurityContextRepository.this.logger;
            final Authentication auth = securityContext.getAuthentication();
            HttpSession httpSession = this.request.getSession(false);

            final boolean nothingToPersist = auth == null
                    || HttpSessionSecurityContextRepository.this.authenticationTrustResolver.isAnonymous(auth);
            if (nothingToPersist) {
                if (log.isDebugEnabled()) {
                    log.debug("SecurityContext is empty or anonymous - context will not be stored in HttpSession. ");
                }
                // Clear a previously stored context unless the request started from the default
                // empty context, in which case the attribute is left as it is.
                if (httpSession != null
                        && !HttpSessionSecurityContextRepository.this.contextObject.equals(this.contextBeforeExecution)) {
                    httpSession.removeAttribute(SPRING_SECURITY_CONTEXT_KEY);
                }
                return;
            }

            if (httpSession == null) {
                httpSession = createNewSessionIfAllowed(securityContext);
                if (httpSession == null) {
                    return;
                }
            }

            final boolean hashChanged = securityContext.hashCode() != this.contextHashBeforeChainExecution;
            if (hashChanged || httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null) {
                httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
                if (log.isDebugEnabled()) {
                    log.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
                }
            }
        }

        /**
         * Creates a session for storing {@code securityContext}, unless one of the guards applies.
         *
         * @return the new session, or {@code null} when the session was invalidated during the
         *         request, session creation is disabled, the context equals the default empty
         *         context, or the container refuses with {@link IllegalStateException}
         */
        private HttpSession createNewSessionIfAllowed(SecurityContext securityContext) {
            final Log log = HttpSessionSecurityContextRepository.this.logger;

            if (this.httpSessionExistedAtStartOfRequest) {
                // A session existed earlier and is gone now, so it is not replaced.
                if (log.isDebugEnabled()) {
                    log.debug("HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
                }
                return null;
            }

            if (!HttpSessionSecurityContextRepository.this.allowSessionCreation) {
                if (log.isDebugEnabled()) {
                    log.debug("The HttpSession is currently null, and the " + HttpSessionSecurityContextRepository.class.getSimpleName() + " is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request");
                }
                return null;
            }

            if (HttpSessionSecurityContextRepository.this.contextObject.equals(securityContext)) {
                if (log.isDebugEnabled()) {
                    log.debug("HttpSession is null, but SecurityContext has not changed from default empty context: ' " + securityContext + "'; not creating HttpSession or storing SecurityContext");
                }
                return null;
            }

            if (log.isDebugEnabled()) {
                log.debug("HttpSession being created as SecurityContext is non-default");
            }
            try {
                return this.request.getSession(true);
            } catch (IllegalStateException e) {
                // The context is not persisted in this case; only a warning is logged.
                log.warn("Failed to create a session, as response has been committed. Unable to store SecurityContext.");
                return null;
            }
        }
    }

    /**
     * Returns the context stored in the current session, or a newly generated one, and swaps the
     * holder's response for a {@link SaveToSessionResponseWrapper}.
     *
     * @param httpRequestResponseHolder holder supplying the request and response; its response
     *        is replaced by this call
     * @return the context to use for this request
     */
    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder httpRequestResponseHolder) {
        final HttpServletRequest request = httpRequestResponseHolder.getRequest();
        final HttpServletResponse response = httpRequestResponseHolder.getResponse();
        final HttpSession existingSession = request.getSession(false);

        SecurityContext context = readSecurityContextFromSession(existingSession);
        if (context == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("No SecurityContext was available from the HttpSession: " + existingSession + ". A new one will be created.");
            }
            context = generateNewContext();
        }

        final boolean sessionExisted = existingSession != null;
        httpRequestResponseHolder.setResponse(new SaveToSessionResponseWrapper(response, request, sessionExisted, context));
        return context;
    }

    /**
     * Stores the context through the response wrapper unless the wrapper reports that it has
     * already saved it.
     *
     * <p>The response is cast without a type check, so a response that is not a
     * {@code SaveContextOnUpdateOrErrorResponseWrapper} (for example one that was re-wrapped
     * after {@link #loadContext}) fails with {@link ClassCastException}. The request argument is
     * not used.
     */
    @Override
    public void saveContext(SecurityContext securityContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final SaveContextOnUpdateOrErrorResponseWrapper wrapper = (SaveContextOnUpdateOrErrorResponseWrapper) httpServletResponse;
        if (!wrapper.isContextSaved()) {
            wrapper.saveContext(securityContext);
        }
    }

    /**
     * Reports whether the request's existing session holds a non-null value under
     * {@link #SPRING_SECURITY_CONTEXT_KEY}. The type of that value is not checked here.
     */
    @Override
    public boolean containsContext(HttpServletRequest httpServletRequest) {
        final HttpSession existingSession = httpServletRequest.getSession(false);
        if (existingSession == null) {
            return false;
        }
        return existingSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) != null;
    }

    /**
     * Reads the stored context from {@code httpSession}.
     *
     * @param httpSession the current session, may be {@code null}
     * @return the stored context (a clone when {@code cloneFromHttpSession} is set), or
     *         {@code null} when there is no session, no attribute, or the attribute is not a
     *         {@link SecurityContext}
     */
    private SecurityContext readSecurityContextFromSession(HttpSession httpSession) {
        final boolean debug = this.logger.isDebugEnabled();

        if (httpSession == null) {
            if (debug) {
                this.logger.debug("No HttpSession currently exists");
            }
            return null;
        }

        Object stored = httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
        if (stored == null) {
            if (debug) {
                this.logger.debug("HttpSession returned null object for SPRING_SECURITY_CONTEXT");
            }
            return null;
        }

        // The instanceof test is the only validation applied to the session value.
        if (!(stored instanceof SecurityContext)) {
            if (this.logger.isWarnEnabled()) {
                this.logger.warn("SPRING_SECURITY_CONTEXT did not contain a SecurityContext but contained: '" + stored + "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class?");
            }
            return null;
        }

        if (this.cloneFromHttpSession) {
            stored = cloneContext(stored);
        }
        if (debug) {
            this.logger.debug("Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '" + stored + "'");
        }
        return (SecurityContext) stored;
    }

    /**
     * Invokes the public {@code clone()} method of {@code obj} reflectively.
     *
     * @param obj the context to copy; must implement {@link Cloneable}
     * @return the value returned by {@code clone()}; reflection failures are passed to
     *         {@code ReflectionUtils.handleReflectionException}, and {@code null} is returned if
     *         that call returns normally
     */
    private Object cloneContext(Object obj) {
        Assert.isInstanceOf(Cloneable.class, obj, "Context must implement Cloneable and provide a Object.clone() method");
        try {
            final Method cloneMethod = obj.getClass().getMethod("clone");
            // Forces access when the method is not reported as accessible.
            if (!cloneMethod.isAccessible()) {
                cloneMethod.setAccessible(true);
            }
            return cloneMethod.invoke(obj);
        } catch (Exception e) {
            ReflectionUtils.handleReflectionException(e);
        }
        return null;
    }

    /**
     * Creates the context used when the session supplies none.
     *
     * @return {@code SecurityContextHolder.createEmptyContext()} when no custom class is
     *         configured, otherwise a new instance of the configured class created through its
     *         no-argument constructor
     */
    SecurityContext generateNewContext() {
        if (this.securityContextClass == null) {
            return SecurityContextHolder.createEmptyContext();
        }
        try {
            return this.securityContextClass.newInstance();
        } catch (Exception e) {
            ReflectionUtils.handleReflectionException(e);
        }
        return null;
    }

    /**
     * Sets a custom context class and regenerates the reference empty context from it.
     *
     * @param cls a class assignable to {@link SecurityContext}
     * @throws IllegalArgumentException if {@code cls} is {@code null} or not a
     *         {@code SecurityContext} type
     */
    @Deprecated
    public void setSecurityContextClass(Class cls) {
        final boolean acceptable = cls != null && SecurityContext.class.isAssignableFrom(cls);
        if (!acceptable) {
            throw new IllegalArgumentException("securityContextClass must implement SecurityContext (typically use org.springframework.security.core.context.SecurityContextImpl; existing class is " + cls + ")");
        }
        this.securityContextClass = cls;
        this.contextObject = generateNewContext();
    }

    /**
     * @param z when {@code true}, the context read from the session is cloned before it is
     *        returned
     */
    @Deprecated
    public void setCloneFromHttpSession(boolean z) {
        this.cloneFromHttpSession = z;
    }

    /**
     * @param z when {@code false}, no session is created to store a context, so the context is
     *        not kept for the next request unless a session already exists
     */
    public void setAllowSessionCreation(boolean z) {
        this.allowSessionCreation = z;
    }

    /**
     * @param z value passed to each {@link SaveToSessionResponseWrapper} created by later
     *        {@link #loadContext} calls
     */
    public void setDisableUrlRewriting(boolean z) {
        this.disableUrlRewriting = z;
    }
}
