package org.springframework.security.web.authentication.preauth;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-6.1.4.jar:org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.class */
/**
 * Base servlet filter for pre-authenticated deployments. The principal and credentials come
 * from the subclass hooks {@link #getPreAuthenticatedPrincipal(HttpServletRequest)} and
 * {@link #getPreAuthenticatedCredentials(HttpServletRequest)}; they are wrapped in a
 * {@link PreAuthenticatedAuthenticationToken} and submitted to the configured
 * {@link AuthenticationManager}.
 *
 * <p>Security notes for integrators, all following from the code in this class:
 * <ul>
 * <li>The filter submits whatever the hooks return and has no view of where the value
 * originated. If a subclass reads it from request data that a client could set directly,
 * the deployment must ensure that only the trusted upstream component can reach the
 * application.</li>
 * <li>With the default {@code continueFilterChainOnUnsuccessfulAuthentication = true}, a
 * failed authentication does not stop the request; the chain continues with a cleared
 * security context. A missing principal likewise just skips authentication. Denying access
 * is therefore the job of the authorization checks that run later.</li>
 * <li>{@code checkForPrincipalChanges} defaults to {@code false}: once the security context
 * holds an {@link Authentication}, later requests are not compared with the principal the
 * hook reports.</li>
 * <li>Debug-level logging writes the principal and the {@link Authentication} string form
 * to the log.</li>
 * </ul>
 */
public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFilterBean implements ApplicationEventPublisherAware {
    // Off by default: an existing Authentication is kept without re-checking the principal.
    private boolean checkForPrincipalChanges = false;
    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
    // Optional; success events are published only when a publisher has been injected.
    private ApplicationEventPublisher eventPublisher;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    // Mandatory; enforced in afterPropertiesSet().
    private AuthenticationManager authenticationManager;
    // On by default: an AuthenticationException is handled here and the request proceeds.
    private boolean continueFilterChainOnUnsuccessfulAuthentication = true;
    // On by default: a changed principal drops the old context and replaces the HTTP session.
    private boolean invalidateSessionOnPrincipalChange = true;
    // Both handlers are optional and skipped when unset.
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;
    private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher();
    private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

    /**
     * Default matcher deciding whether a request should go through pre-authentication.
     *
     * <p>Note that {@link #matches(HttpServletRequest)} is not a pure predicate: when a
     * principal change is detected it may clear the security context and replace the HTTP
     * session before returning.
     */
    private class PreAuthenticatedProcessingRequestMatcher implements RequestMatcher {
        private PreAuthenticatedProcessingRequestMatcher() {
        }

        /**
         * Returns {@code true} when no authentication is present yet, or when principal-change
         * checking is enabled and the request carries a different principal.
         */
        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            AbstractPreAuthenticatedProcessingFilter filter = AbstractPreAuthenticatedProcessingFilter.this;
            Authentication current = filter.securityContextHolderStrategy.getContext().getAuthentication();
            if (current == null) {
                return true;
            }
            // Short-circuit keeps principalChanged() from running when the check is disabled.
            boolean mustReauthenticate = filter.checkForPrincipalChanges && filter.principalChanged(httpServletRequest, current);
            if (!mustReauthenticate) {
                return false;
            }
            filter.logger.debug("Pre-authenticated principal has changed and will be reauthenticated");
            if (filter.invalidateSessionOnPrincipalChange) {
                // Drop everything tied to the previous principal so none of its session state
                // carries over to the new one.
                filter.securityContextHolderStrategy.clearContext();
                HttpSession existing = httpServletRequest.getSession(false);
                if (existing != null) {
                    filter.logger.debug("Invalidating existing session");
                    existing.invalidate();
                    // Create the replacement session right away.
                    httpServletRequest.getSession();
                }
            }
            return true;
        }
    }

    /**
     * Verifies the configuration after bean initialisation: an {@link AuthenticationManager}
     * must have been set. A {@link ServletException} from the superclass is rethrown wrapped
     * in a {@link RuntimeException}.
     */
    @Override
    public void afterPropertiesSet() {
        try {
            super.afterPropertiesSet();
        } catch (ServletException e) {
            throw new RuntimeException(e);
        }
        Assert.notNull(this.authenticationManager, "An AuthenticationManager must be set");
    }

    /**
     * Attempts pre-authentication when the request matcher says so, then always hands the
     * request on to the rest of the chain. The chain is only interrupted when
     * {@link #doAuthenticate} rethrows an {@link AuthenticationException}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        boolean authenticationRequired = this.requiresAuthenticationRequestMatcher.matches(request);
        if (!authenticationRequired) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Did not authenticate since request did not match [%s]", this.requiresAuthenticationRequestMatcher));
            }
        } else {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.of(() -> "Authenticating " + this.securityContextHolderStrategy.getContext().getAuthentication()));
            }
            // The response is cast only on this path, as in the non-matching case it is
            // passed through untouched.
            doAuthenticate(request, (HttpServletResponse) servletResponse);
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Compares the principal reported for this request with the current authentication.
     *
     * @return {@code false} when a {@code String} principal equals the authentication's name
     * or when the principal equals the authentication's principal object; {@code true}
     * otherwise, including when the hook returns {@code null}
     */
    protected boolean principalChanged(HttpServletRequest httpServletRequest, Authentication authentication) {
        Object reported = getPreAuthenticatedPrincipal(httpServletRequest);
        boolean unchanged = ((reported instanceof String) && authentication.getName().equals(reported))
                || (reported != null && reported.equals(authentication.getPrincipal()));
        if (unchanged) {
            return false;
        }
        this.logger.debug(LogMessage.format("Pre-authenticated principal has changed to %s and will be reauthenticated", reported));
        return true;
    }

    /**
     * Builds the pre-authentication token from the subclass hooks and submits it to the
     * {@link AuthenticationManager}. A {@code null} principal means there is nothing to
     * authenticate and the method returns without touching the security context.
     *
     * @throws AuthenticationException only when
     * {@code continueFilterChainOnUnsuccessfulAuthentication} is {@code false}
     */
    private void doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        Object principal = getPreAuthenticatedPrincipal(httpServletRequest);
        if (principal == null) {
            this.logger.debug("No pre-authenticated principal found in request");
            return;
        }
        this.logger.debug(LogMessage.format("preAuthenticatedPrincipal = %s, trying to authenticate", principal));
        try {
            Object credentials = getPreAuthenticatedCredentials(httpServletRequest);
            PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(principal, credentials);
            token.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
            Authentication result = this.authenticationManager.authenticate(token);
            successfulAuthentication(httpServletRequest, httpServletResponse, result);
        } catch (AuthenticationException e) {
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, e);
            // Default is to swallow the failure here; the request then continues
            // unauthenticated and must be rejected by later access checks.
            if (!this.continueFilterChainOnUnsuccessfulAuthentication) {
                throw e;
            }
        }
    }

    /**
     * Stores the authentication result in a fresh {@link SecurityContext}, saves that context
     * through the {@link SecurityContextRepository}, then notifies the optional event
     * publisher and success handler.
     */
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        this.logger.debug(LogMessage.format("Authentication success: %s", authentication));
        SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(authentication);
        this.securityContextHolderStrategy.setContext(context);
        this.securityContextRepository.saveContext(context, httpServletRequest, httpServletResponse);
        if (this.eventPublisher != null) {
            ApplicationEvent successEvent = new InteractiveAuthenticationSuccessEvent(authentication, getClass());
            this.eventPublisher.publishEvent(successEvent);
        }
        if (this.authenticationSuccessHandler != null) {
            this.authenticationSuccessHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authentication);
        }
    }

    /**
     * Clears the security context, records the exception as a request attribute under
     * {@link WebAttributes#AUTHENTICATION_EXCEPTION} and invokes the optional failure handler.
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        this.securityContextHolderStrategy.clearContext();
        this.logger.debug("Cleared security context due to exception", authenticationException);
        httpServletRequest.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, authenticationException);
        if (this.authenticationFailureHandler != null) {
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, authenticationException);
        }
    }

    /** Sets the publisher used for the success event; may be left unset. */
    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /** Sets the repository the security context is saved to on success; must not be null. */
    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
        this.securityContextRepository = securityContextRepository;
    }

    /** Sets the source of the details object attached to each token; must not be null. */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /** Returns the details source currently in use. */
    protected AuthenticationDetailsSource<HttpServletRequest, ?> getAuthenticationDetailsSource() {
        return this.authenticationDetailsSource;
    }

    /**
     * Sets the manager that validates the pre-authentication token. Not null-checked here;
     * the requirement is enforced in {@link #afterPropertiesSet()}.
     */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * When {@code false}, an {@link AuthenticationException} is rethrown out of the filter
     * instead of letting the request continue down the chain.
     */
    public void setContinueFilterChainOnUnsuccessfulAuthentication(boolean z) {
        this.continueFilterChainOnUnsuccessfulAuthentication = z;
    }

    /**
     * When {@code true}, an already authenticated request is compared against the principal
     * reported by the subclass and re-authenticated if it differs.
     */
    public void setCheckForPrincipalChanges(boolean z) {
        this.checkForPrincipalChanges = z;
    }

    /**
     * Controls whether a detected principal change also clears the security context and
     * replaces the HTTP session. Only relevant when principal-change checking is enabled.
     */
    public void setInvalidateSessionOnPrincipalChange(boolean z) {
        this.invalidateSessionOnPrincipalChange = z;
    }

    /** Sets the optional handler invoked after a successful authentication. */
    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    /** Sets the optional handler invoked after a failed authentication. */
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    /**
     * Replaces the default matcher that decides which requests are pre-authenticated; must
     * not be null. A replacement does not inherit the default matcher's principal-change and
     * session-invalidation handling.
     */
    public void setRequiresAuthenticationRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requiresAuthenticationRequestMatcher = requestMatcher;
    }

    /** Sets the strategy used to read and write the security context; must not be null. */
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }

    /**
     * Supplies the principal for the current request, or {@code null} when none is available.
     * The returned value is submitted for authentication as-is and, at debug level, logged.
     */
    protected abstract Object getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest);

    /** Supplies the credentials placed in the token alongside the principal. */
    protected abstract Object getPreAuthenticatedCredentials(HttpServletRequest httpServletRequest);
}
