package fi.vm.sade.security;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:WEB-INF/lib/generic-common-9.4-SNAPSHOT.jar:fi/vm/sade/security/CustomCasAuthenticationFilter.class */
public class CustomCasAuthenticationFilter extends CasAuthenticationFilter {
    public static final String CAS_SECURITY_TICKET = "CasSecurityTicket";

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.security.cas.web.CasAuthenticationFilter
    public String obtainArtifact(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("CasSecurityTicket");
        if (header != null) {
            if (!header.equals(getSessionTicket())) {
                return header;
            }
            this.logger.debug("ticket already authenticated in session: " + header);
            return null;
        }
        if (!"POST".equals(httpServletRequest.getMethod())) {
            return super.obtainArtifact(httpServletRequest);
        }
        this.logger.debug("skipping cas obtainArtifact because post and already authenticated");
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.springframework.security.cas.web.CasAuthenticationFilter, org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Object sessionTicket = getSessionTicket();
        if (sessionTicket != null) {
            String obtainArtifact = obtainArtifact(httpServletRequest);
            if ((obtainArtifact == null || obtainArtifact.equals(sessionTicket)) ? false : true) {
                this.logger.warn("clear authentication because ticket changed, requestTicket: " + obtainArtifact + ", sessionTicket: " + sessionTicket);
                SecurityContextHolder.clearContext();
            }
        }
        return super.requiresAuthentication(httpServletRequest, httpServletResponse);
    }

    private Object getSessionTicket() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null) {
            return authentication.getCredentials();
        }
        return null;
    }

    @Override // org.springframework.security.cas.web.CasAuthenticationFilter, org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException {
        return atttempAuthenticationInternal(httpServletRequest, httpServletResponse);
    }

    private Authentication atttempAuthenticationInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        IOException iOException;
        try {
            return super.attemptAuthentication(httpServletRequest, httpServletResponse);
        } catch (RuntimeException e) {
            if ((e.getCause() instanceof IOException) && (iOException = (IOException) e.getCause()) != null && iOException.getMessage() != null && iOException.getMessage().contains("412") && iOException.getMessage().contains("proxyValidate")) {
                throw new BadCredentialsException("Possible error with auth system or infra.. check: 1) configs, urls, ports, 2) caller ticket not expired, 3) cas logs for req ticket: " + obtainArtifact(httpServletRequest), (Throwable) e);
            }
            throw e;
        }
    }
}
