package org.jsecurity.web.session;

import java.io.Serializable;
import java.net.InetAddress;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jsecurity.authz.AuthorizationException;
import org.jsecurity.authz.HostUnauthorizedException;
import org.jsecurity.io.IniResource;
import org.jsecurity.session.InvalidSessionException;
import org.jsecurity.session.Session;
import org.jsecurity.session.mgt.DefaultSessionManager;
import org.jsecurity.web.WebUtils;
import org.jsecurity.web.attr.CookieAttribute;
import org.jsecurity.web.attr.RequestParamAttribute;
import org.jsecurity.web.servlet.JSecurityHttpServletRequest;

/* loaded from: input_file:shindig/shindig-server-1.1-BETA1-incubating.war:WEB-INF/lib/jsecurity-0.9.0.jar:org/jsecurity/web/session/DefaultWebSessionManager.class */
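/**
 * Web-aware {@link DefaultSessionManager}.
 *
 * <p>It resolves the session id of the current request from a cookie first and from a request
 * parameter second, writes a newly started session id back to the client as a cookie, and can
 * optionally refuse access to a session from a request whose source address differs from the
 * address recorded when the session was created ({@link #setValidateRequestOrigin(boolean)}).
 *
 * <p>The {@code SessionManager} overrides that take no request/response arguments obtain them
 * from the thread-bound {@link WebUtils#getRequiredServletRequest()} /
 * {@link WebUtils#getRequiredServletResponse()} accessors.
 *
 * <p>Source note: this listing is decompiler output (JADX); the Javadoc below describes only what
 * the visible code does.
 */
public class DefaultWebSessionManager extends DefaultSessionManager implements WebSessionManager {
    private static final Log log = LogFactory.getLog(DefaultWebSessionManager.class);

    // Off by default. When on, doGetSession() compares the request's source address with
    // Session.getHostAddress() and throws HostUnauthorizedException on a mismatch.
    private boolean validateRequestOrigin = false;

    // Primary session id store (cookie). Created by ensureCookieSessionIdStore() if unset.
    protected CookieAttribute<Serializable> sessionIdCookieAttribute = null;

    // Fallback session id store (request parameter). Created by ensureRequestParamSessionIdStore() if unset.
    protected RequestParamAttribute<Serializable> sessionIdRequestParamAttribute = null;

    /**
     * Creates a manager with the default cookie- and request-parameter-based session id stores.
     *
     * <p>Both {@code ensure*} methods are protected and overridable; an override runs from this
     * constructor before the subclass's own field initialisers, so it must not rely on subclass state.
     */
    public DefaultWebSessionManager() {
        ensureCookieSessionIdStore();
        ensureRequestParamSessionIdStore();
    }

    /** @return the cookie-based session id store, never {@code null} after construction */
    public CookieAttribute<Serializable> getSessionIdCookieAttribute() {
        return this.sessionIdCookieAttribute;
    }

    /** @param cookieAttribute the cookie-based session id store to use */
    public void setSessionIdCookieAttribute(CookieAttribute<Serializable> cookieAttribute) {
        this.sessionIdCookieAttribute = cookieAttribute;
    }

    /** @return the request-parameter-based session id store, never {@code null} after construction */
    public RequestParamAttribute<Serializable> getSessionIdRequestParamAttribute() {
        return this.sessionIdRequestParamAttribute;
    }

    /** @param requestParamAttribute the request-parameter-based session id store to use */
    public void setSessionIdRequestParamAttribute(RequestParamAttribute<Serializable> requestParamAttribute) {
        this.sessionIdRequestParamAttribute = requestParamAttribute;
    }

    /** @return whether {@link #doGetSession} checks the request's source address against the session's origin */
    public boolean isValidateRequestOrigin() {
        return this.validateRequestOrigin;
    }

    /**
     * Enables or disables the origin check performed in {@link #doGetSession}.
     *
     * @param z {@code true} to reject a session lookup whose request address differs from the session's origin
     */
    public void setValidateRequestOrigin(boolean z) {
        this.validateRequestOrigin = z;
    }

    /** Convenience: sets the name of the session id cookie. @param str the cookie name */
    public void setSessionIdCookieName(String str) {
        getSessionIdCookieAttribute().setName(str);
    }

    /** Convenience: sets the path of the session id cookie. @param str the cookie path */
    public void setSessionIdCookiePath(String str) {
        getSessionIdCookieAttribute().setPath(str);
    }

    /** Convenience: sets the max-age of the session id cookie. @param i the max-age value passed to the cookie attribute */
    public void setSessionIdCookieMaxAge(int i) {
        getSessionIdCookieAttribute().setMaxAge(i);
    }

    /** Convenience: sets the {@code Secure} flag of the session id cookie. @param z the flag value */
    public void setSessionIdCookieSecure(boolean z) {
        getSessionIdCookieAttribute().setSecure(z);
    }

    /**
     * Installs a default cookie store named {@code JSESSIONID} if none is configured.
     * The default is told not to fall back to request parameters, since that lookup is done
     * separately by {@link #getSessionIdRequestParamAttribute()}.
     */
    protected void ensureCookieSessionIdStore() {
        if (getSessionIdCookieAttribute() != null) {
            return;
        }
        CookieAttribute<Serializable> cookieStore = new CookieAttribute<>("JSESSIONID");
        cookieStore.setCheckRequestParams(false);
        setSessionIdCookieAttribute(cookieStore);
    }

    /** Installs a default request-parameter store named {@code JSESSIONID} if none is configured. */
    protected void ensureRequestParamSessionIdStore() {
        if (getSessionIdRequestParamAttribute() != null) {
            return;
        }
        setSessionIdRequestParamAttribute(new RequestParamAttribute<>("JSESSIONID"));
    }

    /**
     * Rejects access to {@code session} unless the request's source address equals the address
     * recorded on the session. If neither side has an address the check passes silently.
     *
     * @param servletRequest the current request; its address is resolved via {@link WebUtils#getInetAddress}
     * @param session        the session being accessed; must not be {@code null}
     * @throws HostUnauthorizedException if exactly one side has no address, or the two addresses differ
     */
    protected void validateSessionOrigin(ServletRequest servletRequest, Session session) throws HostUnauthorizedException {
        InetAddress requestAddress = WebUtils.getInetAddress(servletRequest);
        InetAddress originAddress = session.getHostAddress();
        Serializable id = session.getId();
        if (originAddress == null) {
            if (requestAddress != null) {
                throw new HostUnauthorizedException("No IP Address was specified when creating session with id [" + id + "].  Attempting to access session from IP [" + requestAddress + "].  Origin IP and request IP must match.");
            }
            return;
        }
        if (requestAddress == null) {
            // The decompiled listing rendered the opening bracket as IniResource.HEADER_PREFIX (a
            // constant-matching artifact); a literal "[" matches the other two messages.
            throw new HostUnauthorizedException("No IP Address associated with the current HttpServletRequest.  Session with id [" + id + "] originated from [" + originAddress + "].  Request IP must match the session's origin IP in order to gain access to that session.");
        }
        if (!requestAddress.equals(originAddress)) {
            throw new HostUnauthorizedException("Session with id [" + id + "] originated from [" + originAddress + "], but the current HttpServletRequest originated from [" + requestAddress + "].  Disallowing session access: session origin and request origin must match to allow access.");
        }
    }

    /**
     * Persists {@code serializable} as the client's session id cookie unless the request already
     * carries that exact id.
     *
     * <p>Note that {@link #retrieveSessionId} also stamps {@code REFERENCED_SESSION_ID_SOURCE} on the
     * request as a side effect; {@link #start(ServletRequest, ServletResponse, InetAddress)} clears it
     * again afterwards.
     *
     * @param serializable    the session id to persist
     * @param servletRequest  the current request
     * @param servletResponse the current response the cookie is written to
     * @throws IllegalArgumentException if {@code serializable} is {@code null}
     */
    protected void storeSessionId(Serializable serializable, ServletRequest servletRequest, ServletResponse servletResponse) {
        if (serializable == null) {
            throw new IllegalArgumentException("sessionId cannot be null when persisting for subsequent requests.");
        }
        Serializable currentId = retrieveSessionId(servletRequest, servletResponse);
        boolean alreadyPresent = currentId != null && serializable.equals(currentId);
        if (!alreadyPresent) {
            getSessionIdCookieAttribute().storeValue(serializable, servletRequest, servletResponse);
        }
    }

    /**
     * Reads the session id from the request: cookie first, request parameter second.
     *
     * <p>Where the id came from is recorded in the {@code REFERENCED_SESSION_ID_SOURCE} request
     * attribute ({@code COOKIE_SESSION_ID_SOURCE} or {@code "url"}), so downstream code can tell a
     * cookie-supplied id from a URL-supplied one. Nothing is recorded when no id is found.
     *
     * @param servletRequest  the current request
     * @param servletResponse the current response
     * @return the referenced session id, or {@code null} if the request carries none
     */
    protected Serializable retrieveSessionId(ServletRequest servletRequest, ServletResponse servletResponse) {
        Serializable id = getSessionIdCookieAttribute().retrieveValue(servletRequest, servletResponse);
        if (id != null) {
            servletRequest.setAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, JSecurityHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
            return id;
        }
        id = getSessionIdRequestParamAttribute().retrieveValue(servletRequest, servletResponse);
        if (id != null) {
            servletRequest.setAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "url");
        }
        return id;
    }

    /**
     * Starts a session for the thread-bound request/response.
     *
     * @param inetAddress the originating address to record on the new session
     * @return the new session's id
     * @throws HostUnauthorizedException as thrown by the superclass
     * @throws IllegalArgumentException as thrown by the superclass
     */
    @Override // org.jsecurity.session.mgt.AbstractSessionManager, org.jsecurity.session.mgt.SessionManager
    public Serializable start(InetAddress inetAddress) throws HostUnauthorizedException, IllegalArgumentException {
        return start(WebUtils.getRequiredServletRequest(), WebUtils.getRequiredServletResponse(), inetAddress);
    }

    /**
     * Starts a session via the superclass, persists its id as a cookie and flags the request as
     * carrying a freshly created session.
     *
     * @param servletRequest  the current request
     * @param servletResponse the current response
     * @param inetAddress     the originating address to record on the new session
     * @return the new session's id
     */
    protected Serializable start(ServletRequest servletRequest, ServletResponse servletResponse, InetAddress inetAddress) {
        Serializable newId = super.start(inetAddress);
        storeSessionId(newId, servletRequest, servletResponse);
        // storeSessionId() may have stamped a source attribute while checking the request; a new
        // session has no referenced id, so clear it and mark the session as new instead.
        servletRequest.removeAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_ID_SOURCE);
        servletRequest.setAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_IS_NEW, Boolean.TRUE);
        return newId;
    }

    /**
     * Looks up a session by id, or — when {@code serializable} is {@code null} — by the id carried by
     * the thread-bound request.
     *
     * @param serializable the session id, or {@code null} to resolve it from the current request
     * @return the session, or {@code null} if the request-based lookup finds none
     * @throws InvalidSessionException as thrown by the superclass lookup
     * @throws AuthorizationException as thrown by the superclass lookup or the origin check
     */
    @Override // org.jsecurity.session.mgt.DefaultSessionManager, org.jsecurity.session.mgt.AbstractValidatingSessionManager
    public Session retrieveSession(Serializable serializable) throws InvalidSessionException, AuthorizationException {
        if (serializable == null) {
            return getSession(WebUtils.getRequiredServletRequest(), WebUtils.getRequiredServletResponse());
        }
        return super.retrieveSession(serializable);
    }

    /**
     * Resolves the session referenced by the request. If the referenced session is invalid, the
     * session id cookie is removed from the client and {@link #handleInvalidSession} decides the result.
     *
     * @param servletRequest  the current request
     * @param servletResponse the current response
     * @return the session, or whatever {@link #handleInvalidSession} returns (by default {@code null})
     * @throws InvalidSessionException if propagated by {@link #handleInvalidSession}
     * @throws AuthorizationException if the origin check or the underlying lookup rejects access
     */
    @Override // org.jsecurity.web.session.WebSessionManager
    public final Session getSession(ServletRequest servletRequest, ServletResponse servletResponse) throws InvalidSessionException, AuthorizationException {
        try {
            return doGetSession(servletRequest, servletResponse);
        } catch (InvalidSessionException e) {
            if (log.isTraceEnabled()) {
                log.trace("Request Session is invalid, message: [" + e.getMessage() + "].  Removing any associated session cookie...");
            }
            // A stale id must not be re-presented on subsequent requests.
            getSessionIdCookieAttribute().removeValue(servletRequest, servletResponse);
            return handleInvalidSession(servletRequest, servletResponse, e);
        }
    }

    /**
     * Reads the referenced session id, looks the session up, optionally enforces the origin check and
     * records lookup results as request attributes.
     *
     * <p>The origin check and the {@code REFERENCED_SESSION_ID_IS_VALID} marker are only applied when
     * the superclass actually returned a session; the original code dereferenced the session inside
     * {@link #validateSessionOrigin} before its own {@code null} check.
     *
     * @param servletRequest  the current request
     * @param servletResponse the current response
     * @return the session, or {@code null} if the request carries no id or the lookup returned none
     * @throws HostUnauthorizedException if origin validation is enabled and the request address does not match
     */
    protected Session doGetSession(ServletRequest servletRequest, ServletResponse servletResponse) {
        Serializable referencedId = retrieveSessionId(servletRequest, servletResponse);
        if (referencedId == null) {
            if (log.isTraceEnabled()) {
                log.trace("No JSecurity session id associated with the given HttpServletRequest.  A Session will not be returned.");
            }
            return null;
        }
        servletRequest.setAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_ID, referencedId);
        Session session = super.retrieveSession(referencedId);
        if (session == null) {
            return null;
        }
        if (isValidateRequestOrigin()) {
            if (log.isDebugEnabled()) {
                log.debug("Validating request origin against session origin");
            }
            validateSessionOrigin(servletRequest, session);
        }
        servletRequest.setAttribute(JSecurityHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        return session;
    }

    /**
     * Called by {@link #getSession} after an invalid session has been detected and its cookie removed.
     * This implementation only logs and returns {@code null}; subclasses may override to react differently.
     *
     * @param servletRequest          the current request
     * @param servletResponse         the current response
     * @param invalidSessionException the failure that triggered this call (unused here)
     * @return {@code null}
     */
    protected Session handleInvalidSession(ServletRequest servletRequest, ServletResponse servletResponse, InvalidSessionException invalidSessionException) {
        if (log.isTraceEnabled()) {
            // Typo in the decompiled message ("Sesssion") corrected.
            log.trace("Session associated with the current request is nonexistent or invalid.  Returning null.");
        }
        return null;
    }

    /**
     * Stops the session via the superclass and removes the session id cookie from the thread-bound
     * request/response.
     *
     * @param session the session being stopped
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.jsecurity.session.mgt.DefaultSessionManager, org.jsecurity.session.mgt.AbstractSessionManager
    public void onStop(Session session) {
        super.onStop(session);
        getSessionIdCookieAttribute().removeValue(WebUtils.getRequiredServletRequest(), WebUtils.getRequiredServletResponse());
    }
}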
