package at.itsv.tools.filters;

import at.itsv.tools.logging.SLF4J;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Locale;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.StringUtilities;
import org.owasp.esapi.filters.SecurityWrapperRequest;
import org.owasp.esapi.filters.SecurityWrapperResponse;
import org.slf4j.Logger;

/* loaded from: input_file:at/itsv/tools/filters/SVSecurityWrapper.class */
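/**
 * Servlet filter that wraps every non-resource HTTP request/response pair in the ESAPI
 * {@link SecurityWrapperRequest}/{@link SecurityWrapperResponse} (via the project's
 * {@code SVSecurityWrapperRequest}/{@code SVSecurityWrapperResponse} subclasses), registers
 * the pair with {@code ESAPI.httpUtilities().setCurrentHTTP} for the duration of the chain,
 * and sets no-cache headers on the response.
 * <p>
 * Changes against the previous revision (all security-motivated):
 * <ul>
 *   <li>The JSF resource bypass in {@link #doFilter} now requires a trailing slash after
 *       {@code javax.faces.resource}, so a URI that merely shares the prefix is no longer
 *       excluded from the wrapper.</li>
 *   <li>The debug request dump in {@link #logRq} no longer writes credential-bearing values
 *       (Authorization/Cookie headers, cookie values, the requested session id, parameters whose
 *       name looks like a password/secret/token) to the log, and the {@code parameterMap} line,
 *       which previously re-logged every parameter value unredacted, now lists only the names.</li>
 *   <li>The {@code Accept} header line logged {@code accept-language} a second time, and the
 *       three {@code getHeaders(...)} lines printed {@code Enumeration} object identities rather
 *       than their contents.</li>
 * </ul>
 */
public class SVSecurityWrapper implements Filter {

    /** Context-relative prefix of JSF resource requests, which are passed through unwrapped. */
    private static final String JSF_RESOURCE_PREFIX = "/javax.faces.resource/";

    /** Placeholder written to the debug log in place of a credential-bearing value. */
    private static final String REDACTED = "<redacted>";

    @Inject
    @SLF4J
    private Logger log;

    /** Passed to {@code SecurityWrapperRequest.setAllowableContentRoot}; init-param "allowableResourcesRoot". */
    private String allowableResourcesRoot = "WEB-INF";

    /** Handed to {@code SVSecurityWrapperResponse}; init-param "at.itsv.tools.filters.SVSecurityWrapper.pvpWithoutCookies". */
    private Boolean pvpWithoutCookies = false;

    /**
     * Filter entry point.
     * <p>
     * Non-HTTP requests and JSF resource requests are handed straight down the chain; every
     * other request goes through {@link #secureFilter}. The resource bypass matches on the raw
     * {@code getRequestURI()} and is anchored with a trailing slash so that e.g.
     * {@code /ctx/javax.faces.resourceX} cannot evade the wrapper by sharing the prefix.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the outgoing response
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (isJsfResourceRequest(httpServletRequest)) {
            this.log.debug("requests for resources are not using SVSecurityWrapper ({})", httpServletRequest.getRequestURI());
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            secureFilter(httpServletRequest, servletResponse, filterChain);
        }
    }

    /**
     * True when the request URI starts with {@code <contextPath>/javax.faces.resource/}.
     * Note that {@code getRequestURI()} is the raw, un-normalised URI as sent by the client;
     * the check is a prefix match only and performs no path normalisation of its own.
     */
    private static boolean isJsfResourceRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        return uri != null && uri.startsWith(request.getContextPath() + JSF_RESOURCE_PREFIX);
    }

    /**
     * Wraps the request/response in the ESAPI security wrappers, registers them as the current
     * HTTP pair, sets no-cache headers (unless the request is a JSF resource request, which only
     * triggers a warning here) and invokes the chain with the wrapped objects.
     * <p>
     * The current HTTP pair is always cleared in {@code finally}, so the thread-local state does
     * not leak into the next request served by this thread. On any exception the message is
     * logged, stored in the request attribute {@code "message"} and the exception is rethrown.
     * NOTE(review): the {@code "message"} attribute carries the raw exception text; whatever
     * renders it downstream should treat it as untrusted and not show it to end users verbatim.
     *
     * @param servletRequest  must be an {@link HttpServletRequest} (cast unchecked, as before)
     * @param servletResponse must be an {@link HttpServletResponse} (cast unchecked, as before)
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain or from setting the character encoding
     * @throws ServletException propagated from the chain
     */
    protected void secureFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            // Force the ESAPI-configured encoding before any parameter is read, so parsing is
            // not left to the container default.
            if (httpServletRequest.getCharacterEncoding() == null) {
                httpServletRequest.setCharacterEncoding(ESAPI.securityConfiguration().getCharacterEncoding());
            }
            SecurityWrapperRequest newRequest = getNewRequest(httpServletRequest);
            SecurityWrapperResponse newResponse = getNewResponse(httpServletResponse);
            newRequest.setAllowableContentRoot(this.allowableResourcesRoot);
            ESAPI.httpUtilities().setCurrentHTTP(newRequest, newResponse);
            if (this.log.isDebugEnabled()) {
                this.log.debug("original request");
                logRq(httpServletRequest);
                this.log.debug("esapi request");
                logRq(ESAPI.currentRequest());
            }
            if (isJsfResourceRequest(httpServletRequest)) {
                this.log.warn("Der SVSecurityWrapper sollte nicht für die Anforderung von Ressourcen verwendet werden.");
            } else {
                ESAPI.httpUtilities().setNoCacheHeaders(ESAPI.currentResponse());
            }
            // Hand the wrapped objects, not the originals, to the rest of the chain.
            filterChain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());
        } catch (Exception e) {
            this.log.error("Error in SecurityWrapper: " + e.getMessage(), e);
            servletRequest.setAttribute("message", e.getMessage());
            throw e;
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /** Factory for the request wrapper; subclasses may override. */
    protected SecurityWrapperRequest getNewRequest(HttpServletRequest httpServletRequest) {
        return new SVSecurityWrapperRequest(httpServletRequest);
    }

    /** Factory for the response wrapper; subclasses may override. */
    protected SecurityWrapperResponse getNewResponse(HttpServletResponse httpServletResponse) {
        return new SVSecurityWrapperResponse(httpServletResponse, this.pvpWithoutCookies.booleanValue());
    }

    public void destroy() {
    }

    /**
     * Reads the two init-params. {@code allowableResourcesRoot} keeps its default ("WEB-INF")
     * when absent; {@code pvpWithoutCookies} is true only for the exact string "true".
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.allowableResourcesRoot = StringUtilities.replaceNull(filterConfig.getInitParameter("allowableResourcesRoot"), this.allowableResourcesRoot);
        this.pvpWithoutCookies = Boolean.valueOf("true".equals(filterConfig.getInitParameter("at.itsv.tools.filters.SVSecurityWrapper.pvpWithoutCookies")));
        this.log.debug("pvpWithoutCookies: {}", this.pvpWithoutCookies);
    }

    /**
     * Names (header or parameter, case-insensitive) whose values are treated as credentials and
     * redacted from the debug dump. Over-redacting a harmless debug field is acceptable;
     * leaking a bearer token or session cookie into a log file is not.
     */
    private static boolean isSensitiveName(String name) {
        if (name == null) {
            return false;
        }
        String lower = name.toLowerCase(Locale.ROOT);
        switch (lower) {
            case "authorization":
            case "proxy-authorization":
            case "cookie":
            case "set-cookie":
                return true;
            default:
                // "passw" covers both "password" and the German "passwort".
                return lower.contains("passw") || lower.contains("secret") || lower.contains("token");
        }
    }

    /** Returns the value itself, or the redaction marker when the name is sensitive or the value is null. */
    private static String safeValue(String name, String value) {
        if (value == null) {
            return null;
        }
        return isSensitiveName(name) ? REDACTED : value;
    }

    /**
     * Dumps the request (parameters, headers, cookie names, URI details) to the debug log.
     * Only called when debug logging is enabled. Credential-bearing values are redacted via
     * {@link #isSensitiveName}; cookie values and the requested session id are never logged,
     * only their presence and length.
     */
    private void logRq(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        Enumeration parameterNames = httpServletRequest.getParameterNames();
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        this.log.debug("########## RQ LOG ##########");
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            this.log.debug("param: {}={}", name, safeValue(name, httpServletRequest.getParameter(name)));
        }
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            this.log.debug("header: {}={}", name, safeValue(name, httpServletRequest.getHeader(name)));
        }
        if (null == cookies) {
            this.log.warn("cookies is null");
        } else {
            for (Cookie cookie : cookies) {
                // Session and PVP cookies are credentials: log the name and length only.
                String value = cookie.getValue();
                this.log.debug("cookie: {}={} ({} chars)", cookie.getName(), REDACTED, value == null ? 0 : value.length());
            }
        }
        this.log.debug("request uri: {}", httpServletRequest.getRequestURI());
        this.log.debug("request url: {}", httpServletRequest.getRequestURL().toString());
        this.log.debug("request contextPath: {}", httpServletRequest.getContextPath());
        // Collections.list(...) materialises the Enumeration; logging it directly only prints
        // the object identity.
        this.log.debug("accept-encoding: {}", Collections.list(httpServletRequest.getHeaders("accept-encoding")));
        this.log.debug("accept-language: {}", Collections.list(httpServletRequest.getHeaders("accept-language")));
        this.log.debug("accept: {}", Collections.list(httpServletRequest.getHeaders("accept")));
        // Names only: the values were already logged (redacted) in the parameter loop above.
        this.log.debug("parameterNames: {}", httpServletRequest.getParameterMap().keySet());
        this.log.debug("pathInfo: {}", httpServletRequest.getPathInfo());
        this.log.debug("requestedSessionId present: {}", httpServletRequest.getRequestedSessionId() != null);
        this.log.debug("scheme: {}", httpServletRequest.getScheme());
        this.log.debug("serverName: {}", httpServletRequest.getServerName());
        this.log.debug("servletPath: {}", httpServletRequest.getServletPath());
        this.log.debug("############################");
    }
}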
