package org.springframework.security.web.authentication.session;

import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;

/* loaded from: input_file:spg-user-ui-war-2.1.50.war:WEB-INF/lib/spring-security-web-3.1.1.RELEASE.jar:org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.class */
/**
 * Session authentication strategy that replaces the HTTP session when a user authenticates.
 *
 * <p>The existing session is invalidated and a new one is requested from the container, so a
 * session identifier that was known before login should no longer identify the authenticated
 * session. Selected attributes of the old session are copied into the new one.
 *
 * <p>Points a reviewer should keep in mind when deploying this class:
 * <ul>
 *   <li>The session is only replaced when one already existed and
 *       {@code isRequestedSessionIdValid()} returns {@code true}; in every other case the
 *       method returns without replacing anything.</li>
 *   <li>With {@code migrateSessionAttributes} left at its default ({@code true}) every attribute
 *       of the old session is carried over, including values stored before authentication.
 *       Code that trusts session attributes after login should account for that.</li>
 *   <li>If the container hands back the same session id after invalidation, this class only
 *       logs a warning and carries on. That log line is worth monitoring.</li>
 *   <li>At debug level the old and new session ids are written to the log, so debug logs from
 *       this class should be handled as sensitive.</li>
 *   <li>NOTE(review): nothing here synchronizes on the session, so attributes written by a
 *       concurrent request between the copy and the invalidation would presumably be lost.</li>
 * </ul>
 */
public class SessionFixationProtectionStrategy implements SessionAuthenticationStrategy {
    protected final Log logger = LogFactory.getLog(getClass());

    // When true, all attributes of the old session are copied to the new one.
    private boolean migrateSessionAttributes = true;

    // Deprecated explicit list of attribute names to keep; null means "not configured".
    private List<String> retainedAttributes;

    // When true, a session is created during authentication even if none existed.
    private boolean alwaysCreateSession;

    /**
     * Replaces the current session with a new one after a successful authentication.
     *
     * @param authentication the authentication that has just succeeded; passed on to
     *        {@link #onSessionChange}
     * @param httpServletRequest the current request, used to look up, invalidate and recreate
     *        the session
     * @param httpServletResponse the current response; not used by this implementation
     */
    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        boolean hadSessionAlready = httpServletRequest.getSession(false) != null;

        // No session and no instruction to create one: there is nothing to replace.
        if (!hadSessionAlready && !this.alwaysCreateSession) {
            return;
        }

        // Creates the session when alwaysCreateSession is set and none existed.
        HttpSession originalSession = httpServletRequest.getSession();

        // A session that did not exist before, or whose requested id is not valid,
        // is left as it is.
        if (!hadSessionAlready || !httpServletRequest.isRequestedSessionIdValid()) {
            return;
        }

        String originalSessionId = originalSession.getId();
        if (this.logger.isDebugEnabled()) {
            String migrationWord = this.migrateSessionAttributes ? "and" : "without";
            this.logger.debug("Invalidating session with Id '" + originalSessionId + "' " + migrationWord + " migrating attributes.");
        }

        // The attributes must be read before invalidate(): afterwards the old session
        // can no longer be queried.
        Map<String, Object> attributesToMigrate = extractAttributes(originalSession);
        originalSession.invalidate();

        HttpSession freshSession = httpServletRequest.getSession(true);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Started new session: " + freshSession.getId());
        }

        // An unchanged id means the replacement did not happen at the container level.
        // This is only reported; processing continues.
        if (originalSessionId.equals(freshSession.getId())) {
            this.logger.warn("Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks");
        }

        transferAttributes(attributesToMigrate, freshSession);
        onSessionChange(originalSessionId, freshSession, authentication);
    }

    /**
     * Hook invoked after the session has been replaced and the attributes transferred.
     * The default implementation does nothing.
     *
     * @param str the id of the session that was invalidated
     * @param httpSession the newly created session
     * @param authentication the authentication that triggered the replacement
     */
    protected void onSessionChange(String str, HttpSession httpSession, Authentication authentication) {
        // Intentionally empty: extension point for subclasses.
    }

    /**
     * Selects the attributes of the old session that are to be copied into the new one.
     * Subclasses may override this to apply their own selection.
     *
     * @param httpSession the session that is about to be invalidated
     * @return the attributes to carry over; may be {@code null} when nothing is to be copied
     */
    protected Map<String, Object> extractAttributes(HttpSession httpSession) {
        return createMigratedAttributeMap(httpSession);
    }

    /**
     * Writes every entry of the given map into the target session.
     * A {@code null} map is treated as "nothing to transfer".
     */
    private void transferAttributes(Map<String, Object> attributes, HttpSession target) {
        if (attributes == null) {
            return;
        }
        for (Map.Entry<String, Object> attribute : attributes.entrySet()) {
            target.setAttribute(attribute.getKey(), attribute.getValue());
        }
    }

    /**
     * Builds the map of attributes to migrate according to the configured flags.
     *
     * <ul>
     *   <li>{@code migrateSessionAttributes == true}: every attribute of the session.</li>
     *   <li>Otherwise, with no retained list configured: only attributes whose name starts
     *       with {@code SPRING_SECURITY_}.</li>
     *   <li>Otherwise, with a non-empty retained list: the listed attributes that have a
     *       non-null value.</li>
     *   <li>Otherwise (empty retained list): {@code null}.</li>
     * </ul>
     */
    private HashMap<String, Object> createMigratedAttributeMap(HttpSession source) {
        if (this.migrateSessionAttributes || this.retainedAttributes == null) {
            HashMap<String, Object> copied = new HashMap<>();
            for (Enumeration<?> names = source.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                // Without full migration only the framework's own attributes are kept.
                if (!this.migrateSessionAttributes && !name.startsWith("SPRING_SECURITY_")) {
                    continue;
                }
                copied.put(name, source.getAttribute(name));
            }
            return copied;
        }

        if (this.retainedAttributes.isEmpty()) {
            return null;
        }

        HashMap<String, Object> retained = new HashMap<>();
        for (String retainedName : this.retainedAttributes) {
            Object value = source.getAttribute(retainedName);
            if (value != null) {
                retained.put(retainedName, value);
            }
        }
        return retained;
    }

    /**
     * Controls whether all attributes of the old session are copied to the new one.
     *
     * @param z {@code true} (the default) to copy every attribute, {@code false} to copy only
     *        the restricted set described on the class
     */
    public void setMigrateSessionAttributes(boolean z) {
        this.migrateSessionAttributes = z;
    }

    /**
     * Sets the names of the attributes to keep when full migration is switched off.
     * A deprecation warning is logged on every call. The list is stored by reference, not
     * copied, so later changes made by the caller affect this strategy.
     *
     * @param list the attribute names to retain; must not be {@code null}
     * @deprecated override {@link #extractAttributes(HttpSession)} instead
     */
    @Deprecated
    public void setRetainedAttributes(List<String> list) {
        this.logger.warn("Retained attributes is deprecated. Override the extractAttributes() method instead.");
        Assert.notNull(list);
        this.retainedAttributes = list;
    }

    /**
     * Controls whether a session is created during authentication when none exists yet.
     *
     * @param z {@code true} to always create a session, {@code false} (the default) to leave
     *        session-less requests without one
     */
    public void setAlwaysCreateSession(boolean z) {
        this.alwaysCreateSession = z;
    }
}
