package at.gv.egovernment.moa.id.auth.servlet.interceptor;

import at.gv.egiz.eaaf.core.impl.utils.HTTPUtils;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.class */
/**
 * Spring MVC interceptor that runs before every handled request. It disables
 * response caching and rejects requests whose authentication URL is neither
 * HTTPS, nor covered by the "HTTP auth allowed" configuration switch, nor
 * listed in the configured public URL prefixes.
 *
 * <p>Requests whose servlet path starts with {@code /services} skip the
 * transport check entirely.
 */
public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {

    // Injected by Spring; supplies isHTTPAuthAllowed() and getPublicURLPrefix().
    @Autowired
    AuthConfiguration authConfig;

    /**
     * Sets the anti-caching headers and decides whether the request may proceed.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response; receives the cache headers and,
     *                            on rejection, a 403 error
     * @param obj                 the selected handler (unused)
     * @return {@code true} to continue the handler chain, {@code false} once a
     *         403 has been sent
     * @throws Exception propagated from the helpers or from {@code sendError}
     */
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        applyNoCacheHeaders(httpServletResponse);

        final String path = httpServletRequest.getServletPath();
        // Plain prefix comparison: every servlet path beginning with "/services"
        // is exempt, not only that exact path segment.
        // NOTE(review): confirm no other mapped path shares this prefix.
        if (MiscUtil.isNotEmpty(path)) {
            if (path.startsWith("/services")) {
                Logger.debug("SAML1 GetAuthenticationServices allow access without SSL");
                return true;
            }
        }

        // NOTE(review): how HTTPUtils derives this URL is not visible here. If it
        // is built from client-supplied values (Host or forwarded headers), the
        // checks below are only as reliable as the proxy/container in front.
        final String authUrl = HTTPUtils.extractAuthURLFromRequest(httpServletRequest);

        // Evaluated in this order and stopping at the first match, so the
        // configuration is not consulted for HTTPS requests.
        if (authUrl.startsWith("https:")) {
            return true;
        }
        if (this.authConfig.isHTTPAuthAllowed()) {
            return true;
        }
        // NOTE(review): the return type of getPublicURLPrefix() is not visible
        // here; on a collection this is an exact-element match, on a String it
        // would be a substring match. Confirm which one applies.
        if (this.authConfig.getPublicURLPrefix().contains(authUrl)) {
            return true;
        }

        rejectRequest(httpServletResponse, authUrl);
        return false;
    }

    /**
     * Writes the headers that tell clients and intermediaries not to cache the
     * response: a fixed Expires date in the past, Pragma and Cache-control.
     */
    private void applyNoCacheHeaders(HttpServletResponse response) {
        response.setHeader("Expires", "Sat, 6 May 1995 12:00:00 GMT");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Cache-control", "no-store, no-cache, must-revalidate");
        // addHeader appends a second Cache-control value instead of replacing the first.
        response.addHeader("Cache-control", "post-check=0, pre-check=0");
    }

    /**
     * Logs the refusal and answers with HTTP 403, using the localized
     * {@code auth.07} message.
     *
     * @param response the response to send the error on
     * @param authUrl  the request's authentication URL, inserted into the message
     * @throws Exception propagated from the message lookup or {@code sendError}
     */
    private void rejectRequest(HttpServletResponse response, String authUrl) throws Exception {
        Logger.info("Receive request, which is not in IDP URL-Prefix whitelist.");
        final String reason = MOAIDMessageProvider.getInstance().getMessage("auth.07", new Object[]{authUrl + "*"});
        // NOTE(review): the request-derived URL is logged without escaping here;
        // confirm the logging layer neutralises line breaks.
        Logger.info(reason);
        // HTML-escaped because the text ends up in the error response.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(reason));
    }

    /** No post-processing is performed. */
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, ModelAndView modelAndView) throws Exception {
        // intentionally empty
    }

    /** No completion handling is performed. */
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, Exception exc) throws Exception {
        // intentionally empty
    }
}
