package be.atbash.ee.security.octopus.filter;

import be.atbash.ee.security.octopus.config.OctopusJSFConfiguration;
import be.atbash.ee.security.octopus.config.SessionHijackingLevel;
import be.atbash.ee.security.octopus.session.usage.ActiveSessionRegistry;
import be.atbash.ee.security.octopus.session.usage.SessionInfo;
import be.atbash.ee.security.octopus.util.WebUtils;
import java.io.IOException;
import java.util.Objects;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

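/**
 * Advice filter that rejects a request when the client characteristics recorded for the
 * current session (the {@code User-Agent} header and, at level {@code ON}, the peer address)
 * no longer match the incoming request. This is a heuristic defence against reuse of a
 * stolen session id, not a replacement for proper cookie hygiene.
 *
 * <p>Behaviour is driven by {@link OctopusJSFConfiguration#getSessionHijackingLevel()}:
 * {@code OFF} disables the check entirely; any other level compares the {@code User-Agent}
 * header; {@code ON} additionally compares the remote address. A mismatch yields an HTTP 401
 * with a short plain-text body, the session is marked with
 * {@link #OCTOPUS_SESSION_HIJACKING_ATTEMPT} and the filter chain is stopped.
 *
 * <p>Security caveats for deployers:
 * <ul>
 *   <li>The {@code User-Agent} header is fully attacker-controlled, so the header check only
 *       stops opportunistic reuse of a captured session id; an attacker who captured the cookie
 *       usually captured the User-Agent as well.</li>
 *   <li>{@code getRemoteAddr()} is the address of the immediate TCP peer. Behind a reverse proxy
 *       or load balancer it is the proxy's address, which makes the {@code ON} check either
 *       ineffective (all clients share one address) or disruptive (proxy pools rotate
 *       addresses). Nothing here reads {@code X-Forwarded-For}, which is client-forgeable unless
 *       the edge strips it; do not add that without trusting the edge.</li>
 *   <li>The session is flagged but not invalidated here; whatever consumes the attribute is
 *       presumably responsible for that — verify against the rest of the module.</li>
 * </ul>
 */
@ApplicationScoped
public class SessionHijackingFilter extends AdviceFilter {
    /** Session attribute set to {@link Boolean#TRUE} once a mismatch has been detected. */
    public static final String OCTOPUS_SESSION_HIJACKING_ATTEMPT = "OctopusSessionHijackingAttempt";

    /** Plain-text body written with the 401 rejection. */
    private static final String REJECTION_MESSAGE = "Refused by the Session Hijacking Protection";

    private static final Logger LOGGER = LoggerFactory.getLogger(SessionHijackingFilter.class);

    @Inject
    private ActiveSessionRegistry activeSessionRegistry;

    @Inject
    private OctopusJSFConfiguration jsfConfiguration;

    /** Registers this filter under the short name {@code "sh"} used in filter-chain definitions. */
    @PostConstruct
    public void init() {
        setName("sh");
    }

    /**
     * Compares the incoming request against the fingerprint stored for its session.
     *
     * @param servletRequest  the request; cast to {@link HttpServletRequest} when the check is active
     * @param servletResponse the response; receives the 401 rejection on a mismatch
     * @return {@code true} to continue the chain, {@code false} once a rejection has been written
     * @throws Exception propagated from the response writer or the injected collaborators
     */
    protected boolean preHandle(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        // Read the level once so both comparisons below see the same configuration value.
        SessionHijackingLevel level = jsfConfiguration.getSessionHijackingLevel();
        if (level == SessionHijackingLevel.OFF) {
            return true;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        // Requests that must not create a session have nothing to compare against.
        if (!WebUtils._isSessionCreationEnabled(request)) {
            return true;
        }
        // NOTE(review): getInfo() is assumed to always return an entry for a session-enabled
        // request; a null here surfaces as an NPE (HTTP 500) rather than a rejection — confirm
        // with the registry before relying on that.
        SessionInfo info = activeSessionRegistry.getInfo(request);

        // Null-safe comparison: a value missing on only one side is a mismatch (fail closed)
        // instead of an NPE; both sides missing compare equal, as no fingerprint was recorded.
        boolean matches = Objects.equals(info.getUserAgent(), request.getHeader("User-Agent"));
        if (matches && level == SessionHijackingLevel.ON) {
            // The stored value is presumably the peer address recorded at session start; see the
            // class documentation for why this is unreliable behind a proxy.
            matches = Objects.equals(info.getRemoteHost(), request.getRemoteAddr());
        }
        if (!matches) {
            reject(request, (HttpServletResponse) servletResponse, info, level);
        }
        return matches;
    }

    /**
     * Writes the 401 rejection, flags the session and logs the event.
     *
     * @param request  the rejected request (only its peer address is logged)
     * @param response the response to write the rejection to
     * @param info     the session record whose {@link javax.servlet.http.HttpSession} gets flagged
     * @param level    the configured protection level, included in the log line
     * @throws IOException if the response writer cannot be obtained
     */
    private void reject(HttpServletRequest request, HttpServletResponse response, SessionInfo info,
                        SessionHijackingLevel level) throws IOException {
        // Only the peer address is logged: the User-Agent is attacker-controlled free text and is
        // deliberately kept out of the log line.
        LOGGER.warn("Session hijacking protection rejected request from {} (level {})",
                request.getRemoteAddr(), level);
        // 401 is kept for compatibility with existing clients; strictly, a failed fingerprint
        // check is closer to 403 since no credential challenge is issued.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getWriter().write(REJECTION_MESSAGE);
        info.getHttpSession().setAttribute(OCTOPUS_SESSION_HIJACKING_ATTEMPT, Boolean.TRUE);
    }
}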
