package org.springframework.security.web.authentication.session;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.log.LogMessage;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-5.6.1.jar:org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.class */
/**
 * Skeleton for session-fixation defences applied through
 * {@link SessionAuthenticationStrategy#onAuthentication}.
 *
 * <p>This class decides <em>whether</em> the session has to be replaced and reports the
 * outcome; <em>how</em> the replacement session is obtained is left to
 * {@link #applySessionFixation(HttpServletRequest)}. That hook is package-private, so
 * concrete strategies must be declared in this package.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Nothing is done when the request has no session and {@code alwaysCreateSession}
 * is {@code false}.</li>
 * <li>The hook is only invoked when a session already existed <em>and</em> the container
 * reports the requested session id as valid. If either condition fails, no
 * {@link SessionFixationProtectionEvent} is published.</li>
 * <li>If the id returned by the hook's session equals the previous id, a WARN is logged.
 * That line is the only signal from this class that the defence had no effect, so it
 * is worth alerting on.</li>
 * <li>Until {@link #setApplicationEventPublisher} is called, events go to
 * {@link NullEventPublisher} and are discarded, so no audit listener will see them.</li>
 * </ul>
 */
public abstract class AbstractSessionFixationProtectionStrategy implements SessionAuthenticationStrategy, ApplicationEventPublisherAware {
    /** Logger bound to the runtime (concrete) class. */
    protected final Log logger = LogFactory.getLog(getClass());

    /** Receives {@link SessionFixationProtectionEvent}s; defaults to a publisher that drops them. */
    private ApplicationEventPublisher applicationEventPublisher = new NullEventPublisher();

    /** When {@code true}, a session is created on authentication even if none existed. */
    private boolean alwaysCreateSession;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-web-5.6.1.jar:org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy$NullEventPublisher.class */
    /**
     * Publisher whose {@code publishEvent} overloads both have empty bodies. It lets the
     * strategy call the publisher unconditionally; the side effect is that session
     * change events are silently lost while it is the active publisher.
     */
    protected static final class NullEventPublisher implements ApplicationEventPublisher {
        protected NullEventPublisher() {
        }

        /** Discards the event. */
        @Override // org.springframework.context.ApplicationEventPublisher
        public void publishEvent(ApplicationEvent applicationEvent) {
        }

        /** Discards the event. */
        @Override // org.springframework.context.ApplicationEventPublisher
        public void publishEvent(Object obj) {
        }
    }

    /**
     * Replaces the current session through {@link #applySessionFixation} when the request
     * arrived with a session that the container considers valid, then reports the change.
     *
     * @param authentication the authentication passed on to {@link #onSessionChange}
     * @param httpServletRequest the request whose session is inspected and replaced
     * @param httpServletResponse not used by this implementation
     */
    @Override // org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
    public void onAuthentication(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final boolean hadSessionAlready = httpServletRequest.getSession(false) != null;
        if (!hadSessionAlready && !this.alwaysCreateSession) {
            // No session before and none requested by configuration: nothing to replace.
            return;
        }

        // getSession() creates a session when none exists (the alwaysCreateSession path).
        final HttpSession currentSession = httpServletRequest.getSession();
        if (!hadSessionAlready || !httpServletRequest.isRequestedSessionIdValid()) {
            // A session created just above, or a requested id the container does not
            // accept as valid, is not passed to the hook and produces no event.
            return;
        }

        final String originalSessionId;
        final HttpSession replacementSession;
        final String newSessionId;
        // Read old id, swap, read new id: all three steps run while holding the monitor
        // that WebUtils.getSessionMutex returns for the pre-existing session.
        synchronized (WebUtils.getSessionMutex(currentSession)) {
            originalSessionId = currentSession.getId();
            replacementSession = applySessionFixation(httpServletRequest);
            newSessionId = replacementSession.getId();
        }

        final boolean idUnchanged = originalSessionId.equals(newSessionId);
        if (idUnchanged) {
            // The identifier the client presented before login is still the live one.
            this.logger.warn("Your servlet container did not change the session ID when a new session "
                    + "was created. You will not be adequately protected against session-fixation attacks");
        } else if (this.logger.isDebugEnabled()) {
            // NOTE(review): this writes the pre-authentication session id to the log.
            // Whether that id is still usable depends on the subclass hook; confirm
            // before shipping DEBUG logs to shared sinks.
            this.logger.debug(LogMessage.format("Changed session id from %s", originalSessionId));
        }

        // Reported in both branches, including when the id did not change.
        onSessionChange(originalSessionId, replacementSession, authentication);
    }

    /**
     * Produces the session that continues the request after authentication.
     *
     * @param httpServletRequest the request being authenticated
     * @return the session to use from now on; the caller compares its id with the
     * previous one to detect a container that did not change it
     */
    abstract HttpSession applySessionFixation(HttpServletRequest httpServletRequest);

    /**
     * Publishes a {@link SessionFixationProtectionEvent} carrying the authentication, the
     * previous session id and the id of the session passed in.
     *
     * @param str the session id read before {@link #applySessionFixation} ran
     * @param httpSession the session returned by {@link #applySessionFixation}
     * @param authentication the authentication that triggered the change
     */
    protected void onSessionChange(String str, HttpSession httpSession, Authentication authentication) {
        final ApplicationEvent sessionChanged = new SessionFixationProtectionEvent(authentication, str, httpSession.getId());
        this.applicationEventPublisher.publishEvent(sessionChanged);
    }

    /**
     * Sets the publisher that receives session change events, replacing the default
     * {@link NullEventPublisher}.
     *
     * @param applicationEventPublisher the publisher to use; rejected by
     * {@code Assert.notNull} when {@code null}
     */
    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        Assert.notNull(applicationEventPublisher, "applicationEventPublisher cannot be null");
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Controls whether {@link #onAuthentication} creates a session when the request has
     * none. A session created this way is not passed to {@link #applySessionFixation}.
     *
     * @param z {@code true} to always create a session on authentication
     */
    public void setAlwaysCreateSession(boolean z) {
        this.alwaysCreateSession = z;
    }
}
