package org.cloudfoundry.identity.uaa.authentication;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.27.0.jar:org/cloudfoundry/identity/uaa/authentication/PasswordChangeRequiredFilter.class */
public class PasswordChangeRequiredFilter extends OncePerRequestFilter {
    private final AuthenticationEntryPoint entryPoint;

    public PasswordChangeRequiredFilter(AuthenticationEntryPoint authenticationEntryPoint) {
        this.entryPoint = authenticationEntryPoint;
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (needsPasswordReset()) {
            this.entryPoint.commence(httpServletRequest, httpServletResponse, new PasswordChangeRequiredException((UaaAuthentication) SecurityContextHolder.getContext().getAuthentication(), "password reset is required"));
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    protected boolean needsPasswordReset() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && (authentication instanceof UaaAuthentication) && ((UaaAuthentication) authentication).isRequiresPasswordChange() && authentication.isAuthenticated();
    }
}
