package org.craftercms.security.authorization.impl;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.commons.http.RequestContext;
import org.craftercms.security.authorization.AccessDeniedHandler;
import org.craftercms.security.exception.AccessDeniedException;
import org.craftercms.security.exception.SecurityProviderException;
import org.craftercms.security.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/crafter-security-provider-3.0.27.jar:org/craftercms/security/authorization/impl/AccessDeniedHandlerImpl.class */
/**
 * Default {@link AccessDeniedHandler}: answers an access-denied condition with HTTP 403,
 * either by forwarding to a configured error page or, when none is configured, by calling
 * {@code sendError} on the response.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code errorPageUrl} is handed straight to {@code getRequestDispatcher(...)} for a
 *       server-side forward. It is only ever set through {@link #setErrorPageUrl(String)};
 *       keep it a deployment-time configuration value and never derive it from request data.</li>
 *   <li>{@link #sendError} passes the exception message to the servlet container, which may
 *       render it in the 403 response body. Exception messages reaching this handler should
 *       not carry internal detail (resource names, rule internals, user data).</li>
 * </ul>
 */
public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
    private static final Logger logger = LoggerFactory.getLogger(AccessDeniedHandlerImpl.class);

    /** Path of the error page to forward to; {@code null} or empty means "use sendError". */
    protected String errorPageUrl;

    /**
     * Configures the error page used for access-denied responses.
     *
     * @param str dispatcher path of the error page, or {@code null}/empty to disable forwarding
     */
    public void setErrorPageUrl(String str) {
        errorPageUrl = str;
    }

    /**
     * @return the configured error page path, possibly {@code null}
     */
    protected String getErrorPageUrl() {
        return errorPageUrl;
    }

    /**
     * Stores the exception on the request, then responds with 403 via the error page when one
     * is configured and via {@code sendError} otherwise.
     *
     * @param requestContext        the current request/response pair
     * @param accessDeniedException the denial being handled
     * @throws SecurityProviderException if forwarding to the error page fails with a servlet error
     * @throws IOException               if writing the response fails
     */
    @Override
    public void handle(RequestContext requestContext, AccessDeniedException accessDeniedException) throws SecurityProviderException, IOException {
        saveException(requestContext, accessDeniedException);

        // No error page configured: fall back to the container's 403 handling.
        if (StringUtils.isEmpty(getErrorPageUrl())) {
            sendError(accessDeniedException, requestContext);
            return;
        }

        forwardToErrorPage(requestContext);
    }

    /**
     * Exposes the exception to whatever renders the response after a forward.
     *
     * <p>Despite the constant's name, the value is written as a <em>request</em> attribute,
     * so it does not outlive the current request.
     *
     * @param requestContext        the current request/response pair
     * @param accessDeniedException the exception to store
     */
    protected void saveException(RequestContext requestContext, AccessDeniedException accessDeniedException) {
        logger.debug("Saving access denied exception in request to use after forward");

        HttpServletRequest currentRequest = requestContext.getRequest();
        currentRequest.setAttribute(SecurityUtils.ACCESS_DENIED_EXCEPTION_SESSION_ATTRIBUTE, accessDeniedException);
    }

    /**
     * Sets the 403 status and forwards the request to the configured error page.
     *
     * <p>The status is set before the forward so the error page is served as 403. A forward
     * needs an uncommitted response; per the Servlet API it raises
     * {@code IllegalStateException} otherwise, which is not handled here.
     *
     * @param requestContext the current request/response pair
     * @throws SecurityProviderException wrapping any {@link ServletException} raised by the forward
     * @throws IOException               if the forwarded resource fails on I/O
     */
    protected void forwardToErrorPage(RequestContext requestContext) throws SecurityProviderException, IOException {
        final HttpServletRequest currentRequest = requestContext.getRequest();
        final HttpServletResponse currentResponse = requestContext.getResponse();
        final String targetPage = getErrorPageUrl();

        currentResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        logger.debug("Forwarding to error page at {}, with 403 FORBIDDEN status", targetPage);

        try {
            currentRequest.getRequestDispatcher(targetPage).forward(currentRequest, currentResponse);
        } catch (ServletException forwardFailure) {
            // Keep the original exception as the cause so the failure stays diagnosable.
            throw new SecurityProviderException(forwardFailure.getMessage(), forwardFailure);
        }
    }

    /**
     * Sends a plain 403 through the servlet container.
     *
     * <p>NOTE(review): the exception message is passed as the error message and may be shown
     * to the client by the container's error page; confirm messages are safe to disclose.
     *
     * @param accessDeniedException the denial whose message is sent with the error
     * @param requestContext        the current request/response pair
     * @throws IOException if the response cannot be written
     */
    protected void sendError(AccessDeniedException accessDeniedException, RequestContext requestContext) throws IOException {
        logger.debug("Sending 403 FORBIDDEN error");

        final HttpServletResponse currentResponse = requestContext.getResponse();
        final String reason = accessDeniedException.getMessage();
        currentResponse.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }
}
