package org.springframework.security.access.expression.method;

import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.prepost.PostInvocationAttribute;
import org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:WEB-INF/lib/spring-security-core-5.0.9.RELEASE.jar:org/springframework/security/access/expression/method/ExpressionBasedPostInvocationAdvice.class */
public class ExpressionBasedPostInvocationAdvice implements PostInvocationAuthorizationAdvice {
    protected final Log logger = LogFactory.getLog(getClass());
    private final MethodSecurityExpressionHandler expressionHandler;

    public ExpressionBasedPostInvocationAdvice(MethodSecurityExpressionHandler methodSecurityExpressionHandler) {
        this.expressionHandler = methodSecurityExpressionHandler;
    }

    @Override // org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice
    public Object after(Authentication authentication, MethodInvocation methodInvocation, PostInvocationAttribute postInvocationAttribute, Object obj) throws AccessDeniedException {
        PostInvocationExpressionAttribute postInvocationExpressionAttribute = (PostInvocationExpressionAttribute) postInvocationAttribute;
        EvaluationContext createEvaluationContext = this.expressionHandler.createEvaluationContext(authentication, methodInvocation);
        Expression filterExpression = postInvocationExpressionAttribute.getFilterExpression();
        Expression authorizeExpression = postInvocationExpressionAttribute.getAuthorizeExpression();
        if (filterExpression != null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Applying PostFilter expression " + filterExpression);
            }
            if (obj != null) {
                obj = this.expressionHandler.filter(obj, filterExpression, createEvaluationContext);
            } else if (this.logger.isDebugEnabled()) {
                this.logger.debug("Return object is null, filtering will be skipped");
            }
        }
        this.expressionHandler.setReturnObject(obj, createEvaluationContext);
        if (authorizeExpression == null || ExpressionUtils.evaluateAsBoolean(authorizeExpression, createEvaluationContext)) {
            return obj;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("PostAuthorize expression rejected access");
        }
        throw new AccessDeniedException("Access is denied");
    }
}
