public AuthStatus validateRequest()

in geronimo-jaspi-openid/src/main/java/org/apache/geronimo/components/jaspi/modules/openid/OpenIDServerAuthModule.java [141:266]


    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean isMandatory = isMandatory(messageInfo);
        HttpSession session = request.getSession(isMandatory);
        String uri = request.getRequestURI();
        if (session == null || isLoginOrErrorPage(uri)) {
            //auth not mandatory and not logged in.
            return AuthStatus.SUCCESS;
        }

        //are we returning from the OP redirect?
        if (uri.endsWith(RETURN_ADDRESS)) {
            ParameterList parameterList = new ParameterList(request.getParameterMap());
            DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISCOVERY_SESSION_KEY);
            String returnAddress = (String) session.getAttribute(RETURN_ADDRESS_KEY);
            session.removeAttribute(RETURN_ADDRESS_KEY);
            try {
                VerificationResult verification = consumerManager.verify(returnAddress, parameterList, discovered);
                Identifier identifier = verification.getVerifiedId();

                if (identifier != null) {
                    session.setAttribute(ID_KEY, identifier);
                    //redirect back to original page
                    response.setContentLength(0);
                    String originalURI = (String) session.getAttribute(ORIGINAL_URI_KEY);
                    session.removeAttribute(ORIGINAL_URI_KEY);
                    if (originalURI == null || originalURI.length() == 0) {
                        originalURI = request.getContextPath();
                        if (originalURI.length() == 0) {
                            originalURI = "/";
                        }
                    }
                    response.sendRedirect(response.encodeRedirectURL(originalURI));
                    return AuthStatus.SEND_CONTINUE;
                }
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Response verification failed: " + verification.getStatusMsg());

//            } catch (MessageException e) {
//
//            } catch (DiscoveryException e) {
//
//            } catch (AssociationException e) {
//
//            } catch (IOException e) {
            } catch (Exception e) {
                try {
                    //TODO redirect to error page or just send error
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
                } catch (IOException e1) {

                }
            }
            return AuthStatus.SEND_FAILURE;
        }

        //are we already logged in, and not expired?
        Identifier identifier = (Identifier) session.getAttribute(ID_KEY);
        if (identifier != null) {
            //TODO set up subject and callback handler.
            final IdentifierPrincipal principal = new IdentifierPrincipal(identifier.getIdentifier());
            clientSubject.getPrincipals().add(principal);
            clientSubject.getPrincipals().add(new AuthenticatedPrincipal());
            DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISCOVERY_SESSION_KEY);
            URL opEndpoint = discovered.getOPEndpoint();
            clientSubject.getPrincipals().add(new OpenIDProviderPrincipal(opEndpoint.toString()));
            CallerPrincipalCallback cpCallback = new CallerPrincipalCallback(clientSubject, principal);
            GroupPrincipalCallback gpCallback = new GroupPrincipalCallback(clientSubject, new String[]{"authenticated"});
            try {
                callbackHandler.handle(new Callback[]{cpCallback, gpCallback});
            } catch (IOException e) {

            } catch (UnsupportedCallbackException e) {

            }
            return AuthStatus.SUCCESS;
        }

        //if request is not mandatory, we don't authenticate.
        if (!isMandatory) {
            return AuthStatus.SUCCESS;
        }
        //assume not...

        String openidIdentifier = request.getParameter(OPENID_IDENTIFIER);
        try {
            //redirect to login page here...
            if (openidIdentifier == null) {
                // redirect to login page
                session.setAttribute(ORIGINAL_URI_KEY, getFullRequestURI(request).toString());
                response.setContentLength(0);
                response.sendRedirect(response.encodeRedirectURL(addPaths(request.getContextPath(), loginPage)));
                return AuthStatus.SEND_CONTINUE;

            }
            List<DiscoveryInformation> discoveries = consumerManager.discover(openidIdentifier);
            //associate with one OP
            DiscoveryInformation discovered = consumerManager.associate(discoveries);
            //save association info in session
            session.setAttribute(DISCOVERY_SESSION_KEY, discovered);

            String returnAddress = request.getRequestURL().append(RETURN_ADDRESS).toString();
            AuthRequest authRequest = consumerManager.authenticate(discovered, returnAddress);
            session.setAttribute(RETURN_ADDRESS_KEY, authRequest.getReturnTo());

            //save original uri in response, to be retrieved after redirect returns
            if (session.getAttribute(ORIGINAL_URI_KEY) == null) {
                session.setAttribute(ORIGINAL_URI_KEY, getFullRequestURI(request).toString());
            }

            //TODO openid 2.0 form redirect
            response.sendRedirect(authRequest.getDestinationUrl(true));
            return AuthStatus.SEND_CONTINUE;

        } catch (DiscoveryException e) {
            throw (AuthException) new AuthException("Could not authenticate").initCause(e);
        } catch (ConsumerException e) {
            throw (AuthException) new AuthException("Could not authenticate").initCause(e);
        } catch (MessageException e) {
            throw (AuthException) new AuthException("Could not authenticate").initCause(e);
        } catch (IOException e) {
            throw (AuthException) new AuthException("Could not authenticate").initCause(e);
        }

//        return null;
    }