@DataBoundConstructor
  public WwpassSecurityRealm(String certFile, String keyFile, String name, boolean allowsSignup) {

    this.disableSignup = !allowsSignup;

    this.name = name;

    if (certFile != null && !certFile.isEmpty() && keyFile != null && !keyFile.isEmpty()) {
      this.certFile = certFile;
      this.keyFile = keyFile;
    } else {
      if (System.getProperty("os.name").startsWith("Windows")) {
        this.certFile = DEFAULT_CERT_FILE_WINDOWS;
        this.keyFile = DEFAULT_KEY_FILE_WINDOWS;
      } else if (System.getProperty("os.name").startsWith("Linux")) {
        this.certFile = DEFAULT_CERT_FILE_LINUX;
        this.keyFile = DEFAULT_KEY_FILE_LINUX;
      } else {
        LOGGER.severe(Messages.WwpassSession_UnsupportedOsError());
        throw new Failure(Messages.WwpassSession_AuthError());
      }
    }

    if (!hasSomeUser()) {
      // if Hudson is newly set up with the security realm and there's no user account created yet,
      // insert a filter that asks the user to create one
      try {
        PluginServletFilter.addFilter(CREATE_FIRST_USER_FILTER);
      } catch (ServletException e) {
        throw new AssertionError(e); // never happen because our Filter.init is no-op
      }
    }
  }
  /** The login process starts from here. */
  public HttpResponse doCommenceLogin(
      StaplerRequest req,
      StaplerResponse rsp,
      @QueryParameter String from,
      @QueryParameter String ticket)
      throws ServletException, IOException {

    // TODO write login method
    String puid = authenticateInWwpass(ticket, certFile, keyFile);

    WwpassIdentity u;
    try {
      u = loadUserByUsername(puid);
    } catch (UsernameNotFoundException e) {
      if (allowsSignup()) {
        req.setAttribute("errorMessage", Messages.WwpassSecurityRealm_NoSuchUserAllowsSignup());
      } else {
        req.setAttribute("errorMessage", Messages.WwpassSecurityRealm_NoSuchUserDisableSignup());
      }
      req.getView(this, "login.jelly").forward(req, rsp);
      throw e;
    }
    if (!u.isAccountNonLocked() || !u.isEnabled()) {
      // throw new LockedException("Account is not activated for " + puid);
      throw new Failure(Messages.WwpassSecurityRealm_AccountNotActivated());
    }

    Authentication a = new WwpassAuthenticationToken(u.getNickname());
    a = this.getSecurityComponents().manager.authenticate(a);
    SecurityContextHolder.getContext().setAuthentication(a);

    return new HttpRedirect(Jenkins.getInstance().getRootUrl());
  }
  /**
   * @return <code>null</code> if failed. The browser is already redirected to retry by the time
   *     this method returns. a valid {@link User} object if the user creation was successful.
   */
  private User createAccount(StaplerRequest req, StaplerResponse rsp, String formView)
      throws ServletException, IOException {

    SignupInfo si = new SignupInfo(req);

    String puid = authenticateInWwpass(si.ticket, certFile, keyFile);

    try {
      if (loadUserByUsername(puid) != null) {
        si.errorMessages.add(Messages.WwpassSecurityRealm_PuidIsAlreadyTaken());
      }
    } catch (UsernameNotFoundException e) {

    }

    if (si.nickname == null || si.nickname.length() == 0)
      si.errorMessages.add(Messages.WwpassSecurityRealm_NicknameIsRequired());
    else {
      User user = User.get(si.nickname, false);
      if (null != user)
        if (user.getProperty(WwpassIdentity.class) != null)
          si.errorMessages.add(Messages.WwpassSecurityRealm_NicknameIsAlreadyTaken());
    }

    if (si.fullname == null || si.fullname.length() == 0)
      si.errorMessages.add(Messages.WwpassSecurityRealm_FullnameIsRequired());
    else {
      User user = User.get(si.fullname, false);
      if (null != user)
        if (user.getProperty(WwpassIdentity.class) != null)
          si.errorMessages.add(Messages.WwpassSecurityRealm_FullnameIsAlreadyTaken());
    }

    if (si.email == null || !si.email.contains("@"))
      si.errorMessages.add(Messages.WwpassSecurityRealm_InvalidEmailAddress());

    if (!si.errorMessages.isEmpty()) {
      // failed. ask the user to try again.
      req.setAttribute("data", si);
      req.getView(this, formView).forward(req, rsp);
      return null;
    }

    // register the user
    WwpassIdentity id = new WwpassIdentity(puid);
    id.populate(si);

    User user = createAccount(id);
    id.updateProfile(user);

    user.save();
    return user;
  }