/**
 * Decides what to do with a request before the wrapped authentication handler runs.
 *
 * <p>Two paths exist:
 * <ul>
 *   <li>An explicit authentication call: a redirect URL that accompanies the call (if any) is
 *       stored, and validation is delegated to the superclass.</li>
 *   <li>No explicit authentication call: a request for a protected resource is saved and the
 *       caller is redirected to the configured public page; any other request is passed
 *       through.</li>
 * </ul>
 *
 * <p>NOTE: This assumes that automatic session management is used (like e.g.
 * AutoRegisterSessionWrapper does) and that the SAMs are NOT invoked when the user is
 * authenticated and has access to the resource.
 *
 * @param messageInfo    the message being processed
 * @param clientSubject  the subject representing the caller
 * @param serviceSubject the subject representing the service
 * @return {@code SEND_CONTINUE} after redirecting away from a protected resource, {@code null}
 *         when there is neither an explicit login nor a protected resource, otherwise whatever
 *         the superclass returns
 * @throws AuthException as declared by the overridden method; at least the delegated superclass
 *         call can raise it
 */
@Override
public AuthStatus validateRequest(
        MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
        throws AuthException {

    HttpMsgContext msgContext = new HttpMsgContext(handler, options, messageInfo, clientSubject);

    if (msgContext.isAnyExplicitAuthCall()) {
        // Explicit authentication call: remember the redirect URL that came with it, if any.
        //
        // NOTE(review): the URL is stored exactly as supplied; nothing in this method limits it
        // to this application. If AuthParameters can carry a caller-influenced value, confirm it
        // is checked (same origin / allow-list) before it is used as a redirect target.
        String redirectUrl = getRedirectUrl(msgContext);
        if (redirectUrl != null) {
            requestDAO.saveUrlOnly(msgContext.getRequest(), redirectUrl);
        }

        return super.validateRequest(messageInfo, clientSubject, serviceSubject);
    }

    // TODO: Add checks if user is authenticated and deal with case where user is authenticated
    // but doesn't have access

    if (!msgContext.isProtected()) {
        // No explicit login request and no protected resource. Just continue.
        return null;
    }

    // Protected resource without an explicit login: keep the current request so the original URL
    // can be revisited after authentication succeeds, wrapped with the original headers,
    // cookies, etc.
    //
    // NOTE(review): since the saved request is meant to carry headers and cookies, whatever
    // requestDAO persists should be treated as sensitive - confirm where and how long it is kept.
    requestDAO.save(msgContext.getRequest());

    // NOTE(review): getBaseURL is not visible in this block; if it derives the base from
    // request headers such as Host, confirm that value is trusted in the deployment.
    redirect(
        msgContext.getRequest(),
        msgContext.getResponse(),
        getBaseURL(msgContext.getRequest())
            + msgContext.getModuleOption(PUBLIC_REDIRECT_URL)
            + "?new=false");

    // End request processing for this request and don't try to process the handler.
    return SEND_CONTINUE;
}
/**
 * Reads the redirect URL from the authentication parameters of the given context.
 *
 * <p>The value is returned as-is; no validation of the URL happens here.
 *
 * @param msgContext the context of the current request
 * @return the redirect URL held by the authentication parameters, or {@code null} when the
 *         context has no authentication parameters (the parameters themselves may also yield
 *         {@code null})
 */
private String getRedirectUrl(HttpMsgContext msgContext) {
    AuthParameters params = msgContext.getAuthParameters();
    if (params == null) {
        return null;
    }
    return params.getRedirectUrl();
}