private void refreshData(
      AuthenticationSettings authSettings,
      AuthorizationRequestData rdo,
      HttpServletRequest request,
      HttpServletResponse response)
      throws ServletException, IOException, MarketplaceRemovedException {

    if (authSettings.isServiceProvider()) {

      rdo.setTenantID(getTenantID(rdo, request));

      if (!isSamlForward(request)) {
        return;
      }

      rdo.refreshData(request);

      SAMLCredentials samlCredentials = new SAMLCredentials(request);

      if (rdo.getUserId() == null) {
        rdo.setUserId(samlCredentials.getUserId());
      }

      if (rdo.getPassword() == null) {
        String generatedPassword = samlCredentials.generatePassword();
        if (generatedPassword == null) {
          request.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_SAML_TIMEOUT);
          forward(errorPage, request, response);
        }
        rdo.setPassword(generatedPassword);

        // if generated password is null, then timeout!!!
      }
    } else {
      rdo.refreshData(request);
      // store some parameters if the login fails (needed for login.xhtml)
      request.setAttribute(Constants.REQ_PARAM_USER_ID, rdo.getUserId());
    }
  }
  protected void handleProtectedUrlAndChangePwdCase(
      FilterChain chain,
      HttpServletRequest httpRequest,
      HttpServletResponse httpResponse,
      AuthorizationRequestData rdo)
      throws IOException, ServletException {

    if (logger.isDebugLoggingEnabled()) {
      logger.logDebug("Access to protected URL='" + rdo.getRelativePath() + "'");
    }

    ServiceAccess serviceAccess = ServiceAccess.getServiceAcccessFor(httpRequest.getSession());

    try {
      if (rdo.isAccessToServiceUrl()) {
        /*
         * We must NOT read the request parameters for service URLs
         * because this would cause a state switch of the request.
         * Afterwards the rewriting of a POST request may fail because
         * the parameters can't be accessed via the request input
         * stream.
         */
        httpRequest = handleServiceUrl(chain, httpRequest, httpResponse, rdo);
        if (httpRequest == null) {
          return;
        }
      } else if (ADMStringUtils.isBlank(rdo.getUserId())) {
        if (authSettings.isServiceProvider()) {
          if (isSamlForward(httpRequest)) {
            SAMLCredentials samlCredentials = new SAMLCredentials(httpRequest);
            rdo.setUserId(samlCredentials.getUserId());
            if (rdo.getUserId() == null) {
              httpRequest.setAttribute(
                  Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_SAML_RESPONSE);
              forward(errorPage, httpRequest, httpResponse);
            }
          }
        } else {
          rdo.setUserId(httpRequest.getParameter(Constants.REQ_PARAM_USER_ID));
        }
      }

      // continue if user is already logged-in
      if (handleLoggedInUser(chain, httpRequest, httpResponse, serviceAccess, rdo)) {
        return;
      }

      // the httpRequest was already processed and we forwarded to the
      // corresponding page therefore we must not try to login again
      if (httpRequest.getAttribute(Constants.REQ_ATTR_ERROR_KEY) != null) {
        chain.doFilter(httpRequest, httpResponse);
        return;
      }

      refreshData(authSettings, rdo, httpRequest, httpResponse);

      // user not logged in, check user-name and password before login
      // don't do a trim on password because it may have
      // leading/trailing/only blanks

      if (authSettings.isServiceProvider()) {
        rollbackDefaultTimeout(httpRequest);
        if (ADMStringUtils.isBlank(rdo.getUserId())) {
          httpRequest.setAttribute(
              Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_INVALID_SAML_RESPONSE);
          if (isSamlForward(httpRequest)) {
            forward(errorPage, httpRequest, httpResponse);
          } else {
            forwardToLoginPage(rdo.getRelativePath(), true, httpRequest, httpResponse, chain);
          }
          return;
        }
      } else {
        if (ADMStringUtils.isBlank(rdo.getUserId()) || !rdo.isPasswordSet()) {
          if (!rdo.isMarketplace()
              && (!ADMStringUtils.isBlank(rdo.getUserId()) || rdo.isPasswordSet())) {
            // login data not complete, user or password empty
            httpRequest.setAttribute(Constants.REQ_ATTR_ERROR_KEY, BaseBean.ERROR_LOGIN);
          }
          forwardToLoginPage(rdo.getRelativePath(), true, httpRequest, httpResponse, chain);
          return;
        }
      }

      IdentityService identityService = serviceAccess.getService(IdentityService.class);
      VOUser voUser;
      try {
        voUser = readTechnicalUserFromDb(identityService, rdo);
      } catch (ObjectNotFoundException e) {
        handleUserNotRegistered(chain, httpRequest, httpResponse, rdo);
        return;
      } catch (SaaSApplicationException e) {
        setErrorAttributesAndForward(errorPage, httpRequest, httpResponse, e);
        return;
      }

      if (!authSettings.isServiceProvider()) {
        if (isAccountLocked(httpRequest, httpResponse, voUser)) {
          return;
        }
      }

      final boolean operationSucceeded;
      if (!authSettings.isServiceProvider() && rdo.isRequestedToChangePwd()) {
        operationSucceeded =
            handleChangeUserPasswordRequest(chain, httpRequest, httpResponse, rdo, identityService);
      } else {
        operationSucceeded =
            loginUser(chain, httpRequest, httpResponse, voUser, rdo, identityService);
      }
      if (!operationSucceeded) {
        return;
      }
      rdo.setUserDetails(identityService.getCurrentUserDetails());

      // read user details value object and store it in the session, DON'T
      // use old session, because it might have been invalidated
      httpRequest.getSession().setAttribute(Constants.SESS_ATTR_USER, rdo.getUserDetails());

      if (isPageForbiddenToAccess(httpRequest, rdo, serviceAccess)) {
        forward(insufficientAuthoritiesUrl, httpRequest, httpResponse);
      }
      // check if user must change his password
      if (!authSettings.isServiceProvider()
          && (rdo.getUserDetails().getStatus() == UserAccountStatus.PASSWORD_MUST_BE_CHANGED)) {
        forwardToPwdPage(rdo.getUserDetails().getUserId(), httpRequest, httpResponse);
      } else {
        redirectToPrimarilyRequestedUrl(chain, httpRequest, httpResponse, serviceAccess, rdo);
      }

    } catch (NumberFormatException e) {
      handleNumberFormatException(chain, httpRequest, httpResponse, e, rdo);
    } catch (ServletException e) {
      handleServletException(httpRequest, httpResponse, e);
    } catch (MarketplaceRemovedException e) {
      handleMarketplaceRemovedException(httpRequest, httpResponse);
    }
  }