org.wso2.carbon.identity.provider.openid.handlers.OpenIDHandler.java Source code

Java tutorial

Introduction

Here is the source code for org.wso2.carbon.identity.provider.openid.handlers.OpenIDHandler.java

Source

/*
 * Copyright (c) 2005-2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
 *  WSO2 Inc. licenses this file to you under the Apache License,
 *  Version 2.0 (the "License"); you may not use this file except
 *  in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.wso2.carbon.identity.provider.openid.handlers;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.openid4java.message.DirectError;
import org.openid4java.message.ParameterList;
import org.owasp.encoder.Encode;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationRequestCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCache;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry;
import org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheKey;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.cache.CacheEntry;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.base.IdentityConstants;
import org.wso2.carbon.identity.base.IdentityConstants.OpenId;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.provider.IdentityProviderException;
import org.wso2.carbon.identity.provider.dto.OpenIDAuthRequestDTO;
import org.wso2.carbon.identity.provider.dto.OpenIDAuthResponseDTO;
import org.wso2.carbon.identity.provider.dto.OpenIDParameterDTO;
import org.wso2.carbon.identity.provider.openid.OpenIDConstants;
import org.wso2.carbon.identity.provider.openid.client.OpenIDAdminClient;
import org.wso2.carbon.identity.provider.openid.util.OpenIDUtil;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Enumeration;
import java.util.Map;

/**
 * Handles functionality related OpenID association,
 * authentication,checkid_immediate checkid_setup. check_authentication [POST] :
 * Ask an Identity Provider if a message is valid. For dumb, state-less
 * Consumers or when verifying an invalidate_handle response. checkid_setup
 * [GET] : Ask an Identity Provider if a End User owns the Claimed Identifier,
 * but be willing to wait for the reply. The Consumer will pass the User-Agent
 * to the Identity Provider for a short period of time which will return either
 * a "yes" or "cancel" answer. checkid_immediate [GET] : Ask an Identity
 * Provider if a End User owns the Claimed Identifier, getting back an immediate
 * "yes" or "can't say" answer. associate [POST] : Establish a shared secret
 * between Consumer and Identity Provider
 */
public class OpenIDHandler {

    private static final String TRUE = "true";
    // Guaranteed to be thread safe
    private static OpenIDHandler provider;
    private static final Log log = LogFactory.getLog(OpenIDHandler.class);
    private String frontEndUrl;
    private String opAddress;

    /**
     * Configure the OpenID Provider's end-point URL
     *
     * @param serverUrl
     */
    private OpenIDHandler(String serverUrl) {
        opAddress = serverUrl;
    }

    /**
     * @param serverUrl
     * @return
     */
    public static OpenIDHandler getInstance(String serverUrl) {
        if (provider == null) {
            provider = new OpenIDHandler(serverUrl);
        }
        return provider;
    }

    /**
     * This is the page the user will be redirected for authentication.
     *
     * @param frontEndUrl Authentication page
     */
    public void setFrontEndUrl(String frontEndUrl) {
        this.frontEndUrl = frontEndUrl;
        if (log.isDebugEnabled()) {
            log.debug("Authentication page set to :" + this.frontEndUrl);
        }
    }

    /**
     * @return OpenID Provider server URL.
     */
    public String getOpAddress() {
        return opAddress;
    }

    /**
     * Process the request message and handles the logic
     *
     * @param request
     * @param response
     * @return
     * @throws IdentityException
     */
    public String processRequest(HttpServletRequest request, HttpServletResponse response)
            throws IdentityException {
        // check if a logout request
        if (request.getParameter(OpenIDConstants.RequestParameter.LOGOUT_URL) != null) {
            return handleSingleLogout(request, response);
        }

        // check if a request from the login page
        if (request.getAttribute(OpenIDConstants.RequestParameter.NON_LOGIN) == null
                && request.getParameter(OpenIDConstants.RequestParameter.SESSION_DATA_KEY) != null) {
            handleRequestFromLoginPage(request, response);

        } else { // this is a request from the client or from the consent page

            // if a request from the consent page
            String approval = request.getParameter(OpenIDConstants.RequestParameter.HAS_APPROVED_ALWAYS);
            if (approval != null) {
                request.getSession().setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS, approval);
                request.getSession().setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED, "true");
            }

            String responseText = null;
            try {

                HttpSession session = request.getSession();
                OpenIDAdminClient client = OpenIDUtil.getOpenIDAdminClient(session);
                ParameterList paramList = getParameterList(request);
                String mode = getOpenIDMessageMode(paramList, response, request);

                if (OpenId.ASSOCIATE.equals(mode)) {
                    // association request from the client
                    OpenIDParameterDTO[] reqDTO = OpenIDUtil.getOpenIDAuthRequest(request);
                    responseText = client.getOpenIDAssociationResponse(reqDTO);
                    if (log.isDebugEnabled()) {
                        log.debug("Association created successfully");
                    }

                } else if (OpenId.CHECKID_SETUP.equals(mode) || OpenId.CHECKID_IMMEDIATE.equals(mode)) {
                    return checkSetupOrImmediate(request, response, paramList, client);

                } else if (OpenId.CHECK_AUTHENTICATION.equals(mode)) {
                    responseText = client.verify(OpenIDUtil.getOpenIDAuthRequest(request));
                    if (log.isDebugEnabled()) {
                        log.debug("Authentication verified successfully");
                    }

                } else {
                    responseText = getErrorResponseText("Not a valid OpenID request");
                    if (log.isDebugEnabled()) {
                        log.debug("No valid MODE found : " + request.getQueryString());
                    }
                }

            } catch (Exception e) {
                log.error("Failed to process OpenID client request", e);
                responseText = getErrorResponseText(e.getMessage());
            }

            try { // Return the result to the user.
                directResponse(response, responseText);
            } catch (IOException e) {
                log.error("Failed to redirect OpenID response", e);
                throw new IdentityException("OpenID redirect reponse failed");
            }
        }

        return null;
    }

    /**
     * Returns the mode field of the OpenID message.
     *
     * @param paramList
     * @param response
     * @param request
     * @return
     * @throws IOException
     */
    private String getOpenIDMessageMode(ParameterList paramList, HttpServletResponse response,
            HttpServletRequest request) throws IOException {
        String mode = null;
        if (paramList == null) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid OpenID message :" + request.getQueryString());
            }
            directResponse(response, getErrorResponseText("Invalid OpenID message"));
            return null;
        }
        mode = paramList.hasParameter(OpenId.ATTR_MODE) ? paramList.getParameterValue(OpenId.ATTR_MODE) : null;
        if (log.isDebugEnabled()) {
            log.debug("OpenID authentication mode :" + mode);
        }
        return mode;
    }

    /**
     * This method returns the OpenID ParameterList object.
     * If the first request, then list is taken from the http request else will
     * be taken from the http session.
     *
     * @param request
     * @return {@link ParameterList}
     */
    private ParameterList getParameterList(HttpServletRequest request) {

        if (OpenId.AUTHENTICATED.equals(request.getSession().getAttribute(OpenId.ACTION))
                || OpenId.CANCEL.equals(request.getSession().getAttribute(OpenId.ACTION))) {
            // not the first visit, get from the session
            return (ParameterList) request.getSession().getAttribute(OpenId.PARAM_LIST);

        } else {
            // its the fist visit, get from the request
            return new ParameterList(request.getParameterMap());
        }
    }

    /**
     * This method handles single logout requests.
     * Basically we are invalidating the session data and cookies.
     *
     * @param request
     * @param response
     * @return
     */
    private String handleSingleLogout(HttpServletRequest request, HttpServletResponse response) {

        log.info("OpenID Single Logout for " + request.getSession().getAttribute("authenticatedOpenID"));

        // removing the authenticated user from the session
        request.getSession().setAttribute("authenticatedOpenID", null);

        // removing the remember-me cookie
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            Cookie curCookie = null;
            for (int x = 0; x < cookies.length; x++) {
                curCookie = cookies[x];
                if ("openidtoken".equalsIgnoreCase(curCookie.getName())) {
                    curCookie.setMaxAge(0);// removing the cookie
                    response.addCookie(curCookie);
                    break;
                }
            }
        }
        // TODO : Must invalidate the cookie from backend too
        return request.getParameter("logoutUrl");
    }

    /**
     * checkid_immediate : Ask an Identity Provider if an End User owns the
     * Claimed Identifier, getting back an immediate "yes" or "can't say"
     * answer. checkid_setup Description: Ask an Identity Provider if a End User
     * owns the Claimed Identifier, but be willing to wait for the reply. The
     * Consumer will pass the User-Agent to the Identity Provider for a short
     * period of time which will return either a "yes" or "cancel" answer.
     *
     * @param request
     * @param params
     * @param client
     * @throws IdentityProviderException
     */
    private String checkSetupOrImmediate(HttpServletRequest request, HttpServletResponse response,
            ParameterList params, OpenIDAdminClient client) throws IdentityProviderException {
        boolean authenticated = false;
        String profileName = null;
        HttpSession session = request.getSession();

        String claimedID = params.getParameterValue(IdentityConstants.OpenId.ATTR_IDENTITY);
        if (claimedID == null) {
            throw new IdentityProviderException("Required attribute openid.identity is missing");
        }

        if (claimedID.endsWith("/openid/")) {
            String openIdInSession = (String) session.getAttribute(OpenIDConstants.SessionAttribute.OPENID);
            if (openIdInSession != null && !"".equals(openIdInSession.trim())) {
                claimedID = openIdInSession;
            }
        }

        if (log.isDebugEnabled()) {
            log.debug("Authentication check for user " + claimedID);
        }

        boolean authCompleted = IdentityConstants.OpenId.AUTHENTICATED
                .equals(session.getAttribute(IdentityConstants.OpenId.ACTION));
        boolean approved = TRUE.equals(session.getAttribute(IdentityConstants.USER_APPROVED));

        if (authCompleted && approved) {
            session.removeAttribute(IdentityConstants.USER_APPROVED);
            session.removeAttribute(IdentityConstants.OpenId.ACTION);
            session.removeAttribute(OpenIDConstants.SessionAttribute.PROFILE);
            authenticated = true;
            if (log.isDebugEnabled()) {
                log.debug("Authenticated and user confirmed :" + claimedID);
            }
            profileName = (String) session.getAttribute(OpenIDConstants.SessionAttribute.PROFILE);
            if (profileName == null) {
                profileName = OpenIDConstants.SessionAttribute.DEFAULT_PROFILE;
            }
            if (log.isDebugEnabled()) {
                log.debug("Selected profile : " + profileName);
            }
            updateRPInfo(claimedID, profileName, params, client, session);
        }

        if (IdentityConstants.OpenId.CANCEL.equals(session.getAttribute(IdentityConstants.OpenId.ACTION))) {
            if (log.isDebugEnabled()) {
                log.debug("User cancelled :" + claimedID);
            }
            authenticated = false;
        } else if (!authenticated) {
            if (log.isDebugEnabled()) {
                log.debug(claimedID + " not authenticated. Redirecting for authentication");
            }

            /*
             * We are setting the openid request parameters to the session. This
             * can be used after we are comming back from the authentication
             * page.
             */
            session.setAttribute(IdentityConstants.OpenId.PARAM_LIST, params);

            try {
                return getLoginPageUrl(claimedID, request, params);
            } catch (IdentityException | IOException e) {
                throw new IdentityProviderException("Failed to get login page url", e);
            }
        }

        OpenIDAuthRequestDTO openIDAuthRequest = new OpenIDAuthRequestDTO();

        if (IdentityConstants.TRUE.equals(session.getAttribute(IdentityConstants.PHISHING_RESISTANCE))) {
            openIDAuthRequest.setPhishiingResistanceAuthRequest(true);
            // Clear the session.
            session.removeAttribute(IdentityConstants.PHISHING_RESISTANCE);
        }
        if (IdentityConstants.TRUE.equals(session.getAttribute(IdentityConstants.MULTI_FACTOR_AUTH))) {
            openIDAuthRequest.setMultiFactorAuthRequested(true);
            // Clear the cache.
            session.removeAttribute(IdentityConstants.MULTI_FACTOR_AUTH);
        }
        openIDAuthRequest.setParams(OpenIDUtil.getOpenIDAuthRequest(params));
        openIDAuthRequest.setOpLocalId(claimedID);
        openIDAuthRequest.setUserSelectedClaimedId(claimedID);
        openIDAuthRequest.setAuthenticated(authenticated);
        openIDAuthRequest.setOpenID(claimedID);
        openIDAuthRequest.setProfileName(profileName);

        String authenticatedIdPsParam = "";

        // setting the user claims received from the framework
        if (session.getAttribute(OpenIDConstants.AUTHENTICATION_RESULT) != null) {
            AuthenticationResult authResult = (AuthenticationResult) session
                    .getAttribute(OpenIDConstants.AUTHENTICATION_RESULT);
            openIDAuthRequest.setResponseClaims(authResult.getSubject().getUserAttributes());
            String authenticatedIdPs = authResult.getAuthenticatedIdPs();

            if (authenticatedIdPs != null && !authenticatedIdPs.isEmpty()) {
                try {
                    authenticatedIdPsParam = "&AuthenticatedIdPs=" + URLEncoder.encode(authenticatedIdPs, "UTF-8");
                } catch (UnsupportedEncodingException e) {
                    throw new IdentityProviderException("Url encoding failed", e);
                }
            }
        }

        session.removeAttribute(OpenIDConstants.SessionAttribute.OPENID);
        OpenIDAuthResponseDTO openIDAuthResponse = client.getOpenIDAuthResponse(openIDAuthRequest);

        if (openIDAuthResponse != null) {
            return openIDAuthResponse.getDestinationUrl() + authenticatedIdPsParam;
        }
        return null;
    }

    /**
     * Updates the RP information of user in the database
     *
     * @param openId
     * @param profileName
     * @param params
     * @param client
     * @param
     * @param session
     * @throws IdentityProviderException
     */
    private void updateRPInfo(String openId, String profileName, ParameterList params, OpenIDAdminClient client,
            HttpSession session) throws IdentityProviderException {

        if (!client.isOpenIDUserApprovalBypassEnabled()) {

            boolean alwaysApprovedRp = Boolean.parseBoolean(
                    (String) session.getAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS));

            client.updateOpenIDUserRPInfo(params.getParameterValue(IdentityConstants.OpenId.ATTR_RETURN_TO),
                    alwaysApprovedRp, profileName, openId);

        }
    }

    /**
     * Returns the login page URL. User will be redirected to this URL when they
     * are not authenticated.
     *
     * @param claimedID
     * @param request
     * @param params
     * @return loginPageUrl
     * @throws IdentityException
     * @throws IOException
     */
    private String getLoginPageUrl(String claimedID, HttpServletRequest request, ParameterList params)
            throws IdentityException, IOException {

        /*
         * We are setting the request's openid identifier to the session
         * here.  
         */
        request.getSession().setAttribute(OpenIDConstants.SessionAttribute.OPENID, claimedID);

        String commonAuthURL = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH);
        String selfPath = URLEncoder.encode("/" + FrameworkConstants.OPENID_SERVER, "UTF-8");
        String sessionDataKey = UUIDGenerator.generateUUID();

        //Authentication context keeps data which should be sent to commonAuth endpoint
        AuthenticationRequest authenticationRequest = new AuthenticationRequest();
        authenticationRequest.setRelyingParty(getRelyingParty(request));
        authenticationRequest.setCommonAuthCallerPath(selfPath);
        String username = null;
        String tenantDomain = null;
        if (params.getParameterValue(FrameworkConstants.OPENID_IDENTITY) != null) {
            username = OpenIDUtil.getUserName(params.getParameterValue(FrameworkConstants.OPENID_IDENTITY));
            authenticationRequest.addRequestQueryParam(FrameworkConstants.USERNAME, new String[] { username });
        }
        if (params.getParameterValue(FrameworkConstants.RequestParams.TENANT_DOMAIN) != null) {
            tenantDomain = params.getParameterValue(FrameworkConstants.RequestParams.TENANT_DOMAIN);
            authenticationRequest.setTenantDomain(tenantDomain);
        }

        boolean forceAuthenticate = false;
        if (!claimedID.endsWith("/openid/")) {
            String authenticatedUser = (String) request.getSession()
                    .getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);
            if (log.isDebugEnabled()) {
                log.debug("claimedID : " + claimedID + ", authenticated user : " + authenticatedUser);
            }
            if (authenticatedUser != null && !"".equals(authenticatedUser.trim())
                    && !claimedID.equals(authenticatedUser.trim())) {
                if (log.isDebugEnabled()) {
                    log.debug("Overriding previously authenticated OpenID : " + authenticatedUser
                            + " with the OpenID in the current request :" + claimedID
                            + " and setting forceAuthenticate.");
                }
                forceAuthenticate = true;
            }
        }
        authenticationRequest.setForceAuth(forceAuthenticate);
        //Add request headers to authentication request context. ie to cache
        authenticationRequest.setRequestQueryParams(request.getParameterMap());
        for (Enumeration headerNames = request.getHeaderNames(); headerNames.hasMoreElements();) {
            String headerName = headerNames.nextElement().toString();
            authenticationRequest.addHeader(headerName, request.getHeader(headerName));
        }

        AuthenticationRequestCacheEntry authRequest = new AuthenticationRequestCacheEntry(authenticationRequest);
        FrameworkUtils.addAuthenticationRequestToCache(sessionDataKey, authRequest);
        StringBuilder queryStringBuilder = new StringBuilder();
        queryStringBuilder.append(commonAuthURL).append("?").append(FrameworkConstants.SESSION_DATA_KEY).append("=")
                .append(sessionDataKey).append("&").append(FrameworkConstants.RequestParams.TYPE).append("=")
                .append(FrameworkConstants.RequestType.CLAIM_TYPE_OPENID);
        // reading the authorization header for request path authentication
        FrameworkUtils.setRequestPathCredentials(request);

        return queryStringBuilder.toString();
    }

    /**
     * Return the error response message based on the given message
     *
     * @param message Error message
     * @return Direct error
     */
    private String getErrorResponseText(String message) {
        log.error(message);
        return DirectError.createDirectError(message).keyValueFormEncoding();
    }

    /**
     * Send a direct response to the RP.
     *
     * @param httpResp HttpServletResponse
     * @param response Response message
     * @return
     * @throws IOException
     */
    private void directResponse(HttpServletResponse httpResp, String response) throws IOException {
        ServletOutputStream stream = null;
        try {
            stream = httpResp.getOutputStream();
            stream.write(response.getBytes());
        } finally {
            if (stream != null) {
                stream.close();
            }
        }
    }

    private void handleRequestFromLoginPage(HttpServletRequest req, HttpServletResponse resp)
            throws IdentityException {

        try {
            HttpSession session = req.getSession();

            String claimedID = (String) session.getAttribute(OpenIDConstants.RequestParameter.OPENID);

            if (claimedID == null) {
                throw new IdentityException("No valid OpenID Identifier found. Terminating authentication flow");
            }

            String userName = null;
            AuthenticationResult authnResult = null;

            if (req.getParameter("sessionDataKey") != null) {
                authnResult = getAuthenticationResultFromCache(req.getParameter("sessionDataKey"));
            }

            // Directed Identity handling
            if (claimedID.endsWith("/openid/")) {

                if (authnResult != null && authnResult.isAuthenticated()) {
                    userName = authnResult.getSubject().getAuthenticatedSubjectIdentifier();
                    session.setAttribute(OpenIDConstants.AUTHENTICATION_RESULT, authnResult);
                }

                String authenticatedUserName = (String) session
                        .getAttribute(OpenIDConstants.SessionAttribute.USERNAME);

                // setting the authenticated user in the session
                if (userName != null && !"".equals(userName.trim())) {

                    if (authenticatedUserName != null && authenticatedUserName.equals(userName)) {
                        log.debug(
                                "Username in request is different from the authenticated username in the session. Starting new session ");
                        session.removeAttribute(OpenIDConstants.SessionAttribute.USERNAME);
                    }

                    session.setAttribute(OpenIDConstants.SessionAttribute.USERNAME, userName);
                    claimedID = claimedID + userName;
                }

                // set the username from the session
                if (userName == null || "".equals(userName.trim())) {
                    userName = authenticatedUserName;
                }
            }

            // This is important. Created openid in the directed identity case
            session.setAttribute(OpenIDConstants.SessionAttribute.OPENID, claimedID);

            boolean isAuthenticated = false;

            // if the user is already authenticated, then the openid should be in the session
            String authenticatedOpenID = (String) session
                    .getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);

            // if they are the same, then user is already logged in
            if (authenticatedOpenID != null && authenticatedOpenID.equals(claimedID)) {
                isAuthenticated = true;
            }

            OpenIDAdminClient client = OpenIDUtil.getOpenIDAdminClient(session);

            if (!isAuthenticated && authnResult != null) {
                isAuthenticated = authnResult.isAuthenticated();
            }

            if (isAuthenticated) {

                // set the authenticated openid identifier in the session
                session.setAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID, claimedID);

                // check for the <OpenIDSkipUserConsent> in the identity.xml
                if (client.isOpenIDUserApprovalBypassEnabled()) {

                    session.setAttribute(OpenIDConstants.SessionAttribute.ACTION,
                            IdentityConstants.OpenId.AUTHENTICATED);
                    session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED, "true");
                    session.setAttribute(OpenIDConstants.SessionAttribute.SELECTED_PROFILE, "default");

                    req.setAttribute("nonlogin", "true");
                    RequestDispatcher dispatcher = req.getRequestDispatcher("../../openidserver");
                    dispatcher.forward(req, resp);

                } else {
                    // now we read the database for the user's consent.
                    String[] rpInfo = client.getOpenIDUserRPInfo(claimedID,
                            ((ParameterList) session.getAttribute(OpenId.PARAM_LIST))
                                    .getParameterValue(OpenId.ATTR_RETURN_TO));

                    if ("true".equals(rpInfo[0])) { // approve always
                        session.setAttribute(OpenIDConstants.SessionAttribute.ACTION,
                                IdentityConstants.OpenId.AUTHENTICATED);
                        session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED, "true");
                        session.setAttribute(OpenIDConstants.SessionAttribute.USER_APPROVED_ALWAYS, "true");
                        session.setAttribute(OpenIDConstants.SessionAttribute.SELECTED_PROFILE, rpInfo[1]);

                        req.setAttribute("nonlogin", "true");
                        RequestDispatcher dispatcher = req.getRequestDispatcher("../../openidserver");
                        dispatcher.forward(req, resp);

                    } else {
                        // no approval found of the user, so ask for it.

                        session.setAttribute(OpenIDConstants.SessionAttribute.ACTION,
                                IdentityConstants.OpenId.AUTHENTICATED);
                        sendToApprovalPage(req, resp);
                    }
                }

            } else {
                // re-login the user
                OpenIDUtil.deleteCookie("openidtoken", "/", req);
                OpenIDUtil.deleteCookie("openidrememberme", "/", req);
                session.removeAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID);

                // sending to the login page
                String openIdEndpointUrl = IdentityUtil.getServerURL("/authenticationendpoint/openid_login.do");

                resp.sendRedirect(openIdEndpointUrl
                        + OpenIDUtil.getLoginPageQueryParams(
                                (ParameterList) req.getSession().getAttribute(OpenId.PARAM_LIST))
                        + "&errorMsg=error.while.user.auth");
            }
        } catch (Exception e) {
            throw new IdentityException("Exception while handling request from the login page", e);
        }
    }

    private void sendToApprovalPage(HttpServletRequest req, HttpServletResponse resp) throws IOException {

        HttpSession session = req.getSession();

        PrintWriter out = resp.getWriter();
        out.println("<html>");
        out.println("<body>");
        out.println("<p>You are now redirected back to Approval Page.");
        out.println(" If the redirection fails, please click the post button.</p>");
        out.println("<form method='post' action='authenticationendpoint/openid_profile.do'>");
        out.println("<p>");

        AuthenticationResult authnResult = null;

        if (req.getParameter("sessionDataKey") != null) {
            authnResult = getAuthenticationResultFromCache(req.getParameter("sessionDataKey"));
        }

        Map<ClaimMapping, String> userAttributes = authnResult.getSubject().getUserAttributes();

        out.println("<input type='hidden' name='openid.identity' value='"
                + Encode.forHtmlAttribute(
                        (String) session.getAttribute(OpenIDConstants.SessionAttribute.AUTHENTICATED_OPENID))
                + "'>");
        out.println("<input type='hidden' name='openid.return_to' value='" + Encode.forHtmlAttribute(
                ((ParameterList) session.getAttribute(OpenId.PARAM_LIST)).getParameterValue(OpenId.ATTR_RETURN_TO))
                + "'>");

        if (userAttributes != null) {
            for (ClaimMapping claimMapping : userAttributes.keySet()) {
                String value = userAttributes.get(claimMapping);
                if (value != null) {
                    out.println("<input type='hidden' name='claimTag' value='"
                            + Encode.forHtmlAttribute(claimMapping.getLocalClaim().getClaimUri()) + "'>");
                    out.println("<input type='hidden' name='claimValue' value='"
                            + Encode.forHtmlAttribute(userAttributes.get(claimMapping)) + "'>");
                }
            }
        }

        out.println("<button type='submit'>POST</button>");
        out.println("</p>");
        out.println("</form>");
        out.println("<script type='text/javascript'>");
        out.println("document.forms[0].submit();");
        out.println("</script>");
        out.println("</body>");
        out.println("</html>");

        return;
    }

    private AuthenticationResult getAuthenticationResultFromCache(String sessionDataKey) {
        AuthenticationResult authResult = null;
        AuthenticationResultCacheEntry authResultCacheEntry = FrameworkUtils
                .getAuthenticationResultFromCache(sessionDataKey);
        if (authResultCacheEntry != null) {
            authResult = authResultCacheEntry.getResult();
        } else {
            log.error("Cannot find AuthenticationResult from the cache");
        }

        return authResult;
    }

    private String getRelyingParty(HttpServletRequest request) {
        return request.getParameter("openid.realm");
    }
}