added prompt=login support, addresses #323

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java

@@ -27,6 +27,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -46,6 +47,9 @@ public class PromptFilter extends GenericFilterBean {
 
 	private Logger logger = LoggerFactory.getLogger(PromptFilter.class);
 
+	public final static String PROMPTED = "PROMPT_FILTER_PROMPTED";
+	public final static String PROMPT_REQUESTED = "PROMPT_FILTER_REQUESTED";
+	
 	/**
 	 * 
 	 */
@@ -73,21 +77,33 @@ public class PromptFilter extends GenericFilterBean {
 					response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
 					return;
 				}
-				/* TODO: this is an attempt to catch the prompt=login case, but it results in an infinite loop so it's commented out
 			} else if (request.getParameter("prompt").equals("login")) {
+
+    			// first see if the user's already been prompted in this session
+				HttpSession session = request.getSession();
+    			if (session.getAttribute(PROMPTED) == null) {
+    				// user hasn't been PROMPTED yet, we need to check    			
+
+    				session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);
+    				
     				// see if the user's logged in
     				Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-
 	        		if (auth != null) {
 	        			// user's been logged in already (by session management)
 	        			// log them out and continue
 	        			SecurityContextHolder.getContext().setAuthentication(null);
 	        			chain.doFilter(req, res);
 	        		} else {
-        			// user hasn't been logged in yet, we can keep going
+	        			// user hasn't been logged in yet, we can keep going since we'll get there
+	        			chain.doFilter(req, res);
+	        		}
+    			} else {
+    				// user has been PROMPTED, we're fine
+    				
+    				// but first, undo the prompt tag
+    				session.removeAttribute(PROMPTED);
         			chain.doFilter(req, res);
     			}
-				 */
 			} else {
 				// prompt parameter is a value we don't care about, not our business
 				chain.doFilter(req, res);

openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java

@@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.mitre.openid.connect.filter.PromptFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
@@ -64,6 +65,11 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 
 		session.setAttribute(AUTH_TIMESTAMP, authTimestamp);
 		
+		if (session.getAttribute(PromptFilter.PROMPT_REQUESTED) != null) {
+			session.setAttribute(PromptFilter.PROMPTED, Boolean.TRUE);
+			session.removeAttribute(PromptFilter.PROMPT_REQUESTED);
+		}
+		
 		logger.info("Successful Authentication at " + authTimestamp.toString());
 
 		super.onAuthenticationSuccess(request, response, authentication);