Hello, I would like a few pointers - or possibly a suggestion of where to get further help.
I have some users that are authenticated via OpenID delegates (works) and some users that are authenticated via a web service to a central database.
I also need to let the user pick a "role" before the authentication concludes.
I must decide via which auth route to take based on a webservice call using their email address.
1. USER enters email
1b. CAS calls web service to look up account type
1c. if(password) then (goto 3) if(google openid) then (goto 2) end if
2. CAS triggers OpenID client delegate
2b. CAS collects user profile
2c. goto 4
3. USER enters password
3b. CAS authenticates using username and password via web service
3c. goto 4
4. CAS looks up roles using web service
4a. USER chooses role
4b. define a Principal that includes the email address and attributes based on the role chosen
5. login complete, grant tickets and service access etc.
In order to provide these components I just need to gain a better understanding of the CAS terminology that describes the workings.
I will use a simple webflow and actions to perform all of (1).
I already have the OpenID client for (2) working; I just need to wire it up in the scheme.
I can use a custom Handler to make the authentication call for (3).
I will use a policy that appreciates the state of either (2) or (3) and only authenticates properly when (4) has been concluded also.
I will use a sub-flow and actions to perform the role-choosing components in the form of a RoleChoiceCredential and a custom handler for that to implement (4).
I think I can use a custom PrincipalResolver to solve (4b) but haven't quite worked out how to glue together the results of a few stages of the authentication.
My current understanding fails at the following points:
Looking at the source: within AuthenticationViaFormAction.submit(...) I can see a whole heap of internal logic to do with tickets and cookies etc. that I don't want to break the functionality of.
E.g. isRequestAskingForServiceTicket(...) and grantServiceTicket(...). Do these need to be retained somewhere? I don't see these being used in other login actions (such as x509).
Any pointers would be appreciated.
Thanks
Rob
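The five-step flow above, modelled as an added example that is neither from the post nor from CAS: a small Python state object with constructed account, password and role data standing in for the web service. It shows the route being decided by the account-type lookup rather than by the user, each credential stage refusing the other route, and the principal being resolved only once both the credential stage (2 or 3) and the role choice (4) have completed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional
@dataclass
class LoginState:
    """Conversation state carried across the webflow stages (steps 1-5 of the post)."""
    email: str
    route: Optional[str] = None         # "password" or "google openid", set by step 1c
    credential_verified: bool = False   # set by step 2b or 3b
    chosen_role: Optional[str] = None   # set by step 4a
# Constructed stand-ins for the central database behind the web service.
ACCOUNT_TYPES = {"alice@example.org": "google openid", "bob@example.org": "password"}
PASSWORDS = {"bob@example.org": "correct horse"}
ROLES = {"alice@example.org": {"editor": {"dept": "news"}, "admin": {"dept": "it"}},
         "bob@example.org": {"viewer": {"dept": "sales"}}}

def lookup_account_type(state: LoginState) -> str:
    """Steps 1b/1c: the route is decided by the account type, never by user choice."""
    route = ACCOUNT_TYPES.get(state.email)
    if route is None:
        raise ValueError("unknown account")
    state.route = route
    return route

def authenticate_password(state: LoginState, password: str) -> bool:
    """Step 3b: only accepted on the password route; constant-time comparison."""
    if state.route != "password":
        raise ValueError("password not accepted on this route")
    stored = PASSWORDS.get(state.email, "")
    state.credential_verified = hmac.compare_digest(stored.encode(), password.encode())
    return state.credential_verified

def accept_openid_profile(state: LoginState, profile: dict) -> bool:
    """Step 2b: the delegated profile must match the email entered in step 1."""
    if state.route != "google openid":
        raise ValueError("OpenID not accepted on this route")
    state.credential_verified = profile.get("email") == state.email
    return state.credential_verified

def choose_role(state: LoginState, role: str) -> None:
    """Steps 4/4a: roles are offered only after the credential stage succeeded."""
    if not state.credential_verified or role not in ROLES.get(state.email, {}):
        raise ValueError("role not available")
    state.chosen_role = role

def resolve_principal(state: LoginState) -> Optional[dict]:
    """Step 4b: release a principal only when (2 or 3) and (4) have both completed."""
    if not (state.credential_verified and state.chosen_role):
        return None
    attrs = {"role": state.chosen_role, **ROLES[state.email][state.chosen_role]}
    return {"id": state.email, "attributes": attrs}
```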