From 5d4625d4216b7d26be2234cd2617377a5c929e85 Mon Sep 17 00:00:00 2001 From: jeb228 Date: Mon, 29 Nov 2010 20:08:34 +0000 Subject: [PATCH] NIHVIVO-1430 When a user logs in, change what is viewed. Consolidate the logic so an external user is more like an internal user. --- .../webapp/controller/VitroHttpServlet.java | 24 +- .../authenticate/Authenticator.java | 9 +- .../authenticate/BasicAuthenticator.java | 20 +- .../authenticate/ExternalAuthHelper.java | 7 +- .../authenticate/LoginExternalAuthReturn.java | 25 +-- .../authenticate/LoginRedirector.java | 208 +++++++++--------- .../webapp/controller/edit/Authenticate.java | 8 +- .../authenticate/AuthenticatorStub.java | 25 ++- .../controller/edit/AuthenticateTest.java | 82 ++++--- 9 files changed, 225 insertions(+), 183 deletions(-) diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java index b0aea03d5..6a2dd5aef 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroHttpServlet.java @@ -21,6 +21,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import edu.cornell.mannlib.vedit.beans.LoginStatusBean; +import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginRedirector; public class VitroHttpServlet extends HttpServlet { private static final long serialVersionUID = 1L; @@ -73,7 +74,7 @@ public class VitroHttpServlet extends HttpServlet { // ---------------------------------------------------------------------- /** - * If not logged in, send them to the login page. + * If not logged in, redirect them to the appropriate page. */ public static boolean checkLoginStatus(HttpServletRequest request, HttpServletResponse response) { 
@@ -90,8 +91,7 @@ public class VitroHttpServlet extends HttpServlet { } /** - * If not logged in at the minimum level or higher, send them to the login - * page. + * If not logged in at the minimum level or higher, redirect them to the appropriate page. */ public static boolean checkLoginStatus(HttpServletRequest request, HttpServletResponse response, int minimumLevel) { @@ -122,17 +122,15 @@ public class VitroHttpServlet extends HttpServlet { postLoginRequest = request.getRequestURI() + "?" + queryString; } - request.getSession().setAttribute("postLoginRequest", postLoginRequest); + LoginRedirector.setReturnUrlFromForcedLogin(request, postLoginRequest); + String loginPage = request.getContextPath() + Controllers.LOGIN; response.sendRedirect(loginPage); } - /** Don't dump the contents of these headers, even if log.trace is enabled. */ - private static final List BORING_HEADERS = new ArrayList( - Arrays.asList(new String[] { "host", "user-agent", "accept", - "accept-language", "accept-encoding", "accept-charset", - "keep-alive", "connection" })); - + /** + * If logging is set to the TRACE level, dump the HTTP headers on the request. + */ @SuppressWarnings("unchecked") @Override public void service(ServletRequest req, ServletResponse resp) @@ -152,4 +150,10 @@ public class VitroHttpServlet extends HttpServlet { super.service(req, resp); } + /** Don't dump the contents of these headers, even if log.trace is enabled. */ + private static final List BORING_HEADERS = new ArrayList( + Arrays.asList(new String[] { "host", "user-agent", "accept", + "accept-language", "accept-encoding", "accept-charset", + "keep-alive", "connection" })); + } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java index f26347708..03b434180 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java 
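Review bot: The value handed to `LoginRedirector.setReturnUrlFromForcedLogin` in the `@@ -122,17 +122,15` hunk is later sent to the browser as a redirect target, and nothing on the redirector side checks it; it is safe today only because this caller builds it from `request.getRequestURI()` (plus the query string), which is a server-relative path. That invariant is not written down anywhere, so a future caller could store an absolute URL and turn the helper into an open redirect. Put the requirement at the call site, e.g. `// Server-relative by construction (built from getRequestURI); LoginRedirector sends it to the browser unvalidated.` The enclosing checkLoginStatus overload starts before this hunk.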
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java @@ -66,10 +66,16 @@ public abstract class Authenticator { */ public abstract User getUserByUsername(String username); + /** + * Get the URI of the individual associated with this user, or null if no + * such Individual exists. + */ + public abstract String getAssociatedIndividualUri(String username); + /** * Get a list of URIs of the people that this user is allowed to edit. */ - public abstract List asWhomMayThisUserEdit(User user); + public abstract List asWhomMayThisUserEdit(String username); /** * Record a new password for the user. @@ -108,4 +114,5 @@ public abstract class Authenticator { * */ public abstract void recordUserIsLoggedOut(); + } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java index 3d2fd6712..ebf7f1a49 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java @@ -18,8 +18,11 @@ import edu.cornell.mannlib.vedit.beans.LoginFormBean; import edu.cornell.mannlib.vedit.beans.LoginStatusBean; import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource; import edu.cornell.mannlib.vitro.webapp.auth.policy.RoleBasedPolicy.AuthRole; +import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration; import edu.cornell.mannlib.vitro.webapp.beans.User; +import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate; +import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao; import edu.cornell.mannlib.vitro.webapp.dao.UserDao; import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory; import edu.cornell.mannlib.vitro.webapp.dao.jena.LoginEvent; 
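Review bot: The new abstract `getAssociatedIndividualUri(String username)` says nothing about a null username, yet the null handling this patch deletes (the private helper in LoginExternalAuthReturn returned null for a null username) is not restored in the BasicAuthenticator implementation in the next hunk, which passes the argument straight to `getIndividualUriFromUsername`. LoginExternalAuthReturn still calls the method on the line before its `if (username == null)` check, so a request with no external-auth header now reaches the DAO with a null name. State the contract in the Javadoc, `@param username may be null, in which case null is returned`, and open BasicAuthenticator.getAssociatedIndividualUri with `if (username == null) { return null; }`; the stub's HashMap lookup already returns null for a null key.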
@@ -197,8 +200,16 @@ public class BasicAuthenticator extends Authenticator { } @Override - public List asWhomMayThisUserEdit(User user) { - if (user == null) { + public String getAssociatedIndividualUri(String username) { + IndividualDao iDao = new VitroRequest(request).getWebappDaoFactory() + .getIndividualDao(); + return SelfEditingConfiguration.getBean(request) + .getIndividualUriFromUsername(iDao, username); + } + + @Override + public List asWhomMayThisUserEdit(String username) { + if (username == null) { return Collections.emptyList(); } @@ -207,6 +218,11 @@ public class BasicAuthenticator extends Authenticator { return Collections.emptyList(); } + User user = userDao.getUserByUsername(username); + if (user == null) { + return Collections.emptyList(); + } + String userUri = user.getURI(); if (userUri == null) { return Collections.emptyList(); diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java index 0023506bb..d32e47be9 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java @@ -35,7 +35,7 @@ public class ExternalAuthHelper { private static final String PROPERTY_EXTERNAL_AUTH_SERVER_URL = "externalAuth.serverUrl"; /** This configuration property says which HTTP header holds the username. */ - public static final String PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER = "externalAuth.netIdheaderName"; + public static final String PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER = "externalAuth.netIdHeaderName"; // ---------------------------------------------------------------------- // static methods 
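Review bot: Renaming the configuration key from `externalAuth.netIdheaderName` to `externalAuth.netIdHeaderName` in the ExternalAuthHelper hunk silently breaks any deployment whose properties file still carries the old spelling: the header name would presumably resolve to nothing, external logins would stop producing a username, and nothing in the log would point at the cause. Either read the old key as a fallback for one release, or log a warning at startup when the new key is absent, and call the rename out in the release notes. The BasicAuthenticator hunks above are consistent with the new Authenticator signature.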
@@ -57,7 +57,7 @@ public class ExternalAuthHelper { log.trace("No session; no need to create one."); return DUMMY_HELPER; } - + ServletContext context = session.getServletContext(); Object attr = context.getAttribute(BEAN_ATTRIBUTE); @@ -73,7 +73,8 @@ public class ExternalAuthHelper { } /** It would be private, but we want to allow calls for faking. */ - protected static void setBean(ServletContext context, ExternalAuthHelper bean) { + protected static void setBean(ServletContext context, + ExternalAuthHelper bean) { context.setAttribute(BEAN_ATTRIBUTE, bean); } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java index 2144daa0b..0db63a2b0 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java @@ -14,10 +14,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource; -import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration; -import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean; -import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao; /** * Handle the return from the external authorization login server. If we are @@ -27,8 +24,6 @@ public class LoginExternalAuthReturn extends BaseLoginServlet { private static final Log log = LogFactory .getLog(LoginExternalAuthReturn.class); - private final LoginRedirector loginRedirector = new LoginRedirector(); - /** *
 	 * Returning from the external authorization server. If we were successful,
@@ -47,7 +42,7 @@ public class LoginExternalAuthReturn extends BaseLoginServlet {
 			throws ServletException, IOException {
 		String username = ExternalAuthHelper.getHelper(req)
 				.getExternalUsername(req);
-		String uri = getAssociatedIndividualUri(username, req);
+		String uri = getAuthenticator(req).getAssociatedIndividualUri(username);
 
 		if (username == null) {
 			log.debug("No username.");
@@ -58,31 +53,21 @@ public class LoginExternalAuthReturn extends BaseLoginServlet {
 			getAuthenticator(req).recordLoginAgainstUserAccount(username,
 					AuthenticationSource.EXTERNAL);
 			removeLoginProcessArtifacts(req);
-			loginRedirector.redirectLoggedInUser(req, resp);
+			new LoginRedirector(req, resp).redirectLoggedInUser();
 		} else if (uri != null) {
 			log.debug("Recognize '" + username + "' as self-editor for " + uri);
 			getAuthenticator(req).recordLoginWithoutUserAccount(username, uri,
 					AuthenticationSource.EXTERNAL);
 			removeLoginProcessArtifacts(req);
-			loginRedirector.redirectSelfEditingUser(req, resp, uri);
+			new LoginRedirector(req, resp).redirectLoggedInUser();
 		} else {
 			log.debug("User is not recognized: " + username);
 			removeLoginProcessArtifacts(req);
-			loginRedirector.redirectUnrecognizedUser(req, resp, username);
+			new LoginRedirector(req, resp)
+					.redirectUnrecognizedExternalUser(username);
 		}
 	}
 
-	private String getAssociatedIndividualUri(String username,
-			HttpServletRequest req) {
-		if (username == null) {
-			return null;
-		}
-		IndividualDao indDao = new VitroRequest(req).getWebappDaoFactory()
-				.getIndividualDao();
-		return SelfEditingConfiguration.getBean(req)
-				.getIndividualUriFromUsername(indDao, username);
-	}
-
 	private void removeLoginProcessArtifacts(HttpServletRequest req) {
 		LoginProcessBean.removeBean(req);
 		req.getSession().removeAttribute(ATTRIBUTE_REFERRER);
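Review bot: The self-editor branch now goes through `redirectLoggedInUser()`, which re-derives the individual URI from the LoginStatusBean username instead of using the `uri` already resolved at the top of this method, so the path depends on `recordLoginWithoutUserAccount` having populated that bean's username — presumably it does, but the second DAO lookup and the implicit coupling deserve a comment here, e.g. `// LoginRedirector re-reads the username from LoginStatusBean, which recordLoginWithoutUserAccount has just set.` The enclosing method starts before this hunk.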
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
index b186cd475..28c1fb52a 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginRedirector.java
@@ -5,17 +5,16 @@ package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
-import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.RoleBasedPolicy.AuthRole;
-import edu.cornell.mannlib.vitro.webapp.beans.User;
+import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 
 /**
@@ -24,114 +23,127 @@ import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
 public class LoginRedirector {
 	private static final Log log = LogFactory.getLog(LoginRedirector.class);
 
-	public void redirectSelfEditingUser(HttpServletRequest request,
-			HttpServletResponse response, String uri) throws IOException {
-		String userHomePage = assembleUserHomePageUrl(request, uri);
-		log.debug("Redirecting self-editor to " + userHomePage);
-		response.sendRedirect(userHomePage);
+	private static final String ATTRIBUTE_RETURN_FROM_FORCED_LOGIN = "return_from_forced_login";
+
+	private final HttpServletRequest request;
+	private final HttpServletResponse response;
+	private final HttpSession session;
+
+	private final String urlOfRestrictedPage;
+	private final String uriOfAssociatedIndividual;
+
+	public LoginRedirector(HttpServletRequest request,
+			HttpServletResponse response) {
+		this.request = request;
+		this.session = request.getSession();
+		this.response = response;
+
+		urlOfRestrictedPage = getUrlOfRestrictedPage();
+		uriOfAssociatedIndividual = getAssociatedIndividualUri();
 	}
 
-	public void redirectUnrecognizedUser(HttpServletRequest request,
-			HttpServletResponse response, String username) throws IOException {
-		log.debug("Redirecting unrecognized user: " + username);
-		response.sendRedirect(request.getContextPath()
-				+ "/unrecognizedUser?username=" + username);
+	/** Were we forced to log in when trying to access a restricted page? */
+	private String getUrlOfRestrictedPage() {
+		String url = (String) session
+				.getAttribute(ATTRIBUTE_RETURN_FROM_FORCED_LOGIN);
+		session.removeAttribute(ATTRIBUTE_RETURN_FROM_FORCED_LOGIN);
+		log.debug("URL of restricted page is " + url);
+		return url;
+
 	}
 
-	/**
-	 * 
-	 * The user is logged in. They might go to:
-	 * - A one-time redirect, stored in the session, if they had tried to
-	 *     bookmark to a page that requires login.
-	 * - An application-wide redirect, stored in the servlet context.
-	 * - Their home page, if they are a self-editor.
-	 * - The site admin page.
-	 * 
- */ - public void redirectLoggedInUser(HttpServletRequest request, - HttpServletResponse response) throws IOException { - // Did they have a one-time redirect stored on the session? - String sessionRedirect = (String) request.getSession().getAttribute( - "postLoginRequest"); - if (sessionRedirect != null) { - request.getSession().removeAttribute("postLoginRequest"); - log.debug("User is logged in. Redirect by session to " - + sessionRedirect); - response.sendRedirect(sessionRedirect); - return; - } - - // Is there a login-redirect stored in the application as a whole? - // It could lead to another page in this app, or to any random URL. - String contextRedirect = (String) request.getSession() - .getServletContext().getAttribute("postLoginRequest"); - if (contextRedirect != null) { - log.debug("User is logged in. Redirect by application to " - + contextRedirect); - if (contextRedirect.indexOf(":") == -1) { - response.sendRedirect(request.getContextPath() - + contextRedirect); - } else { - response.sendRedirect(contextRedirect); - } - return; - } - - // If the user is a self-editor, send them to their home page. - User user = getLoggedInUser(request); - if (userIsANonEditor(user)) { - List uris = getAuthenticator(request) - .asWhomMayThisUserEdit(user); - if (uris != null && uris.size() > 0) { - String userHomePage = assembleUserHomePageUrl(request, - uris.get(0)); - log.debug("User is logged in. Redirect as self-editor to " - + userHomePage); - response.sendRedirect(userHomePage); - return; - } - } - - // If nothing else applies, send them to the Site Admin page. - log.debug("User is logged in. Redirect to site admin page."); - response.sendRedirect(getSiteAdminUrl(request)); - } - - /** Is the logged in user an AuthRole.USER? 
*/ - private boolean userIsANonEditor(User user) { - if (user == null) { - return false; - } - String nonEditorRoleUri = Integer.toString(AuthRole.USER.level()); - return nonEditorRoleUri.equals(user.getRoleURI()); - } - - /** - * What user are we logged in as? - */ - private User getLoggedInUser(HttpServletRequest request) { - LoginStatusBean bean = LoginStatusBean.getBean(request); - if (!bean.isLoggedIn()) { - log.debug("getLoggedInUser: not logged in"); + /** Is there an Individual associated with this user? */ + private String getAssociatedIndividualUri() { + String username = LoginStatusBean.getBean(request).getUsername(); + if (username == null) { + log.warn("Not logged in? How did we get here?"); return null; } - return getAuthenticator(request).getUserByUsername(bean.getUsername()); + + String uri = Authenticator.getInstance(request) + .getAssociatedIndividualUri(username); + log.debug("URI of associated individual is " + uri); + return uri; } - /** What's the URL for the site admin screen? */ - private String getSiteAdminUrl(HttpServletRequest request) { + public void redirectLoggedInUser() throws IOException { + if (isForcedFromRestrictedPage()) { + log.debug("Returning to restricted page."); + response.sendRedirect(urlOfRestrictedPage); + } else if (isUserEditorOrBetter()) { + log.debug("Going to site admin page."); + response.sendRedirect(getSiteAdminPageUrl()); + } else if (isSelfEditorWithIndividual()) { + log.debug("Going to Individual home page."); + response.sendRedirect(getAssociatedIndividualHomePage()); + } else { + log.debug("User not recognized. 
Going to application home."); + DisplayMessage.setMessage(request, "You have logged in, " + + "but the system contains no profile for you."); + response.sendRedirect(getApplicationHomePageUrl()); + } + } + + private boolean isForcedFromRestrictedPage() { + return urlOfRestrictedPage != null; + } + + private boolean isUserEditorOrBetter() { + return LoginStatusBean.getBean(session).isLoggedInAtLeast( + LoginStatusBean.EDITOR); + } + + private String getSiteAdminPageUrl() { String contextPath = request.getContextPath(); return contextPath + Controllers.SITE_ADMIN; } - /** Get a reference to the Authenticator. */ - private Authenticator getAuthenticator(HttpServletRequest request) { - return Authenticator.getInstance(request); + private boolean isSelfEditorWithIndividual() { + return uriOfAssociatedIndividual != null; } - private String assembleUserHomePageUrl(HttpServletRequest request, - String uri) throws UnsupportedEncodingException { - return request.getContextPath() + "/individual?uri=" - + URLEncoder.encode(uri, "UTF-8"); + private String getAssociatedIndividualHomePage() { + try { + return request.getContextPath() + "/individual?uri=" + + URLEncoder.encode(uriOfAssociatedIndividual, "UTF-8"); + } catch (UnsupportedEncodingException e) { + throw new IllegalStateException("No UTF-8 encoding? Really?", e); + } + } + + public void redirectUnrecognizedExternalUser(String username) + throws IOException { + log.debug("Redirecting unrecognized external user: " + username); + DisplayMessage.setMessage(request, + "VIVO cannot find a profile for your account."); + response.sendRedirect(getApplicationHomePageUrl()); + } + + /** + * The application home page can be overridden by an attribute in the + * ServletContext. Further, it can either be an absolute URL, or it can be + * relative to the application. Weird. 
+ */ + private String getApplicationHomePageUrl() { + String contextRedirect = (String) session.getServletContext() + .getAttribute("postLoginRequest"); + if (contextRedirect != null) { + if (contextRedirect.indexOf(":") == -1) { + return request.getContextPath() + contextRedirect; + } else { + return contextRedirect; + } + } + return request.getContextPath(); + } + + // ---------------------------------------------------------------------- + // static helper methods + // ---------------------------------------------------------------------- + + public static void setReturnUrlFromForcedLogin(HttpServletRequest request, + String url) { + request.getSession().setAttribute(ATTRIBUTE_RETURN_FROM_FORCED_LOGIN, + url); } } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java index d2b8e64c6..a2e7f9e5a 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java @@ -59,8 +59,6 @@ public class Authenticate extends VitroHttpServlet { /** Where do we find the User/Session map in the servlet context? */ public static final String USER_SESSION_MAP_ATTR = "userURISessionMap"; - private final LoginRedirector loginRedirector = new LoginRedirector(); - /** * Find out where they are in the login process, process any input, record * the new state, and show the next page. @@ -106,7 +104,7 @@ public class Authenticate extends VitroHttpServlet { showLoginScreen(vreq, response); break; default: // LOGGED_IN: - loginRedirector.redirectLoggedInUser(vreq, response); + new LoginRedirector(vreq, response).redirectLoggedInUser(); break; } } catch (Exception e) { 
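Review bot: The constructor has side effects: `getUrlOfRestrictedPage()` removes `return_from_forced_login` from the session and `getAssociatedIndividualUri()` performs an Authenticator lookup and warns when no username is set, so `new LoginRedirector(req, resp).redirectUnrecognizedExternalUser(username)` in LoginExternalAuthReturn, where nobody has been logged in, will presumably fire the "Not logged in? How did we get here?" warning for every unrecognized external user and silently discard any stored return URL. Defer both lookups to `redirectLoggedInUser()`, the only method that uses them, and keep the constructor to plain field assignment. Separately, `urlOfRestrictedPage` reaches `sendRedirect` unvalidated; the only production caller in this patch builds it from `getRequestURI()`, so it is server-relative today, but that is worth either stating in the Javadoc of `setReturnUrlFromForcedLogin` or enforcing in `getUrlOfRestrictedPage()` with `if (url != null && !url.startsWith(request.getContextPath())) { url = null; }`, assuming every restricted page lives under the context path.
```java
	private String urlOfRestrictedPage;
	private String uriOfAssociatedIndividual;

	public LoginRedirector(HttpServletRequest request,
			HttpServletResponse response) {
		this.request = request;
		this.session = request.getSession();
		this.response = response;
		// No session or DAO access here: see redirectLoggedInUser().
	}

	public void redirectLoggedInUser() throws IOException {
		// Resolved here rather than in the constructor so that building a
		// redirector for an unrecognized external user neither consumes the
		// stored return URL nor looks up an individual for a session that
		// was never logged in.
		urlOfRestrictedPage = getUrlOfRestrictedPage();
		uriOfAssociatedIndividual = getAssociatedIndividualUri();
		if (isForcedFromRestrictedPage()) {
		// … unchanged: remaining branches of redirectLoggedInUser …
```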
@@ -332,11 +330,11 @@ public class Authenticate extends VitroHttpServlet { private void showLoginScreen(VitroRequest vreq, HttpServletResponse response) throws IOException { log.debug("logging in."); - + String referringPage = vreq.getHeader("referer"); if (referringPage == null) { log.warn("No referring page on the request"); - referringPage = getHomeUrl(vreq); + referringPage = getHomeUrl(vreq); } response.sendRedirect(referringPage); return; diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java index b65623995..2d144d7b1 100644 --- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java +++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java @@ -71,6 +71,7 @@ public class AuthenticatorStub extends Authenticator { private final Map usersByName = new HashMap(); private final Map> editingPermissions = new HashMap>(); + private final Map associatedUris = new HashMap(); private final List recordedLogins = new ArrayList(); private final Map newPasswords = new HashMap(); @@ -84,11 +85,15 @@ public class AuthenticatorStub extends Authenticator { usersByName.put(user.getUsername(), user); } - public void addEditingPermission(String userUri, String personUri) { - if (!editingPermissions.containsKey(userUri)) { - editingPermissions.put(userUri, new ArrayList()); + public void addEditingPermission(String username, String personUri) { + if (!editingPermissions.containsKey(username)) { + editingPermissions.put(username, new ArrayList()); } - editingPermissions.get(userUri).add(personUri); + editingPermissions.get(username).add(personUri); + } + + public void setAssociatedUri(String username, String individualUri) { + associatedUris.put(username, individualUri); } public List getRecordedLoginUsernames() { 
@@ -113,6 +118,11 @@ public class AuthenticatorStub extends Authenticator { return usersByName.get(username); } + @Override + public String getAssociatedIndividualUri(String username) { + return associatedUris.get(username); + } + @Override public boolean isCurrentPassword(String username, String clearTextPassword) { if (!isExistingUser(username)) { @@ -129,10 +139,9 @@ public class AuthenticatorStub extends Authenticator { } @Override - public List asWhomMayThisUserEdit(User user) { - String userUri = user.getURI(); - if (editingPermissions.containsKey(userUri)) { - return editingPermissions.get(userUri); + public List asWhomMayThisUserEdit(String username) { + if (editingPermissions.containsKey(username)) { + return editingPermissions.get(username); } else { return Collections.emptyList(); } diff --git a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java index fc56485e6..2b4049242 100644 --- a/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java +++ b/webapp/test/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java @@ -29,6 +29,7 @@ import edu.cornell.mannlib.vitro.testing.AbstractTestClass; import edu.cornell.mannlib.vitro.webapp.beans.User; import edu.cornell.mannlib.vitro.webapp.controller.Controllers; import edu.cornell.mannlib.vitro.webapp.controller.authenticate.AuthenticatorStub; +import edu.cornell.mannlib.vitro.webapp.controller.authenticate.LoginRedirector; import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean; import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.State; 
@@ -96,26 +97,26 @@ public class AuthenticateTest extends AbstractTestClass { } private User createNewDbaUser() { - User dbaUser = new User(); - dbaUser.setUsername(USER_DBA_NAME); - dbaUser.setURI(USER_DBA_URI); - dbaUser.setRoleURI("50"); - dbaUser.setMd5password(Authenticate.applyMd5Encoding(USER_DBA_PASSWORD)); - dbaUser.setFirstTime(null); - dbaUser.setLoginCount(0); - return dbaUser; + User user = new User(); + user.setUsername(USER_DBA_NAME); + user.setURI(USER_DBA_URI); + user.setRoleURI("50"); + user.setMd5password(Authenticate.applyMd5Encoding(USER_DBA_PASSWORD)); + user.setFirstTime(null); + user.setLoginCount(0); + return user; } private User createOldHandUser() { - User ohUser = new User(); - ohUser.setUsername(USER_OLDHAND_NAME); - ohUser.setURI(USER_OLDHAND_URI); - ohUser.setRoleURI("1"); - ohUser.setMd5password(Authenticate + User user = new User(); + user.setUsername(USER_OLDHAND_NAME); + user.setURI(USER_OLDHAND_URI); + user.setRoleURI("1"); + user.setMd5password(Authenticate .applyMd5Encoding(USER_OLDHAND_PASSWORD)); - ohUser.setLoginCount(USER_OLDHAND_LOGIN_COUNT); - ohUser.setFirstTime(new Date(0)); - return ohUser; + user.setLoginCount(USER_OLDHAND_LOGIN_COUNT); + user.setFirstTime(new Date(0)); + return user; } // ---------------------------------------------------------------------- @@ -201,7 +202,7 @@ public class AuthenticateTest extends AbstractTestClass { auth.doPost(request, response); assertNoProcessBean(); - assertExpectedRedirect(URL_SITE_ADMIN_PAGE); + assertExpectedRedirect(URL_HOME_PAGE); assertExpectedLoginSessions(USER_OLDHAND_NAME); } 
@@ -291,14 +292,35 @@ public class AuthenticateTest extends AbstractTestClass { // ---------------------------------------------------------------------- @Test - public void redirectOnSession() { - session.setAttribute("postLoginRequest", URL_SESSION_REDIRECT); + public void redirectReturnToRestrictedPage() { + LoginRedirector.setReturnUrlFromForcedLogin(request, + URL_SESSION_REDIRECT); loginNotFirstTime(); assertExpectedLiteralRedirect(URL_SESSION_REDIRECT); } @Test - public void redirectOnServletContext() { + public void redirectDbaToSiteAdmin() { + authenticator.getUserByUsername(USER_OLDHAND_NAME).setRoleURI("50"); + loginNotFirstTime(); + assertExpectedRedirect(URL_SITE_ADMIN_PAGE); + } + + @Test + public void redirectSelfEditor() { + authenticator.setAssociatedUri(USER_OLDHAND_NAME, "selfEditorURI"); + loginNotFirstTime(); + assertExpectedRedirect(URL_SELF_EDITOR_PAGE); + } + + @Test + public void redirectUnrecognizedUserToHome() { + loginNotFirstTime(); + assertExpectedRedirect(URL_HOME_PAGE); + } + + @Test + public void redirectUnrecognizedUserToApplicationHome() { servletContext.setAttribute("postLoginRequest", URL_CONTEXT_REDIRECT_LOCAL); loginNotFirstTime(); 
@@ -306,26 +328,13 @@ public class AuthenticateTest extends AbstractTestClass { } @Test - public void redirectOnServletContextToExternalUrl() { + public void redirectUnrecognizedUserToApplicationExternalHome() { servletContext.setAttribute("postLoginRequest", URL_CONTEXT_REDIRECT_REMOTE); loginNotFirstTime(); assertExpectedLiteralRedirect(URL_CONTEXT_REDIRECT_REMOTE); } - @Test - public void redirectSelfEditor() { - authenticator.addEditingPermission(USER_OLDHAND_URI, "selfEditorURI"); - loginNotFirstTime(); - assertExpectedRedirect(URL_SELF_EDITOR_PAGE); - } - - @Test - public void redirectNoneOfTheAbove() { - loginNotFirstTime(); - assertExpectedRedirect(URL_SITE_ADMIN_PAGE); - } - // ---------------------------------------------------------------------- // helper methods // ---------------------------------------------------------------------- @@ -384,7 +393,8 @@ public class AuthenticateTest extends AbstractTestClass { LoginProcessBean bean = LoginProcessBean.getBean(request); assertEquals("state", state, bean.getState()); assertEquals("info message", infoMessage, bean.getInfoMessageAndClear()); - assertEquals("error message", errorMessage, bean.getErrorMessageAndClear()); + assertEquals("error message", errorMessage, + bean.getErrorMessageAndClear()); assertEquals("username", username, bean.getUsername()); } @@ -412,7 +422,7 @@ public class AuthenticateTest extends AbstractTestClass { assertEquals("recorded logins", expected, actualRecorded); } - /** Boilerplate login process for the rediret tests. */ + /** Boilerplate login process for the redirect tests. */ private void loginNotFirstTime() { setProcessBean(LOGGING_IN); setLoginNameAndPassword(USER_OLDHAND_NAME, USER_OLDHAND_PASSWORD);