authpds 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,5 @@
+= Authpds
+
+This project provides a mechanism for authenticating via Ex Libris' Patron Directory Services (PDS) and provides hooks for making authorization decisions based on the user information provided by PDS.  It leverages the authlogic gem and depends on a User-like model.
+
+For con

data/Rakefile

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Authpds'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/authpds.rb

@@ -0,0 +1,17 @@
+require 'active_support/dependencies'
+require 'authlogic'
+AUTHPDS_PATH = File.dirname(__FILE__) + "/authpds/"
+[ 
+  'acts_as_authentic',
+  'session',
+  'institution',
+  'institution_list',
+  'exlibris/pds',
+  'controllers/authpds_controller'
+].each do |library|
+  require AUTHPDS_PATH + library
+end
+if ActiveRecord::Base.respond_to?(:add_acts_as_authentic_module)
+  ActiveRecord::Base.send(:include, Authpds::ActsAsAuthentic)
+end
+Authlogic::Session::Base.send(:include, Authpds::Session)

data/lib/authpds/acts_as_authentic.rb

@@ -0,0 +1,69 @@
+module Authpds
+  module ActsAsAuthentic
+    def self.included(klass)
+      klass.class_eval do
+        add_acts_as_authentic_module(InstanceMethods, :prepend)
+      end
+    end
+
+    module InstanceMethods
+      def self.included(klass)
+        klass.class_eval do
+          serialize :user_attributes
+          attr_accessor :expiration_date
+        end
+      end
+
+      public
+      # Setting the username field also resets the persistence_token if the value changes.
+      def username=(value)
+        write_attribute(:username, value)
+        reset_persistence_token if username_changed?
+      end
+
+      def primary_institution
+        return nil unless InstitutionList.institutions_defined?
+        InstitutionList.instance.get(user_attributes[:primary_institution]) unless user_attributes.nil?
+      end
+
+      def primary_institution=(primary_institution)
+        primary_institution = primary_institution.name if primary_institution.is_a?(Institution)
+        raise ArgumentError.new(
+          "Institution #{primary_institution} does not exist.\n" + 
+          "Please maker sure the institutions yaml file is configured correctly.") if InstitutionList.instance.get(primary_institution).nil?
+        self.user_attributes=({:primary_institution => primary_institution})
+      end
+
+      def institutions
+        return nil unless InstitutionList.institutions_defined?
+        user_attributes[:institutions].collect { |institution|
+          InstitutionList.instance.get(institution) } unless user_attributes.nil?
+      end
+
+      def institutions=(institutions)
+        raise ArgumentError.new(
+          "Institutions input should be an array.") unless institutions.is_a?(Array)
+        filtered_institutions = institutions.collect { |institution|
+          institution = institution.name if institution.is_a?(Institution)
+          institution unless InstitutionList.instance.get(institution).nil?
+        }
+        self.user_attributes=({:institutions => filtered_institutions})
+      end
+
+      # "Smart" updating of user_attributes.  Maintains user_attributes that are not explicity overwritten.
+      def user_attributes=(new_attributes)
+        write_attribute(:user_attributes, new_attributes) and return unless new_attributes.kind_of?(Hash)
+        # Set new/updated attributes
+        write_attribute(:user_attributes, (user_attributes || {}).merge(new_attributes))
+      end
+
+      # Returns a boolean based on whether the User has been refreshed recently.  
+      # If User#refreshed_at is older than User#expiration_date, the User is expired and the data
+      # may need to be refreshed.
+      def expired?
+        # If the record is older than the expiration date, it is expired.
+        (refreshed_at.nil?) ? true : refreshed_at < expiration_date 
+      end
+    end
+  end
+end

data/lib/authpds/controllers/authpds_controller.rb

@@ -0,0 +1,68 @@
+module Authpds
+  module Controllers
+    module AuthpdsController
+
+      def self.included(klass)
+        klass.class_eval do
+          include InstanceMethods
+          helper_method :current_user_session, :current_user, :current_primary_institution
+        end
+      end
+    
+      module InstanceMethods
+
+        # Get the current UserSession if it exists
+        def current_user_session
+          @current_user_session ||= UserSession.find
+        end
+
+        # Get the current User if there is a UserSession
+        def current_user
+          @current_user ||= current_user_session.record unless current_user_session.nil?
+        end
+
+        # Determine current primary institution based on:
+        #   0. institutions are not being used (returns nil)
+        #   1. institution query string parameter in URL
+        #   2. institution associated with the client IP
+        #   3. primary institution for the current user
+        #   4. first default institution
+        def current_primary_institution
+            @current_primary_institution ||= 
+              (InstitutionList.institutions_defined?) ?
+                (params["institution"].nil? or InstitutionList.instance.get(params["institution"]).nil?) ?
+                  (primary_institution_from_ip.nil?) ?
+                    (current_user.nil? or current_user.primary_institution.nil?) ?
+                      InstitutionList.instance.default_institutions.first :
+                        current_user.primary_institution :
+                          primary_institution_from_ip :
+                            InstitutionList.instance.get(params["institution"]) :
+                              nil
+        end
+
+        # Grab the first institution that matches the client IP
+        def primary_institution_from_ip
+          InstitutionList.instance.institutions_with_ip(request.remote_ip).first unless request.nil?
+        end
+
+        # Determine institution layout based on:
+        #   1. primary institution's resolve_layout
+        #   2. default - views/layouts/application
+        def institution_layout
+          (current_primary_institution.nil? or current_primary_institution.application_layout.nil?) ? 
+            :application : current_primary_institution.application_layout
+        end
+
+        # Override to add institution.
+        def url_for(options={})
+          options["institution"] = params["institution"] unless params["institution"].nil? or options["institution"]
+          super(options)          
+        end
+
+        def user_session_redirect_url(url)
+          (url.nil?) ? (request.referer.nil?) ? root_url : request.referer : url
+        end
+      end
+    end
+  end
+end

data/lib/authpds/controllers/authpds_user_sessions_controller.rb

@@ -0,0 +1,36 @@
+module Authpds
+  module Controllers
+    module AuthpdsUserSessionsController
+
+    	# GET /user_sessions/new
+    	# GET /login
+    	def new
+    		@user_session = UserSession.new(params)
+    		@user_session.before_login(params) and return if performed?
+    		redirect_to @user_session.login_url(params) unless @user_session.login_url.nil?
+    		raise RuntimeError.new( "Error in #{self.class}.\nNo login url defined") if @user_session.login_url.nil?
+    	end
+
+    	# GET /validate
+    	def validate
+    		@user_session = UserSession.new(params[:user_session])
+    		@user_session.save do |result|
+    			@user_session.errors.each_full {|error|
+    				flash[:error] = "There was an error logging in. #{error}"
+    				logger.error("Error in #{self.class} while saving user session. #{error}")
+    			} unless result
+    	    	redirect_to (params[:return_url].nil?) ? root_url : params[:return_url]
+    		end
+    	end
+
+    	# DELETE /user_sessions/1
+    	# GET /logout
+    	def destroy
+    		user_session = UserSession.find
+    		logout_url = user_session.logout_url(params)
+    		user_session.destroy unless user_session.nil?
+    		redirect_to user_session_redirect_url(logout_url)
+    	end
+    end
+  end
+end

data/lib/authpds/exlibris/pds.rb

@@ -0,0 +1,59 @@
+module Authpds
+  module Exlibris
+    module Pds
+      require 'nokogiri'
+      require 'uri'
+      require 'net/http'
+
+      # Makes a call to the PDS get-attribute API.
+      # Defaults attribute equal to "bor_info".
+      # Raises an exception on if it encounters errors.
+      class GetAttribute
+        attr_reader :response, :error
+
+        protected
+        # Call to the PDS API.
+        def initialize(pds_url, calling_system, pds_handle, attribute)
+          raise ArgumentError.new("Argument Error in #{self.class}. :pds_url not specified in config.") if pds_url.nil?;
+          raise ArgumentError.new("Argument Error in #{self.class}. :calling_system not specified in config.") if calling_system.nil?;
+          raise ArgumentError.new("Argument Error in #{self.class}. :pds_handle is null.") if pds_handle.nil?;
+          raise ArgumentError.new("Argument Error in #{self.class}. :attribute is null.") if pds_handle.nil?;
+          pds_uri = URI.parse("#{pds_url}/pds?func=get-attribute&attribute=#{attribute}&calling_system=#{calling_system}&pds_handle=#{pds_handle}")
+          http = Net::HTTP.new(pds_uri.host, pds_uri.port)
+          # Set read timeout to 15 seconds.
+          http.read_timeout = 15
+          http.use_ssl = true if pds_uri.is_a?(URI::HTTPS)
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
+          response = http.post(pds_uri.path, pds_uri.query)
+          begin
+            response.value
+          rescue Exception => e
+            raise "Error in #{self.class}. Invalid HTTP response status.\n#{e.message}"
+          end
+          # PDS returns as HTML content type, unfortunately.
+          @response = Nokogiri.XML(response.body)
+          @error = @response.at("//error").inner_text unless @response.at("//error").nil?
+          # Don't raise an error, because user not found is reported as an error.
+        end
+      end  
+
+      # Makes a call get-attribute with attribute "bor_info".
+      # Raises an exception if there is an unexpected response.
+      class BorInfo < GetAttribute
+
+        protected
+        def initialize(pds_url, calling_system, pds_handle, bor_info_attributes)
+          super(pds_url, calling_system, pds_handle, "bor_info")
+          raise RuntimeError.new( 
+            "Error in #{self.class}."+
+            "Unrecognized response: #{@response}.") unless @response.root.name.eql?("bor-info") or @response.root.name.eql?("pds")
+          bor_info_attributes.each { |local_attribute, xml_attribute|
+            self.class.send(:attr_reader, local_attribute)
+            instance_variable_set("@#{local_attribute}".to_sym, 
+              @response.at("#{xml_attribute}").inner_text) unless @response.at("//bor-info/#{xml_attribute}").nil?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/authpds/institution.rb

@@ -0,0 +1,41 @@
+class Institution < Struct.new(:display_name, :name, :default_institution, 
+  :application_layout, :ip_addresses, :parent_institution, :view_attributes, :login_attributes)
+
+  # Better initializer than Struct gives us, take a hash instead
+  # of an ordered array. :services=>[] is an array of service ids,
+  # not actual Services!
+  def initialize(h={}, controller)
+    members.each {|m| self.send( ("#{m}=").to_sym , (h.delete(m.to_sym) || h.delete(m))) }
+    default_institution = false unless default_institution
+    # Log the fact that there are left overs in the hash
+    # Rails.logger.warn("The following institution settings were ignored: #{h.inspect}.") unless h.empty?
+  end
+
+  # Instantiates a new copy of all services included in this institution,
+  # returns an array. 
+  def instantiate_services!
+    services.collect {|s|  }
+  end
+  
+  # Check the list of IP addresses for the given IP
+  def includes_ip?(prospective_ip_address)
+    return false if ip_addresses.nil?
+    require 'ipaddr'
+    ip_prospect = IPAddr.new(prospective_ip_address)
+    ip_addresses.each do |ip_address|
+      ip_range = (ip_address.match(/[\-\*]/)) ? 
+        (ip_address.match(/\-/)) ? 
+          (IPAddr.new(ip_address.split("-")[0])..IPAddr.new(ip_address.split("-")[1])) :
+            (ip_address.gsub(/\*/, "0")..ip_address.gsub(/\*/, "255")) :
+              IPAddr.new(ip_address).to_range 
+      return true if ip_range === ip_prospect unless ip_range.nil?
+    end
+    return false;
+  end
+  
+  def to_h
+    h = {}
+    members.each {|m| h[m.to_sym] = self.send(m)}
+    h
+  end
+end

data/lib/authpds/institution_list.rb

@@ -0,0 +1,63 @@
+class InstitutionList
+  include Singleton # get the instance with InstitutionList.instance
+  @@institutions_yaml_path = nil
+
+  def initialize
+    @institutions = nil
+  end
+
+  # Used for initialization and testing
+  def self.yaml_path=(path)
+    @@institutions_yaml_path = path
+    self.instance.reload
+  end
+  
+  def self.institutions_defined?
+    return !@@institutions_yaml_path.nil?
+  end
+
+  # Returns an Institution
+  def get(name)
+    return institutions[name]
+  end
+
+  # Returns an array of Institutions
+  def default_institutions
+    return institutions.values.find_all {|institution| institution.default_institution == true}
+  end
+
+  # Returns an array of Institutions
+  def institutions_with_ip(ip)
+    return institutions.values.find_all { |institution| institution.includes_ip?(ip) }
+  end
+
+  # Reload institutions from the YAML file.
+  def reload
+    @institutions = nil
+    institutions
+    true
+  end
+
+  # Load institutions from the YAML file and return as a hash.
+  def institutions
+    unless @institutions
+      raise ArgumentError.new("institutions_yaml_path was not specified.") if @@institutions_yaml_path.nil?
+      raise NameError.new(
+        "The file #{@@institutions_yaml_path} does not exist. "+
+        "In order to use the institution feature you must create the file."
+      ) unless File.exists?(@@institutions_yaml_path)
+      institution_list = YAML.load_file( @@institutions_yaml_path )
+      @institutions = {}
+      # Turn the institution hashes to Institutions
+      institution_list.each_pair do |institution_name, institution_hash|
+        institution_hash["name"] = institution_name
+        # Merge with parent institution
+        institution_hash = 
+        institution_list[institution_hash["parent_institution"]].
+          merge(institution_hash) unless institution_hash["parent_institution"].nil?
+        @institutions[institution_name] = Institution.new(institution_hash)
+      end
+    end
+    return @institutions
+  end
+end

data/lib/authpds/session.rb

@@ -0,0 +1,335 @@
+module Authpds
+  # == Overview
+  # The Auth module mixes in callbacks to Authlogic::Session::Base for persisting, 
+  # validating and managing the destruction of sessions.  The module also provides
+  # instance methods used by the SessionController for managing UserSessions before 
+  # login and redirecting to login and logout urls.
+  # The methods in this module are intended to be overridden for custom authentication/authorization
+  # needs.  The documentation below describes the methods available for overriding, convenience methods
+  # available for use by custom implementations, instructions for mixing in custom implementations and
+  # further details about the module.
+  # 
+  # == Methods Available for Overriding
+  # :on_every_request:: Used for creating a UserSession without the User having to explicitly login, thereby supporting single sign-on. 
+  #                     When overridden, implementations should update the UserSession User, via UserSession#get_user based
+  #                     on custom authentication/authorization criteria.  Authlogic will take care of the rest by saving the User
+  #                     and creating the UserSession.
+  # :before_login:: Allows for custom logic immediately before a login is initiated.  If a controller :redirect_to or :render 
+  #                 is performed, the directive will supercede :login_url. Precedes :login_url.
+  # :login_url::  Should return a custom login URL for redirection to when logging in via a remote system.
+  #               If undefined, /login will go to the UserSession login view,
+  #               default user_session/new).  Preceded by :before_login.
+  # :after_login::  Used for creating a UserSession after login credentials are provided.  When overridden, 
+  #                 custom implementations should update the UserSession User, via UserSession#get_user based 
+  #                 on authentication/authorization criteria.  Authlogic will take care of the rest
+  #                 by saving the User and creating the UserSession.
+  # :before_logout:: Allows for custom logic immediately before logout is performed
+  # :after_logout:: Allows for custom logic immediately after logout is performed
+  # :redirect_logout_url:: Should return a custom logout URL for redirection to after logout has been performed.  
+  #               Allows for single sign-out via a remote system.
+  #
+  # == Convenience Methods for Use by Custom Implementations
+  # UserSession#controller::  Returns the current controller.  Used for accessing cookies and session information,
+  #                           performing redirects, etc.
+  # UserSession#get_user::  Returns the User for updating by :on_every_request and :after_login.  Returns an existing User
+  #                         if she exists, otherwise creates a new User.
+  # UserSession#validate_url:: Returns the URL for validating a UserSession on return from a remote login system.
+  # User#expiration_period=:: Sets the expiration date for the User. Default is one week ago.
+  # User#refreshed_at=:: Sets the last time the User was refreshed and saves the value to the database.
+  # User#expired?:: Returns a boolean based on whether the User has been refreshed recently.  
+  #                 If User#refreshed_at is older than User#expiration_date, the User is expired and the data
+  #                 may need to be refreshed.
+  # User#user_attributes=:: "Smart" updating of user_attributes.  Maintains user_attributes that are not explicity overwritten.
+  # 
+  # == Mixing in Custom Implementations
+  # Once you've built your class, you can mix it in to Authlogic with the following config setting in config/environment.rb
+  #       config.app_config.login = { 
+  #         :module => :PDS,
+  #         :cookie_name => "user_credentials_is_the_default"
+  #         :remember_me => true|false
+  #         :remember_me_for => seconds, e.g. 5.minutes }
+  #
+  # == Further Implementation Details 
+  # === Persisting a UserSession in AuthLogic
+  # When persisting a UserSession, Authlogic attempts to create the UserSession based on information available 
+  # without having to perform an actual login by calling the :persisting? method. Authologic provides several callbacks from the :persisting?
+  # method, e.g. :before_persisting, :persist, :after_persisting.  We're using the :persist callback and setting it to :on_every_request.
+  # 
+  # === Validating a UserSession in AuthLogic
+  # When validating a UserSession, Authlogic attempts to create the UserSession based on information available 
+  # from login by calling the :valid? method. Authologic provides several callbacks from the :valid?
+  # method, e.g. :before_validation, :validate, :after_validation.  We're using the :validate callback and setting it to :after_login.
+  #
+  # === Access to the controller in UserSession
+  # The class that UserSession extends, Authologic::Session::Base, has an explicit handle to the current controller via the instance method 
+  # :controller.  This gives our custom instance methods the access to cookies, session information, loggers, etc. and also allows them to 
+  # perform redirects and renders.
+  #
+  # === :before_login vs. :login_url
+  # :before_login allows for customized processing before the UserSessionController invokes a redirect or render to a /login page.  It is
+  # is fully generic and can be used for any custom purposes.  :login_url is specific for the case of logging in from a remote sytem.  The
+  # two methods can be used in conjuction, but any redirects or renders performed in :before_login, will supercede a redirect to :login_url.
+  #
+  # === UserSession#get_user vs. UserSession#attempted_record
+  # Both UserSession#get_user and UserSession#attempted_record provide access to the instance variable @attempted_record, but 
+  # UserSession#get_user set the instance variable to either an existing User (based on the username parameter), or creates a new User
+  # for use by implementing systems.  If custom implementations want to interact directly with UserSession#attempted_record and 
+  # @attempted_record, they are welcome to do so.
+  module Session
+    def self.included(klass)
+      klass.class_eval do
+        extend Config
+        include AuthpdsCallbackMethods
+        include InstanceMethods
+        include AuthlogicCallbackMethods
+        persist :persist_session
+        validate :after_login
+        before_destroy :before_logout
+        after_destroy :after_logout
+      end
+    end
+    
+    module Config
+      # Base pds url
+      def pds_url(value = nil)
+        rw_config(:pds_url, value)
+      end
+      alias_method :pds_url=, :pds_url
+
+      # Name of the system
+      def calling_system(value = nil)
+        rw_config(:calling_system, value, "authpds")
+      end
+      alias_method :calling_system=, :calling_system
+
+      # Does the system allow anonymous access?
+      def anonymous(value = nil)
+        rw_config(:anonymous, value, true)
+      end
+      alias_method :anonymous=, :anonymous
+
+      # Mapping of PDS attributes
+      def pds_attributes(value = nil)
+        rw_config(:pds_attributes, value, {:id => "id", :email => "email", :firstname => "name", :lastname => "name" })
+      end
+      alias_method :pds_attributes=, :pds_attributes
+
+      # Custom redirect logout url
+      def redirect_logout_url(value = nil)
+        rw_config(:redirect_logout_url, value, "")
+      end
+      alias_method :redirect_logout_url=, :redirect_logout_url
+
+      # Custom url to redirect to in case of system outage
+      def login_inaccessible_url(value = nil)
+        rw_config(:login_inaccessible_url, value, "")
+      end
+      alias_method :redirect_logout_url=, :redirect_logout_url
+
+      # PDS user method to call to identify record
+      def pds_record_identifier(value = nil)
+        rw_config(:pds_record_identifier, value, :id)
+      end
+      alias_method :pds_record_identifier=, :pds_record_identifier
+    end 
+    
+    module AuthpdsCallbackMethods
+      # Hook for more complicated logic to determine PDS user record identifier
+      def pds_record_identifier
+        self.class.pds_record_identifier
+      end
+      
+      # Hook to determine if we should set up an SSO session
+      def valid_sso_session?
+        return false
+      end
+      
+      # Hook to provide additional authorization requirements
+      def additional_authorization
+        return true
+      end
+
+      # Hook to add additional user attributes.
+      def additional_attributes
+        {}
+      end
+      
+      # Hook to update expiration date if necessary
+      def expiration_date
+        1.week.ago
+      end
+    end 
+    
+    module InstanceMethods
+      require "cgi"
+
+      def self.included(klass)
+        klass.class_eval do
+          cookie_key "#{calling_system}_credentials"
+        end
+      end
+
+      # Called by the user session controller login is initiated.
+      # Precedes :login_url
+      def before_login(params={})
+      end
+
+      # URL to redirect to for login.
+      # Preceded by :before_login
+      def login_url(params={})
+        return "#{self.class.pds_url}/pds?func=load-login&institute=#{institution_attributes["link_code"]}&calling_system=#{self.class.calling_system}&url=#{CGI::escape(validate_url(params))}"
+      end
+
+      # URL to redirect to after logout.
+      def logout_url(params={})
+        return "#{self.class.pds_url}/pds?func=logout&url=#{CGI::escape(CGI::escape(self.class.redirect_logout_url))}"
+      end
+      
+      # URL to redirect to in the case of establishing a SSO session.
+      def sso_url(params=nil)
+        return "#{self.class.pds_url}pds?func=sso&institute=#{institution_attributes["link_code"]}&calling_system=#{self.class.calling_system}&url=#{CGI::escape(validate_url(params))}"
+      end
+
+      def pds_user
+        begin
+          @pds_user ||= Authpds::Exlibris::Pds::BorInfo.new(self.class.pds_url, self.class.calling_system, pds_handle, pds_attributes) unless pds_handle.nil?
+          return @pds_user unless @pds_user.nil? or @pds_user.error
+        rescue Exception => e
+          # Delete the PDS_HANDLE, since this isn't working.
+          # controller.cookies.delete(:PDS_HANDLE) unless pds_handle.nil?
+          handle_login_exception e
+          return nil
+        end
+      end
+      
+      private
+      def authenticated?
+        authenticate
+      end
+
+      def authenticate
+        return false if controller.cookies["#{self.class.calling_system}_inaccessible".to_sym] == session_id
+        # If PDS session already established, authenticate
+        return true unless pds_user.nil?
+        # Establish a PDS session if the user logged in via an alternative SSO mechanism and this isn't being called after login
+        controller.redirect_to sso_url({
+          :return_url => controller.request.url }) if valid_sso_user? unless controller.params["action"] =="validate" or controller.performed?
+        # Otherwise, do not authenticate
+        return false
+      end
+
+      def authorized?
+        # Set all the information that is needed to make an authorization decision
+        set_record and return authorize
+      end
+
+      def authorize
+        # If PDS user is not nil (PDS session already established), authorize
+        !pds_user.nil? && additional_authorization
+      end
+      
+      # Get the record associated with this PDS user.
+      def get_record(username)
+        raise ArgumentError.new("Argument Error in #{self.class}. :pds_record_identifier given.") if pds_record_identifier.nil?
+    		record = klass.send(:find_by_username, username)
+        record = klass.new :username => username if record.nil?
+        return record
+      end
+
+      # Set the record information associated with this PDS user.
+      def set_record
+        self.attempted_record = get_record(pds_user.send(pds_record_identifier))
+        self.attempted_record.expiration_date = expiration_date
+        # Do this part only if user data has expired.
+        if self.attempted_record.expired?
+          pds_attributes.each { |user_attr, pds_attr|
+            self.attempted_record.send("#{user_attr}=".to_sym, pds_user.send(pds_attr.to_sym)) if user.respond_to?("#{user_attr}=".to_sym) }
+          # Set default pds user attributes
+          pds_attributes.each_key { |user_attr|
+            self.attempted_record.user_attributes = {
+              user_attr.to_sym => pds_user.send(user_attr.to_sym) }}
+        end
+        self.attempted_record.user_attributes= additional_attributes
+      end
+      
+    	# Returns the URL for validating a UserSession on return from a remote login system.
+    	def validate_url(params={})
+    		url = controller.url_for(:controller => '/', :action => :validate, :return_url => controller.user_session_redirect_url(params[:return_url]))
+        return url if params.nil? or params.empty?
+        url << "?" if url.match('\?').nil?
+        params.each do |key, value|
+          next if [:controller, :action, :return_url].include?(key)
+          url << "&#{self.class.calling_system}_#{key}=#{value}"
+        end
+        return url
+    	end
+
+      def institution_attributes
+        @institution_attributes = 
+          (controller.current_primary_institution.nil? or controller.current_primary_institution.login_attributes.nil?) ?
+            {} : controller.current_primary_institution.login_attributes
+      end
+      
+      def pds_attributes
+        @pds_attributes ||= self.class.pds_attributes
+      end
+
+      def session_id
+        @session_id ||=
+          (controller.session.respond_to?(:session_id)) ?
+            (controller.session.session_id) ?
+              controller.session.session_id : controller.session[:session_id] : controller.session[:session_id]
+      end
+
+      def anonymous?
+        self.class.anonymous
+      end
+
+      def pds_handle
+        return controller.cookies[:PDS_HANDLE] || controller.params[:pds_handle]
+      end
+
+      def handle_login_exception(error)
+        # Set a cookie saying that we've got some invalid stuff going on
+        # in this session.  Either PDS is screwy, OpenSSO is screwy, or both.
+        # Either way, we want to skip logging in since it's problematic (if anonymous).
+        controller.cookies["#{self.class.calling_system}_inaccessible".to_sym] = {
+          :value => session_id,
+          :path => "/" } if anonymous?
+        # If anonymous access isn't allowed, we can't rightfully set the cookie.
+        # We probably should send to a system down page.
+        controller.redirect_to(self.class.login_inaccessible_url)
+        alert_the_authorities error
+      end
+
+      def alert_the_authorities(error)
+        controller.logger.error("Error in #{self.class}. Something is amiss with PDS authentication. #{error.message}")
+      end
+    end
+
+    module AuthlogicCallbackMethods
+      private
+      # Callback method from Authlogic.
+      # Called while trying to persist the session.
+      def persist_session
+        destroy unless (authenticated? and authorized?) or anonymous?
+      end
+      
+      # Callback method from Authlogic.
+      # Called while validating on session save.
+      def after_login
+        authenticated? and authorized?
+      end
+
+      # Callback method from Authlogic.
+      # Called before destroying UserSession.
+      def before_logout
+      end
+
+      # Callback method from Authlogic.
+      # Called after destroying UserSession.
+      def after_logout
+      end
+    end
+  end
+end