KnowledgeTree login improvements
23 Aug 2006
For the next (open source) version of KnowledgeTree, I've been working on some login improvements. One of the least dynamic parts of the system has always been the login system - you were okay if the user needed to enter a username and password and was already created, whether authenticated internally or via something like LDAP. But not weirder things...
This stuff can get really convoluted. Really quickly. So I tried to make it as simple as possible.
There are three stages in the standard login cycle:
- the display of the login screen (do_main),
- the page reached by entering something in the login screen (do_login),
- the cookie check to see if sessions are going to work out.
The first two have been modified, and in the same way. I've introduced a construct called a "login interceptor", which gets to mess around with how logins work in the system. At both of the first two steps, each configured interceptor is asked whether the user is already authenticated. If a User object is returned, that user is logged in, and passed to the cookie test.
After all the interceptors have been asked whether authentication has already succeeded, they are then each asked if they want to take over authentication entirely.
I had three main test cases (implemented as plugins totally external to the KnowledgeTree system) to see if I had made the system generic enough:
- OpenID, which lets the user insert a URL into the username field. The user is then directed to the OpenID server specified in the URL, and then redirected back to KnowledgeTree, whereupon we know whether the authentication failed or succeeded. The applications of OpenID authentication in KT aren't immediately obvious, but it's a good example of one type of login (i.e., with a login page on our side).
- CAS, the Central Authentication Service, used primarily at universities. CAS doesn't display a login page on our side at all - it requires us to redirect to it at a specific URL. It will then tell us if the authentication failed or succeeded. I know (since I wrote it) of at least one university department using a modified login.php to use CAS to log in, and we've had a number of queries about it - an obvious win.
- A "remember me" option added to the login screen. With this set, the user will be able to log in once and not log in again unless they explicitly log out. Not my personal security favourite, but this tests authentication based on things such as cookies or Apache mod_auth_*.
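Here is an added sketch (not KnowledgeTree's own code) of the two-pass interceptor chain described above, together with a "remember me" interceptor of the kind in the third test case. The class and method names, the `kt_remember` cookie name and the cookie format are assumptions; the cookie is HMAC-signed and carries an expiry so that it can't be forged or extended on the client side.

```php
<?php
// Added illustration; class and method names are hypothetical, not KnowledgeTree's real API.
interface LoginInterceptor {
    // Pass 1: return a User if this interceptor can already vouch for the request, else null.
    public function existingUser(array $request): ?User;
    // Pass 2: return true if this interceptor takes over authentication (e.g. redirects to CAS).
    public function takeOver(array $request): bool;
}

final class User {
    public function __construct(public string $name) {}
}

final class LoginChain {
    /** @param LoginInterceptor[] $interceptors */
    public function __construct(private array $interceptors) {}

    // Returns the logged-in User, or null when the standard login form should be shown
    // (or when an interceptor has taken over and, say, issued a redirect).
    public function run(array $request): ?User {
        foreach ($this->interceptors as $i) {           // pass 1: already authenticated?
            if ($u = $i->existingUser($request)) return $u;
        }
        foreach ($this->interceptors as $i) {           // pass 2: anyone want to take over?
            if ($i->takeOver($request)) return null;
        }
        return null;
    }
}

// "Remember me" interceptor: the cookie carries user|expiry|HMAC, so the server can verify
// it was issued by us and has not expired; the secret would come from server-side config.
final class RememberMeInterceptor implements LoginInterceptor {
    public function __construct(private string $secret) {}
    public function issue(string $user, int $expires): string {
        $payload = $user . '|' . $expires;
        return $payload . '|' . hash_hmac('sha256', $payload, $this->secret);
    }
    public function existingUser(array $request): ?User {
        $parts = explode('|', $request['cookie']['kt_remember'] ?? '', 3);
        if (count($parts) !== 3) return null;
        [$user, $expires, $mac] = $parts;
        $expected = hash_hmac('sha256', $user . '|' . $expires, $this->secret);
        // constant-time compare, then expiry check; any failure falls through to the login form
        if (!hash_equals($expected, $mac) || (int)$expires < time()) return null;
        return new User($user);
    }
    public function takeOver(array $request): bool { return false; }
}
```

A CAS-style interceptor would return null from the first pass and true from the second after redirecting; an Apache mod_auth_* one would return a User from the first pass based on the REMOTE_USER environment variable.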
Another aspect of the login improvements is automatic signup of KT users. This means not having to add users to KnowledgeTree from your LDAP or ActiveDirectory servers when they arrive at your organisation - they just log in with their credentials and they exist. With ActiveDirectory, this also means that they're added to all the groups from ActiveDirectory. So, once you've got your system set up, you don't need to spend much time logging in afterwards.
Altogether, this means that KnowledgeTree should be able to log you in from anywhere - cookies, environment variables from Apache, a totally taken over authentication process such as CAS, a some-local some-remote authentication process such as OpenID, and a more standard local authentication process using built-in authentication, LDAP, ActiveDirectory, or other databases.
2 old-style comments
Graham — December 18, 2006 at 06:37 PM.
Hi,
I am creating a web site using drupal and Knowledgetree. My requirement is to login with drupal and have knowledgetree automatically login as the same user when accessed. Can I use your new mechanisms to achieve this? Knowledgetree is a good product but my problem seems to be finding documentation about the internal workings to enable me to hook into it.
Graham
rexjun — April 07, 2008 at 04:36 AM.