@@ -3,12 +3,13 @@ package login

 import (

 	"net/http"

 	"net/url"

+	"strings"

 )

 func failed(reason string, w http.ResponseWriter, req *http.Request) {

 	uri, err := getBaseURL(req)

 	if err != nil {

-		http.Redirect(w, req, req.URL.Path, http.StatusTemporaryRedirect)

+		http.Redirect(w, req, req.URL.Path, http.StatusFound)

 		return

 	}

 	query := url.Values{}

@@ -17,7 +18,7 @@ func failed(reason string, w http.ResponseWriter, req *http.Request) {

 		query.Set("then", req.URL.Query().Get("then"))

 	}

 	uri.RawQuery = query.Encode()

-	http.Redirect(w, req, uri.String(), http.StatusTemporaryRedirect)

+	http.Redirect(w, req, uri.String(), http.StatusFound)

 }

 func getBaseURL(req *http.Request) (*url.URL, error) {

@@ -28,3 +29,22 @@ func getBaseURL(req *http.Request) (*url.URL, error) {

 	uri.Scheme, uri.Host, uri.RawQuery, uri.Fragment = req.URL.Scheme, req.URL.Host, "", ""

 	return uri, nil

 }

+

+func postForm(url string, body url.Values) (resp *http.Response, err error) {

+	tr := &http.Transport{}

+	req, err := http.NewRequest("POST", url, strings.NewReader(body.Encode()))

+	if err != nil {

+		return nil, err

+	}

+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

+	return tr.RoundTrip(req)

+}

+

+func getUrl(url string) (resp *http.Response, err error) {

+	tr := &http.Transport{}

+	req, err := http.NewRequest("GET", url, nil)

+	if err != nil {

+		return nil, err

+	}

+	return tr.RoundTrip(req)

+}

@@ -123,6 +123,8 @@ var DefaultConfirmFormRenderer = confirmTemplateRenderer{}

 type confirmTemplateRenderer struct{}

 func (r confirmTemplateRenderer) Render(form ConfirmForm, w http.ResponseWriter, req *http.Request) {

+	w.Header().Add("Content-Type", "text/html")

+	w.WriteHeader(http.StatusOK)

 	if err := confirmTemplate.Execute(w, form); err != nil {

 		glog.Errorf("Unable render confirm template: %v", err)

 	}

@@ -93,20 +93,21 @@ func TestImplicit(t *testing.T) {

 		var resp *http.Response

 		if testCase.PostValues != nil {

-			r, err := http.PostForm(server.URL+testCase.Path, testCase.PostValues)

+			r, err := postForm(server.URL+testCase.Path, testCase.PostValues)

 			if err != nil {

 				t.Errorf("%s: unexpected error: %v", k, err)

 				continue

 			}

 			resp = r

 		} else {

-			r, err := http.Get(server.URL + testCase.Path)

+			r, err := getUrl(server.URL + testCase.Path)

 			if err != nil {

 				t.Errorf("%s: unexpected error: %v", k, err)

 				continue

 			}

 			resp = r

 		}

+		defer resp.Body.Close()

 		if testCase.ExpectStatusCode != 0 && testCase.ExpectStatusCode != resp.StatusCode {

 			t.Errorf("%s: unexpected response: %#v", k, resp)

@@ -1,6 +1,12 @@

 package login

-import ()

+import "net/http"

+

+// mux is an object that can register http handlers.

+type Mux interface {

+	Handle(pattern string, handler http.Handler)

+	HandleFunc(pattern string, handler func(http.ResponseWriter, *http.Request))

+}

 type CSRF interface {

 	Generate() (string, error)

@@ -3,6 +3,7 @@ package login

 import (

 	"html/template"

 	"net/http"

+	"strings"

 	"github.com/golang/glog"

@@ -46,6 +47,15 @@ func NewLogin(csrf CSRF, auth PasswordAuthenticator, render LoginFormRenderer) *

 	}

 }

+// Install registers the login handler into a mux. It is expected that the

+// provided prefix will serve all operations. Path MUST NOT end in a slash.

+func (l *Login) Install(mux Mux, paths ...string) {

+	for _, path := range paths {

+		path = strings.TrimRight(path, "/")

+		mux.HandleFunc(path, l.ServeHTTP)

+	}

+}

+

 func (l *Login) ServeHTTP(w http.ResponseWriter, req *http.Request) {

 	switch req.Method {

 	case "GET":

@@ -118,6 +128,8 @@ var DefaultLoginFormRenderer = loginTemplateRenderer{}

 type loginTemplateRenderer struct{}

 func (r loginTemplateRenderer) Render(form LoginForm, w http.ResponseWriter, req *http.Request) {

+	w.Header().Add("Content-Type", "text/html")

+	w.WriteHeader(http.StatusOK)

 	if err := loginTemplate.Execute(w, form); err != nil {

 		glog.Errorf("Unable to render login template: %v", err)

 	}

@@ -130,6 +142,6 @@ var loginTemplate = template.Must(template.New("loginForm").Parse(`

   <input type="hidden" name="csrf" value="{{ .Values.CSRF }}">

   <label>Login: <input type="text" name="username" value="{{ .Values.Username }}"></label>

   <label>Password: <input type="password" name="password" value=""></label>

-  <input type="submit" name="Login">

+  <input type="submit" value="Login">

 </form>

 `))

@@ -142,20 +142,21 @@ func TestLogin(t *testing.T) {

 		var resp *http.Response

 		if testCase.PostValues != nil {

-			r, err := http.PostForm(server.URL+testCase.Path, testCase.PostValues)

+			r, err := postForm(server.URL+testCase.Path, testCase.PostValues)

 			if err != nil {

 				t.Errorf("%s: unexpected error: %v", k, err)

 				continue

 			}

 			resp = r

 		} else {

-			r, err := http.Get(server.URL + testCase.Path)

+			r, err := getUrl(server.URL + testCase.Path)

 			if err != nil {

 				t.Errorf("%s: unexpected error: %v", k, err)

 				continue

 			}

 			resp = r

 		}

+		defer resp.Body.Close()

 		if testCase.ExpectStatusCode != 0 && testCase.ExpectStatusCode != resp.StatusCode {

 			t.Errorf("%s: unexpected response: %#v", k, resp)

@@ -42,3 +42,13 @@ func (a *SessionAuthenticator) AuthenticateRequest(req *http.Request) (api.UserI

 		Name: name,

 	}, true, nil

 }

+

+func (a *SessionAuthenticator) AuthenticationSucceeded(user api.UserInfo, w http.ResponseWriter, req *http.Request) error {

+	session, err := a.store.Get(req, a.name)

+	if err != nil {

+		return err

+	}

+	values := session.Values()

+	values[UserNameKey] = user.GetName()

+	return a.store.Save(w, req)

+}

@@ -3,12 +3,15 @@ package origin

 import (

 	"fmt"

 	"net/http"

+	"net/url"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"

 	"github.com/openshift/origin/pkg/auth/api"

+	"github.com/openshift/origin/pkg/auth/authenticator"

 	"github.com/openshift/origin/pkg/auth/oauth/handlers"

 	"github.com/openshift/origin/pkg/auth/oauth/registry"

+	"github.com/openshift/origin/pkg/auth/server/login"

 	"github.com/openshift/origin/pkg/auth/server/session"

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 	oauthetcd "github.com/openshift/origin/pkg/oauth/registry/etcd"

@@ -18,6 +21,7 @@ import (

 const (

 	OpenShiftOAuthAPIPrefix = "/oauth"

+	OpenShiftLoginPrefix    = "/login"

 )

 type AuthConfig struct {

@@ -41,7 +45,7 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 		storage,

 		osinserver.AuthorizeHandlers{

 			handlers.NewAuthorizeAuthenticator(

-				emptyAuth{},

+				&redirectAuthHandler{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"},

 				sessionAuth,

 			),

 			handlers.NewGrantCheck(

@@ -55,8 +59,12 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {

 	)

 	server.Install(mux, OpenShiftOAuthAPIPrefix)

+	login := login.NewLogin(emptyCsrf{}, &sessionPasswordAuthenticator{emptyPasswordAuth{}, sessionAuth}, login.DefaultLoginFormRenderer)

+	login.Install(mux, OpenShiftLoginPrefix)

+

 	return []string{

 		fmt.Sprintf("Started OAuth2 API at %%s%s", OpenShiftOAuthAPIPrefix),

+		fmt.Sprintf("Started login server at %%s%s", OpenShiftLoginPrefix),

 	}

 }

@@ -69,6 +77,32 @@ func (emptyAuth) AuthenticationError(err error, w http.ResponseWriter, req *http

 	fmt.Fprintf(w, "<body>AuthenticationError - %s</body>", err)

 }

+// Captures the original request url as a "then" param in a redirect to a login flow

+type redirectAuthHandler struct {

+	RedirectURL string

+	ThenParam   string

+}

+

+func (auth *redirectAuthHandler) AuthenticationNeeded(w http.ResponseWriter, req *http.Request) {

+	redirectURL, err := url.Parse(auth.RedirectURL)

+	if err != nil {

+		auth.AuthenticationError(err, w, req)

+		return

+	}

+	if len(auth.ThenParam) != 0 {

+		redirectURL.RawQuery = url.Values{

+			auth.ThenParam: {req.URL.String()},

+		}.Encode()

+	}

+	http.Redirect(w, req, redirectURL.String(), http.StatusFound)

+}

+

+func (auth *redirectAuthHandler) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) {

+	w.Header().Add("Content-Type", "text/html")

+	w.WriteHeader(http.StatusForbidden)

+	fmt.Fprintf(w, "<body>AuthenticationError - %s</body>", err)

+}

+

 type emptyGrant struct{}

 func (emptyGrant) GrantNeeded(grant *api.Grant, w http.ResponseWriter, req *http.Request) {

@@ -78,3 +112,55 @@ func (emptyGrant) GrantNeeded(grant *api.Grant, w http.ResponseWriter, req *http

 func (emptyGrant) GrantError(err error, w http.ResponseWriter, req *http.Request) {

 	fmt.Fprintf(w, "<body>GrantError - %s</body>", err)

 }

+

+type emptyCsrf struct{}

+

+func (emptyCsrf) Generate() (string, error) {

+	return "", nil

+}

+

+func (emptyCsrf) Check(string) (bool, error) {

+	return true, nil

+}

+

+//

+// Approves any login attempt with non-blank username and password

+//

+type emptyPasswordAuth struct{}

+

+func (emptyPasswordAuth) AuthenticatePassword(user, password string) (api.UserInfo, bool, error) {

+	if user == "" || password == "" {

+		return nil, false, nil

+	}

+	return &api.DefaultUserInfo{

+		Name: user,

+	}, true, nil

+}

+

+//

+// Saves the username of any successful password authentication in the session

+//

+type sessionPasswordAuthenticator struct {

+	passwordAuthenticator authenticator.Password

+	sessionAuthenticator  *session.SessionAuthenticator

+}

+

+// for login.PasswordAuthenticator

+func (auth *sessionPasswordAuthenticator) AuthenticatePassword(user, password string) (api.UserInfo, bool, error) {

+	return auth.passwordAuthenticator.AuthenticatePassword(user, password)

+}

+

+// for login.PasswordAuthenticator

+func (auth *sessionPasswordAuthenticator) AuthenticationSucceeded(user api.UserInfo, then string, w http.ResponseWriter, req *http.Request) {

+	err := auth.sessionAuthenticator.AuthenticationSucceeded(user, w, req)

+	if err != nil {

+		fmt.Fprintf(w, "<body>Could not save session, err=%#v</body>", err)

+		return

+	}

+

+	if len(then) != 0 {

+		http.Redirect(w, req, then, http.StatusFound)

+	} else {

+		fmt.Fprintf(w, "<body>PasswordAuthenticationSucceeded - user=%#v</body>", user)

+	}

+}