
Support renew=true parameter for our CAS IdP #7674

Open

labkey-adam wants to merge 15 commits into develop from fb_cas_renew

Conversation

@labkey-adam (Contributor) commented May 16, 2026

Rationale

Add a "force re-auth" mode to our standard login workflow. This mode requires the user to re-enter credentials, ignoring any existing login (i.e., current user session).

Summary of standard login changes:

  • A forceReauth=true parameter provided to the login action enables "force re-auth" mode. LoginUrls.getForceReauthURL() encapsulates the details for callers.
  • If provided, the action always displays the login page, even if the user is logged in
  • Upon valid credential submission, LoginApiAction generates a secure token and stashes it and the re-auth user in the session. It adds the token to the redirect URL as reauthToken=XXXXX. Any existing user session is left untouched.
  • The redirect target action (e.g., cas-login) should check the validity of the re-auth token (via AuthenticationManager.getAndClearReauthUser()) to ensure re-auth took place immediately before action invocation
  • If successfully validated, the re-auth token is removed from the session, eliminating any chance of token playback

Use by cas-login with the renew=true option

  • Our CAS IdP leverages the "force re-auth" mode above to implement renew=true
  • The bulk of this handling is in CAS LoginAction
  • A LoginAction.checkPermissions() override checks for the renew parameter. If not present, it proceeds normally (super.checkPermissions()).
  • If renew is requested, it checks for a valid re-auth token
  • If present and valid, it proceeds to create a CAS ticket and mark it as "renew"
  • Otherwise, it redirects to getForceReauthURL()
  • If ServiceValidateAction is invoked with a ticket and renew parameter, it returns an error if the ticket is not marked as "renew"

Related Pull Requests

Largely Unrelated Changes

  • Make AssayIntegrationTestCase.jsp pass on SQL Server
  • Get rid of unused login page remember parameter handling
  • ViewContext.getRequestOrThrow() to reduce NPE warnings
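The two procedures described in the PR body (the "force re-auth" login mode and its use by cas-login with renew=true) as one runnable end-to-end model. This is an added example, not code from this PR or from LabKey Server. The names Session, login_api_action, get_and_clear_reauth_user, force_reauth_url, cas_login and service_validate, the 60-second freshness window, the error strings and the in-memory credential and ticket stores are all assumptions made for the illustration; the real actions, URL helpers and AuthenticationManager are not reproduced here.

```python
"""Single-use re-auth token handshake, modelled on the PR description.

Added illustration, not LabKey code: every name, the freshness window, the
error strings and the credential store are assumptions for this example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

REAUTH_MAX_AGE_S = 60  # assumed bound on "re-auth took place immediately before"

# Constructed stand-in for the real credential provider (plaintext for brevity).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    """Server-side session. Re-auth never modifies `user`, the existing login."""
    user: Optional[str] = None
    reauth_user: Optional[str] = None
    reauth_token: Optional[str] = None
    reauth_issued: float = 0.0


@dataclass
class Ticket:
    user: str
    renew: bool  # True only if issued right after a validated re-auth


TICKETS: Dict[str, Ticket] = {}


def query_param(url: str, name: str) -> Optional[str]:
    """First value of a query parameter, or None."""
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def force_reauth_url(return_url: str) -> str:
    """Login page in force-re-auth mode (the role LoginUrls.getForceReauthURL plays)."""
    return "/login/login.view?" + urlencode({"forceReauth": "true", "returnUrl": return_url})


def login_api_action(session: Session, username: str, password: str,
                     return_url: str, force_reauth: bool) -> Optional[str]:
    """Check credentials; return the redirect URL, or None if they are wrong.

    In force-re-auth mode a fresh token and the re-authenticated user are
    stashed in the session and the token is appended as reauthToken=...;
    the existing session.user is left exactly as it was.
    """
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    if not force_reauth:
        session.user = username  # ordinary login establishes the session user
        return return_url
    session.reauth_token = secrets.token_urlsafe(32)  # 256 bits from os.urandom
    session.reauth_user = username
    session.reauth_issued = time.monotonic()
    sep = "&" if "?" in return_url else "?"
    return return_url + sep + urlencode({"reauthToken": session.reauth_token})


def get_and_clear_reauth_user(session: Session, presented: Optional[str],
                              now: Optional[float] = None) -> Optional[str]:
    """Return the re-authenticated user if `presented` matches the stashed token.

    The stash is cleared on every call (stricter than "on success"), so a token
    is consumed at most once and a replayed, guessed, stale or foreign-session
    token never yields a user.
    """
    stored, user = session.reauth_token, session.reauth_user
    session.reauth_token = session.reauth_user = None
    if stored is None or presented is None:
        return None
    now = time.monotonic() if now is None else now
    if now - session.reauth_issued > REAUTH_MAX_AGE_S:
        return None
    if not hmac.compare_digest(stored.encode(), presented.encode()):
        return None
    return user


def cas_login(session: Session, service: str, renew: bool,
              reauth_token: Optional[str]) -> str:
    """CAS login: return service?ticket=... or the URL the user must visit first."""
    back = "/cas/login.view?" + urlencode({"service": service, "renew": str(renew).lower()})
    if renew:
        user = get_and_clear_reauth_user(session, reauth_token)
        if user is None:  # missing, stale, replayed or foreign token: re-auth first
            return force_reauth_url(back)
    else:
        if session.user is None:
            return "/login/login.view?" + urlencode({"returnUrl": back})
        user = session.user
    ticket_id = "ST-" + secrets.token_urlsafe(16)
    TICKETS[ticket_id] = Ticket(user=user, renew=renew)
    sep = "&" if "?" in service else "?"
    return service + sep + urlencode({"ticket": ticket_id})


def service_validate(ticket_id: str, renew: bool) -> dict:
    """CAS serviceValidate: unknown tickets fail; so do non-renew tickets when renew is demanded."""
    ticket = TICKETS.pop(ticket_id, None)  # service tickets are single-use
    if ticket is None:
        return {"error": "INVALID_TICKET"}
    if renew and not ticket.renew:
        return {"error": "INVALID_TICKET", "detail": "ticket not issued after renew"}
    return {"user": ticket.user, "renew": ticket.renew}
```

The order of operations in get_and_clear_reauth_user is the point worth checking in the real implementation: clear the stash before comparing, compare in constant time, and bind the token to the session that issued it rather than to the user alone, so that a token lifted from a redirect URL is useless in any other session and a second presentation in the same session sends the user back through force re-auth instead of minting a second "renew" ticket.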
