
Thread: Requiring a Terms&Conditions re-agreement during login

  1. #1
    Join Date
    Oct 2010
    Posts
    8

    I'm working on a site where the user must agree to certain Terms and Conditions (T&C). It is possible that these T&C can be updated with a new version. In this case, I need to force users to agree to the updated version before they can log in.

    I'm having a hard time figuring out the best way to go about this.

    The plan I have so far is to extend DaoAuthenticationProvider to check if the user has any T&Cs to agree to, and throw a custom TcAgreementRequiredException (extending AuthenticationException) if so.

    The part I'm having difficulty with is: I don't want them to be officially logged in, but I want to authenticate the T&C agreement form submission somehow since they already entered their username/pass, and then log them in once they have agreed. Any ideas how to handle such a situation?

  2. #2
    Join Date
    Jan 2008
    Posts
    1,834

    One option is to have your login form controller determine if they require viewing the terms and conditions. If so, display the terms and conditions; otherwise display the login form. To ensure that they don't just attempt to bypass the terms and conditions, you can write a custom UserDetailsChecker and wire it in as the preAuthenticationChecks.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  3. #3
    Join Date
    Oct 2010
    Posts
    8

    I can't check if they've already agreed to the updated terms & conditions until they verify who they are first. This has to happen after the login form is displayed, in fact after it has been submitted.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,834

    Good point... I clearly did not think this through very well and I apologize for that. The easiest way I can think of doing this is to add another Filter that, if the user is authenticated, ensures that the terms and conditions have been viewed. All of this could be performed outside of Spring Security. I'm not sure how much I like this solution (or how much you will like it). Hopefully this at least gets you a solution that works and is isolated enough from the rest of the code that it can easily be refactored later.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
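
A sketch of the filter approach suggested in post #4, added here as an example and not code posted by anyone in the thread. `TermsService`, the `/terms`, `/terms/accept` and `/logout` paths, and the integer version scheme are hypothetical; the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical lookup of the current T&C version and the version a user last accepted. */
interface TermsService {
    int currentVersion();
    int acceptedVersion(String username); // assumed to return 0 when nothing was accepted
}

/** Keeps an authenticated user inside the agreement flow until the current T&C are accepted. */
public class TermsAgreementFilter extends OncePerRequestFilter {
    // Assumed paths: agreement page, its form target, and logout. Exact matches only,
    // so a path with extra segments or ";param" suffixes is not exempt (fails closed).
    private static final Set<String> EXEMPT = Set.of("/terms", "/terms/accept", "/logout");

    private final TermsService terms;

    public TermsAgreementFilter(TermsService terms) {
        this.terms = terms;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        String path = req.getRequestURI().substring(req.getContextPath().length());
        // Checked on every request, so skipping the redirect after login gains nothing.
        if (loggedIn && !EXEMPT.contains(path)
                && terms.acceptedVersion(auth.getName()) < terms.currentVersion()) {
            res.sendRedirect(req.getContextPath() + "/terms");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter after `springSecurityFilterChain` so the security context is already populated when it runs. The handler behind `/terms/accept` should record acceptance for the name taken from the authenticated `Authentication`, not from a username field in the submitted form.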
