Thread: 2-stage preauthentication

  1. #1
    Join Date
    Sep 2010
    Posts
    4

    2-stage preauthentication

    Our scheme uses a 2-stage authentication system. A user's x509 certificate is validated using the x509preauthprocessingfilter, and we have a custom preAuthenticationAuthenticationProvider that provides some final checks on the certificate and throws exceptions if it's bad. The next stage loads our userdetails from a database based on an association from x509 to the user. However, if the user has a valid certificate but is not registered, I want to send him to a registration page. What's the simplest way to do that?

    I've considered an exceptionTranslationFilter, however it looks like it handles every exception and I'd only want it to catch UserNotFoundException. I've also considered returning a dummy user object and redirecting based on his roles. However, this feels dirty and there must be something simple I'm missing. Any thoughts?

  2. #2
    Join Date
    Jan 2008
    Posts
    1,833

    The ExceptionTranslationFilter has a way to specify which exceptions you want to handle, but it would not catch an Exception thrown by a PreAuthFilter since it is earlier in the FilterChain. My recommendation to you would be to use an AuthenticationFailureHandler similar to how the AbstractAuthenticationProcessingFilter works.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
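
One way to write the AuthenticationFailureHandler recommended in the reply above, as an added example that is not code from the thread or from Spring Security itself. The class name and the registration path are hypothetical, the `javax.servlet` namespace is assumed, and it assumes the provider lets Spring Security's `UsernameNotFoundException` propagate for a valid but unregistered certificate.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Hypothetical handler: unregistered certificate goes to registration, anything else is refused. */
public class UnregisteredCertificateFailureHandler implements AuthenticationFailureHandler {

    // Fixed, application-relative path (assumed value supplied by configuration).
    // It is never built from request data, so the redirect cannot be steered off-site.
    private final String registrationPath;

    public UnregisteredCertificateFailureHandler(String registrationPath) {
        if (registrationPath == null || !registrationPath.startsWith("/")
                || registrationPath.startsWith("//")) {
            throw new IllegalArgumentException("registrationPath must be application-relative");
        }
        this.registrationPath = registrationPath;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        if (response.isCommitted()) {
            return; // nothing more can be written to this response
        }
        String target = request.getContextPath() + registrationPath;
        if (exception instanceof UsernameNotFoundException) {
            // The registration page itself passes through the pre-auth filter too;
            // redirecting it again would loop, so let that request proceed unauthenticated.
            if (!target.equals(request.getRequestURI())) {
                response.sendRedirect(target);
            }
            return;
        }
        // Certificate rejected for any other reason: fail closed, without echoing
        // the exception message back to the client.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate authentication failed");
    }
}
```

Attach it to the X.509 pre-authentication filter with `setAuthenticationFailureHandler(...)`, or call it from an overridden `unsuccessfulAuthentication(...)`. The registration path must be reachable without an authenticated user.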
