Feb 28th, 2011, 08:23 PM
Spring Security Behind Tomcat Security
I'm trying to setup a website for a "beta" test and want to have an initial authentication to get to the site, at which point the users can access the beta site, but will have to login/register to use the locked parts of the site.
Initially, I tried doing this by adding basic security to tomcat or apache, but in both cases, it seemed to defer to the spring security level (the login box says something like "Spring Application Authentication").
So my question is, is there any way to do this? It doesn't necessary have to be using the web containers, it could use spring directly as well.
Feb 28th, 2011, 10:24 PM
The simplest way of doing this would be to have different access levels. Making it as simple as possible (and as closely related to the documentation you will find) you could create a ROLE_BETA and ROLE_REGISTERED. You would that have two different AuthenticationProviders (one that authenticates with only the ROLE_BETA and one that provides the ROLE_REGISTERED). If a ROLE_BETA user accesses a ROLE_REGISTERED url they would be sent to the access denied page (which you could configure to be a page that tells them they need to register or login).