I am hoping this is common enough of a scenario that someone out there has tackled it already.
I have Users and they have Roles. Each of these roles represents a URL to protect. So far, that's pretty simple with Acegi Security System for Spring. Just wire up a fitler assigning the roles to the url to protect.
My biggest problem is the index page of this app. When a user first come in or their session is invalid, the page should show a login form.
If the user is logged in, it should show links to the URLs they are allowed to go to using the auth tag provided by Acegi Security System for Spring.
How can I achieve this without making the index page protected by some generic role? I ask this mostly because there's user administration in the app and someone could inadvertantly remove this generic role from a user, and that would be bad.
I guess I could add the generic role dynamically when the UserDetails' getGrantedAuthorties() method is called, but that hard codes the generic role in. I'd like to externalize this as much as possible.
Another solution I thought of was writing my own tags to check for authentication. But I had misunderstood the isAuthenticated() method on the Authencation object. I expected it to be set to true if the user was authenticated....but that's only if the url is protected.
Along the lines of my own tag, is it enough that an Authentication object exists in the secure context to ensure that the user has at least been challenged by Acegi and successfully presented credentials? If so, I could just have my tags make a check for just an Authentication object, disregarding the isAuthenticated() method.
Would that work? Any other ideas on how to tackle the problem?