I have an application where the Role based authentication is starting to get a little more complicated. I have the following scenario that I am hoping someone can give guidance on how to implement.

User "Main" has role ROLE_CAN_SUBMIT_APPLICATION. This allows the user to go to the application page and submit. The new requirement is that the person should only be able to submit the application based on a session scoped bean variable called isApplicationTest. This boolean variable can change based on user selection. If the user has the role and isApplicationTest=true, then they should be able to see the page, if they have the role and isApplicationTest=false they shouldn't be able to access the page, or if they do it should be read only.

I can go through the methods checking for the role as the boolean variable. But I was hoping to be able to do this somehow in applicationcontextsecurity, or some custom spring extension like a filter or authenticator.