I'm trying to integrate jcaptcha and acegi.
First of all, what a great framework! Many thanks and congratulations to the acegi team!
Authenticating a user as human is a security matter but not an identity one: you may be human and anonymous, or human and identified. These two notions are independent.
-It would be great to use the same security management framework to enforce both concerns (identity AND humanity).
-Basically, humanity of a user would be implemented by a flag added to its current identity (even if its identity is ANONYMOUS) without modifying it.
-Adding some custom attributes to identity would be great, like the number of human-restricted resources requested, that may be checked afterwards to decide whether the user needs to re-authenticate.
A possible solution implemented with acegi would be:
-Implement a CaptchaAuthenticationProcessingFilter that checks a challenge response and flags the current Authentication.
-Implement a CaptchaSecurityEnforcementFilter and a CaptchaVoter that check the flag and redirect to a custom captchaAuthenticationProcessingFilterEntryPoint if failed.
-Does this solution sound good? Does it break the spirit of the acegi framework?
-How to implement the flag stuff? I can't find a way to add some information to an existing authentication.
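
The flag-plus-counter idea described in the post, shown as an added Java example (not the poster's code and not Acegi's API). `Identity`, `HumanAwareIdentity`, `HumanityVoter` and the request limit are hypothetical names and values, and the captcha response is assumed to be verified server-side before `markHuman()` is called.

```java
import java.util.Objects;

// Hypothetical stand-in for an identity token; NOT the Acegi Authentication interface.
interface Identity { String principal(); }

// Decorator: carries the humanity flag and a request counter beside the
// wrapped identity, which is never modified (it may be an anonymous identity).
final class HumanAwareIdentity implements Identity {
    private final Identity delegate;
    private boolean human;            // set only after a verified captcha response
    private int restrictedRequests;   // human-restricted resources served since then

    HumanAwareIdentity(Identity delegate) { this.delegate = Objects.requireNonNull(delegate); }
    public String principal() { return delegate.principal(); }
    boolean isHuman() { return human; }
    int restrictedRequests() { return restrictedRequests; }
    void markHuman() { human = true; restrictedRequests = 0; }
    void countRestrictedRequest() { restrictedRequests++; }
    void revokeHuman() { human = false; }
}

// Voter: decides per request whether the captcha entry point must be shown.
final class HumanityVoter {
    enum Decision { GRANTED, CAPTCHA_REQUIRED }
    private final int maxRequestsPerProof;   // assumed policy value

    HumanityVoter(int maxRequestsPerProof) { this.maxRequestsPerProof = maxRequestsPerProof; }

    Decision vote(HumanAwareIdentity id, boolean resourceNeedsHuman) {
        if (!resourceNeedsHuman) return Decision.GRANTED;
        if (!id.isHuman()) return Decision.CAPTCHA_REQUIRED;
        if (id.restrictedRequests() >= maxRequestsPerProof) {
            id.revokeHuman();                // proof is used up: force a new challenge
            return Decision.CAPTCHA_REQUIRED;
        }
        id.countRestrictedRequest();
        return Decision.GRANTED;
    }
}

public class CaptchaFlagDemo {
    public static void main(String[] args) {
        HumanAwareIdentity anon = new HumanAwareIdentity(() -> "ANONYMOUS"); // constructed sample
        HumanityVoter voter = new HumanityVoter(2);
        System.out.println(voter.vote(anon, true));   // no proof of humanity yet
        anon.markHuman();   // the processing filter would do this after checking the response
        for (int i = 0; i < 3; i++) System.out.println(voter.vote(anon, true));
        System.out.println(anon.principal());         // wrapped identity is unchanged
    }
}
```

The wrapper has to live in server-side session state, never in anything the client can set, otherwise the flag proves nothing.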