I've been trying to figure out how to do something using Acegi (0.8.2) and still it escapes me. The simplest case is that once a user successfully authenticates, I want to send them to a license agreement page. Upon accepting the agreement, they can access the rest of the application, otherwise they can't do much but logout.
The Authentication (principal) will maintain this state (persisted in db). I need a successful authentication to get the Authentication and I want to stymie any attempts to access anything but the license agreement. So, it does not make sense to try to do this with the authentication manager. I could throw an exception, and set up the properties (exception class to page) so the user is redirected to the license page, but then they are basically unauthenticated (context set to null). Once they agree, I don't want to have them authenticate again. Also, I don't want them entering some other URL to bypass the license page.
The SecurityEnforcementFilter looks like a good spot, but once again throwing an exception to the authentication manager will null the context. The access decision manager looks like another hook, but throwing AccessDeniedException will result in a forbidden being returned. I'd rather have them sent to the license page.
I guess I want the Authentication to remain in the context, yet for each request, send them to the license page if they've not yet accepted it. I have a similar need for enforcing concurrent sessions, and giving the user the ability to terminate another session (one where they forgot to logout in another office, say), in order to proceed with the current one. Again, the user has authenticated; I just want to get in their face until they've made the decision to either terminate the other session, or decline to do so, and then be logged out of the current session.
Perhaps I have to make a new filter to add in the chain between the authentication filter and the security enforcement filter? Say, MakeUserDoTasksFilter or something, and in a similar manner have a provider manager invoke managers and direct the user according to any exceptions thrown (or URL returned). This way the user will remain authenticated, but not be able to roam freely.
Does anybody else have a clever solution for this?
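One shape the filter sketched above could take, as an added example that is not code from the post or from Acegi: a plain servlet filter placed in the chain after the authentication filter, which leaves the Authentication untouched and redirects every request except an exact allowlist of paths until the persisted acceptance flag is set. `LicenseAcceptanceStore`, the path names and the use of `request.getUserPrincipal()` to reach the authenticated user are assumptions; with Acegi you would read the Authentication from its context holder instead.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical lookup of the "has accepted the license" flag persisted in the db. */
interface LicenseAcceptanceStore {
    boolean hasAccepted(String username);
}

public class LicenseAgreementFilter implements Filter {
    private static final String LICENSE_PAGE = "/license.html";
    // The only paths reachable before acceptance: the page, its accept action and logout.
    // Exact match on the servlet path, not a prefix test, so "/license.html/../admin" is not let through.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList(LICENSE_PAGE, "/license/accept", "/logout"));
    private final LicenseAcceptanceStore store;

    public LicenseAgreementFilter(LicenseAcceptanceStore store) { this.store = store; }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumed to reflect the Authentication established earlier in the chain.
        Principal user = request.getUserPrincipal();
        // Unauthenticated requests are not this filter's concern (the enforcement filter handles them);
        // users who have accepted, or who are on an allowed path, simply continue.
        if (user == null || store.hasAccepted(user.getName())
                || ALLOWED.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // Authenticated but not yet accepted: the context is left intact, only the request is diverted.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + LICENSE_PAGE));
    }
}
```

The decision is taken from the server-side store on every request, never from a request parameter or cookie, so typing another URL only produces the same redirect.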