access for logged in users regardless the role they have

[ant]

Hi,

for my application I need the following feature: some pages may be accessed only by users who are logged in - they do not need to have any role. I've achieved this by writing my own Voter, which recognizes LOGIN_REQUIRED attribute.

Now I can write:

\A/for-logged-in/*\Z=LOGIN_REQUIRED

and my Voter lets the logged-in user in. It this attribute is not present Voter returns ACCESS_ABSTAIN.

I wonder if this it the only and the best way of implementing this feature? Is it possible to write it simpler without my own voter? I know that I could give every user a special role ROLE_VISITOR, or something like that, but I'd like to avoid giving the user a role only to recognize the situation she/he is logged in.

The most transparent solution would be when RoleVoter would recognize some keywords like:
- ROLE_ANY (user should have at least one role - does it make sens anyway?),
- ROLE_NOT_REQUIRED (the user should be logged in, but there is no need of having any roles - that make sens).

Just a thought.

[Ben Alex]

I think it best to use an additional voter and the appropriate AccessDecisionManager implementation. For example, if you have your new MustBeLoggedInVoter and RoleVoter both voting on the same access decision, you need to carefully decide the desired behaviour (refer to the JavaDocs for AffirmativeBased, ConsensusBased, UnanimousBased for the subtle differences).