spring security : Accept terms and conditions after login

Question

I have a use case to make the user accepts terms and conditions after login. The user cannot access any URL after login unless he accepts the terms and conditions. Is it possible to implement the same using spring security? If yes, how?

Answer 1

It is possible to add user one privilege after successful login, and just allow him to access terms and conditions page (ex. TERMS_AND_CONDITIONS_PRIVILEGE). After success post with accepted terms you can get permissions for user from database and grant it to his security context. Here is nice post how to do it

http://forum.spring.io/forum/spring-projects/security/60663-change-user-logged-authorities-on-the-fly
First you have to get SecurityContextHolder by calling SecurityContextHolder.getContext() Next you have to get Authentication from it by callingcontext.getAuthentication(). From Authentication you can get Principal and cast it to User object.
Remember to check if SecurityContextHolder.getContext() does not return null value and also if Authentication a = context.getAuthentication() is not null.
I also recomend to check if a.getPrincipal() is instance of User class
I hope it helps

Answer 2

I'd suggest to add check box in the login page. This check box will be checked when user acceps terms & conditions. The login page will be a JSP, so upon submission, you can check if the check box is checked, meaning the user has accespted the terms and conditions.

It is simpler to implement (you do not need another redirect), and I think it is better UX (user experience).

HTH.