Spring Security privacy policy message after successful login

Question

I'm looking for a way to include a warning page after a successful login in my spring security app. The warning page will display a message to the user who has already successfully logged in that by pressing "Yes" they agree to the terms and conditions bla bla... I want to ensure that they can't access any resources unless they click "Yes".

How can I include this in my journey? I've already implemented a custom success handler if that would help.

Thank's in advance.

Answer 1

So the solution is actually somewhat simple. Unfortunately, took a couple of days trying to get to the simplest solution.

Essentially what I did was: In my custom UserDetailService class, I overrode the createUserDetails method and set the combinedAuthorities to be:

List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new GrantedAuthorityImpl("ROLE_NEEDS_TO_ACCEPT_POLICY"));
combinedAuthorities = authorities;

So at the moment, this is their only role, i.e. they aren't authorised to access any of the other resources as mapped in my spring security xml.

In my custom success handler, I forwarded them onto /policy, which can bee seen by users with role ROLE_NEEDS_TO_ACCEPT_POLICY, which is mapped to a Controller which returns a jsp for them to accept/decline the terms and conditions etc...

If they clicked yes, their response is captured in the same controller's post method which then load's their actual roles and grants them.

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(auth.getAuthorities());
authorities.add(new GrantedAuthorityImpl('FETCH_ACTUAL_FROM_ROLES_TABLE'));
Authentication newAuth = new UsernamePasswordToken(auth.getPrincipal(),auth.getCredentials(),authorities)
SecurityContextHolder.getContext().setAuthentication(newAuth);

And that's it... Hope this helps someone.

Answer 2

This will be a matter of choice to implement it.

You can do so by creating custom implementation of UserDetailsService. This interface has only one method namely loadUserByUsername, which returns instance of UserDetails which is again an interface from Spring Security. By implementing UserDetails interface to your User POJO/Entity you can have access to some useful messages which can check user is active or enabled or credentials are non expired, etc. Have a look at javadoc. From there you can handle this that the user has accepted terms and conditions or not.

Another way is to create custom SpEL to check whether user has accepted terms or not.