Sebastian

Reputation: 1835

two-level authentication with Spring Security

Background

Our site allows someone to log in using their registered email and password. Now we want to allow users to register using only their Facebook identity (as an alternative authentication method). We plan to do this using Spring Social + Spring Security 3.1.

The question

There is a section in the website that requires you to have a password, no matter what authentication provider you use. Email-registered users are not affected by this, but Facebook users are (because they don't have a password). They need to generate one in a lazy way (the first time the Facebook user clicks the link), because a small percentage of users will use this feature (and we don't want all Facebook users to be bothered creating a password when they register).

So, how would you model this?

For example: we know that it is possible to define a security role named "REGISTERED_WITH_PASSWORD" and make those pages available only for that role. Is it possible to set up Spring in a way that when a logged-in "no-password" Facebook user attempts to enter that page, it redirects him to a password creation page, so they can create one and retry? (instead of handling that as an Authorisation exception).

Any other ideas? Any elegant design will be welcomed, no matter if it relies on things specific to Spring Sec 3.1.

Thank you,

Upvotes: 1

Views: 1161

Answers (1)

alexkasko

Reputation: 4925

Naive implementation thoughts, maybe a better way exists:

  • write a custom filter and add it to springSecurityFilterChain
  • make the filter active only for the URL you want (e.g. check the URL manually)
  • check in it the user's auth type and the 'login/password passed' flag, and redirect Facebook users without the flag to the login/password page
  • save the 'login/password passed' flag to the session

SecurityContext remains untouched, so this approach seems non-intrusive for Spring.


Upvotes: 3
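The filter sketched in the answer above, written out as an added example (this is not code from the question, the answer, or Spring itself). It assumes a hypothetical class `PasswordRequiredFilter`, a protected URL pattern `/account/secure/**`, a password-creation page at `/account/create-password`, and that the site's email/password login produces a `UsernamePasswordAuthenticationToken` while the Spring Social sign-in produces some other `Authentication` type; all of those names are assumptions for illustration. The session flag `PASSWORD_PASSED` is the answer's 'login/password passed' flag.

```java
package example.security;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
// Spring Security 3.1 package; in 4.x these moved to org.springframework.security.web.util.matcher
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical filter for this example. Sends an authenticated user who has not
 * yet proven a password to the password-creation page before they reach the
 * password-only section. The SecurityContext is never modified; the only state
 * is a session attribute, as the answer suggests.
 */
public class PasswordRequiredFilter extends OncePerRequestFilter {

    /** Session flag set by the password-creation controller once a password exists. */
    public static final String PASSWORD_PASSED = "PASSWORD_PASSED";
    /** Session attribute holding the path to return to after the password is created. */
    public static final String RETURN_TO = "PASSWORD_RETURN_TO";

    // Assumed URL pattern and page; adjust to the real site layout.
    private final RequestMatcher protectedUrls = new AntPathRequestMatcher("/account/secure/**");
    private final String passwordPage = "/account/create-password";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Only act on the password-only section; every other URL passes straight through.
        if (!protectedUrls.matches(request)) {
            chain.doFilter(request, response);
            return;
        }

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous or unauthenticated callers are left to FilterSecurityInterceptor,
        // which will raise the normal access-denied / entry-point behaviour.
        if (auth == null || !auth.isAuthenticated()) {
            chain.doFilter(request, response);
            return;
        }

        HttpSession session = request.getSession();
        // Assumption: form login yields UsernamePasswordAuthenticationToken, so those users
        // have already proven a password; everyone else (e.g. Facebook sign-in) needs the flag.
        boolean passwordProven = auth instanceof UsernamePasswordAuthenticationToken
                || Boolean.TRUE.equals(session.getAttribute(PASSWORD_PASSED));
        if (passwordProven) {
            chain.doFilter(request, response);
            return;
        }

        // Store only the server-observed request path, never a caller-supplied "next" parameter,
        // so the later redirect back cannot be turned into an open redirect.
        session.setAttribute(RETURN_TO, request.getRequestURI());
        response.sendRedirect(request.getContextPath() + passwordPage);
    }
}
```

To wire it in with the Spring Security 3.1 namespace, declare the filter as a bean and register it with `<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="passwordRequiredFilter"/>` so it runs after authentication is established but before authorization decisions. The password-creation controller, after validating and persisting the new password, should set `session.setAttribute(PasswordRequiredFilter.PASSWORD_PASSED, Boolean.TRUE)` and then redirect to the path stored under `RETURN_TO` (falling back to a fixed page if it is absent). Because the flag lives in the session, a Facebook user who logs in again in a new session will be asked once more unless the controller also checks a persisted "has password" attribute on the user record and sets the flag at sign-in time; which of the two you prefer depends on whether the check is meant as "has a password" or "entered a password in this session".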
