Spring-security split authentication and the authorization

I'm trying to create a custom login for my flex开发者_如何学Go web app with spring-security. I have an working version where we use the channelset.login with blazeds.

The problem i have is that i would like to split the authentication and the authorization.

I would like to ask the user to make some choices after the authentication to determine its roles.

Since the roles the user is authorized to are determined by this choices.

This means the user has to be authenticated and then the client needs to do a service call to the service and then the authorization process needs to take place.

Does anyone know if this is possible and have some tips of how this can be done?

Thanks in advance,

Arjen

Yes, that doesn't sound too far-fetched. You can store the user roles in the database, make each role for new users something like SIGNUP which will only allow the user to signup, once his new role is determined, simply update that role and restrict the new role from being able to update the role again, unless you're admin.

You can also override the authentication process to do whatever you want to do: http://mark.koli.ch/2010/07/spring-3-and-spring-security-setting-your-own-custom-j-spring-security-check-filter-processes-url.html

The session object might need to be refreshed if you're using some form of ORM.