I am using spring-security-facebook:0.10.4 to integrate Facebook authentication for SSO in our Grails application. One of our requirements is to allow a user to turn SSO on or off (via some control in our app). If it’s turned on, then we want to use the spring-security-facebook filter for authentication. If SSO is turned off on our app, we want to use the default spring security filter for authentication (regardless of whether a Facebook cookie/auth token exists or not).

I’m not sure how to configure the spring-security-facebook plugin to allow for this use case. Right now, I have the Transparent cookie based authorization (FacebookAuthCookieTransparentFilter) working, and it works great. The problem is that it will try to authenticate through Facebook on every page. I can’t see a way that I can control this so I can check to see if a user has turned on SSO in our app, and only use the Facebook auth filter if SSO is turned on.

I’m thinking I have to use Manual cookie based authorization (FacebookAuthCookieDirectFilter) instead, but I don’t know how to configure it. The documentation (located here… http://splix.github.com/grails-spring-security-facebook/guide/3%20Usage.html#3.4%20Client%20Side%20Authorization) says… “Same as FacebookAuthCookieTransparentFilter, it parse Facebook cookie, but only for specified url. Like username/password filter from spring-security-core or similar. After successful authorization it can redirect user to specified url.”

Is Manual cookie based authorization the way to go for my requirement? How can I configure it to work only for users who have turned on SSO in our app? How do I configure it to “…redirect user to specified url.”?