I think I’m missing a very obvious solution here, but I’ll ask anyway. I’ve got a grails application that uses the Spring Security Plugin for my AAS. I want to start doing daily build and deploys of the application using Hudson onto a test server (running Apache2/Tomcat6) as the ROOT application. When the application goes live, anonymous users will be able to access the site, along with registered users. However, during the testing/development phase I want to restrict users to those who have been invited.

I’ve created logic to generate an invitation code, and a temporary “login / registration on invite” view to be used during this dev/test phase. Currently I’m using a filter to redirect any non-logged in users to that view. The problem is the filter is catching any request, so any additional applications (IE Bugzilla), URL’s that would normally invoke a 404, etc are also being filtered, and the user is redirected to that same login page, even if they are already authenticated.

I had opted to go the filter route, instead of modifications to Spring Security settings, since this process is only a temporary solution, and I feel it will be much easier to remove at a later date. Is this a good Idea or is really not worth the hassle? What is the proper way to force only users of the application to log-in, but ignore requests to other URLs?