Redirecting to different action upon failed restriction in deadbolt2

Question

With deadbolt2 and play-authenticate I can define restrictions on the controller and action level based on a user's roles and permissions. If the current user does not satisfy these restrictions, AbstractDeadboltHandler.onAuthFailure in the configured deadbolt handler is called.

Now, what I'd like to achieve is to have different user roles (eg trial_user, basic_user, pro_user, admin, …) and allow only some users to call specific actions (in other words: block the other users from calling the action. For instance, a trial_user should not be allowed to create new posts).

This works so far, as users without the required roles cannot call the action. But, here is the problem: As soon as a restriction is not met, the user gets redirected to the generic "auth failure" page which asks him to log in. This is not correct in my opinion, since the user is actually logged in and is only lacking a certain role (or has a role which must not perform the action).

How can I react in the onAuthFailure method on this case? How can I differentiate between "user not logged in" and "user does not have a certain role". Obviously, always asking the user to login is not the right thing to do. I'd prefer to have a notice "You do not have the rights to access the page".

How can I know the specific reason behind an auth failure? Is that even possible with deadbolt2?

Answer 1

You could try implementing your DeadboltHandler#onAuthFailure method in this way

public F.Promise<Result> onAuthFailure(Http.Context context,
                                       String content) {
    Subject subject = getSubject();
    if (subject == null) {
        // 401 Unauthorized
    } else {
        // 403 Forbidden
    }
}