Is it possible to authenticate a user by checking for an existing HttpSession within Spring Security? I would like users to authenticate via CAS at one URL (http://example.com/auth), but not the other URLs. For example, if they go straight to http://example.com/content, then I'd like to check for the HttpSession and return a 401 Unauthorized code if they haven't logged into CAS yet. If they've already gone to the /auth page and logged in, then going to /content will return the content. The main reason for this is to avoid any redirects that CAS causes during authentication.
I am kind of new to Spring Security and can't figure out if I need a custom AuthenticationManager, AuthenticationEntryPoint, both, or something else. The AuthenticationManager doesn't have a way for me to access the HttpSession, and the AuthenticationEntryPoint doesn't seem to be the right place to implement this functionality.
Any ideas?
