Along with a middleware to allow catching the exception it raises when
the user is missing roles, redirecting them appropriately.
A distinction is made between roles which are obtained at the SSO,
stored in session, and roles which the user could have, statically
stored in database.
todo: ce commit dépend totalement du provisionning tel qu'implémenté par
hobo, il faudrait améliorer ça