Throw an exception instead of sending back a HTTP error code. This is necessary so any demonstration of upgrading from Servlet Spec authorization to Spring Security authorization, as the latter's ExceptionTranslationFilter expects specific exceptions to be thrown if you wish to commence the authentication process.

samples/tutorial/src/main/java/bigbank/web/ListAccounts.java

@@ -3,6 +3,7 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.AuthenticationCredentialsNotFoundException;
 import org.springframework.util.Assert;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.mvc.Controller;
@@ -21,8 +22,7 @@ public class ListAccounts implements Controller {
 	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
 		// Security check (this is unnecessary if Spring Security is performing the authorization)
 //		if (request.getUserPrincipal() == null) {
-//			response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must login to view the account list");
-//			return null;
+//			throw new AuthenticationCredentialsNotFoundException("You must login to view the account list (Spring Security message)"); // only for Spring Security managed authentication
 //		}
 		
 		// Actual business logic

samples/tutorial/src/main/java/bigbank/web/PostAccounts.java

@@ -3,6 +3,7 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.AccessDeniedException;
 import org.springframework.util.Assert;
 import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.ModelAndView;
@@ -22,9 +23,8 @@ public class PostAccounts implements Controller {
 
 	public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
 		// Security check (this is unnecessary if Spring Security is performing the authorization)
-//		if (request.isUserInRole("ROLE_TELLER")) {
-//			response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must be a teller to post transactions");
-//			return null;
+//		if (!request.isUserInRole("ROLE_TELLER")) {
+//			throw new AccessDeniedException("You must be a teller to post transactions (Spring Security message)"); // only for Spring Security managed authentication
 //		}
 		
 		// Actual business logic