From 0f517cb8e2bbbb30681008d75170262016f91b95 Mon Sep 17 00:00:00 2001
From: Ben Alex <ben.alex@springsource.com>
Date: Sun, 12 Nov 2006 22:06:37 +0000
Subject: [PATCH] SEC-375: Publish AuthorizationFailureEvent event when
 AccessDeniedException thrown by AfterInvocationProvider.

---
 .../authorization/AuthorizationFailureEvent.java    |  8 +++++++-
 .../intercept/AbstractSecurityInterceptor.java      | 13 +++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/acegisecurity/event/authorization/AuthorizationFailureEvent.java b/core/src/main/java/org/acegisecurity/event/authorization/AuthorizationFailureEvent.java
index b872e477ab..52d588b075 100644
--- a/core/src/main/java/org/acegisecurity/event/authorization/AuthorizationFailureEvent.java
+++ b/core/src/main/java/org/acegisecurity/event/authorization/AuthorizationFailureEvent.java
@@ -15,13 +15,19 @@
 
 package org.acegisecurity.event.authorization;
 
+import org.acegisecurity.AccessDecisionManager;
 import org.acegisecurity.AccessDeniedException;
+import org.acegisecurity.AfterInvocationManager;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.ConfigAttributeDefinition;
 
 
 /**
- * Indicates a secure object invocation failed because the principal could not be authorized for the request.
+ * Indicates a secure object invocation failed because the principal could not
+ * be authorized for the request.
+ *
+ * <p>This event might be thrown as a result of either an
+ * {@link AccessDecisionManager} or an {@link AfterInvocationManager}.
  *
  * @author Ben Alex
  * @version $Id$
diff --git a/core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java b/core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java
index f16075af77..58cc29bde9 100644
--- a/core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java
+++ b/core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java
@@ -148,8 +148,17 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
         }
 
         if (afterInvocationManager != null) {
-            returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),
-                    token.getAttr(), returnedObject);
+            // Attempt after invocation handling
+            try {
+                returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),
+                        token.getAttr(), returnedObject);
+            } catch (AccessDeniedException accessDeniedException) {
+                AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(),
+                		token.getAttr(), token.getAuthentication(), accessDeniedException);
+                publishEvent(event);
+
+                throw accessDeniedException;
+            }
         }
 
         return returnedObject;