SEC-375: Publish AuthorizationFailureEvent event when AccessDeniedException thrown by AfterInvocationProvider.

core/src/main/java/org/acegisecurity/event/authorization/AuthorizationFailureEvent.java

@@ -15,13 +15,19 @@
 
 package org.acegisecurity.event.authorization;
 
+import org.acegisecurity.AccessDecisionManager;
 import org.acegisecurity.AccessDeniedException;
+import org.acegisecurity.AfterInvocationManager;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.ConfigAttributeDefinition;
 
 
 /**
- * Indicates a secure object invocation failed because the principal could not be authorized for the request.
+ * Indicates a secure object invocation failed because the principal could not
+ * be authorized for the request.
+ *
+ * <p>This event might be thrown as a result of either an
+ * {@link AccessDecisionManager} or an {@link AfterInvocationManager}.
  *
  * @author Ben Alex
  * @version $Id$

core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java

@@ -148,8 +148,17 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A
         }
 
         if (afterInvocationManager != null) {
-            returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),
+            // Attempt after invocation handling
-                    token.getAttr(), returnedObject);
+            try {
+                returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),
+                        token.getAttr(), returnedObject);
+            } catch (AccessDeniedException accessDeniedException) {
+                AuthorizationFailureEvent event = new AuthorizationFailureEvent(token.getSecureObject(),
+                		token.getAttr(), token.getAuthentication(), accessDeniedException);
+                publishEvent(event);
+
+                throw accessDeniedException;
+            }
         }
 
         return returnedObject;