diff --git a/samples/tutorial/src/main/java/bigbank/web/ListAccounts.java b/samples/tutorial/src/main/java/bigbank/web/ListAccounts.java
index 6c2c5b810e..d0ea3ed67b 100644
--- a/samples/tutorial/src/main/java/bigbank/web/ListAccounts.java
+++ b/samples/tutorial/src/main/java/bigbank/web/ListAccounts.java
@@ -3,6 +3,7 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.AuthenticationCredentialsNotFoundException;
 import org.springframework.util.Assert;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.mvc.Controller;
@@ -21,8 +22,7 @@ public class ListAccounts implements Controller {
 public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
 // Security check (this is unnecessary if Spring Security is performing the authorization)
 // if (request.getUserPrincipal() == null) {
-// response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must login to view the account list");
-// return null;
+// throw new AuthenticationCredentialsNotFoundException("You must login to view the account list (Spring Security message)"); // only for Spring Security managed authentication
 // }
 // Actual business logic
diff --git a/samples/tutorial/src/main/java/bigbank/web/PostAccounts.java b/samples/tutorial/src/main/java/bigbank/web/PostAccounts.java
index 58fb342215..e5967b52e3 100644
--- a/samples/tutorial/src/main/java/bigbank/web/PostAccounts.java
+++ b/samples/tutorial/src/main/java/bigbank/web/PostAccounts.java
@@ -3,6 +3,7 @@ package bigbank.web;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.AccessDeniedException;
 import org.springframework.util.Assert;
 import org.springframework.web.bind.ServletRequestUtils;
 import org.springframework.web.servlet.ModelAndView;
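Review bot: The new commented-out guard in ListAccounts.handleRequest only turns into a login redirect or 401 if the thrown `AuthenticationCredentialsNotFoundException` reaches Spring Security's ExceptionTranslationFilter; anywhere else in the chain the method's `throws Exception` signature lets it surface as a plain 500, and the trailing "only for Spring Security managed authentication" remark does not make that consequence clear. The same caveat presumably applies to `request.getUserPrincipal()`, which in a Spring Security managed setup is populated by its request wrapper filter, so a `null` here can mean the wrapper is missing rather than that nobody is logged in. I would spell this out in the comment: `// Requires Spring Security's filter chain (request wrapper + ExceptionTranslationFilter) in front of this controller; otherwise the exception propagates as a 500.` Note also that the added import is live code whose only use is commented out, so compilers and linters will flag it as unused. handleRequest continues past the end of the hunk.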
@@ -22,9 +23,8 @@ public class PostAccounts implements Controller {
 public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
 // Security check (this is unnecessary if Spring Security is performing the authorization)
-// if (request.isUserInRole("ROLE_TELLER")) {
-// response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must be a teller to post transactions");
-// return null;
+// if (!request.isUserInRole("ROLE_TELLER")) {
+// throw new AccessDeniedException("You must be a teller to post transactions (Spring Security message)"); // only for Spring Security managed authentication
 // }
 // Actual business logic
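Review bot: With the guard still commented out, nothing in PostAccounts.handleRequest enforces ROLE_TELLER — the corrected `!request.isUserInRole("ROLE_TELLER")` condition never executes, so the only protection on this POST handler is whatever intercept-url rule the Spring Security configuration (not in this diff) applies to the controller's URL mapping. That is reasonable for a tutorial, but the comment should say where the real check lives so a reader who copies the controller does not assume it is self-protecting: `// Security check (disabled): ROLE_TELLER is enforced by the Spring Security <intercept-url> rule for this controller's URL — keep that rule in sync if the mapping changes.` Also, an `AccessDeniedException` thrown here is only turned into a 403 (or a login redirect for an anonymous caller) by ExceptionTranslationFilter; without that filter in front of the controller, the `throws Exception` signature lets it propagate as a 500. handleRequest continues past the end of the hunk.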