/** * Is this current user in the given list of roles * @param req The users request * @param roles The list of roles to check * @throws SecurityException if this user is not allowed by the list of roles */ protected static void assertAllowedByRoles(HttpServletRequest req, Set<String> roles) throws SecurityException { for (String role : roles) { if ("*".equals(role) || req.isUserInRole(role)) { return; } } throw new AccessDeniedException("User is not in role for this method."); }