I want my controller to return the right HTTP response code when the user lacks permission to view a particular page.
You can also just throw
org.springframework.security.access.AccessDeniedException("403 returned");
This returns a 403 in the response header.