We are having the same issue. Our system needs to catch these exceptions in order to know when to show a login screen (tomcat can't manage this, since we only have one JSP used to make calls on the backend).
I was hoping this was similiar to how JBoss handles other exceptions, which is annoying but at least manageable, wherein it wraps them in Server and EJBExceptions (I assume JBoss does this so rollbacks get made?). Unfortunately, iterating through the causes of the exception, via exception.getCause(), isn't getting back to a SecurityException.
Please help us to solve this issue! I'm researching on how to customize the SecurityInterceptor, but hoping there is an easier/cleaner way. I also really don't want to have to parse the exception message to make it work (although I'm just doing that for now so I can keep coding other stuff, but it's a pretty sad hack).
Thanks in advance,