To recreate the bug using a default AppFuse Struts2 modular app do the following:

1) start the webapp (mvn jetty:run)
2) login as "user/user"
3) edit the user profile, change the Username to "user2"
4) press Save button

See this error:

Yikes!
org.acegisecurity.AccessDeniedException: Access Denied: Only administrators are allowed to modify other users.
at org.appfuse.service.UserSecurityAdvice.before(UserSecurityAdvice.java:63)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy22.saveUser(Unknown Source)
at org.appfuse.webapp.action.UserAction.save(UserAction.java:155)
[SNIP]

Problem: Users should be able to change their username. UserSecurityAdvice checks for users based on username when it should check based on id.

Discovered thanks to APF-800.