hmrc · ayubAz · Dec 8, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/app/config/FrontendAppConfig.scala b/app/config/FrontendAppConfig.scala
@@ -33,12 +33,16 @@ class FrontendAppConfig @Inject() (configuration: Configuration) {
   def feedbackUrl(implicit request: RequestHeader): String =
     s"$contactHost/contact/beta-feedback?service=$contactFormServiceIdentifier&backUrl=${host + request.uri}"
 
-  val loginUrl: String             = configuration.get[String]("urls.login")
-  val loginContinueUrl: String     = configuration.get[String]("urls.loginContinue")
-  val signOutUrl: String           = configuration.get[String]("urls.signOut")
-  val govUkSDLTGuidanceUrl: String = configuration.get[String]("urls.govUkSDLTGuidance")
   lazy val feedbackFrontend: String = configuration.get[String]("feedback-frontend.host")
 
+  val loginUrl: String                      = configuration.get[String]("urls.login")
+  val loginContinueUrl: String              = configuration.get[String]("urls.loginContinue")
+  val signOutUrl: String                    = configuration.get[String]("urls.signOut")
+  val govUkSDLTGuidanceUrl: String          = configuration.get[String]("urls.govUkSDLTGuidance")
+  lazy val govUKUrl: String                 = configuration.get[String]("urls.govUK")
+  lazy val howToPayUrl: String              = configuration.get[String]("urls.howToPay")
+  lazy val hmrcOnlineServiceDeskUrl: String = configuration.get[String]("urls.hmrcOnlineServiceDesk")
+
   private val agentServiceBaseUrl: String       = configuration.get[String]("stamp-duty-land-tax-agent.host")
   val startAddAgentUrl: String                  = s"$agentServiceBaseUrl/stamp-duty-land-tax-agent/agent-details/start-add-agent"
   val agentOverviewUrl: String                  = s"$agentServiceBaseUrl/stamp-duty-land-tax-agent"
@@ -57,10 +61,5 @@ class FrontendAppConfig @Inject() (configuration: Configuration) {
   val countdown: Int = configuration.get[Int]("timeout-dialog.countdown")
 
   val cacheTtl: Long = configuration.get[Int]("mongodb.timeToLiveInSeconds")
-
-  lazy val howToPayUrl: String = configuration.get[String]("urls.howToPay")
-
-  lazy val hmrcOnlineServiceDeskUrl: String = configuration.get[String]("urls.hmrcOnlineServiceDesk")
-  lazy val govUKUrl: String = configuration.get[String]("urls.govUK")
 }
 
diff --git a/app/controllers/AccessDeniedController.scala b/app/controllers/AccessDeniedController.scala
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2025 HM Revenue & Customs
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package controllers
+import config.FrontendAppConfig
+import javax.inject.Inject
+import play.api.i18n.{I18nSupport, MessagesApi}
+import play.api.mvc.{Action, AnyContent, MessagesControllerComponents}
+import uk.gov.hmrc.play.bootstrap.frontend.controller.FrontendBaseController
+import views.html.AccessDeniedView
+
+class AccessDeniedController @Inject() (
+                                         override val messagesApi: MessagesApi,
+                                         val controllerComponents: MessagesControllerComponents,
+                                         view: AccessDeniedView
+                                       )(implicit appConfig: FrontendAppConfig)
+  extends FrontendBaseController
+    with I18nSupport {
+
+  def onPageLoad: Action[AnyContent] = Action { implicit request =>
+    Ok(view())
+  }
+}
diff --git a/app/controllers/actions/AuthenticatedIdentifierAction.scala b/app/controllers/actions/AuthenticatedIdentifierAction.scala
@@ -71,7 +71,7 @@ class AuthenticatedIdentifierAction @Inject()(
         case _ =>
           logger.error("[AuthenticatedIdentifierAction][authorised] - authentication failure")
           Future.successful(
-            Redirect(routes.UnauthorisedController.onPageLoad()))
+            Redirect(routes.AccessDeniedController.onPageLoad()))
       } recover {
       case _: NoActiveSession =>
         logger.error("[AuthenticatedIdentifierAction][authorised] - recover::NoActiveSession")

diff --git a/app/handlers/ErrorHandler.scala b/app/handlers/ErrorHandler.scala
@@ -16,27 +16,33 @@
 
 package handlers
 
+import config.FrontendAppConfig
+
 import config.FrontendAppConfig
 import views.html.PageNotFoundView
 import javax.inject.{Inject, Singleton}
 import play.api.i18n.{I18nSupport, MessagesApi}
 import play.api.mvc.RequestHeader
 import play.twirl.api.Html
 import uk.gov.hmrc.play.bootstrap.frontend.http.FrontendErrorHandler
-import views.html.ErrorTemplate
+import views.html.{AccessDeniedView, ErrorTemplate}
 
 import scala.concurrent.{ExecutionContext, Future}
 
 @Singleton
 class ErrorHandler @Inject()(
                               val messagesApi: MessagesApi,
                               view: ErrorTemplate,
+                              accessDeniedView: AccessDeniedView,
                               notFoundView: PageNotFoundView
-                            )(override implicit val ec: ExecutionContext, appConfig: FrontendAppConfig) extends FrontendErrorHandler with I18nSupport {
+                            )(implicit val ec: ExecutionContext, appConfig: FrontendAppConfig) extends FrontendErrorHandler with I18nSupport {
 
   override def standardErrorTemplate(pageTitle: String, heading: String, message: String)(implicit rh: RequestHeader): Future[Html] =
     Future.successful(view(pageTitle, heading, message))
 
+  override def fallbackClientErrorTemplate(implicit request: RequestHeader): Future[Html] =
+    Future.successful(accessDeniedView())
+
   override def notFoundTemplate(implicit request: RequestHeader): Future[Html] =
     Future.successful(notFoundView()(request, appConfig))
 }
diff --git a/app/views/AccessDeniedView.scala.html b/app/views/AccessDeniedView.scala.html
@@ -0,0 +1,46 @@
+@*
+ * Copyright 2025 HM Revenue & Customs
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *@
+
+@import views.html.components._
+@import uk.gov.hmrc.hmrcfrontend.views.html.components.HmrcPageHeading
+@import config.FrontendAppConfig
+
+@this(
+layout: templates.Layout,
+hmrcPageHeading: HmrcPageHeading,
+paragraph: Paragraph,
+link: Link
+)
+
+@()(implicit request: RequestHeader, appConfig: FrontendAppConfig, messages: Messages)
+
+@layout(
+    pageTitle = titleNoForm(messages("accessDenied.title")),
+    showBackLink = false,
+    showSignOut = false
+) {
+
+    @hmrcPageHeading(PageHeading(
+        text           = messages("accessDenied.heading"),
+        headingClasses = Some("govuk-heading-l")
+    ))
+    @paragraph(message = messages("accessDenied.p1"))
+    @link(
+        linkTextKey  = "accessDenied.link",
+        linkUrl      = appConfig.govUKUrl,
+        extraClasses = "govuk-!-margin-bottom-4"
+    )
+}
diff --git a/app/views/templates/Layout.scala.html b/app/views/templates/Layout.scala.html
@@ -50,7 +50,9 @@
 
 @content = {
     @contentBlock
+    <div class="govuk-!-margin-top-8 govuk-body-s">
     @hmrcReportTechnicalIssueHelper()
+    </div>
 }
 
 @hmrcStandardPage(HmrcStandardPageParams(

diff --git a/conf/app.routes b/conf/app.routes
@@ -12,6 +12,8 @@ GET         /refresh-session                             controllers.KeepAliveCo
 
 GET         /there-is-a-problem                          controllers.JourneyRecoveryController.onPageLoad(continueUrl: Option[RedirectUrl] ?= None)
 
+GET         /access-denied                               controllers.AccessDeniedController.onPageLoad()
+
 GET         /page-not-found                              controllers.PageNotFoundController.onPageLoad()
 
 GET         /check-your-answers                          controllers.CheckYourAnswersController.onPageLoad()

diff --git a/conf/application.conf b/conf/application.conf
@@ -73,13 +73,13 @@ mongodb {
 }
 
 urls {
-  login         = "http://localhost:9949/auth-login-stub/gg-sign-in"
-  loginContinue = "http://localhost:9000/sdlt-management-frontend"
-  signOut       = "http://localhost:9553/bas-gateway/sign-out-without-state"
-  govUkSDLTGuidance  = "https://www.gov.uk/stamp-duty-land-tax"
-  howToPay      = "http://www.hmrc.gov.uk/payinghmrc/stamp-land.htm"
+  login                 = "http://localhost:9949/auth-login-stub/gg-sign-in"
+  loginContinue         = "http://localhost:9000/sdlt-management-frontend"
+  signOut               = "http://localhost:9553/bas-gateway/sign-out-without-state"
+  govUK                 = "https://www.tax.service.gov.uk/account"
+  govUkSDLTGuidance     = "https://www.gov.uk/stamp-duty-land-tax"
+  howToPay              = "http://www.hmrc.gov.uk/payinghmrc/stamp-land.htm"
   hmrcOnlineServiceDesk = "https://www.gov.uk/find-hmrc-contacts/technical-support-with-hmrc-online-services"
-  govUK = "https://www.tax.service.gov.uk/account"
 }
 
 host = "http://localhost:9000"

diff --git a/conf/messages.en b/conf/messages.en
@@ -41,6 +41,11 @@ journeyRecovery.startAgain.title = Sorry, there is a problem with the service
 journeyRecovery.startAgain.heading = Sorry, there is a problem with the service
 journeyRecovery.startAgain.guidance = [Add content to explain why the user needs to start again.]
 
+accessDenied.title = Sorry, there is a problem with the service
+accessDenied.heading = Sorry, there is a problem with the service
+accessDenied.p1 = You do not have access to this service.
+accessDenied.link = Continue to your account
+
 pageNotFound.title      = Page not found
 pageNotFound.heading    = Page not found
 pageNotFound.p1         = If you typed the web address, check it is correct.

diff --git a/test/controllers/AccessDeniedControllerSpec.scala b/test/controllers/AccessDeniedControllerSpec.scala
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2025 HM Revenue & Customs
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package controllers
+
+import base.SpecBase
+import config.FrontendAppConfig
+import org.mockito.Mockito.when
+import org.scalatestplus.mockito.MockitoSugar.mock
+import play.api.test.FakeRequest
+import play.api.test.Helpers.*
+import views.html.AccessDeniedView
+
+class AccessDeniedControllerSpec extends SpecBase {
+
+  private val mockAppConfig = mock[FrontendAppConfig]
+
+  "AccessDenied Controller" - {
+
+    "must return OK and the correct view for a GET" in {
+
+      val application = applicationBuilder(userAnswers = Some(emptyUserAnswers)).build()
+      when(mockAppConfig.govUKUrl).thenReturn("https://www.tax.service.gov.uk/account")
+
+      running(application) {
+        val request = FakeRequest(GET, routes.AccessDeniedController.onPageLoad().url)
+
+        val result = route(application, request).value
+
+        val view = application.injector.instanceOf[AccessDeniedView]
+
+        status(result) mustEqual OK
+        contentAsString(result) mustEqual view()(request, mockAppConfig, messages(application)).toString
+      }
+    }
+  }
+}
diff --git a/test/controllers/actions/AuthActionSpec.scala b/test/controllers/actions/AuthActionSpec.scala
@@ -333,7 +333,7 @@ class AuthActionSpec extends SpecBase {
               status(result) mustBe SEE_OTHER
               redirectLocation(
                 result
-              ).value mustBe controllers.routes.UnauthorisedController
+              ).value mustBe controllers.routes.AccessDeniedController
                 .onPageLoad()
                 .url
             }
@@ -386,7 +386,7 @@ class AuthActionSpec extends SpecBase {
           val result = controller.onPageLoad()(FakeRequest())
 
           status(result) mustBe SEE_OTHER
-          redirectLocation(result).value mustBe controllers.routes.UnauthorisedController.onPageLoad().url
+          redirectLocation(result).value mustBe controllers.routes.AccessDeniedController.onPageLoad().url
         }
       }
     }