diff --git a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
index 052b3cc5a774d1ba71fac4098a5e5443369cefa3..10cd0885db8d9ac7c9003d2f56e9996fa3c18c63 100644
--- a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
+++ b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
@@ -4,46 +4,54 @@ import java.io.Serializable;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.userdetails.UserDetails;
 
 import de.thm.arsnova.dao.IDatabaseDao;
+import de.thm.arsnova.entities.Session;
+import de.thm.arsnova.exceptions.ForbiddenException;
 import de.thm.arsnova.exceptions.UnauthorizedException;
 
 public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 
 	@Autowired
-	IDatabaseDao dao;
+	private IDatabaseDao dao;
 
 	@Override
 	public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
-		UserDetails user = getUserDetails(authentication);
-		return false;
+		String username = getUsername(authentication);
+
+		if (
+				targetDomainObject instanceof Session
+				&& ! checkSessionPermission(username, ((Session)targetDomainObject).getKeyword(), permission)
+				) {
+			throw new ForbiddenException();
+		}
+		return true;
 	}
 
 	@Override
 	public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
-		UserDetails user = getUserDetails(authentication);
+		String username = getUsername(authentication);
 
-		if ("session".equals(targetType)) {
-			return checkSessionPermission(user, targetId, permission);
+		if ("session".equals(targetType) && ! checkSessionPermission(username, targetId, permission)) {
+			throw new ForbiddenException();
 		}
-		return false;
+		return true;
 	}
 
-	private boolean checkSessionPermission(UserDetails user, Serializable targetId, Object permission) {
+	private boolean checkSessionPermission(String username, Serializable targetId, Object permission) {
 		if (permission instanceof String && permission.equals("owner")) {
-			return dao.getSession(targetId.toString()).getCreator().equals(user.getUsername());
+			return dao.getSession(targetId.toString()).getCreator().equals(username);
 		}
 		return false;
 	}
 
-	private UserDetails getUserDetails(Authentication authentication)
-			throws UnauthorizedException {
-		if (authentication.getPrincipal() == null || authentication.getPrincipal() instanceof String) {
+	private String getUsername(Authentication authentication) {
+		if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
 			throw new UnauthorizedException();
 		}
 
-		return (UserDetails)authentication.getPrincipal();
+		return authentication.getName();
 	}
 }
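Review bot: Both `hasPermission` overloads now end in `return true;`, so any target that is not a `Session` instance or the `"session"` type string is granted — a `hasPermission(#x, 'foo', 'owner')` expression written against a type this evaluator does not know would pass, where the old code returned false. A permission evaluator should fail closed: replace the trailing `return true;` in both overloads with `return false;` (or `throw new ForbiddenException();`, matching the new branches) so only the explicitly checked case can allow. `checkSessionPermission` also dereferences `targetId.toString()` and the `dao.getSession(...)` result without a guard; if a caller supplies a null keyword, or the DAO returns null for an unknown keyword (not visible here), that surfaces as a NullPointerException rather than a denial, so an explicit null check that returns false is worth adding. Also consider a short Javadoc on the class stating that only the `'owner'` permission on sessions is supported and everything else is denied, since the `@PreAuthorize` strings elsewhere depend on that contract.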
diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index b47fc1d47e31a8ec5e0c326e7f9a876b8521a447..b68df961578bcef77f66375660bb17759c4a21ae 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -40,7 +40,6 @@ import de.thm.arsnova.entities.Question;
 import de.thm.arsnova.entities.Session;
 import de.thm.arsnova.entities.User;
 import de.thm.arsnova.exceptions.BadRequestException;
-import de.thm.arsnova.exceptions.ForbiddenException;
 import de.thm.arsnova.exceptions.NotFoundException;
 import de.thm.arsnova.exceptions.UnauthorizedException;
 import de.thm.arsnova.socket.ARSnovaSocketIOServer;
@@ -80,17 +79,11 @@ public class QuestionService implements IQuestionService {
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated()")
+	@PreAuthorize("isAuthenticated() and hasPermission(#question.getSessionKeyword(), 'session', 'owner')")
 	public Question saveQuestion(Question question) {
 		Session session = this.databaseDao.getSessionFromKeyword(question.getSessionKeyword());
 		question.setSessionId(session.get_id());
 
-		User user = userService.getCurrentUser();
-
-		if (! session.isCreator(user)) {
-			throw new ForbiddenException();
-		}
-
 		if ("freetext".equals(question.getQuestionType())) {
 			question.setPiRound(0);
 		} else if (question.getPiRound() < 1 || question.getPiRound() > 2) {
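Review bot: With the creator check moved into `@PreAuthorize`, the first line of `saveQuestion` still calls `databaseDao.getSessionFromKeyword(question.getSessionKeyword())`, so the same session is now loaded twice per call (once by the evaluator, once here); a comment such as `// ownership already enforced by @PreAuthorize; this lookup only resolves the session id` would stop the next reader from re-adding the in-method check. Removing the `User user` local may leave the `User` import (and possibly the `userService` field) unused in this class, which cannot be confirmed from the hunk. The body of `saveQuestion` continues past the hunk.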
diff --git a/src/main/java/de/thm/arsnova/services/SessionService.java b/src/main/java/de/thm/arsnova/services/SessionService.java
index 79f98a6eb6a4f335e317fea9db7d63b05850f7ad..816ea46071b199b0be28a9102432039411a70351 100644
--- a/src/main/java/de/thm/arsnova/services/SessionService.java
+++ b/src/main/java/de/thm/arsnova/services/SessionService.java
@@ -234,7 +234,8 @@ public class SessionService implements ISessionService {
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
+	@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
+	//@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
 	public Session updateSession(String sessionkey, Session session) {
 		return databaseDao.updateSession(session);
 	}
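Review bot: The ownership check is now keyed on `#session`, the request body, instead of the `sessionkey` path parameter, and the previous annotation is left as a commented-out line above the method. The evaluator reads `getKeyword()` from the client-supplied object and compares that session's creator, while `databaseDao.updateSession(session)` persists the body as given; if the DAO writes by the object's own identity rather than by `sessionkey` (not visible here), the authorized keyword and the updated record could differ. Safer to keep `hasPermission(#sessionkey, 'session', 'owner')`, delete the commented-out annotation, and reject a body whose `getKeyword()` does not equal `sessionkey` inside the method before delegating to the DAO.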
diff --git a/src/test/java/de/thm/arsnova/services/QuestionServiceTest.java b/src/test/java/de/thm/arsnova/services/QuestionServiceTest.java
index 64e251fc32b43cd8f13ccf563825773572170518..4fb11fe632fc708e7aefc38f18582c663b1e8690 100644
--- a/src/test/java/de/thm/arsnova/services/QuestionServiceTest.java
+++ b/src/test/java/de/thm/arsnova/services/QuestionServiceTest.java
@@ -26,6 +26,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -38,6 +39,8 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import de.thm.arsnova.dao.StubDatabaseDao;
 import de.thm.arsnova.entities.InterposedQuestion;
+import de.thm.arsnova.entities.Question;
+import de.thm.arsnova.exceptions.ForbiddenException;
 import de.thm.arsnova.exceptions.NotFoundException;
 
 @RunWith(SpringJUnit4ClassRunner.class)
@@ -65,17 +68,19 @@ public class QuestionServiceTest {
 			SecurityContextHolder.getContext().setAuthentication(token);
 			userService.setUserAuthenticated(isAuthenticated, username);
 		} else {
-			SecurityContextHolder.setContext(
-					SecurityContextHolder.createEmptyContext()
-					);
 			userService.setUserAuthenticated(isAuthenticated);
 		}
 	}
 
+	@Before
+	public final void startup() {
+		SecurityContextHolder.clearContext();
+	}
+
 	@After
 	public final void cleanup() {
-		databaseDao.cleanupTestData();
-		setAuthenticated(false, "ptsr00");
+		//databaseDao.cleanupTestData();
+		//setAuthenticated(false, "ptsr00");
 	}
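Review bot: `cleanup()` now has an empty body with both former statements kept as comments, so `@After` no longer resets anything and data written by one test persists into the next; either remove the method or restore `databaseDao.cleanupTestData();` and leave the authentication reset to the new `@Before startup()`, which already performs it via `SecurityContextHolder.clearContext()`. Commented-out code should not be committed; if the cleanup was disabled deliberately, a one-line comment stating why belongs there instead.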
 
 	@Test(expected = AuthenticationCredentialsNotFoundException.class)
@@ -123,4 +128,13 @@ public class QuestionServiceTest {
 
 		assertFalse(theQ.isRead());
 	}
+
+	@Test(expected = ForbiddenException.class)
+	public void testShouldSaveQuestion() throws Exception{
+		setAuthenticated(true, "regular user");
+		Question question = new Question();
+		question.setSessionKeyword("12345678");
+		question.setQuestionVariant("freetext");
+		questionService.saveQuestion(question);
+	}
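Review bot: The new test is named `testShouldSaveQuestion` but is declared with `expected = ForbiddenException.class`, i.e. it verifies that a non-owner is denied; a name such as `testShouldNotSaveQuestionForNonOwner` states that contract. It also sets `question.setQuestionVariant("freetext")`, whereas `saveQuestion` branches on `getQuestionType()` (visible in the QuestionService hunk), and the denial fires before that branch anyway, so the line is dead setup and can be dropped or changed to set the field the service actually reads. The test further assumes the stub DAO knows session `"12345678"` with a creator other than `"regular user"`; that is presumably true but not visible here, and if the stub returned null the evaluator would fail with a NullPointerException, which this test would report as a failure rather than the intended denial.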
 }
diff --git a/src/test/java/de/thm/arsnova/services/SessionServiceTest.java b/src/test/java/de/thm/arsnova/services/SessionServiceTest.java
index a294544b9c22cae840dce802522a0b8d0b952b36..c8ee1deca6c9db8ec4e2522197c7cb87f8f701cb 100644
--- a/src/test/java/de/thm/arsnova/services/SessionServiceTest.java
+++ b/src/test/java/de/thm/arsnova/services/SessionServiceTest.java
@@ -48,8 +48,8 @@ import de.thm.arsnova.dao.IDatabaseDao;
 import de.thm.arsnova.dao.StubDatabaseDao;
 import de.thm.arsnova.entities.Question;
 import de.thm.arsnova.entities.Session;
+import de.thm.arsnova.exceptions.ForbiddenException;
 import de.thm.arsnova.exceptions.NotFoundException;
-import de.thm.arsnova.exceptions.UnauthorizedException;
 
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration(locations = {
@@ -135,7 +135,7 @@ public class SessionServiceTest {
 		assertNotNull(sessionService.joinSession("11111111"));
 	}
 
-	@Test(expected = UnauthorizedException.class)
+	@Test(expected = ForbiddenException.class)
 	public void testShouldUpdateSession() {
 		setAuthenticated(true, "ptsr00");