I have the following user xhtml page:
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:p="http://primefaces.org/ui"
xmlns:sec="http://www.springframework.org/security/tags">
<head>
<title>User</title>
</head>
<body>
<p>User</p>
<sec:authorize access="hasRole('ROLE_ADMIN')">
<p>Only admin can see this !</p>
</sec:authorize>
</body>
</html>
But when I access to the page with a user who hasn't the role ROLE_ADMIN, he still can see the "Only admin can see this !"
EDIT:
Here is my spring security config:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.2.xsd">
<http pattern="/resources" security="none" />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login**" access="permitAll" />
<intercept-url pattern="/denied**" access="permitAll" />
<intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
<intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/login.xhtml"
authentication-failure-url="/denied.xhtml"
authentication-success-handler-ref="securityAuthenticationSuccessHandler" />
<access-denied-handler error-page="/denied.xhtml" />
<logout logout-success-url="/login.xhtml" delete-cookies="JSESSIONID"
invalidate-session="true" />
</http>
<authentication-manager>
<authentication-provider user-service-ref="securityProviderServiceImpl">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
</beans:beans>
Is there something wrong with it?
Thank you..
EDIT 2 :
I have a warning for the security tag lib "xmlns:sec="http://www.springframework.org/security/tags""
NLS missing message: CANNOT_FIND_FACELET_TAGLIB in: org.eclipse.jst.jsf.core.validation.internal.facelet.messages
Is it important? is it the cause of the problem?
My maven security dependencies:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${org.springframework.security.version}</version>
</dependency>