Question

I have the following user xhtml page:

<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:p="http://primefaces.org/ui"
    xmlns:sec="http://www.springframework.org/security/tags">
<head>
<title>User</title>
</head>

<body>
    <p>User</p>
    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <p>Only admin can see this !</p>
    </sec:authorize>
</body>
</html>

But when I access the page with a user who doesn't have the role ROLE_ADMIN, he can still see the "Only admin can see this !"


EDIT:

Here is my spring security config:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/util 
        http://www.springframework.org/schema/util/spring-util-3.2.xsd">

    <http pattern="/resources" security="none" />

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login**" access="permitAll" />

        <intercept-url pattern="/denied**" access="permitAll" />
        <intercept-url pattern="/user/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')" />


        <form-login login-page="/login.xhtml"
            authentication-failure-url="/denied.xhtml"
            authentication-success-handler-ref="securityAuthenticationSuccessHandler" />

        <access-denied-handler error-page="/denied.xhtml" />

        <logout logout-success-url="/login.xhtml" delete-cookies="JSESSIONID"
            invalidate-session="true" />
    </http>

    <authentication-manager>
        <authentication-provider user-service-ref="securityProviderServiceImpl">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

Is there something wrong with it?

Thank you.


EDIT 2 :

I have a warning for the security tag lib "xmlns:sec="http://www.springframework.org/security/tags""

NLS missing message: CANNOT_FIND_FACELET_TAGLIB in: org.eclipse.jst.jsf.core.validation.internal.facelet.messages

Is it important? Is it the cause of the problem?

My maven security dependencies:

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${org.springframework.security.version}</version>
        </dependency>

Solution

Finally I solved the problem.

Here are the links that helped me a lot:

1) The answer by "Amreesh Tyagi" here: How to use the Spring Security Facelets tag library in JSF.

and

2) The 3rd part (III Security tags for Facelet) of this article http://doanduyhai.wordpress.com/2012/02/26/spring-security-part-v-security-tags/

I used the springsecurity.taglib.xml file from Amreesh Tyagi rather than the one from the article, because I had a problem with the access function.

OTHER TIPS

Adding one answer here as I had the same symptoms but found a different issue. Our tag was not working as intended. Everyone could see the secured content. The solution was that our XML namespace was misspelled on the page.

 xmlns="http://www.sprinfgramework.org/schema/security"

This took a while to find because there were no errors produced with the misspelling (which was surprising), and it simply ignored the security tag and displayed the content it contained.

Hope this helps someone.
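Both answers above describe the same fail-open behaviour from two causes: the accepted solution needed a Facelets taglib.xml that registers the `sec` namespace, and the second answer had a misspelled namespace URI. In either case Facelets has no tag library for the URI, so it treats `<sec:authorize>` as plain markup and renders its children for everyone, with nothing in the logs. The script below is an added example, not code from the question or either answer: it lints an XHTML page against the `<namespace>` declarations found in `*.taglib.xml` files and flags any authorization tag whose namespace is neither a Facelets built-in nor registered, offering a close match as a typo hint. The sample page, the taglib.xml and its `com.example.SpringSecurityAuthorizeHandler` handler class are constructed for the demo and are not Spring Security's own.

```python
"""Lint JSF/Facelets pages for <sec:authorize> tags that will fail open.

Facelets only processes elements whose namespace URI is declared by a
registered *.taglib.xml or is one of its built-in libraries. Any other
element is passed through as literal markup and its children are rendered
for every user. A misspelled xmlns:sec URI, or a missing taglib.xml on the
classpath, therefore shows "admin only" content to everyone without error.
"""
import difflib
import xml.etree.ElementTree as ET

# Libraries Facelets ships with; everything else needs a *.taglib.xml.
BUILTIN_TAGLIB_NAMESPACES = {
    "http://java.sun.com/jsf/html",
    "http://java.sun.com/jsf/core",
    "http://java.sun.com/jsf/facelets",
    "http://java.sun.com/jsf/composite",
    "http://java.sun.com/jsp/jstl/core",
    "http://java.sun.com/jsp/jstl/functions",
}
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Local names of Spring Security tags that gate output on an authorization decision.
AUTHZ_TAGS = {"authorize", "authentication", "accesscontrollist"}


def split_tag(tag):
    """ElementTree encodes tags as '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def registered_namespaces(taglib_sources):
    """Collect the <namespace> URIs declared by the given *.taglib.xml contents."""
    found = set()
    for src in taglib_sources:
        for el in ET.fromstring(src).iter():
            if split_tag(el.tag)[1] == "namespace" and el.text:
                found.add(el.text.strip())
    return found


def lint(page_xhtml, taglib_sources):
    """Return one message per authorization tag bound to an unknown namespace.

    Unknown means: not a Facelets built-in and not declared by any supplied
    taglib.xml. A close match among the known URIs is appended as a typo hint.
    """
    known = BUILTIN_TAGLIB_NAMESPACES | registered_namespaces(taglib_sources)
    report = []
    for el in ET.fromstring(page_xhtml).iter():
        uri, local = split_tag(el.tag)
        if uri in ("", XHTML_NS) or uri in known:
            continue
        if local.lower() not in AUTHZ_TAGS:
            continue  # an unknown non-security tag is a rendering bug, not a leak
        msg = f"<{local}> bound to unregistered namespace {uri}"
        hint = difflib.get_close_matches(uri, sorted(known), n=1, cutoff=0.75)
        if hint:
            msg += f" (did you mean {hint[0]}?)"
        report.append(msg)
    return report


# --- constructed sample inputs (not from the original post) ----------------
SEC_NS = "http://www.springframework.org/security/tags"

# Minimal Facelets taglib registering the namespace; the handler class name is
# a placeholder for illustration, not a class shipped by Spring Security.
TAGLIB_XML = f"""
<facelet-taglib xmlns="http://java.sun.com/xml/ns/javaee" version="2.0">
    <namespace>{SEC_NS}</namespace>
    <tag>
        <tag-name>authorize</tag-name>
        <handler-class>com.example.SpringSecurityAuthorizeHandler</handler-class>
    </tag>
</facelet-taglib>
"""


def page(sec_ns):
    """The question's user.xhtml, reduced, with a configurable xmlns:sec URI."""
    return f"""
<html xmlns="{XHTML_NS}"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:sec="{sec_ns}">
<body>
    <p>User</p>
    <sec:authorize access="hasRole('ROLE_ADMIN')">
        <p>Only admin can see this !</p>
    </sec:authorize>
</body>
</html>
"""


if __name__ == "__main__":
    # Misspelled namespace (second answer): flagged, with a hint.
    print(lint(page("http://www.sprinfgramework.org/schema/security"), [TAGLIB_XML]))
    # Correct namespace but no taglib.xml on the classpath (accepted solution): flagged.
    print(lint(page(SEC_NS), []))
    # Correct namespace and a registered taglib: clean.
    print(lint(page(SEC_NS), [TAGLIB_XML]))
```

Run it against the real `*.xhtml` files and the `META-INF/*.taglib.xml` files found in the web application and its jars; a non-empty report means the page will render the gated content for every user rather than fail closed.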

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow