security:authorize ifAllGranted
hi all...
i'm trying to hide a button when a user does not have the 'ROLE_SUPERVISOR' role. i used the @Secured annotation on my service impl and that's working great when the user does not have the ROLE_SUPERVISOR role. but, within my view, the button is still being displayed.
my page is defined as:
My security-config:Code:<ui:composition xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core" xmlns:sf="http://www.springframework.org/tags/faces" xmlns:security="http://www.springframework.org/security/tags" template="/WEB-INF/layouts/standard.xhtml"> ........ <div class="buttonGroup"> <security:authorize ifAllGranted="ROLE_SUPERVISOR"> <h:commandButton id="enroll" action="enroll" value="Enroll Employee"/>* </security:authorize> <h:commandButton id="cancel" action="cancel" value="Back to Search"/> </div>
i'm using version 2.0.4 of spring-security-taglibs and spring-security-core-tiger and that's included in my deployed war.Code:<security:global-method-security secured-annotations="enabled" /> <security:authentication-provider> <security:password-encoder hash="md5" /> <security:user-service> <security:user name="admin" password="xxx" authorities="ROLE_USER, ROLE_SUPERVISOR" /> <security:user name="employee" password="xxx" authorities="ROLE_USER" /> </security:user-service> </security:authentication-provider>
both the 'admin' user and 'employee' user display the 'Enroll Employee' button. I'm sure what i missed or where i can start to debug?
thanks
