updates README

uncomment @RolesAllowed

README.adoc

@@ -28,19 +28,26 @@ The application has two users configured via `Custom IdentityStore`, https://git
 
 Admin user (role admin) can access any page while `user` can access only pages under `/pages` path (only car-list page). See https://github.com/adminfaces/admin-starter/blob/master/src/main/webapp/WEB-INF/web.xml[url security constraints^].
 
-Users without access to restricted pages (car-form) will be redirected to `Access Denied` page.
+Users without access to restricted pages (car-form) will be redirected to `Access Denied` page:
+
+.AccessDenied
+image:403.png[link="https://raw.githubusercontent.com/adminfaces/admin-starter/master/403.png"]
+
 
 Admin have permissions for all CRUD operations on top of Car entity while common user can only view/list cars.
 
-At page level buttons are disabled using following EL:
+At page level buttons (like delete) are disabled using following EL:
 
 ----
 
 disabled="#{not externalContext.isUserInRole('ADMIN')"
 ----
 
+
 At method level `@RolesAllowed("ADMIN")` annotation is used.
 
+TIP: Try using `find by ID` on car-list page with non admin user, it should redirect to Access Denied page.
+
 == Running
 
 It should run in any JavaEE 8 application server.