
Clarification on Spring Security authority names

Hi,


I'm using the spring security core 1.1.2 plugin with Requestmaps.

Is it right that when using the "Traditional Config" all authority names have to begin with "ROLE_"?
I was able to use authority names without the prefix "ROLE_" when I used the SpEL way. Is this discouraged?

In the Traditional Config way, when using just e.g. "ADMIN" as the authority name, it runs into an IllegalArgumentException, which is understandable, as I guess the
framework needs to differentiate between Traditional Config (configAttribute starting with "ROLE_" or "IS_") and SpEL.

EL1008E:(pos 0): Field or property 'ADMIN' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' 
Caused by: Failed to evaluate expression 'ADMIN' 

On the other hand, this could be handled by a boolean flag "use-expressions", which would be sort of what spring-security does (<http use-expressions="true">).

I found it unfortunate, though, that this is not documented in the docs for the Spring Security Core plugin. I guess it's worth mentioning.
It would be good to make clear to the user what the options are.

Cheers


