想不通的一个问题~权限与角色springsecurity

  if (privilege.equals(user.getBeizhu())) {

//             return new org.springframework.security.core.userdetails.User(username, user.getPwd(), AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_admin,admin"));
             return new org.springframework.security.core.userdetails.User(username,
                     user.getPwd(),
                     AuthorityUtils.commaSeparatedStringToAuthorityList("admin,ROLE_abc"));
        }

配置是这样的,

        .and()
                .authorizeHttpRequests()
                .antMatchers("/img/*","/login.html","/login.html","/fail.html","/showFail").permitAll()
                .antMatchers("/abc")
                .hasAnyRole("abc")
                .antMatchers("/efg")
                .hasAnyRole("abc")
                .antMatchers("/hij")
                .hasRole("abc")
                .anyRequest().authenticated()

这里设置具有abc角色的可以访问/abc,

但是运行后都是403,无权限,想不通,不应该呀,是那里漏了?