Description
As a follow-up to gh-17585, consider preventing role names from including the role prefix in SecurityExpressionRoot for more consistent behavior. This would break passivity in Spring Security 7.
Context:
Currently, SecurityExpressionRoot allows the defaultRolePrefix to be included in a given role name. For example, the SpEL expression in @PreAuthorize("hasRole('ROLE_A')") is allowed, and works the same as @PreAuthorize("hasRole('A')") (assuming the default role prefix is ROLE_).
When switching from standalone logic in SecurityExpressionRoot to using an AuthorizationManager created by AuthorizationManagerFactory, we pick up the behavior of AuthorityAuthorizationManager.hasAnyRole(String rolePrefix, String[] roles), which does not allow a role to start with the given role prefix.
Now, the SpEL expression in @PreAuthorize("hasRole('ROLE_A')") would throw an IllegalArgumentException with the message:
ROLE_A should not start with ROLE_ since ROLE_ is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead.
To work around this for passivity, we can strip the role prefix from any role name before passing it to this method. See updates to SecurityExpressionRoot in #17673 for context.
Instead, we can consider preventing role names from including the role prefix, which would be enforced by AuthorityAuthorizationManager in the absence of any workaround.
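To make the two behaviors concrete, here is an added example that is not Spring Security's own code. It models, in plain Java with no framework dependency, the lenient handling that SecurityExpressionRoot has today (a leading role prefix is tolerated, so 'A' and 'ROLE_A' both resolve to the authority ROLE_A) next to the strict handling of AuthorityAuthorizationManager.hasAnyRole (a prefixed role name is rejected with the message quoted above). The class and method names (RolePrefixPolicy, toAuthorityLenient, toAuthorityStrict, hasAnyRole) and the sample set of granted authorities are hypothetical; only the exception message is taken from the issue text.

```java
import java.util.Arrays;
import java.util.Set;

// Added example, not Spring Security's own code. All names here are hypothetical.
// It contrasts the two ways a role name passed to hasRole/hasAnyRole can be handled:
//  - lenient (current SecurityExpressionRoot behavior): tolerate a leading prefix;
//  - strict (AuthorityAuthorizationManager.hasAnyRole behavior): reject a prefixed name.
public final class RolePrefixPolicy {

    private static final String DEFAULT_ROLE_PREFIX = "ROLE_";

    private RolePrefixPolicy() {
    }

    /** Lenient: strip a leading prefix if present, then prepend it, so "A" and "ROLE_A" both map to "ROLE_A". */
    static String toAuthorityLenient(String rolePrefix, String role) {
        String bare = role.startsWith(rolePrefix) ? role.substring(rolePrefix.length()) : role;
        return rolePrefix + bare;
    }

    /** Strict: a role name that already carries the prefix is treated as a configuration error. */
    static String toAuthorityStrict(String rolePrefix, String role) {
        if (role.startsWith(rolePrefix)) {
            // Message text taken from the issue; it is what hasAnyRole reports today.
            throw new IllegalArgumentException(role + " should not start with " + rolePrefix + " since "
                    + rolePrefix + " is automatically prepended when using hasAnyRole. "
                    + "Consider using hasAnyAuthority instead.");
        }
        return rolePrefix + role;
    }

    /**
     * Decides the check the way hasAnyRole does: the principal passes if any required role,
     * once normalized to an authority string, is among its granted authorities.
     */
    static boolean hasAnyRole(Set<String> grantedAuthorities, String rolePrefix, boolean strict, String... roles) {
        return Arrays.stream(roles)
                .map(r -> strict ? toAuthorityStrict(rolePrefix, r) : toAuthorityLenient(rolePrefix, r))
                .anyMatch(grantedAuthorities::contains);
    }

    public static void main(String[] args) {
        // Constructed sample principal: holds ROLE_A and an unrelated non-role authority.
        Set<String> granted = Set.of("ROLE_A", "SCOPE_read");

        // Lenient: both spellings are accepted, which is the passivity the #17673 workaround preserves.
        System.out.println("lenient hasRole('A')      -> " + hasAnyRole(granted, DEFAULT_ROLE_PREFIX, false, "A"));
        System.out.println("lenient hasRole('ROLE_A') -> " + hasAnyRole(granted, DEFAULT_ROLE_PREFIX, false, "ROLE_A"));

        // Strict: the unprefixed spelling works; the prefixed spelling fails fast at the point of
        // evaluation instead of silently checking for "ROLE_ROLE_A", which no principal would hold.
        System.out.println("strict hasRole('A')       -> " + hasAnyRole(granted, DEFAULT_ROLE_PREFIX, true, "A"));
        try {
            hasAnyRole(granted, DEFAULT_ROLE_PREFIX, true, "ROLE_A");
        }
        catch (IllegalArgumentException ex) {
            System.out.println("strict hasRole('ROLE_A')  -> " + ex.getMessage());
        }
    }
}
```

The difference that matters for the proposal is visible in the strict branch: without the lenient normalization, a double-prefixed authority would never match anything, so rejecting the prefixed name with an exception turns a silent authorization failure into an immediate, explicit configuration error.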