hasRole needs ‘ROLE_’ prefix by default (on my example, ROLE_ prefix is used at Role enum) on authorities field (on my example at UsernamePasswordAuthenticationToken class) that set at Authentication that return from authenticate method at AuthenticationManager class.

By default if the supplied role does not start with ‘ROLE_’ it will be added.