I guess the reason Spring Security (formerly Acegi) adds a ROLE_ prefix is that Acegi was doing it:
The default AccessDecisionManager (which interprets the access attributes that you specify in the intercept-url element) uses a RoleVoter implementation. By default this looks for the prefix "ROLE_" on the attribute
[Spring Security remove RoleVoter prefix]
Spring Security RoleVoter needs a prefix in order to distinguish the granted authorities that are roles
[Why does Spring Security's RoleVoter need a prefix?]
If you don't configure RoleVoter with a prefix then it would check if the user has the authority
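
The prefix behaviour quoted above can be checked directly against `RoleVoter`. This is an added example, not code from the quoted answers or from Spring Security itself. It assumes a `spring-security-core` version that still ships `RoleVoter` on the classpath; the class name `RoleVoterPrefixDemo`, the user `alice` and the choice of `IS_AUTHENTICATED_FULLY` as the non-role attribute are illustrative.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RoleVoterPrefixDemo {

    // Map the integer vote constants to readable names.
    static String name(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    // Ask one voter about one access attribute for the given user.
    static String vote(RoleVoter voter, Authentication user, String attribute) {
        List<ConfigAttribute> attrs = SecurityConfig.createList(attribute);
        return name(voter.vote(user, new Object(), attrs));
    }

    public static void main(String[] args) {
        // Constructed user holding a single granted authority.
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

        RoleVoter withPrefix = new RoleVoter();  // default prefix is "ROLE_"
        RoleVoter noPrefix = new RoleVoter();
        noPrefix.setRolePrefix("");              // every attribute now counts as a role

        // ROLE_* attributes are supported by both voters; the other attribute
        // is only supported (and therefore voted on) once the prefix is empty.
        String[] attributes = { "ROLE_USER", "ROLE_ADMIN", "IS_AUTHENTICATED_FULLY" };
        for (String attribute : attributes) {
            System.out.printf("%-24s prefix=ROLE_: %-8s prefix=\"\": %s%n",
                    attribute,
                    vote(withPrefix, user, attribute),
                    vote(noPrefix, user, attribute));
        }
    }
}
```

With the default prefix, `RoleVoter` abstains on attributes that do not start with `ROLE_` and leaves them to other voters. With an empty prefix it votes on every attribute and denies any that does not exactly match one of the user's authorities.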