This week's book giveaway is in the OCAJP 8 forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide and have Edward Finegan & Robert Liguori on-line! See this thread for details.
Yow! I'm all for container-based security, but this is a bit much. Did you assign a unique security role for each user?
About the most number of roles I've ever needed was 8. Something like: anonymous (not logged in), user, app_administrator, sysadmin, programmer, auditor, data_loader, scoring_table_modiifier and querent.
If I really needed more distinct roles than that, I'd probably do them fine-grained and add supporting logic.
I also normally zone out my URLs. For example, all admin functionality is under /admin, so that I can do a pattern-matched rule check rather than a rule for each discrete URL.
An IDE is no substitute for an Intelligent Developer.