Details
- Improvement
- Status: Closed
- Minor
- Resolution: Fixed
- 2.0.0-RC2
- None
Description
`UserService#getUser()` returns a `UserMemento`, which is a representation of the current user's roles and context (locale, time, timezone etc.). This is independent of the security mechanism configured.
The `UserMemento.AUTHORIZED_USER_ROLE` (String constant) is used by the Wicket viewer as a required role for protected pages; it's the responsibility of the security mechanism to add this role during login. If Spring is used for authentication, then this is done within `SpringSecurityFilter`. Thus, when querying `UserService#getUser()` with Spring, the only role we see on `UserMemento` is this one.
The `UserMementoRefiner` SPI allows security mechanisms to fine-tune this `UserMemento`. Secman already has an implementation of this (`UserMementoRefinerFromApplicationUser`), which adjusts the timezone etc., but it does not yet copy over the secman-defined roles. It should do this as well.
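The requested behaviour, modelled as an added example (not code from the project): a refiner that adds stored roles to the memento built at login without dropping the viewer's required role. `Memento`, `Refiner` and `RoleCopyingRefiner` are simplified stand-ins for the framework types, the user and role names are constructed, and the constant's value is a placeholder because the issue does not give it.

```java
import java.util.*;

public class RefinerSketch {
    // Placeholder: the issue does not state the value of UserMemento.AUTHORIZED_USER_ROLE.
    static final String AUTHORIZED_USER_ROLE = "AUTHORIZED_USER_ROLE_PLACEHOLDER";

    // Stand-in for UserMemento: immutable user name plus role names.
    record Memento(String name, Set<String> roles) {
        Memento { roles = Collections.unmodifiableSet(new LinkedHashSet<>(roles)); }
        Memento withRolesAdded(Collection<String> extra) {
            Set<String> merged = new LinkedHashSet<>(roles);
            merged.addAll(extra);
            return new Memento(name, merged);
        }
    }

    // Stand-in for the refiner SPI: takes a memento, returns a refined one.
    interface Refiner { Memento refine(Memento in); }

    // Stand-in for a role-store-backed refiner (hypothetical, assumed shape).
    static final class RoleCopyingRefiner implements Refiner {
        private final Map<String, Set<String>> rolesByUser; // constructed role store
        RoleCopyingRefiner(Map<String, Set<String>> rolesByUser) { this.rolesByUser = rolesByUser; }
        @Override public Memento refine(Memento in) {
            Set<String> stored = rolesByUser.get(in.name());
            // Unknown user: leave the memento exactly as the authenticator built it.
            if (stored == null) return in;
            // Add rather than replace, so the role granted at login survives refinement.
            return in.withRolesAdded(stored);
        }
    }

    public static void main(String[] args) {
        Refiner refiner = new RoleCopyingRefiner(
                Map.of("sven", Set.of("sales-admin", "report-viewer")));
        // What the authentication filter produces at login: only the viewer's required role.
        Memento atLogin = new Memento("sven", Set.of(AUTHORIZED_USER_ROLE));
        Memento refined = refiner.refine(atLogin);
        System.out.println(refined.name() + " -> " + refined.roles());
        // A user absent from the role store keeps only the login-time role.
        Memento stranger = refiner.refine(new Memento("unknown", Set.of(AUTHORIZED_USER_ROLE)));
        System.out.println(stranger.name() + " -> " + stranger.roles());
    }
}
```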