Re: hundreds of url and perms relationship management
A realm authenticates a user and retrieves authorizations for a user, without taking into account the current url.
There is a filter to check permissions accesses : the PermissionsAuthorizationFilter.
According to your security configuration, the filter is applied to the incoming url.
For your problem, I would create a specific filter, apply it to a more generic url :
/moduleA/** = superPermissionsFilter
This superPermissionsFilter would inherit from the AuthorizationFilter class and would override the isAccessAllowed method.
This method would be closed to the isAccessAllowed method in the PermissionsAuthorizationFilter class, just replacing the line :
String perms = (String) mappedValue;
String perms = readPermissionsFromDatabaseAccordingToTheUrl(request);
and creating this readPermissionsFromDatabaseAccordingToTheUrl method to load from database (or weherever you want, use cache if necessary) the right permissions according to the url.