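This is part of the configuration on the Resource Server side:

This is one of the controllers on the Resource Server side:

After authenticating with the authentication center and obtaining a token, I accessed /api/user on the Resource Server and got the following result: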
user page 
.....
getAuthentication = {"authenticated":true,"authorities":[{"authority":"admin"}],"clientOnly":false,"credentials":"","details":{"remoteAddress":"0:0:0:0:0:0:0:1","sessionId":"D15E150D3492DC0545B49B5DB56668A0","tokenType":"Bearer","tokenValue":"a0274f6d-0096-4a72-9d3b-8a551c552d90"},"name":"user","oAuth2Request":{"approved":true,"authorities":[],"clientId":"demo","extensions":{},"refresh":false,"requestParameters":{"client_id":"demo"},"resourceIds":[],"responseTypes":[],"scope":["read","write"]},"principal":"user","userAuthentication":{"authenticated":true,"authorities":[{"$ref":"$.authorities[0]"}],"credentials":"N/A","name":"user","principal":"user"}}

From {"authority":"admin"} you can see that this user only has the admin authority, yet he can access the /api/user page (which requires the userdsad authority), which I find strange. So my final question is: in a single sign-on system, on the Resource Server side, how do I use annotations such as @PreAuthorize("hasAuthority('admin')"), and how do I make them take effect?
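Spring Security evaluates @PreAuthorize only when method security is enabled in the same application context as the annotated controller. The following is an added example, not the poster's code: a Resource Server configuration with that switch turned on, assuming the legacy Spring Security OAuth2 module (suggested by the OAuth2Authentication output above). The class names and the /api/admin endpoint are hypothetical.

```java
// Added example; ResourceServerConfig, UserController and /api/admin are hypothetical names.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
// Without this annotation no method-security interceptor is registered:
// @PreAuthorize is silently ignored and the handler runs for any caller
// that passes the URL-level rules below.
@EnableGlobalMethodSecurity(prePostEnabled = true)
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // URL-level baseline: every /api/** request must carry a valid token.
        // Per-endpoint authorities are enforced by @PreAuthorize on the handlers.
        http.antMatcher("/api/**")
            .authorizeRequests()
            .anyRequest().authenticated();
    }
}

@RestController
class UserController {

    // A token whose only authority is "admin" is rejected here with 403.
    @GetMapping("/api/user")
    @PreAuthorize("hasAuthority('userdsad')")
    public String user() {
        return "user page";
    }

    // hasAuthority compares the literal string, so it matches
    // {"authority":"admin"}; hasRole('admin') would look for "ROLE_admin".
    @GetMapping("/api/admin")
    @PreAuthorize("hasAuthority('admin')")
    public String admin() {
        return "admin page";
    }
}
```

With this in place, a request to /api/user using a token that carries only the admin authority should return 403 instead of the page body, which is a quick check that the annotation is being enforced.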