Performs a security restricted check for the given web resource.
The returned value indicates which roles the user must be in to access the restricted resource.
Parameters:
url - the web resource
Returns:
null if not restricted, otherwise * (wildcard) matches any roles, otherwise a comma separated String with roles