
SEC-3128: RoleVoter supports null Authentication

Rob Winch 9 年 前
edd2751ff1

+ 3 - 0
core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
 
 	public int vote(Authentication authentication, Object object,
 			Collection<ConfigAttribute> attributes) {
+		if(authentication == null) {
+			return ACCESS_DENIED;
+		}
 		int result = ACCESS_ABSTAIN;
 		Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
 
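Review bot: The guard returns ACCESS_DENIED for a null Authentication before any attribute is inspected, so the voter now denies even for attributes it would otherwise abstain on; fail-closed is the right default for an authorization voter, but it is a contract change that the method's Javadoc (outside this hunk) should state, e.g. `@return ACCESS_DENIED if authentication is null, regardless of the supplied attributes`. A caller combining voters with AffirmativeBased presumably still gets a denial only if no other voter grants, so the note should say this voter's vote is unconditional, not that access is. Minor style: `if (authentication == null) {` with a space after `if` would match the spacing the project usually uses. The vote method continues beyond the hunk.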

+ 10 - 0
core/src/test/java/org/springframework/security/access/vote/RoleVoterTests.java

@@ -1,5 +1,6 @@
 package org.springframework.security.access.vote;
 
+import static org.fest.assertions.Assertions.assertThat;
 import static org.junit.Assert.*;
 
 import org.junit.Test;
@@ -22,4 +23,13 @@ public class RoleVoterTests {
 		assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
 				voter.vote(userAB, this, SecurityConfig.createList("A", "C")));
 	}
+
+	// SEC-3128
+	@Test
+	public void nullAuthenticationDenies() {
+		RoleVoter voter = new RoleVoter();
+		voter.setRolePrefix("");
+		Authentication notAuthenitcated = null;
+		assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
+	}
 }
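Review bot: The local in the new test is misspelled — `Authentication notAuthenitcated = null;` should read `Authentication notAuthenticated = null;`, with the call on the following line renamed to match. The test also introduces fest's `assertThat` next to the existing JUnit `assertEquals` used by the other tests in this class; picking one assertion style keeps the file consistent. A second assertion with an attribute this voter does not support would pin whether a null Authentication still denies rather than abstains in that case, which is what the guard's placement before the attribute loop implies.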