Adam Dyga (Migrated from SEC-1321) said:
RoleVoter throws null pointer exception if Authentication object's granted authorities array is null.
If a user doesn't have any roles, there is no point in passing it a 0-size array (memory inefficient), so RoleVoter should handle such a situation.
Luke Taylor said:
I'd prefer to tighten up the contract and disallow null values in the authentication object. The argument about memory doesn't really apply in 3.0, as a single empty collection can be shared throughout the entire application.
This isn't actually a bug in any case, as the existing contract says that the authorities should only be null in the case where the token hasn't been authenticated.
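The two positions above (handle null authorities defensively vs. treat null as "not authenticated" and share one empty collection) can be seen side by side in a minimal voter. The following is an added, self-contained example written for this thread, not Spring Security's own RoleVoter; the `Authentication` interface, `SimpleAuthentication` class and `RolePrefixVoter` class are stand-ins introduced here, while the vote constants use the same values Spring's `AccessDecisionVoter` defines (granted = 1, abstain = 0, denied = -1).

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class RolePrefixVoterDemo {

    // Vote outcomes, same values as Spring Security's AccessDecisionVoter constants.
    static final int ACCESS_GRANTED = 1;
    static final int ACCESS_ABSTAIN = 0;
    static final int ACCESS_DENIED = -1;

    // Stand-in for the Authentication contract discussed in the issue (hypothetical type).
    interface Authentication {
        boolean isAuthenticated();
        Collection<String> getAuthorities(); // may be null only when !isAuthenticated()
    }

    // One shared empty collection: the memory argument for passing null goes away.
    static final Collection<String> NO_AUTHORITIES = Collections.emptyList();

    static final class SimpleAuthentication implements Authentication {
        private final boolean authenticated;
        private final Collection<String> authorities;

        SimpleAuthentication(boolean authenticated, Collection<String> authorities) {
            this.authenticated = authenticated;
            // Enforce the tightened contract: an authenticated token never carries null.
            if (authenticated && authorities == null) {
                throw new IllegalArgumentException("authenticated token must not have null authorities");
            }
            this.authorities = authorities;
        }

        public boolean isAuthenticated() { return authenticated; }
        public Collection<String> getAuthorities() { return authorities; }
    }

    // Hypothetical voter: grants if any required ROLE_* attribute is held, denies otherwise.
    static final class RolePrefixVoter {
        static final String PREFIX = "ROLE_";

        int vote(Authentication auth, Collection<String> requiredAttributes) {
            boolean anyRoleAttribute = false;
            for (String attr : requiredAttributes) {
                if (attr.startsWith(PREFIX)) {
                    anyRoleAttribute = true;
                    break;
                }
            }
            if (!anyRoleAttribute) {
                return ACCESS_ABSTAIN; // nothing for a role voter to decide
            }
            // Null authorities are only legal for an unauthenticated token; such a token
            // holds no roles, so it is denied rather than dereferenced (no NPE either way).
            Collection<String> held = auth.getAuthorities();
            if (held == null) {
                if (auth.isAuthenticated()) {
                    throw new IllegalStateException("contract violation: authenticated token with null authorities");
                }
                held = NO_AUTHORITIES;
            }
            for (String attr : requiredAttributes) {
                if (attr.startsWith(PREFIX) && held.contains(attr)) {
                    return ACCESS_GRANTED;
                }
            }
            return ACCESS_DENIED;
        }
    }

    public static void main(String[] args) {
        RolePrefixVoter voter = new RolePrefixVoter();
        Collection<String> needsAdmin = List.of("ROLE_ADMIN");

        // Authenticated user with roles: granted.
        System.out.println(voter.vote(new SimpleAuthentication(true, List.of("ROLE_ADMIN")), needsAdmin)); // 1
        // Authenticated user with the shared empty collection: denied, no allocation per user.
        System.out.println(voter.vote(new SimpleAuthentication(true, NO_AUTHORITIES), needsAdmin)); // -1
        // Unauthenticated token with null authorities (allowed by the contract): denied, not NPE.
        System.out.println(voter.vote(new SimpleAuthentication(false, null), needsAdmin)); // -1
        // No ROLE_ attribute requested: the voter abstains.
        System.out.println(voter.vote(new SimpleAuthentication(true, NO_AUTHORITIES), List.of("IS_AUTHENTICATED_FULLY"))); // 0
    }
}
```

The constructor check is where the "tighten up the contract" approach lives: a token that claims to be authenticated cannot be built with null authorities, so the voter only ever sees null for unauthenticated tokens and can treat it as the empty set.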