
SEC-3128: RoleVoter supports null Authentication

Rob Winch 9 жил өмнө
parent
commit
56e41df964

+ 3 - 0
core/src/main/java/org/springframework/security/access/vote/RoleVoter.java

@@ -92,6 +92,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
     }
 
     public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
+        if(authentication == null) {
+            return ACCESS_DENIED;
+        }
         int result = ACCESS_ABSTAIN;
         Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
 
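Review bot: The new null guard returns ACCESS_DENIED rather than ACCESS_ABSTAIN, which is a fail-closed choice that differs from how the method treats an Authentication with no matching authorities, and nothing in the hunk records why; a one-line comment above the check would keep the next maintainer from "normalising" it to abstain, e.g. `// SEC-3128: no Authentication means no principal at all, so fail closed instead of abstaining`. Whether a single DENIED vote actually blocks access depends on the AccessDecisionManager in use, so the Javadoc for vote should presumably also state that a null authentication always yields ACCESS_DENIED regardless of the attributes passed. Minor style point: the project writes `if (authentication == null) {` with a space after `if`. The body of vote continues past the end of the hunk.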

+ 10 - 0
core/src/test/java/org/springframework/security/access/vote/RoleVoterTests.java

@@ -1,6 +1,7 @@
 package org.springframework.security.access.vote;
 
 import static org.junit.Assert.*;
+import static org.fest.assertions.Assertions.*;
 
 import org.junit.Test;
 import org.springframework.security.access.AccessDecisionVoter;
@@ -21,4 +22,13 @@ public class RoleVoterTests {
         // Vote on attribute list that has two attributes A and C (i.e. only one matching)
         assertEquals(AccessDecisionVoter.ACCESS_GRANTED, voter.vote(userAB, this, SecurityConfig.createList("A","C")));
     }
+
+    // SEC-3128
+    @Test
+    public void nullAuthenticationDenies() {
+        RoleVoter voter = new RoleVoter();
+        voter.setRolePrefix("");
+        Authentication notAuthenitcated = null;
+        assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
+    }
 }
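Review bot: The local in the new test is misspelled, `Authentication notAuthenitcated = null;`, which will be copied by the next person who searches for a null-authentication example; rename it to `Authentication notAuthenticated = null;` on both lines where it appears. Since the voter now denies before looking at the prefix or attributes, the `voter.setRolePrefix("")` call and the non-empty attribute list look incidental to what is being asserted; if they are deliberate (for example to show denial happens even when an attribute would otherwise match), a short comment such as `// prefix and attributes are irrelevant: a null Authentication is denied before they are consulted` would make that explicit. Adding the fest-assertions static import next to the existing `org.junit.Assert.*` one mixes two assertion styles in the same test class; the earlier tests use assertEquals, so using it here too would avoid the new dependency, though that is a matter of project convention.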