
Handle Empty Role

Closes gh-13079
Josh Cummings 2 years ago
parent
commit
73a543d318

+ 1 - 1
core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -130,7 +130,7 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
 		String[] result = new String[roles.length];
 		for (int i = 0; i < roles.length; i++) {
 			String role = roles[i];
-			Assert.isTrue(!role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since "
+			Assert.isTrue(rolePrefix.isEmpty() || !role.startsWith(rolePrefix), () -> role + " should not start with " + rolePrefix + " since "
 					+ rolePrefix
 					+ " is automatically prepended when using hasAnyRole. Consider using hasAnyAuthority instead.");
 			result[i] = rolePrefix + role;
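Review bot: The new `rolePrefix.isEmpty() ||` guard on the `Assert.isTrue` line has no comment saying why an empty prefix is exempt, and the assertion message does not explain it either. Every string starts with the empty string, so without the guard the assertion rejected every role; a comment above the assertion such as `// startsWith("") is always true, so the prefix check only applies to a non-empty prefix` would record that. The documentation of `hasAnyRole` should also state that with an empty prefix the role names are used verbatim as authority strings, which makes the call equivalent to `hasAnyAuthority`. The enclosing method starts and ends outside the hunk.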

+ 5 - 0
core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java

@@ -266,4 +266,9 @@ public class AuthorityAuthorizationManagerTests {
 		assertThat(manager.check(authentication, object).isGranted()).isTrue();
 	}
 
+	// gh-13079
+	@Test
+	void hasAnyRoleWhenEmptyRolePrefixThenNoException() {
+		AuthorityAuthorizationManager.hasAnyRole("", new String[] { "USER" });
+	}
 }
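Review bot: `hasAnyRoleWhenEmptyRolePrefixThenNoException` asserts nothing about the manager it builds, so it would still pass if an empty prefix produced the wrong authority strings. For an authorization component the decision should be pinned as well: keep the returned manager and assert, in the style of the preceding test, `assertThat(manager.check(authentication, object).isGranted()).isTrue();` for an authentication that holds the authority `USER`. An `isFalse()` case for an authentication that holds only a different authority would cover the deny path. The setup of `authentication` and `object` lies outside the hunk, so the exact fixture is assumed from the test above.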