
AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains

Closes gh-10950
Marcus Da Coregio 3 years ago
parent
commit
8c94c2e15a

+ 1 - 1
web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java

@@ -51,7 +51,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implement
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
 		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 				filterInvocation.getHttpRequest());
-		return decision != null && decision.isGranted();
+		return decision == null || decision.isGranted();
 	}
 
 }
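Review bot: The changed return line now reports access as allowed whenever `check` returns null, but nothing in the visible code says that null means the AuthorizationManager abstained. Any manager that returns null by accident will now be treated as a grant, so the rule should be written down where the decision is made. I would add `// A null decision means the AuthorizationManager abstained; report the request as allowed.` above the return and state the same in the method's Javadoc. This presumably mirrors how the enforcing filter treats a null decision, which is worth confirming so that the evaluator and the filter cannot disagree. The method body starts outside this hunk.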

+ 7 - 0
web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java

@@ -65,4 +65,11 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 		assertThat(allowed).isFalse();
 	}
 
+	@Test
+	void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
+		given(this.authorizationManager.check(any(), any())).willReturn(null);
+		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+		assertThat(allowed).isTrue();
+	}
+
 }
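Review bot: The new test asserts only `isTrue()`, which would also pass if the evaluator returned true without ever consulting the AuthorizationManager. Because the abstain case is now the permissive path, I would pin the interaction as well by adding `verify(this.authorizationManager).check(any(), any());` after the assertion. The stub uses `any()` for both arguments, so the test also does not show that the request built for "/test" is what reaches the manager; that may be covered by tests outside this hunk. The test class starts outside the hunk.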