SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.

The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
Luke Taylor 15 years ago
Parent
Commit
984604b026
1 changed file with 1 addition and 1 deletion
  1. web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java (+1 -1)

+ 1 - 1
web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java

@@ -129,7 +129,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
             return true;
         }
 
-        if (authentication == null || authentication.getAuthorities().isEmpty()) {
+        if (authentication == null) {
             return false;
         }
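
Review bot: No test accompanies the relaxed guard at `if (authentication == null) {`; the commit touches only this one file, so nothing pins down the new behaviour for a non-null Authentication whose authority list is empty. Please add a test that passes such an Authentication and asserts the result now follows the AccessDecisionManager's decision, plus one that confirms a null authentication still returns false. The method's Javadoc should also state that only a null authentication is rejected up front. This is a behaviour change for callers that relied on the early `return false`: for a user with no authorities, the outcome now depends entirely on how the configured AccessDecisionManager and its voters treat an empty authority list, so deployments should confirm their configuration denies access in that case where it is meant to.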