SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint.

core/src/main/java/org/acegisecurity/intercept/web/SecurityEnforcementFilter.java

@@ -19,6 +19,7 @@ import net.sf.acegisecurity.AccessDeniedException;
 import net.sf.acegisecurity.AuthenticationException;
 import net.sf.acegisecurity.AuthenticationTrustResolver;
 import net.sf.acegisecurity.AuthenticationTrustResolverImpl;
+import net.sf.acegisecurity.InsufficientAuthenticationException;
 import net.sf.acegisecurity.context.security.SecureContextUtils;
 import net.sf.acegisecurity.ui.AbstractProcessingFilter;
 import net.sf.acegisecurity.util.PortResolver;
@@ -198,7 +199,9 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
                         accessDenied);
                 }
 
-                sendStartAuthentication(fi, null);
+                sendStartAuthentication(fi,
+                    new InsufficientAuthenticationException(
+                        "Full authentication is required to access this resource"));
             } else {
                 if (logger.isDebugEnabled()) {
                     logger.debug("Access is denied (user is not anonymous); sending back forbidden response",

doc/xdocs/changes.xml

@@ -26,7 +26,7 @@
   </properties>
   <body>
     <release version="0.8.1" date="In CVS">
-      <action dev="benalex" type="add">...</action>
+      <action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
     </release>
     <release version="0.8.0" date="2005-03-03">
       <action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>