Handle null Authentication.getAuthorities() in AuthorizeTag.

core/src/main/java/org/acegisecurity/taglibs/authz/AuthorizeTag.java

@@ -25,7 +25,12 @@ import org.springframework.util.StringUtils;
 
 import org.springframework.web.util.ExpressionEvaluationUtils;
 
-import java.util.*;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
 
 import javax.servlet.jsp.JspException;
 import javax.servlet.jsp.tagext.Tag;
@@ -130,6 +135,11 @@ public class AuthorizeTag extends TagSupport {
             return Collections.EMPTY_LIST;
         }
 
+        if ((null == currentUser.getAuthorities())
+            || (currentUser.getAuthorities().length < 1)) {
+            return Collections.EMPTY_LIST;
+        }
+
         Collection granted = Arrays.asList(currentUser.getAuthorities());
 
         return granted;

doc/xdocs/changes.xml

@@ -28,6 +28,7 @@
     <release version="0.8.2" date="In CVS">
       <action dev="benalex" type="fix">Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml</action>
       <action dev="benalex" type="fix">TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)</action>
+      <action dev="benalex" type="fix">Handle null Authentication.getAuthorities() in AuthorizeTag</action>
       <action dev="benalex" type="update">Add credentialsExpiredFailureUrl getter/setter to AbstractProcessingFilter</action>
       <action dev="benalex" type="update">Update commons-codec dependency to 1.3</action>
     </release>