From 984604b0262ac796d172b5a3fa075af6ca238019 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 28 Jan 2010 17:10:10 +0000
Subject: [PATCH] SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator. The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
---
 .../web/access/DefaultWebInvocationPrivilegeEvaluator.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
index 869f5dfabf..d60d3bdcb4 100644
--- a/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/DefaultWebInvocationPrivilegeEvaluator.java
@@ -129,7 +129,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
 return true;
 }
- if (authentication == null || authentication.getAuthorities().isEmpty()) {
+ if (authentication == null) {
 return false;
 }
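Review bot: The remaining `if (authentication == null)` guard has no comment saying why an empty authority list is no longer denied here, and the diffstat shows no test pinning the new behaviour. With the `isEmpty()` clause gone, the answer for a principal holding no authorities comes entirely from the configured AccessDecisionManager, so a manager that grants when every voter abstains would presumably now report the URL as allowed where this class used to return false. I would add `// null Authentication is denied outright; an empty authority list is decided by the AccessDecisionManager (SEC-1384)` above the check, and a unit test that passes an Authentication with no authorities and asserts that the manager's decision is what gets returned. The enclosing method starts and ends outside the hunk, so its Javadoc is not visible; if it still describes the authority check, it needs the same update.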