Do not setAuthenticated(false) in the event of a public (unsecured) invocation. Thanks to Joseph Dane for reporting this issue on acegisecurity-developer on 3 September 2005.

core/src/main/java/org/acegisecurity/intercept/AbstractSecurityInterceptor.java

@@ -466,19 +466,6 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean,
 
             this.context.publishEvent(new PublicInvocationEvent(object));
 
-            // Set Authentication object (if it exists) to be unauthenticated
-            if (SecurityContextHolder.getContext().getAuthentication() != null) {
-                if (logger.isDebugEnabled()) {
-                    logger.debug(
-                        "Authentication object detected and tagged as unauthenticated");
-                }
-
-                Authentication authenticated = SecurityContextHolder.getContext()
-                                                                    .getAuthentication();
-                authenticated.setAuthenticated(false);
-                SecurityContextHolder.getContext().setAuthentication(authenticated);
-            }
-
             return null; // no further work post-invocation
         }
     }