diff --git a/core/src/main/java/org/acegisecurity/userdetails/User.java b/core/src/main/java/org/acegisecurity/userdetails/User.java
index e4a2bd8b6b..45c3e532eb 100644
--- a/core/src/main/java/org/acegisecurity/userdetails/User.java
+++ b/core/src/main/java/org/acegisecurity/userdetails/User.java
@@ -48,6 +48,8 @@ public class User {
      *        is enabled
      *
      * @throws IllegalArgumentException if a <code>null</code> value was passed
+     *         either as a parameter or as an element in the
+     *         <code>GrantedAuthority[]</code> array
      */
     public User(String username, String password, boolean enabled,
         GrantedAuthority[] authorities) throws IllegalArgumentException {
@@ -56,6 +58,14 @@ public class User {
                 "Cannot pass null values to constructor");
         }
 
+        for (int i = 0; i < authorities.length; i++) {
+            if (authorities[i] == null) {
+                throw new IllegalArgumentException("Granted authority element "
+                    + i
+                    + " is null - GrantedAuthority[] cannot contain any null elements");
+            }
+        }
+
         this.username = username;
         this.password = password;
         this.enabled = enabled;
diff --git a/core/src/test/java/org/acegisecurity/providers/dao/UserTests.java b/core/src/test/java/org/acegisecurity/providers/dao/UserTests.java
index c4a672e177..8490947518 100644
--- a/core/src/test/java/org/acegisecurity/providers/dao/UserTests.java
+++ b/core/src/test/java/org/acegisecurity/providers/dao/UserTests.java
@@ -84,6 +84,19 @@ public class UserTests extends TestCase {
         }
     }
 
+    public void testNullWithinGrantedAuthorityElementIsRejected()
+        throws Exception {
+        try {
+            User user = new User(null, "koala", true,
+                    new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_ONE"), new GrantedAuthorityImpl(
+                            "ROLE_TWO"), null, new GrantedAuthorityImpl(
+                            "ROLE_THREE")});
+            fail("Should have thrown IllegalArgumentException");
+        } catch (IllegalArgumentException expected) {
+            assertTrue(true);
+        }
+    }
+
     public void testUserGettersSetter() throws Exception {
         User user = new User("marissa", "koala", true,
                 new GrantedAuthority[] {new GrantedAuthorityImpl("ROLE_ONE"), new GrantedAuthorityImpl(