This is how spring-security works by default.
From the docs:
Note that there is no real conceptual difference between a user who is “anonymously authenticated” and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.

There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the SecurityContextHolder always contains an Authentication object, and never null.
If you need to check if it is an anonymousUser, then you can check whether the Authentication object is an AnonymousAuthenticationToken instance or not.
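
The check described above, as an added example that is not part of the original answer. The class name CurrentUser, the user "alice" and the sample tokens are hypothetical; the example uses AuthenticationTrustResolverImpl, Spring Security's own wrapper around the instanceof test, and assumes Spring Security is on the classpath.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper: tells a real login apart from the default anonymous token. */
public final class CurrentUser {

    // Treats AnonymousAuthenticationToken (and subclasses) as anonymous.
    private static final AuthenticationTrustResolver TRUST =
            new AuthenticationTrustResolverImpl();

    private CurrentUser() {
    }

    /**
     * A null check plus isAuthenticated() is not enough on its own:
     * the anonymous token is non-null and reports itself as authenticated,
     * so the anonymous case has to be excluded explicitly.
     */
    public static boolean isLoggedIn(Authentication auth) {
        return auth != null && auth.isAuthenticated() && !TRUST.isAnonymous(auth);
    }

    /** Same check against whatever the current thread's SecurityContext holds. */
    public static boolean isLoggedIn() {
        return isLoggedIn(SecurityContextHolder.getContext().getAuthentication());
    }

    public static void main(String[] args) {
        // Constructed sample tokens, built the way the filter chain would build them.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "constructed-key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        System.out.println("naive check, anonymous: " + anonymous.isAuthenticated());
        System.out.println("isLoggedIn, anonymous:  " + isLoggedIn(anonymous));
        System.out.println("isLoggedIn, alice:      " + isLoggedIn(alice));
        System.out.println("isLoggedIn, no token:   " + isLoggedIn(null));
    }
}
```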