diff --git a/neverpile-commons-authorization/src/main/java/com/neverpile/common/authorization/policy/impl/PolicyBasedAuthorizationService.java b/neverpile-commons-authorization/src/main/java/com/neverpile/common/authorization/policy/impl/PolicyBasedAuthorizationService.java
index d600ed6..696fe6e 100644
--- a/neverpile-commons-authorization/src/main/java/com/neverpile/common/authorization/policy/impl/PolicyBasedAuthorizationService.java
+++ b/neverpile-commons-authorization/src/main/java/com/neverpile/common/authorization/policy/impl/PolicyBasedAuthorizationService.java
@@ -75,7 +75,7 @@ public boolean isAccessAllowed(final String resourceSpecifier, final Set
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 List matchingRules = policy.getRules().stream() //
- .filter(authentication.isAuthenticated() //
+ .filter(null != authentication && authentication.isAuthenticated() //
 ? (r) -> matchesAuthentication(r, authentication) //
 : this::matchesAnonymousUser) //
 .filter(r -> matchesResource(r, resourceSpecifier)) //
@@ -101,7 +101,7 @@ public boolean isAccessAllowed(final String resourceSpecifier, final Set
 policy.getDefaultEffect() != null ? policy.getDefaultEffect() : Effect.DENY;
 LOGGER.debug("Authorization for {} on {} with principal {}: {}", actions, resourceSpecifier,
- authentication.isAuthenticated() ? authentication.getPrincipal() : "anonymous", e);
+ authentication != null && authentication.isAuthenticated() ? authentication.getPrincipal() : "anonymous", e);
 return e == Effect.ALLOW;
 }
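Review bot: The new guard in the first `.filter(...)` still selects the rule matcher on `authentication.isAuthenticated()` alone, and if `SecurityContextHolder` here is Spring Security's, an `AnonymousAuthenticationToken` reports `isAuthenticated() == true`, so a request that passed through the anonymous filter would be evaluated by `matchesAuthentication` rather than `matchesAnonymousUser`. Whether that changes the access decision depends on `matchesAuthentication`, which is outside the hunk, so it is worth confirming with a test that uses an anonymous token. The same condition is repeated in the `LOGGER.debug` call of the second hunk, spelled the other way round (`null != authentication` vs `authentication != null`). Computing it once right after `getAuthentication()`, e.g. `final boolean authenticated = authentication != null && authentication.isAuthenticated() && !(authentication instanceof AnonymousAuthenticationToken);`, and using `authenticated` in both places keeps rule selection and the audit log line in agreement. The body of `isAccessAllowed` starts before the first hunk.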