SecurityContextHolderAwareRequestWrapper do not expose Authentication if user was anonymous (see getAuthentication() method).
It is fine but for example while using with webflow it is not so good. Webflow expose request principal (request.getPrincipal()) as "currentUser". It means we will never have currentUser set if it was anonymous.
It may be good to add some property to SecurityContextHolderAwareRequestWrapper class to tell that we want to expose anonymous user.