Something has broken from M2 to RC1 with the authorize tag library.
The above code used to work if the user was not logged in... hence this code would execute because a non-authenticated user would not have this role. Now the code does not execute unless a principal is logged in... which defeats the purpose of this code entirely.
Suggestion: If this is really how you want this tag library to work, I suggest created a new tag that works like this:
<a id="loginLink" href="/myapp/rest/login"><img src="/myapp/images/login.gif" alt="Login"/>Login</a>
There are countless situations where I actually don't care what their role is or any of that - I just want to make sure the principal exists. If it does, then show the code. If it doesn't? Then don't render it. Pretty simple.
Having said that, was the breakage of the old code from M2 deliberate?