This is pretty much assumed anyway by most of the internal code which processes the Authentication object. Previously it was assumed that null should mean that the token hadn't been authenticated. It should be made clear that getAuthorities never returns null. Since we are now using a Collection internally and in the API, it is easy to always return the same instance, so there is no concern about using resources unnecessarily. It also simplifies internal and external logic, as the null case doesn't have to be dealt with separately.
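
The contract described above, sketched as an added example that is not the project's own code. ExampleToken, NO_AUTHORITIES, hasAuthority and the use of plain String authorities are assumptions made for illustration, as is the explicit authenticated flag.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Hypothetical stand-in for an authentication token; not the project's class.
final class ExampleToken {
    // One shared immutable instance serves every token without authorities.
    private static final Collection<String> NO_AUTHORITIES = Collections.emptyList();

    private final Collection<String> authorities;
    private final boolean authenticated;

    ExampleToken(Collection<String> authorities, boolean authenticated) {
        if (authorities == null || authorities.isEmpty()) {
            this.authorities = NO_AUTHORITIES; // normalise null at construction
        } else {
            for (String a : authorities) {
                if (a == null) {
                    throw new IllegalArgumentException("authorities must not contain null");
                }
            }
            // Defensive copy: later changes to the caller's list cannot alter the token.
            this.authorities = Collections.unmodifiableList(new ArrayList<>(authorities));
        }
        this.authenticated = authenticated;
    }

    /** Never returns null; an empty collection means "no authorities". */
    Collection<String> getAuthorities() { return authorities; }

    /** Assumption of this sketch: state is held explicitly, not encoded as null. */
    boolean isAuthenticated() { return authenticated; }
}

public class AuthoritiesContractDemo {
    // Caller logic needs no separate null branch.
    static boolean hasAuthority(ExampleToken token, String required) {
        return token.isAuthenticated() && token.getAuthorities().contains(required);
    }

    public static void main(String[] args) {
        ExampleToken anonymous = new ExampleToken(null, false);
        ExampleToken admin = new ExampleToken(List.of("ROLE_ADMIN"), true);
        ExampleToken noRoles = new ExampleToken(null, true);
        System.out.println("anonymous has ROLE_ADMIN: " + hasAuthority(anonymous, "ROLE_ADMIN"));
        System.out.println("admin has ROLE_ADMIN: " + hasAuthority(admin, "ROLE_ADMIN"));
        System.out.println("empty instance shared: "
                + (anonymous.getAuthorities() == noRoles.getAuthorities()));
    }
}
```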