The reason of this behavior is that anonymous users do not have roles. In other words, the problem is found from your application context configuration file:
You should use the permitAll() expression here. Also, you need to enable expressions since they are disabled by default. The relevant part of your application context configuration file should look as follows: