Describe the bug
DefaultAuthorizationManagerFactory.anonymous() applies the configured additionalAuthorization, which contradicts the documented contract of setAdditionalAuthorization(...):
This does not affect anonymous, permitAll, or denyAll.
permitAll() and denyAll() are correctly unaffected, but anonymous() is affected.
To Reproduce
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

DefaultAuthorizationManagerFactory<String> factory = new DefaultAuthorizationManagerFactory<>();
// any additional gate that an anonymous user cannot satisfy (e.g. an MFA factor requirement)
factory.setAdditionalAuthorization((authentication, object) -> new AuthorizationDecision(false));
AuthorizationManager<String> anonymous = factory.anonymous();
Authentication anonymousToken = new AnonymousAuthenticationToken("key", "anonymousUser",
		AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
// Expected (per the contract): granted, because anonymous() is not affected by additionalAuthorization
boolean granted = anonymous.authorize(() -> anonymousToken, "").isGranted();
// Actual: false
Equivalently, when configured through AuthorizationManagerFactories.multiFactor().requireFactors(...), anonymous requests are denied because an anonymous user holds none of the required factors.
Expected behavior
anonymous() is not affected by additionalAuthorization (as documented), so an anonymous authentication is granted.
Root cause
anonymous() routes through the same createManager(AuthenticatedAuthorizationManager) path as authenticated(), fullyAuthenticated(), and rememberMe(), which wraps the manager via withAdditionalAuthorization(...). permitAll() and denyAll() are inherited interface defaults and never go through that path, so they remain unaffected.
I will submit a PR with a regression test.
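The following JUnit test is an added example written for this page; it is not the regression test from the reporter's PR and not code from the Spring Security repository. It spells out the full contract of setAdditionalAuthorization(...) as described in the issue: the additional gate constrains authenticated() (and, by the same code path, fullyAuthenticated() and rememberMe()) but must leave anonymous(), permitAll() and denyAll() alone. It assumes the class and method names quoted in the issue (DefaultAuthorizationManagerFactory, setAdditionalAuthorization, anonymous, authenticated, permitAll, denyAll), uses JUnit 5 with AssertJ as Spring Security's own test suite does, and uses TestingAuthenticationToken as a stand-in for a non-anonymous principal. On a build with the bug, anonymousIgnoresAdditionalAuthorization() fails; the other tests pass on both the buggy and the fixed build.

```java
import static org.assertj.core.api.Assertions.assertThat;

import java.util.function.Supplier;

import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.DefaultAuthorizationManagerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example, not part of the project or the reporter's PR.
class DefaultAuthorizationManagerFactoryAdditionalAuthorizationTests {

	// An anonymous principal as produced by AnonymousAuthenticationFilter.
	private final Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
			AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

	// A fully authenticated user who nevertheless cannot satisfy the additional gate.
	private final Authentication user = new TestingAuthenticationToken("user", "password", "ROLE_USER");

	// Factory whose additional gate denies everything (stand-in for an unmet MFA factor requirement).
	private DefaultAuthorizationManagerFactory<String> factoryDenyingAll() {
		DefaultAuthorizationManagerFactory<String> factory = new DefaultAuthorizationManagerFactory<>();
		factory.setAdditionalAuthorization((authentication, object) -> new AuthorizationDecision(false));
		return factory;
	}

	private static boolean granted(AuthorizationManager<String> manager, Authentication authentication) {
		Supplier<Authentication> supplier = () -> authentication;
		return manager.authorize(supplier, "").isGranted();
	}

	@Test
	void anonymousIgnoresAdditionalAuthorization() {
		// Documented contract: anonymous() is not affected by additionalAuthorization.
		assertThat(granted(factoryDenyingAll().anonymous(), anonymous)).isTrue();
	}

	@Test
	void permitAllAndDenyAllIgnoreAdditionalAuthorization() {
		DefaultAuthorizationManagerFactory<String> factory = factoryDenyingAll();
		assertThat(granted(factory.permitAll(), anonymous)).isTrue();
		assertThat(granted(factory.permitAll(), user)).isTrue();
		assertThat(granted(factory.denyAll(), user)).isFalse();
	}

	@Test
	void authenticatedAppliesAdditionalAuthorization() {
		DefaultAuthorizationManagerFactory<String> factory = factoryDenyingAll();
		// The user passes the base "authenticated" check but is stopped by the additional gate.
		assertThat(granted(factory.authenticated(), user)).isFalse();
		// An anonymous user is denied by authenticated() regardless of the gate.
		assertThat(granted(factory.authenticated(), anonymous)).isFalse();
	}

	@Test
	void authenticatedStillGrantsWhenAdditionalAuthorizationPasses() {
		DefaultAuthorizationManagerFactory<String> factory = new DefaultAuthorizationManagerFactory<>();
		factory.setAdditionalAuthorization((authentication, object) -> new AuthorizationDecision(true));
		assertThat(granted(factory.authenticated(), user)).isTrue();
		assertThat(granted(factory.anonymous(), anonymous)).isTrue();
	}

}
```

The always-deny gate is deliberately the simplest way to expose the bug: with a real factor requirement the outcome depends on which authorities the test principal carries, whereas an unconditional deny makes any leakage of the gate into anonymous() visible on the first assertion.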