Currently there is no check in the LastGrantedAuthorities when we add the "authenticated" role to the list we return. In case the SecurityRealm already provide such role, we must ensure there is only "authenticated" role at the end.