As a follow-up to gh-17585, consider preventing a null defaultRolePrefix in SecurityExpressionRoot and subclasses of AbstractSecurityExpressionHandler for more consistent behavior. This would break passivity in Spring Security 7.

Context:

Currently, SecurityExpressionRoot and subclasses of AbstractSecurityExpressionHandler allow a null defaultRolePrefix to be configured. The javadoc states:

If null or empty, then no default role prefix is used.

When switching to using an AuthorizationManager created by AuthorizationManagerFactory in SecurityExpressionRoot, we can no longer set a null role prefix. To work around this for passivity, we can set the role prefix to blank before setting it on an AuthorizationManagerFactory. See updates to SecurityExpressionRoot in #17673 for context.

Instead, we can consider throwing an IllegalArgumentException when null is passed into any setDefaultRolePrefix method.