According to the Mojarra API documentation, ExternalContext.isUserInRole(String role) should throw a NullPointerException.
As of now it does not.
The Servlet API documentation for HttpServletResponse.isUserInRole(String role) (which is what we call through to) states the following:
a boolean indicating whether the user making this request belongs to a given role; false if the user has not been authenticated
So they are handling "null" and just returning false.