diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
index 6fb8607..2bb24ee 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
@@ -182,7 +182,7 @@
      *             if not authorized
      */
     public void validateSuperUserAccess() {
-        if (config().isAuthenticationEnabled()) {
+        if (config().isAuthenticationEnabled() && config().isAuthorizationEnabled()) {
             String appId = clientAppId();
             if (log.isDebugEnabled()) {
                 log.debug("[{}] Check super user access: Authenticated: {} -- Role: {}", uri.getRequestUri(),
@@ -218,7 +218,7 @@
                 log.debug("Successfully authorized {} (proxied by {}) as super-user",
                           originalPrincipal, appId);
             } else {
-                if (config().isAuthorizationEnabled() && !pulsar.getBrokerService()
+                if (!pulsar.getBrokerService()
                         .getAuthorizationService()
                         .isSuperUser(appId, clientAuthData())
                         .join()) {