The description is the same as for the older bug 39255, except it is produced at org.apache.catalina.authenticator.AuthenticatorBase.register(AuthenticatorBase.java:688).

Please see the following link: https://issues.apache.org/bugzilla/show_bug.cgi?id=39255

This bug has been fixed for Tomcat 5.5.16, but it looks to have appeared again in Tomcat 7.

This is the excerpt from AuthenticatorBase.java:

    public void register(Request request, HttpServletResponse response,
                         Principal principal, String authType,
                         String username, String password) {

        if (log.isDebugEnabled())
            log.debug("Authenticated '" + principal.getName() + "' with type '"
                + authType + "'");

It is seen that there is no longer a condition to verify if principal is null.

Specifically, the NullPointerException is thrown when calling the HttpServletRequest.logout method from a JSF managed bean. According to the Java EE 6 documentation, the logout method establishes null as the value returned when getUserPrincipal, getRemoteUser, and getAuthType are called on the request. Hence the exception is thrown.
Looks like this never got applied to 6.0.x (or 7.0.x). I have fixed 7.0.x (will be in 7.0.11 onwards) and proposed the fix for 6.0.x.
This has been fixed in trunk and will be included in 6.0.33 onwards.
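
A stand-alone illustration of the failure described in the report, added here and not taken from Tomcat or from the committed fix: it reproduces the unguarded debug statement next to one null-safe form, and shows that the exception depends on debug logging being enabled. The class, method and flag names are hypothetical, and passing a null authType on the logout path is an assumption.

```java
import java.security.Principal;

// Added illustration, not Tomcat source. Class, method and flag names are hypothetical.
public class RegisterDebugLogDemo {

    // Stand-in for log.isDebugEnabled(); the quoted statement only runs when this is true.
    static boolean debugEnabled = true;

    // Same shape as the excerpt in the report: principal is dereferenced unconditionally.
    static void registerUnguarded(Principal principal, String authType) {
        if (debugEnabled)
            System.out.println("Authenticated '" + principal.getName()
                    + "' with type '" + authType + "'");
    }

    // Guarded variant: a null principal (the post-logout state) is logged as "none".
    static void registerGuarded(Principal principal, String authType) {
        if (debugEnabled) {
            String name = (principal == null) ? "none" : principal.getName();
            System.out.println("Authenticated '" + name
                    + "' with type '" + authType + "'");
        }
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";      // constructed sample principal

        registerUnguarded(alice, "FORM");     // login path: logs normally
        try {
            registerUnguarded(null, null);    // logout path (assumed arguments)
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException on logout");
        }

        debugEnabled = false;
        registerUnguarded(null, null);        // statement skipped, so no exception
        debugEnabled = true;

        registerGuarded(alice, "FORM");       // logs normally
        registerGuarded(null, null);          // logs 'none' instead of throwing
    }
}
```

Because the dereference sits inside the debug-only branch, a deployment with debug logging off never reaches it, which is why the failure shows up only after raising the authenticator's log level.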