In case AuthConfigFactoryImpl.detachListener() is called for a combination of layer and appContext for which there is no registration (e.g. because the registration was already removed, or due to wrong layer and/or appContext) the method throws a NPE. It does not check for null the result from the call to findRegistrationContextImpl, which is null if such registration does not exist.
This pull request contains a test case, which illustrates the problem and a fix for it: https://github.com/apache/tomcat/pull/85
Thanks for the patch and bonus points for including a test case. Fixed in: - trunk for 9.0.2 onwards - 8.5.x for 8.5.24 onwards