AuthConfigFactoryImpl.removeRegistration() removes the registration from the in-memory structures, but in case the registration is persistent it should also remove the provider from the persistent storage. The result is that even when a provider is removed, if the providers list is reloaded from persistent storage the removed provider appears again.
This pull request contains a test case which illustrates the problem and a fix for it: https://github.com/apache/tomcat/pull/91
Once again, many thanks. Fixed in: - trunk for 9.0.2 onwards - 8.5.x for 8.5.24 onwards