I'm not sure yet whether I have some type of misconfiguration which triggers this error, but I'm pretty confident that this is a bug in the Tomcat code either way. Line 2767 in org.apache.catalina.connector.Request.logout() throws a NullPointerException when Context.getAuthenticator() returns is null. I believe that this is inappropriate, a null check should be performed, per the Javadoc for org.apache.catalina.Context.getAuthenticator(): /** * @return the {@link Authenticator} that is used by this context or * <code>null</code> if none is used. */ If null is a valid return value per the API contract, then any calling code should probably do a null check rather than throwing an NPE. There are null checks elsewhere in org.apache.catalina.connector.Request, they simply throw new ServletException("no authenticator").
Different error, but same root cause. We probably need to clean-up the code now an Authenticator is always present but that is a separate issue. *** This bug has been marked as a duplicate of bug 62104 ***