Any not mandatory requests will throw following error when the Security Manager is enabled: SCHWERWIEGEND: Exception Processing /login/login.jsp java.lang.SecurityException: Es wird versucht, ein Objekt hinzuzufügen, das keine Instanz von java.security.Principal für eine Principal-Gruppe eines Subjekts ist at javax.security.auth.Subject$SecureSet.add(Subject.java:1125) at java.util.Collections$SynchronizedCollection.add(Collections.java:2035) at org.apache.catalina.connector.Request.newSubject(Request.java:1969) at org.apache.catalina.connector.Request.setUserPrincipal(Request.java:1953) at org.apache.catalina.authenticator.AuthenticatorBase.authenticateJaspic(AuthenticatorBase.java:765) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:562) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Sorry for the German error message, but the it basically says that it is not allowed to add 'null' as a principal to the Subject. This is when I forward the user to the login page where I can't have a Principal because the user is not logged in yet. And for not mandatory requests I shouldn't require a principal at all or I'm completely wrong?
Fixed in: - trunk for 9.0.8 onwards - 8.5.x for 8.5.31 onwards