When authentication takes place via JASPIC and there was no cached user principal, the clientSubject is stored in the request:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L813

On logout, the stored clientSubject is retrieved in order to pass it as an argument to ServerAuthContext#cleanSubject():
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L1138

The problem is, when authentication was performed on a previous request (it was cached), the subject is not stored, and so cleanSubject is not called, since the subject must not be null.

The solution might be just to always store the subject, despite the authentication being cached. I can provide a PR myself if someone confirms that's a valid solution.

I have only tested this on 8.5.20 (TomEE 7.0.4) but the affected code is the same on other versions.
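The following is an added illustration, not part of the bug report and not Tomcat's AuthenticatorBase or the JASPIC API. It models the path the report describes in a self-contained way: validation fills a client Subject on every request, but the subject is only stored in the request when authentication was not served from the cache, so the logout path finds nothing to hand to cleanSubject(). Flipping the `alwaysStoreSubject` flag shows the proposed fix. The names SubjectCleaner, Request, Authenticator, JaspicLogoutDemo and the note key "jaspic.subject" are assumptions of this example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

/** Simplified model of the reported JASPIC subject handling (hypothetical names, not Tomcat code). */
public class JaspicLogoutDemo {

    /** Stand-in for ServerAuthContext#cleanSubject(); real implementations clear credentials here. */
    interface SubjectCleaner {
        void cleanSubject(Subject subject);
    }

    /** Minimal request: per-request notes plus a session map that survives across requests. */
    static final class Request {
        static final String JASPIC_SUBJECT_NOTE = "jaspic.subject"; // constructed note key
        final Map<String, Object> notes = new HashMap<>();
        final Map<String, Principal> session; // shared by all requests of one user
        Request(Map<String, Principal> session) { this.session = session; }
    }

    static final String CACHED_PRINCIPAL = "cached.principal"; // constructed session key

    static final class Authenticator {
        final boolean alwaysStoreSubject; // false = behaviour in the report, true = proposed fix
        final SubjectCleaner ctx;

        Authenticator(boolean alwaysStoreSubject, SubjectCleaner ctx) {
            this.alwaysStoreSubject = alwaysStoreSubject;
            this.ctx = ctx;
        }

        boolean authenticate(Request req, String user) {
            boolean cachedAuth = req.session.containsKey(CACHED_PRINCIPAL);
            // validateRequest() runs on every request and populates the client Subject
            Subject client = new Subject();
            Principal principal = () -> user;
            client.getPrincipals().add(principal);
            if (!cachedAuth) {
                // register(): cache the principal so later requests skip registration
                req.session.put(CACHED_PRINCIPAL, principal);
                if (!alwaysStoreSubject) {
                    req.notes.put(Request.JASPIC_SUBJECT_NOTE, client); // only stored when not cached
                }
            }
            if (alwaysStoreSubject) {
                req.notes.put(Request.JASPIC_SUBJECT_NOTE, client); // fix: store regardless of cache
            }
            return true;
        }

        /** Logout path: cleanSubject() is reached only if a subject was stored on this request. */
        boolean logout(Request req) {
            Subject subject = (Subject) req.notes.get(Request.JASPIC_SUBJECT_NOTE);
            if (subject != null) {
                ctx.cleanSubject(subject);
            }
            req.session.remove(CACHED_PRINCIPAL);
            return subject != null;
        }
    }

    /** Two requests in one session; the second hits the cache. Returns whether its logout reached cleanSubject(). */
    static boolean cleanSubjectCalledOnCachedLogout(boolean alwaysStoreSubject) {
        Authenticator auth = new Authenticator(alwaysStoreSubject, s -> s.getPrivateCredentials().clear());
        Map<String, Principal> session = new HashMap<>();
        Request first = new Request(session);
        auth.authenticate(first, "alice");  // not cached: subject stored either way
        Request second = new Request(session);
        auth.authenticate(second, "alice"); // cached: subject stored only with the fix
        return auth.logout(second);
    }

    public static void main(String[] args) {
        System.out.println("cleanSubject on cached logout, reported behaviour: "
                + cleanSubjectCalledOnCachedLogout(false));
        System.out.println("cleanSubject on cached logout, always storing subject: "
                + cleanSubjectCalledOnCachedLogout(true));
    }
}
```

The check worth keeping from this model is the second request: anything that keys the logout cleanup on a per-request note must write that note on every authenticated request, cached or not, otherwise credentials held by the JASPIC provider are never cleaned for a session that was authenticated earlier.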
Since it was (IMHO) a one-line change, I provided a PR: https://github.com/apache/tomcat/pull/116
+1 That was pretty much the change I was thinking of after reviewing the code and your bug description.

Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards