I think that a fix to more gracefully handle this situation and help diagnose the issue is definitely warranted. The Subject should not be null at all though, so that is your underlying issue.

I think a null check and maybe an ERROR level log message that there seems to be something wrong with authentication, resulting in a null Subject at identity assertion time. In terms of behavior changes, perhaps an IllegalStateException makes sense. My inclination is to think this is a dev time or test env issue where this would probably work. Throw an IllegalStateException with a message indicating that the Subject should have been established from authentication/federation and has not.

Thank you for reporting it. Please file a JIRA and attach a patch for the fix.

On Wed, Dec 20, 2017 at 12:18 PM, Rick Kellogg <rmkell...@comcast.net> wrote:

> Greetings,
>
> While debugging my Kerberos woes, I think I have identified an issue. I
> have enabled the default identity-assertion provider which uses
> CommonIdentityAssertionFilter. Within the doFilter method this call
> evaluates the Subject:
>
> Subject subject = Subject.getSubject(AccessController.getContext());
>
> In my case, the subject is null and the subsequent call to determine the
> principalName causes a NullPointerException.
>
> Can/should we add a check for null after the line above? I just don't know
> the correct behavior. Do we throw another exception or simply set
> mappedPrincipalName and groups to null?
>
> Thoughts?
> Rick Kellogg
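The fix discussed in the thread (null check, ERROR-level log, IllegalStateException) in a self-contained form, added here as an illustration; this is not Knox's CommonIdentityAssertionFilter and does not depend on the servlet API. The class name, the resolvePrincipalName method and the sample principal "alice@EXAMPLE.COM" are constructed for the example. It uses java.util.logging in place of the project's logger and reproduces both situations: a Subject bound through Subject.doAs, as an authentication/federation provider would do, and no Subject bound at all, which is the case Rick hit.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;

/** Hypothetical stand-in for the identity-assertion step; not the project's own filter. */
public class IdentityAssertionNullCheck {

    private static final Logger LOG = Logger.getLogger(IdentityAssertionNullCheck.class.getName());

    /**
     * Resolves the primary principal name from the Subject bound to the current
     * access control context, the same lookup the thread quotes from doFilter.
     * A missing Subject is an upstream authentication failure, so it is logged at
     * ERROR level and surfaced as an IllegalStateException instead of a later NPE.
     */
    static String resolvePrincipalName() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            LOG.log(Level.SEVERE, "No Subject bound at identity assertion time; "
                    + "authentication/federation should have established one before this filter ran.");
            throw new IllegalStateException(
                    "Subject should have been established by authentication/federation but was null");
        }
        return subject.getPrincipals().stream()
                .map(Principal::getName)
                .findFirst()
                .orElseThrow(() -> new IllegalStateException("Subject carries no principals"));
    }

    public static void main(String[] args) {
        // Case 1: an authentication provider has bound a Subject via Subject.doAs.
        Subject authenticated = new Subject();
        authenticated.getPrincipals().add(() -> "alice@EXAMPLE.COM"); // constructed sample principal
        String name = Subject.doAs(authenticated,
                (PrivilegedAction<String>) IdentityAssertionNullCheck::resolvePrincipalName);
        System.out.println("Asserted principal: " + name);

        // Case 2: nothing bound the Subject (the situation from the thread).
        // Fails with a diagnosable message rather than a NullPointerException.
        try {
            resolvePrincipalName();
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (javac IdentityAssertionNullCheck.java && java IdentityAssertionNullCheck); the first call prints the asserted principal, the second the rejection message. One caveat for anyone porting this to a current JDK: Subject.getSubject(AccessController.getContext()) is the API the thread quotes, but it is deprecated in recent releases in favour of Subject.current(), which performs the same lookup without going through AccessController.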