Hi Peter, I committed a fix for SHIRO-141 [1] earlier today and it looks good - tests pass and sample apps run well. However, before closing the issue, I wanted to address your comment with the two stack traces.
The first stack trace shows SecurityUtils lazily creating a Subject via the Subject.Builder. SecurityUtils would only do this if there is no existing thread-bound WebSubject. In a webapp, there should always be a WebSubject bound to the current thread. Any idea why there wouldn't be one in that stack trace? The second stack trace looks to be from the same problem after the subject has been created. Any idea? - Les [1] https://issues.apache.org/jira/browse/SHIRO-141
