> It appears to be a Tomcat-specific issue :( This seems to be a problem with Shiro's OncePerRequestFilter and Tomcat. The trouble is, Tomcat completes the execution of the filters on the main request before then (apparently) forwarding to the error handler. So before the error handler is invoked, the Shiro filter clears the thread local variables, including the bound security manager. The security manager is never bound again because the Shiro filter extends OncePerRequestFilter which works out that this is still the same request (it's a forward, you see).
Is this incorrect behaviour in Tomcat? I have no idea. The servlet specification does leave some holes, which means that it's not clear what the correct behaviour should be. Note that Tomcat only appears to perform a forward after completing the current request when it's forwarding to an error handler.

Cheers,
Peter
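
A simplified model of the sequence described in the message above, added here as an illustration: it is not code from the original post, from Shiro, or from Tomcat, and every name in it (`filter`, `handle`, `FILTERED`, `SECURITY_MANAGER`) is hypothetical. It contrasts an error dispatch that runs after the filter chain has unwound with one that runs inside the first pass.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the sequence described in the message; not Shiro or Tomcat code.
// Every class, method and attribute name below is hypothetical.
public class OncePerRequestErrorForwardDemo {
    // Stands in for the thread-bound security manager.
    static final ThreadLocal<String> SECURITY_MANAGER = new ThreadLocal<>();
    static final String FILTERED = "demo.ALREADY_FILTERED";

    interface Chain { void proceed(Map<String, Object> request); }

    // Once-per-request filter: binds on first entry, skips on re-entry of the
    // same request, and clears the thread-local when the first pass unwinds.
    static void filter(Map<String, Object> request, Chain chain) {
        if (request.containsKey(FILTERED)) {
            chain.proceed(request);        // treated as the same request: no re-binding
            return;
        }
        request.put(FILTERED, Boolean.TRUE);
        SECURITY_MANAGER.set("securityManager");
        try {
            chain.proceed(request);
        } finally {
            SECURITY_MANAGER.remove();     // cleanup at the end of the main pass
        }
    }

    // errorAfterChain == true: the error dispatch runs after the filter chain has
    // unwound (what the message reports for Tomcat); false: inside the first pass.
    static String handle(boolean errorAfterChain) {
        Map<String, Object> request = new HashMap<>();
        String[] seen = new String[1];
        Chain errorDispatch = r -> filter(r, inner -> seen[0] = SECURITY_MANAGER.get());
        filter(request, r -> { if (!errorAfterChain) errorDispatch.proceed(r); });
        if (errorAfterChain) errorDispatch.proceed(request);
        return seen[0] == null ? "no security manager bound" : "bound: " + seen[0];
    }

    public static void main(String[] args) {
        System.out.println("error dispatch after chain:  " + handle(true));
        System.out.println("error dispatch inside chain: " + handle(false));
    }
}
```

In the first case the error handler runs with nothing bound to the thread, so any security check it performs has no security manager to consult.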
