The fix to bug 52953 introduces a NullPointerException at line 409 in RealmBase.java.

For example, compare:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_26/java/org/apache/catalina/realm/RealmBase.java
and
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_27/java/org/apache/catalina/realm/RealmBase.java

    String md5a1 = getDigest(username, realm);

was changed to

    String md5a1 = getDigest(username, realm).toLowerCase(Locale.ENGLISH);

getDigest(username, realm) returns null if the user is not found, and as a result you get an NPE when toLowerCase() is invoked on the null.

I looked in the trunk, and the code hasn't changed. Seems like there should already be a bug posted on this as it makes digest authentication useless, but I can't find one!
There's also an issue with logging and this bug, as the NullPointerException is not logged in any of the standard log files (catalina.out etc). For example, this is what is returned in a web browser, but no mention of this is found in any of the log files.

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.NullPointerException
	org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:409)
	org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:111)
	org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:150)
	org.apache.catalina.authenticator.DigestAuthenticator$DigestInfo.authenticate(DigestAuthenticator.java:720)
	org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:294)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	java.lang.Thread.run(Thread.java:680)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.34 logs.
Thanks for the report. This has been fixed in trunk and 7.0.x and will be included in 7.0.36 onwards.
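
The failure mode reported in the first comment, as an added Java example that is neither Tomcat's code nor the fix that was committed: a lookup that returns null for an unknown user, the unguarded toLowerCase() call, and a guarded variant that treats the null as a failed login. The class name, the in-memory store, and the sample user, realm, password and nonce are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.Map;
// Added illustration: class, user store and sample values are hypothetical, not Tomcat code.
public class DigestNullGuard {
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Constructed store: username -> MD5(user:realm:password), stored upper-case on purpose.
    static final Map<String, String> STORED_A1 =
            Map.of("alice", md5Hex("alice:demo:s3cret").toUpperCase(Locale.ENGLISH));

    // As in the report: returns null when the user is not found (realm unused in this toy store).
    static String getDigest(String username, String realm) {
        return STORED_A1.get(username);
    }

    // Pattern from the report: the lookup result is dereferenced without a null check.
    static boolean authenticateUnguarded(String user, String realm, String nonce, String md5a2, String response) {
        String md5a1 = getDigest(user, realm).toLowerCase(Locale.ENGLISH); // NPE for an unknown user
        return matches(md5a1, nonce, md5a2, response);
    }

    // Guarded form: an unknown user is an authentication failure, not a server error.
    static boolean authenticateGuarded(String user, String realm, String nonce, String md5a2, String response) {
        String stored = getDigest(user, realm);
        if (stored == null) return false;
        return matches(stored.toLowerCase(Locale.ENGLISH), nonce, md5a2, response);
    }

    // RFC 2617 response without qop: MD5(HA1:nonce:HA2), compared in constant time.
    static boolean matches(String md5a1, String nonce, String md5a2, String response) {
        byte[] expected = md5Hex(md5a1 + ":" + nonce + ":" + md5a2).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, response.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        String nonce = "constructed-nonce", a2 = md5Hex("GET:/protected");
        String good = md5Hex(md5Hex("alice:demo:s3cret") + ":" + nonce + ":" + a2);
        System.out.println("known user:   " + authenticateGuarded("alice", "demo", nonce, a2, good));
        System.out.println("unknown user: " + authenticateGuarded("mallory", "demo", nonce, a2, good));
        try { authenticateUnguarded("mallory", "demo", nonce, a2, good); }
        catch (NullPointerException e) { System.out.println("unguarded: NullPointerException"); }
    }
}
```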