Index: oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java
===================================================================
--- oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java	(Revision 1870090)
+++ oak-core/src/test/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImplTest.java	(Arbeitskopie)
@@ -27,6 +27,7 @@
 import org.apache.jackrabbit.oak.api.CommitFailedException;
 import org.apache.jackrabbit.oak.api.ContentSession;
 import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.commons.junit.LogCustomizer;
 import org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
@@ -44,6 +45,7 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 import org.junit.Test;
+import org.slf4j.event.Level;
 
 import javax.jcr.Credentials;
 import javax.jcr.GuestCredentials;
@@ -56,7 +58,9 @@
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginException;
 import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
 
@@ -133,6 +137,49 @@
     }
 
     @Test
+    public void testLoginLogoutPreexistingSubject() throws Exception {
+        createTestUser();
+        Subject subject = new Subject(true, Collections.singleton(new Principal() {
+            @Override
+            public String getName() {
+                return "JMXPrincipal: foo";
+            }
+        }), Collections.EMPTY_SET, Collections.EMPTY_SET);
+        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
+            LogCustomizer logCustomizer = LogCustomizer
+                    .forLogger("org.apache.jackrabbit.oak.core.ContentSessionImpl")
+                    .enable(Level.ERROR)
+                    .create();
+
+            ContentSession cs = login(new SimpleCredentials(USER_ID, USER_PW.toCharArray()));
+            try {
+                logCustomizer.starting();
+                cs.close();
+                //verify that ContentSessionImpl.close() did not log anything
+                assertEquals(0, logCustomizer.getLogs().size());
+            } finally {
+                logCustomizer.finished();
+            }
+            return null;
+        });
+    }
+
+    @Test(expected = LoginException.class)
+    public void testLoginNullCredentialsPreexistingSubject() throws Exception {
+        Subject subject = new Subject(true, Collections.singleton(new Principal() {
+            @Override
+            public String getName() {
+                return "JMXPrincipal: foo";
+            }
+        }), Collections.EMPTY_SET, Collections.EMPTY_SET);
+        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
+            ContentSession cs = login(null);
+            cs.close();
+            return null;
+        });
+    }
+
+    @Test
     public void testUserLogin() throws Exception {
         createTestUser();
         try (ContentSession cs = login(new SimpleCredentials(USER_ID, USER_PW.toCharArray()))) {