Hi,

When using a basic async servlet, where the request processing is transferred to an @Asynchronous method, there's a NPE at the end of the request:

Exception in thread "default task-107" java.lang.NullPointerException
    at org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism.wasAuthExceptionThrown(JASPIAuthenticationMechanism.java:164)
    at org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism.access$100(JASPIAuthenticationMechanism.java:72)
    at org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism$1.wrap(JASPIAuthenticationMechanism.java:240)
    at org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism$1.wrap(JASPIAuthenticationMechanism.java:234)
    at io.undertow.server.HttpServerExchange$WrapperStreamSinkConduitFactory.create(HttpServerExchange.java:2017)
    at io.undertow.server.HttpServerExchange.getResponseChannel(HttpServerExchange.java:1167)
    at io.undertow.servlet.spec.ServletOutputStreamImpl.close(ServletOutputStreamImpl.java:619)
    at io.undertow.servlet.spec.HttpServletResponseImpl.closeStreamAndWriter(HttpServletResponseImpl.java:451)
    at io.undertow.servlet.spec.HttpServletResponseImpl.responseDone(HttpServletResponseImpl.java:525)
    at io.undertow.servlet.spec.AsyncContextImpl$3.run(AsyncContextImpl.java:294)
    at io.undertow.servlet.spec.AsyncContextImpl$6.run(AsyncContextImpl.java:432)

The direct cause is that JASPIAuthenticationMechanism#wasAuthExceptionThrown tries to access the security context as-in the following line:

SecurityContextAssociation.getSecurityContext().getData().get(AuthException.class.getName()) != null

Only, for an async request processing thread SecurityContextAssociation.getSecurityContext() is always null, causing the NPE. I created a test that functions as a reproducer here: https://github.com/arjantijms/javaee7-samples/tree/master/jaspic/async-authentication It also looks like there's something not entirely right with the async time out on Undertow, but I haven't nailed that one down yet.

Kind regards,
Arjan