From 19146bd81e1bb73530d49b96220f2ee2ba929f00 Mon Sep 17 00:00:00 2001
From: lprimak <lenny@flowlogix.com>
Date: Mon, 22 Jun 2026 09:53:52 -0500
Subject: [PATCH] bugfix: fix login() once again accepts null subject

---
 .../main/java/org/apache/shiro/mgt/DefaultSecurityManager.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
index 1a3ba503c9..ebf05622f1 100644
--- a/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
+++ b/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java
@@ -305,7 +305,7 @@ public Subject login(Subject subject, AuthenticationToken token) throws Authenti
      * @param subject Subject
      */
     protected void beforeSuccessfulLogin(Subject subject) {
-        Session session = subject.getSession(false);
+        Session session = subject != null ? subject.getSession(false) : null;
         if (session != null) {
             Map<Object, Object> attributes = new HashMap<>();
             session.getAttributeKeys().forEach(key -> attributes.put(key, session.getAttribute(key)));