The `Set` implementation that holds principals and credentials in a JAAS `Subject` prohibits null elements and any attempt to add, query, or remove a null element will result in a `NullPointerException`. This is especially important when trying to remove principals or credentials from the subject at the logout phase but they are null because of a previous failed login. Various JDK `LoginModule` implementations have been fixed to avoid the exception. An Implementation Note has also been added to the `logout()` method of the `LoginModule` interface. Developers should verify, and if necessary update, any custom `LoginModule` implementations to be compliant with this implementation advice.