CrowdHttpAuthenticator usage with Crowd 2.3 REST api (IllegalArgumentException: setAttribute)

I'm working on a servlet filter that uses the CrowdHttpAuthenticator class to operate on a request/response. (It's actually a migration effort from the pre2.1 SOAP api to REST, following https://developer.atlassian.com/display/CROWDDEV/Crowd+2.1+REST+Java+Client+Migration+Guide).

The servlet uses a persistent CrowdHttpAuthenticatorImpl() instance which is initialised in the filter's init() function.

I'm using two functions from this class:

• isAuthenticated() to test for valid crowd authentication
• authenticateWithoutValidatingPassword() to forcibly validate a request.

I'm having a problem with the authenticateWithoutValidatingPassword() function - when I call it with a (request, response, username) triplet, I get the following exception:

java.lang.IllegalArgumentException: setAttribute: name parameter cannot be null
        at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1325)
        at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1301)
        at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
        at com.atlassian.crowd.integration.http.util.CrowdHttpTokenHelperImpl.setCrowdToken(CrowdHttpTokenHelperImpl.java:142)
        at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.authenticateWithoutValidatingPassword(CrowdHttpAuthenticatorImpl.java:83)

I've pasted below a skeleton example showing how I'm using these classes.

Any idea what's causing the IllegalArgumentException above?

Am I using the CrowdClient/CrowdHttpAuthenticator classes incorrectly?

Thanks,

manuel.

Code:

public class MyFilter implements Filter {

    CrowdClient crowdClient;
    CrowdHttpAuthenticator crowdHttpAuthenticator;

    protected final Logger logger = Logger.getLogger(this.getClass());
    private final static String USERID = "USERID";

    public void init( FilterConfig filterConfig ) throws ServletException 
    {
    	Properties crowd_props = new Properties();
   	crowd_props.load(getClass().getResourceAsStream("/crowd.properties"));
    	ClientProperties clientProperties = ClientPropertiesImpl.newInstanceFromProperties(crowd_props);    	
    	crowdClient = new com.atlassian.crowd.integration.rest.service.factory.RestCrowdClientFactory().newInstance(clientProperties);
    	crowdHttpAuthenticator = new CrowdHttpAuthenticatorImpl(crowdClient, 
    			clientProperties, 
    			CrowdHttpTokenHelperImpl.getInstance(
    					 CrowdHttpValidationFactorExtractorImpl.getInstance()));
    }


    public void doFilter( ServletRequest request,
                ServletResponse response,
                FilterChain chain ) throws IOException, ServletException
    {
        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse resp = (HttpServletResponse)response;

	String userid = req.getHeader(USERID);

	if (crowdHttpAuthenticator.isAuthenticated(req, resp)) {
            logger.debug("Have crowd token.");
        }
        else {
           logger.debug("Authenticating user '"+userid+"'");
           crowdHttpAuthenticator.authenticateWithoutValidatingPassword(req, resp, userid);
            // Verify
            if (!(crowdHttpAuthenticator.isAuthenticated(req, resp))) {
               	throw new MyFilterException("Authenticated user, but failed in verification.");
            }
        }
	chain.doFilter(req, resp);
	return;				
    }
}