ServletSecurityRoleHandler throws NullPointerException if securityDisabled is true. Test case: import java.io.IOException; import java.io.Writer; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import io.undertow.Undertow; import io.undertow.server.HttpHandler; import io.undertow.server.handlers.PathHandler; import io.undertow.servlet.api.DeploymentInfo; import io.undertow.servlet.api.DeploymentManager; import io.undertow.servlet.api.ServletContainer; import io.undertow.servlet.api.ServletInfo; public class DisableSecurityTest { public static class HelloWorldServlet extends HttpServlet { private static final long serialVersionUID = 1L; @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try (Writer writer = resp.getWriter()) { writer.write( "hi" ); } } } public static void main( String [] args) { DeploymentInfo deployment = new DeploymentInfo(); deployment.setContextPath( "/" ); deployment.setDeploymentName( "test" ); deployment.setClassLoader( Thread .currentThread().getContextClassLoader()); deployment.setSecurityDisabled( true ); deployment.addServlet( new ServletInfo( "HelloWorldServlet" , HelloWorldServlet.class) .addMapping( "/hi" )); ServletContainer container = ServletContainer.Factory.newInstance(); DeploymentManager manager = container.addDeployment(deployment); HttpHandler handler; PathHandler root; try { manager.deploy(); handler = manager.start(); root = new PathHandler(); root.addPrefixPath(deployment.getContextPath(), handler); } catch (ServletException e) { throw new RuntimeException(e); } Undertow server = Undertow .builder() .addHttpListener(8080, "localhost" ) .setHandler(root) .build(); server.start(); } } Bug fix: public class ServletPathMatches { private static ServletChain servletChain(HttpHandler next, final ManagedServlet managedServlet, final String servletPath, final DeploymentInfo deploymentInfo, boolean defaultServlet) { ++++ if (!deploymentInfo.isSecurityDisabled()) { HttpHandler servletHandler = new ServletSecurityRoleHandler(next, deploymentInfo.getAuthorizationManager()); servletHandler = wrapHandlers(servletHandler, managedServlet.getServletInfo().getHandlerChainWrappers()); ++++ return new ServletChain(servletHandler, managedServlet, servletPath, defaultServlet); ++++ } return new ServletChain(next, managedServlet, servletPath, defaultServlet); } } Stack Trace: java.lang.NullPointerException at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:55) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang. Thread .run( Thread .java:745)