diff --git a/core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java b/core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java
index 3bf523413f..14ce0b0833 100644
--- a/core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java
+++ b/core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java
@@ -421,8 +421,12 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      */
     protected void handleLogout(HttpSessionDestroyedEvent event) {
         SecurityContext context = (SecurityContext) event.getSession().getAttribute(HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
+        if (context == null) {
+            log.debug("The destroyed session has no SecurityContext");
+            return;
+        }
         Authentication auth = context.getAuthentication();
-        if (auth instanceof JaasAuthenticationToken) {
+        if ((auth != null) && (auth instanceof JaasAuthenticationToken)) {
             JaasAuthenticationToken token = (JaasAuthenticationToken) auth;
             try {
                 LoginContext loginContext = token.getLoginContext();