I did isolate this NPE problem to a single application. I have several similar applications using rewrite 2.0.8.Final and only one is experiencing the condition. So, I compared the security-constraint url-pattern value and they differ.
I modified the url-pattern to: <url-pattern>/*</url-pattern>
The application is no longer throwing the NPE. I believe I was specifying an overly restrictive pattern causing the request object to be null. Does that make sense to you? While it may be obvious to you, it might be useful to mention in the configuration guide.
Do you play Magic?
Get TopDecked MTG, the #1 Magic App, built by players, for players. Free to use, forever.