2

Hi, I am using the basic authentication method for protecting some pages in my webapp, which have a specified URL pattern as follows:

<url-pattern>/Important/*</url-pattern>
<auth-method>BASIC</auth-method>

Now the problem is if the user logs in the normal way using a login form. The data is posted to my servlet, which validates the username and password and then proceeds further. Is there a way that I could setRemoteUser in this servlet, because the authentication input appears again once the user tries to access pages in the Important folder? Is there a way that I could inform the authentication mechanism that the user has already signed in?

Murphy316

2 Answers

3

This is not possible. If you actually have an HTML <form> for login, then you should change the authentication method from BASIC to FORM.

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

You also need to make sure that your HTML <form> submits to the predefined URL j_security_check with the username and password as predefined parameters j_username and j_password.

<form action="j_security_check" method="post">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
    <input type="submit" value="login" />
</form>

This way the container will set the login the way you need and the username will be available by getRemoteUser(). Also, any unauthenticated user who accesses the restricted URL directly will automatically be forwarded to the login page. On successful login, it will automatically be forwarded back to the initially requested page.

Also, when using the FORM authentication method on a Servlet 3.0 compatible container (Tomcat 7, Glassfish 3, etc.), you will be able to programmatically log in the user by the Servlet 3.0 introduced HttpServletRequest#login() method in the servlet. This allows finer-grained control over the process and validation. This isn't possible with BASIC authentication.

BASIC authentication is a completely different thing. It shows a bare JavaScript look-alike dialog with username/password inputs. This doesn't require or use an HTML <form> or something. It also stores the authentication information on the client side, which gets sent as a request header on every single subsequent request. It doesn't store the authentication information in the server-side session as FORM authentication does.

BalusC
0

The method HttpServletRequest.getRemoteUser() will return null if the user has not logged in.

This is true for all types of authentication.

Here is what the API documentation says:

java.lang.String getRemoteUser()

Returns the login of the user making this request, if the user has been
authenticated, or null if the user has not been authenticated. Whether the user
name is sent with each subsequent request depends on the browser and type of
authentication. Same as the value of the CGI variable REMOTE_USER.

Returns:
    a String specifying the login of the user making this request,
    or null if the user login is not known
Ramesh PVK
  • So if the user has logged on through some other method, how can I inform the container that the user has logged in and set a value for the RemoteUser? – Murphy316 Jun 27 '12 at 12:03
  • Meaning, do you have your own authentication? – Ramesh PVK Jun 27 '12 at 12:03
  • Yes, I do. However, a folder of my web application is being safeguarded by Tomcat authentication, so if a user is authenticated using my mechanism I would also like him to be automatically authenticated for the folder safeguarded by the Tomcat authentication. – Murphy316 Jun 27 '12 at 12:05
  • If you use your custom authentication, there is no way to tell the container about your authentication mechanism. If you really want to use custom authentication, you should be doing it using a JAAS Login Module. – Ramesh PVK Jun 27 '12 at 12:09
  • Thanks, I'll look into that and get back here. – Murphy316 Jun 27 '12 at 12:16