How the request.getRemoteUser() works and the remote username value is stored?

Question

I have Tomcat authentication (form authentication) in my application. After successful authentication, I am able to get the username from the request.getRemoteUser() method in my servlet.

Where I can find request.getRemoteUser() code? How does this work? Where has the RemoteUser has been set and stored? Since HTTP requests are stateless and execute independently, how this giving the username in all subsequent requests?

Answer 1

In order to deal with authentication, every context in Tomcat has a Valve that extends AuthenticatorBase, that:

1. tries to authenticate the user using the data in the HttpServletRequest,
2. checks the authorization requirements for the URL,
3. if authentication is required, but absent, sends an appropriate response to the browser, asking for authentication. This usually means a 401 response with a WWW-Authenticate header for most authentication methods or a 302 redirect to the login page for form authentication.
4. if authentication is present, but the access is not authorized, it sends a 403 response.
5. otherwise calls Request#setUserPrincipal and proceeds with the next valve.

For the details check the AuthenticatorBase#invoke method.

Most authentication methods are based on the Authorization header sent by the browser (the form authenticator uses request parameters).

If a session is present (e.g. you called HttpServletRequest#getSession), the authenticated user will be cached in the session and subsequent requests will not need to authenticate any more. You can force session creation using the alwaysUseSession attribute on the authenticator valves (cf. documentation). The server can recognize the presence of a previously established session through many methods:

1. A JSESSIONID Cookie header in the request,
2. A jsessionid path parameter in the URL,
3. If you use TLS, the TLS session can be also be used to detect the appropriate HTTP session.