request.getRemoteUser() sometimes returns null
I have a Java web application using Struts2 combined with old-style servlets, using Acegi Security.
In my servlets, I'm logging what the user is trying to do and which user it is. To get the user I'm using request.getRemoteUser().
But to my big surprise, the result is not consistent. Most of the time getRemoteUser() returns the correct username, but every once in a while I get a null value.
What could be the reason behind this?
EDIT:
After your feedback I have figured out that the servlet URLs are not covered by security at all. So that could cause getRemoteUser() to be null. I will now implement security for these and do some more testing before I post back the results.
getRemoteUser() will return the user logged in, else it will return null.
What kind of authentication are you using (JAAS with basic/digest, etc.)?
Do you see this error for particular URLs (servlets)? In that case those URLs may have other security constraints.
Another reason would be that the client (browser) is not sending the user name with the request. That can happen if you are outside the URL tree that asked for the authentication.
Is the login form filtered by Acegi Security (loginFormUrl of AuthenticationProcessingFilterEntryPoint)?
If yes, get the logged-in username with:
SecurityContextHolder.getContext().getAuthentication().getName();
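An added example, not code from the question or the answers: an audit filter that resolves the user from getRemoteUser() with a null-safe fallback to the Acegi security context, and logs a warning when a request arrives with no authenticated user, which is what happens on URLs the security filter chain does not cover. The class name AuditUserFilter and the log wording are hypothetical; it assumes Acegi 1.0.x package names and that the filter is mapped after the Acegi filter chain in web.xml.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/** Hypothetical audit filter (assumption: mapped after the Acegi filter chain). */
public class AuditUserFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AuditUserFilter.class.getName());

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = resolveUser(http);
        if (user == null) {
            // Either the user is not logged in, or this URL pattern is not
            // mapped to the security filters at all. Both are worth a log line.
            LOG.warning("no authenticated user for " + http.getMethod() + " "
                    + http.getRequestURI() + " (is this URL covered by security?)");
        } else {
            LOG.info("user=" + user + " " + http.getMethod() + " " + http.getRequestURI());
        }
        chain.doFilter(req, res);
    }

    /** Returns the authenticated user name, or null if there is none. */
    static String resolveUser(HttpServletRequest http) {
        String remote = http.getRemoteUser();
        if (remote != null) {
            return remote;
        }
        // getAuthentication() is null when the request never passed through
        // the Acegi filters, so calling getName() on it directly would throw.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        return auth.getName();
    }
}
```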
The doc says why you're getting null:
Returns the login of the user making this request, if the user has been authenticated, or null if the user has not been authenticated. Whether the user name is sent with each subsequent request depends on the browser and type of authentication. Same as the value of the CGI variable REMOTE_USER.
You need to investigate the browser that's causing the problem.