A Principal represents someone who could potentially authenticate with your application. The Principal’s name depends on the authentication method used:

• a username such as “fred” (in the case of HTTP Basic authentication)
• a Distinguished Name such as “CN=bob,O=myorg” (in the case of X.509 client certificates – in which case a X500Principal may be returned)

getRemoteUser() returns “the login of the user” which, in the case of HTTP Basic authentication, will also be the username; it doesn’t map cleanly in the X.509 client certificate case though, since the user doesn’t enter a “login” as such – in the example above, we could use the Distinguished Name or simply the CN, “bob”.

The Javadocs state that “whether the user name is sent with each subsequent request depends on the browser and type of authentication”, suggesting that getRemoteUser() was originally meant to provide data only for requests in which a username was entered. This, however, would result in it returning null for the majority of requests when cookie-based auth is in use – not too helpful!

In reality, getRemoteUser() often just calls getUserPrincipal().getName(); verified in Tomcat 6 and Jetty 6/7.