We have a static method in a utility class that will download a file from a URL. An authenticator has been set up so that if a username and password is required, the credentials can be retrieved. The problem is that the credentials from the first successful connection are used for every connection afterwords, as long as the credentials are valid. This is a problem because our code is multi user, and since the credentials are not checked for every connection, it’s possible that a user without proper credentials could download a file.

Here’s the code we’re using

private static URLAuthenticator auth;  public static File download(String url, String username, String password, File newFile) {     auth.set(username, password);     Authenticator.setDefault(auth);     URL fURL = new URL(url);     OutputStream out = new BufferedOutputStream(new FileOutputStream(newFile));     URLConnection conn = fURL.openConnection();     InputStream in = conn.getInputStream();      try     {         copyStream(in, out);     }     finally     {         if (in != null)             in.close();         if (out != null)             out.close();     }      return newFile; }  public class URLAuthenticator extends Authenticator {     private String username;     private String password;      public URLAuthenticator(String username, String password)     {          set(username, password);     }      public void set(String username, String password)     {         this.username = username;         this.password = password;     }      protected PasswordAuthentication getPasswordAuthentication()     {         log.debug('Retrieving credentials '' + username + '', '' + password + ''.');         return new PasswordAuthentication(username, password.toCharArray());     } } 

I only see the log statement from getPasswordAuthentication once, the first time that a file is downloaded. After that first successful attempt, getPasswordAuthentication is not called again, even though the credentials have been reset. The result is that after the first successful connection, invalid credentials can be entered, and a successful connection can still be made. Is this possibly a result of the download method being static, and in a static class?

Edit I forgot to mention that this is in a JSF webapp running under tomcat – maybe one of those technologies is setting some default credentials somewhere?

I’ve pulled the URLAuthenticator out into its own class, and made it as non-static as possible, but the problem still exists. I’ve read that if the default authenticator is set to null with Authenticator.setDefault(null), then on windows the NTLM authentication will be used. That shouldn’t be the problem here since I’m setting the Authenticator everytime, but I thought I’d throw it out there. The NTLM authentication is definately getting used, because if the server is run as a user that has access to the downloaded file, the credentials aren’t even asked for, the file just downloads. So something obviously is grabbing my credentials and passing them in before the authenticator is called.