How do I extract the username and password out of a URL in a servlet filter?

Question

I've created a BasicAuthFilter and it has this signature:

@Override
public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain) throws IOException, ServletException 

This is working if someone calls the filter with an Authorization header set the right way. But, if someone on chrome or firefox visits the url like this:

http://username:password@localhost:8888

The browsers are not populating the Authorization header with that information (which surprised me). I looked at the information sent by chrome and the username and password are in the request URL but nowhere else.

I can't figure out how to extract that information from the URL. I've tried a lot of getters on the HttpServletRequest, but haven't found anything that gives me the username and password.

NOTE: Yes, I know this is insecure, it's just really convenient to use when you're trying to test your system.

Answer 1

My coworker found this thread that implies this isn't possible in modern browsers. They refuse to send the username:password part of a url over the wire for security reasons.

Answer 2

    URL url = new URL(custom_url);
    String userInfo = url.getUserInfo();

    String[] userInfoArray = userInfo.split(":");
    System.out.println("username"+userInfoArray[0]);
    System.out.println("password"+userInfoArray[1]);   

Answer 3

I'll add something to this answer

If the password contains the character :, you must specify a limit on your split.

So:

String[] userInfoArray = userInfo.split(":");

Becomes:

String[] userInfoArray = userInfo.split(":", 2);

2 means the pattern : is applied only one time (so the resulting length array is at maximum 2)

Answer 4

For passwords with '@', e.g. "http://user:p@ssw0rd@private.uri.org/some/service":

    final String authority = uri.getAuthority();

    if (authority != null) {
        final String[] userInfo = authority.split(":", 2);

        if (userInfo.length > 1) {
            this.username = userInfo[0];
            int passDelim = userInfo[1].lastIndexOf('@');

            if (passDelim != -1) {
                this.password = userInfo[1].substring(0, passDelim);
            }
        }
    }

Note that in this case trying to use getUserInfo() won't help since userInfo of the URI is null.