We have a static method in a utility class that will download a file from a URL. An authenticator has been set up so that if a username and password is required, the credentials can be retrieved. The problem is that the credentials from the first successful connection are used for every connection afterwords, as long as the credentials are valid. This is a problem because our code is multi user, and since the credentials are not checked for every connection, it's possible that a user without proper credentials could download a file.

我们在实用程序类中有一个静态方法，可以从 URL 下载文件。已设置身份验证器，以便在需要用户名和密码时可以检索凭据。问题是第一次成功连接的凭据用于每个连接后记，只要凭据有效。这是一个问题，因为我们的代码是多用户的，并且由于没有为每个连接检查凭据，没有正确凭据的用户可能会下载文件。

Here's the code we're using

这是我们正在使用的代码

private static URLAuthenticator auth;

public static File download(String url, String username, String password, File newFile)
{
    auth.set(username, password);
    Authenticator.setDefault(auth);
    URL fURL = new URL(url);
    OutputStream out = new BufferedOutputStream(new FileOutputStream(newFile));
    URLConnection conn = fURL.openConnection();
    InputStream in = conn.getInputStream();

    try
    {
        copyStream(in, out);
    }
    finally
    {
        if (in != null)
            in.close();
        if (out != null)
            out.close();
    }

    return newFile;
}

public class URLAuthenticator extends Authenticator
{
    private String username;
    private String password;

    public URLAuthenticator(String username, String password)
    {
         set(username, password);
    }

    public void set(String username, String password)
    {
        this.username = username;
        this.password = password;
    }

    protected PasswordAuthentication getPasswordAuthentication()
    {
        log.debug("Retrieving credentials '" + username + "', '" + password + "'.");
        return new PasswordAuthentication(username, password.toCharArray());
    }
}

I only see the log statement from getPasswordAuthentication once, the first time that a file is downloaded. After that first successful attempt, getPasswordAuthentication is not called again, even though the credentials have been reset. The result is that after the first successful connection, invalid credentials can be entered, and a successful connection can still be made. Is this possibly a result of the download method being static, and in a static class?

我只在第一次下载文件时看到 getPasswordAuthentication 的日志语句一次。在第一次成功尝试之后，即使凭据已重置，也不会再次调用 getPasswordAuthentication。结果是第一次连接成功后，可以输入无效的凭据，仍然可以连接成功。这可能是由于下载方法是静态的，并且在静态类中吗？

EditI forgot to mention that this is in a JSF webapp running under tomcat - maybe one of those technologies is setting some default credentials somewhere?

编辑我忘了提到这是在 tomcat 下运行的 JSF webapp 中 - 也许这些技术之一是在某处设置一些默认凭据？

I've pulled the URLAuthenticator out into its own class, and made it as non-static as possible, but the problem still exists. I've read that if the default authenticator is set to null with Authenticator.setDefault(null), then on windows the NTLM authentication will be used. That shouldn't be the problem here since I'm setting the Authenticator everytime, but I thought I'd throw it out there. The NTLM authentication is definately getting used, because if the server is run as a user that has access to the downloaded file, the credentials aren't even asked for, the file just downloads. So something obviously is grabbing my credentials and passing them in before the authenticator is called.

我已经将 URLAuthenticator 拉到它自己的类中，并使其尽可能非静态，但问题仍然存在。我读过，如果使用 Authenticator.setDefault(null) 将默认身份验证器设置为 null，则在 Windows 上将使用 NTLM 身份验证。这不应该是这里的问题，因为我每次都设置身份验证器，但我想我会把它扔在那里。NTLM 身份验证肯定会得到使用，因为如果服务器以有权访问下载文件的用户身份运行，则甚至不需要凭据，只需下载文件。所以很明显，在调用身份验证器之前，某些东西正在获取我的凭据并传递它们。