...
This login handler is, under the covers, a Java Servlet. That is, it's a bit of Java code addressed by a URL. This code looks for a value in the REMOTE_USER header and uses this as the username for the user sitting at the browser. The assumption is that if the container (web server or servlet container) set this than can set REMOTE_USER, then it should be trusted.
Therefore, to use this handler you must protect the URL of the remote user servlet (see below for this path) with some authentication mechanism within your container. If you do not know how to do this, you must refer to your container's documentation.
...
Additionally the login handler must contain one or more <AuthenticationMethod> element elements whose content is the authentication method(s) serviced by the login handler.
...