Bug 54141 - Configuration does not allow Realms to be nested more than 2 levels deep
Summary: Configuration does not allow Realms to be nested more than 2 levels deep
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.32
Hardware: PC Mac OS X 10.4
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-13 01:55 UTC by Christopher Schultz
Modified: 2012-11-13 14:20 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Schultz 2012-11-13 01:55:35 UTC
The use case is to have one Realm that is configured for lock-out with another that is not: the two should be combined together.

The obvious configuration attempt is this:

<CombinedRealm>
  <LockoutRealm>
     <DataSourceRealm/>
  </LockoutRealm>
  <UserDatabaseRealm/>
</CombinedRealm>

Unfortunately, this configuration yields an error:

  No rules found matching 'Server/Service/Engine/Realm/Realm/Realm'

org.apache.catalina.startup.RealmRuleSet.addRuleInstances only goes 2 levels deep when it comes to Realms (that is, only allows "Realm" and "Realm/Realm"). Adding a 3rd level would certainly work here and might be sufficient. Another option would be to configure the digester to allow arbitrary levels of Realm-nesting for even the most pathological cases.

For reference, see this link to a question over on StackOverflow: http://stackoverflow.com/questions/13274696/tomcat-7-nesting-combinedrealm-lockoutrealm-and-datasourcerealm
Comment 1 Mark Thomas 2012-11-13 14:20:44 UTC
Default increased from 2 levels to 3 and the maximum is supported via a system property.