Bug 54141

Summary: Configuration does not allow Realms to be nested more than 2 levels deep
Product: Tomcat 7 Reporter: Christopher Schultz <chris>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 7.0.32   
Target Milestone: ---   
Hardware: PC   
OS: Mac OS X 10.4   

Description Christopher Schultz 2012-11-13 01:55:35 UTC
The use case is to have one Realm that is configured for lock-out with another that is not: the two should be combined together.

The obvious configuration attempt is this:


Unfortunately, this configuration yields an error:

  No rules found matching 'Server/Service/Engine/Realm/Realm/Realm'

org.apache.catalina.startup.RealmRuleSet.addRuleInstances only goes 2 levels deep when it comes to Realms (that is, only allows "Realm" and "Realm/Realm"). Adding a 3rd level would certainly work here and might be sufficient. Another option would be to configure the digester to allow arbitrary levels of Realm-nesting for even the most pathological cases.

For reference, see this link to a question over on StackOverflow: http://stackoverflow.com/questions/13274696/tomcat-7-nesting-combinedrealm-lockoutrealm-and-datasourcerealm
Comment 1 Mark Thomas 2012-11-13 14:20:44 UTC
Default increased from 2 levels to 3 and the maximum is supported via a system property.