On Thu, Nov 17, 2022 at 11:22 AM Mark Thomas <ma...@apache.org> wrote:
>
> On 17/11/2022 10:07, Rémy Maucherat wrote:
> > On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz
> > <snip/>
> >
> >> I guess we could add a configuration option to CombinedRealm:
> >>
> >> inheritCredentialHandler="first|last|numeric-position|false/off/no"
> >>
> >> ?
> >>
> >> Then you'd only have to declare it once and then you have the flexibility of inheriting it or not. But you'd have to opt into it instead of getting a surprise.
> >
> > Right now the feature is simply too weird, so I'll simply improve it:
> > - It doesn't work if this is a CombinedRealm, so since they are now used all the time this is rather annoying.
> > - For some reason it only sets the attribute if the Realm is on the Context. For example it will not set anything if the realm is on the Host.
> >
> > So instead, I will make these changes:
> > - CombinedRealm will get its own special credential handler if none is set (it will behave like the nested credential handler, except on nested realm.getCredentialHandler()).
> > - In StandardContext, the attribute will be set based on getRealm() instead of getRealmInternal().
>
> I don't think we do that as it creates a security concern. An untrusted application would be able to brute force a Realm it hasn't defined.
>
> A trusted app can obtain a reference to the Realm via other means.
>
> I know untrusted apps are rare and becoming rarer but as long as we have to support the SecurityManager (hopefully not for much longer) then we have to consider untrusted apps.
Ok, I (kind of) understand, and I will remove that part of the change then.

Rémy
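As an added illustration of what the attribute discussed in this thread is for (example code, not from the thread, from Tomcat, or from the change Rémy describes): a hypothetical servlet that looks up the container-provided CredentialHandler, fails closed when the container did not set it, and uses that handler so newly stored credentials are in exactly the form the Realm will later verify. It assumes Tomcat 10.x (jakarta.servlet packages) and a form parameter name of its own choosing.

```java
import java.io.IOException;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.CredentialHandler;

// Hypothetical example servlet; not part of Tomcat or of the change discussed above.
public class PasswordChangeServlet extends HttpServlet {
    // Same string as org.apache.catalina.Globals.CREDENTIAL_HANDLER: the attribute
    // StandardContext sets from the Context's Realm when that Realm has a handler.
    static final String ATTR = "org.apache.catalina.CredentialHandler";

    private CredentialHandler handler;

    @Override
    public void init() throws ServletException {
        Object attr = getServletContext().getAttribute(ATTR);
        if (!(attr instanceof CredentialHandler)) {
            // Not exposed (e.g. Realm declared on the Host, or a CombinedRealm with no
            // handler of its own). Fail closed rather than building a private handler:
            // a differently configured handler produces hashes the Realm will never match.
            throw new ServletException("Container exposed no CredentialHandler for this context");
        }
        handler = (CredentialHandler) attr;
    }

    /** Stored form (e.g. salted, iterated hash) produced by the Realm's own handler. */
    String storedFormOf(String plaintext) {
        return handler.mutate(plaintext);
    }

    /** Check a supplied password against a stored value with the same handler. */
    boolean verifies(String plaintext, String stored) {
        return handler.matches(plaintext, stored);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String newPassword = req.getParameter("newPassword"); // constructed parameter name
        if (req.getUserPrincipal() == null || newPassword == null || newPassword.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String stored = storedFormOf(newPassword);
        // Writing 'stored' to the Realm's user store is application-specific and omitted.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```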