On 17/11/2022 10:07, Rémy Maucherat wrote:
On Wed, Nov 16, 2022 at 6:14 PM Christopher Schultz

<snip/>

I guess we could add a configuration option to CombinedRealm:

     inheritCredentialHandler="first|last|numeric-position|false/off/no"

?

Then you'd only have to declare it once and then you have the
flexibility of inheriting it or not. But you'd have to opt-into it
instead of getting a surprise.

Right now the feature is simply too weird, so I'll simply improve it:
- It doesn't work if this is a CombinedRealm, so since they are now
used all the time this is rather annoying.
- For some reason it only sets the attribute if the Realm is on the
Context. For example it will not set anything if the realm is on the
Host.

So instead, I will make these changes:
- CombinedRealm will get its own special credential handler if none is
set (it will behave like the nested credential handler, except on
nested realm.getCredentialHandler()).
- In StandardContext, the attribute will be set based on getRealm()
instead of getRealmInternal().

I don't think we do that as it creates a security concern. An untrusted application would be able to brute force a Realm it hasn't defined.

A trusted app can obtain a reference to the Realm via other means.

I know untrusted apps are rare and becoming rarer, but as long as we have to support the SecurityManager (hopefully not for much longer) we have to consider untrusted apps.

Mark

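For readers who have not run into the configuration shape the thread is discussing, here is an added illustration (not from the thread, nor Tomcat's own documentation) of a CombinedRealm in server.xml where each nested realm currently has to carry its own CredentialHandler element. The resource name, JDBC table and column names and the PBKDF2 parameters are placeholders; which of the two handlers ends up exposed to the web application through the org.apache.catalina.CredentialHandler servlet context attribute is exactly the question the thread is about.

```xml
<!-- Added illustration, not from the thread: a CombinedRealm whose nested
     realms each declare the same CredentialHandler. Resource, table, column
     names and hashing parameters are placeholders, not a recommendation. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" keyLength="256" saltLength="16"/>
  </Realm>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/auth"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Duplicated verbatim so both realms hash and verify identically;
         drift between the two copies is easy to introduce and hard to spot. -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" keyLength="256" saltLength="16"/>
  </Realm>
</Realm>
```

With this layout there is no CredentialHandler on the outer CombinedRealm at all, which is why the attribute is not set for it today; a single handler declared once on the outer realm and inherited by the nested ones is what the "declare it once" proposal above would buy.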