apachecon | A mosaic of things that should not be | Map library

Now that the use cases are clear. What you mention in your edits is correct. It starts with the RealmBase class (refer: protected void startInternal() method). This, if teh credential handler is null (which in your case it is on LockoutRealm), sets the default credential handler as MessageDigestCredentialHandler without any algorithm, the behaviour of the credential handler if no algorithm is specified is to use plainText.

Next look at the StandardContext (refer: protected synchronized void startInternal() method, line 5016-5027), lines 5019 and 5024 are important. Here the realm is being retrieved with the 'getRealmInternal()' call, which returns the configured realm, which in your case is LockoutRealm and the subsequent 'getCredentialHandler()' returns the default credential handler as mentioned above (as the method is dispatched to RealmBase, a point to be noted, the CombinedRealm or the LockoutRealm does not override this method).

This is why the password is not being mutated.

What you require looks to be possible. It is apparent from the above that when the 'getCredentialHandler()' is called on the realm, the realm should handle it instead of dispatching to RealmBase.

Therefore, you could do the below:

1. Extend LockoutRealm with your realm class (say XRealm)
2. Override the getCredentialHandler method
3. In the method, access the 'protected final List realms' of CombinedRealm, your DataSourceRealm should be the 0th element
4. Call the getCredentialHandler on the DataSourceRealm and return
5. When StandardContext calls getCredentialHandler, it should get the NestedCredentialHandler you have configured

The above should solve the problem.