When a user authenticates, the first subrealm inside a CombinedRealm that has the right credentials will be the realm to which the user is authenticated.
Is there a way to find out which realm this is?
For instance, if I have created a CombinedRealm with a JNDIRealm and a JDBCRealm inside it, and the user is authenticated to the JDBCRealm, is there a way to detect this other than connecting to the SQL database and seeing if the user exists?
I would expect that you can do this by setting the Tomcat logger to output diagnostic messages.
In practical terms, the Combined Realm should be concatenating the sub-Realms and if they are concatenated in the order in which you've listed them, actually you'd probably be better off looking at the JNDI (LDAP?) database first.
One thing I learned (the hard way) from IBM's OS/2, however is that you should never attempt to keep important information in more than one place. Backups, mirrors, etc. are fine, but the authoritative info should be located in one and only one location. That's not really a technical issue, it's a managerial one, and if you have definite rules on where to find stuff, then you won't need to clutter your logfiles with diagnostics because the only time you'll need to check is for cases where someone has violated those rules.
Customer surveys are for companies who didn't pay proper attention to begin with.