Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/02/04 11:54:16 UTC
[Bug 54521] New: DigestAuthenticator: nonceCountValid() fails in case of simultaneous asynchronous requests of the same client
https://issues.apache.org/bugzilla/show_bug.cgi?id=54521
Bug ID: 54521
Summary: DigestAuthenticator: nonceCountValid() fails in case of simultaneous asynchronous requests of the same client
Product: Tomcat 7
Version: 7.0.35
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: sven.stieber@traveltainment.de
Classification: Unclassified
Concerned components:
org.apache.catalina.authenticator.DigestAuthenticator
org.apache.catalina.authenticator.DigestAuthenticator.NonceInfo
Scenario:
A multithreaded client sends two requests within one millisecond. The
DigestAuthenticator creates for each request a nonce as well as a NonceInfo
instance. The two nonces are equal, as they were created within the same
millisecond. When writing data into the cache (method generateNonce()), the
second NonceInfo instance overwrites the first one (same key!).
Problem:
The two client threads then send a second request with a digest authentication
header. In both requests, "nc" (nonce count) equals "1", as the nonce has
been newly created. In the NonceInfo of the first request, array "seen" is set
to "true" for index ((nonceCount + offset) % seen.length). In the second
request the same NonceInfo instance is used, as the instance is retrieved from
map "nonces" using "nonce" as a key, that is, in both requests the same key is
used. Consequently, method "nonceCountValid()" returns "false", as
seen[(nonceCount + offset) % seen.length] has already been set to "true".
Therefore the authentication fails, although the client has sent a valid digest
authentication header.
Conclusion:
Working with multi-threaded clients with many requests, digest authentication
does not function reliably.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
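The collision the report describes, modelled in Python as an added illustration (this is not Tomcat's code): a replay window checked at seen[(nonceCount + offset) % seen.length], a nonce map keyed by the nonce string, and a frozen millisecond clock standing in for two requests that arrive in the same millisecond. The unique_timestamps guard is one possible mitigation included for contrast, not the fix Tomcat applied; the window size, server key, client address and timestamp are constructed values.

```python
import hashlib

SEEN_WINDOW = 100  # replay-window size; constructed value, not Tomcat's
PRIVATE_KEY = "constructed-server-key"  # stand-in for the server's nonce secret


class NonceInfo:
    # Replay window for one nonce: remembers which nc values have been used.
    def __init__(self, offset: int = 1) -> None:
        self.seen = [False] * SEEN_WINDOW
        self.offset = offset

    def nonce_count_valid(self, nonce_count: int) -> bool:
        # The check the report describes: a slot that is already True means
        # this nc was consumed before, so the request is rejected as a replay.
        idx = (nonce_count + self.offset) % len(self.seen)
        if self.seen[idx]:
            return False
        self.seen[idx] = True
        return True


class NonceCache:
    # Model of the 'nonces' map, keyed by the nonce string itself.
    def __init__(self, clock, unique_timestamps: bool) -> None:
        self.clock = clock  # returns the current time in milliseconds
        self.unique_timestamps = unique_timestamps
        self.last_timestamp = 0
        self.nonces = {}

    def generate_nonce(self, client_ip: str) -> str:
        ts = self.clock()
        if self.unique_timestamps and ts <= self.last_timestamp:
            ts = self.last_timestamp + 1  # guard: never hand out the same ms twice
        self.last_timestamp = ts
        digest = hashlib.md5(f"{client_ip}:{ts}:{PRIVATE_KEY}".encode()).hexdigest()
        nonce = f"{ts}:{digest}"
        self.nonces[nonce] = NonceInfo()  # an equal nonce overwrites the first entry
        return nonce

    def nonce_count_valid(self, nonce: str, nonce_count: int) -> bool:
        info = self.nonces.get(nonce)
        return info is not None and info.nonce_count_valid(nonce_count)


def simulate(unique_timestamps: bool) -> tuple:
    # Two threads of one client obtain a nonce in the same millisecond (frozen
    # clock), then each sends nc=1; returns both nonceCountValid() results.
    cache = NonceCache(lambda: 1359978856000, unique_timestamps)
    nonce_a = cache.generate_nonce("10.0.0.7")
    nonce_b = cache.generate_nonce("10.0.0.7")
    return cache.nonce_count_valid(nonce_a, 1), cache.nonce_count_valid(nonce_b, 1)
```

Without the guard the two nonce strings are identical, so the second NonceInfo replaces the first and the second request is rejected as a replay; with the guard each request gets its own nonce and both validate.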
Mark Thomas <ma...@apache.org> changed:
What        | Removed | Added
------------+---------+----------
Status      | NEW     | RESOLVED
Resolution  | ---     | FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report.
This has been fixed in trunk and 7.0.x and will be included in 7.0.37 onwards.
--- Comment #2 from Sven Stieber <sv...@traveltainment.de> ---
Thank you for fixing this so quickly. One additional question: will this fix be
included in the next Tomcat 6 release, too?