[jboss-jira] [JBoss JIRA] (JBWEB-258) DigestAuthenticator generates duplicate nonces
Sascha Skorupa (JIRA)
jira-events at lists.jboss.org
Wed Nov 20 05:03:05 EST 2013
[ https://issues.jboss.org/browse/JBWEB-258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12925259#comment-12925259 ]
Sascha Skorupa commented on JBWEB-258:
--------------------------------------
This issue is already fixed in tomcat 7.0.37. Here is the link to the tomcat issue which is the same as this one:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54521
Regards,
sascha
> DigestAuthenticator generates duplicate nonces
> ----------------------------------------------
>
> Key: JBWEB-258
> URL: https://issues.jboss.org/browse/JBWEB-258
> Project: JBoss Web
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: JBossWeb-2.1.12.GA, JBossWeb-7.0.16.GA, JBossWeb-7.2.0.Alpha3
> Reporter: Aaron Ogburn
> Assignee: Remy Maucherat
> Attachments: 21x.diff, 70x.diff, 72x.diff
>
>
> DigestAuthenticator currently generates nonces as a hash of the client's remote ip, the current time at generation time, and an internal server key. With high concurrent load in a scenario where many clients show a single ip (such as behind a loadbalancer/proxy), then it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.
> This then leads to authentication failures as counts for the duplicate nonces get out of whack.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
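As an added illustration of the collision the issue describes (example code written for this page, not code from JBoss Web, Tomcat or the attached diffs), the Java sketch below builds nonces the way the report summarises: a hash over remote IP, generation time and a server key. When many requests share one IP and land in the same millisecond, that input is identical and so is the nonce. The hardened variant beside it is one defensive pattern (a monotonic timestamp guard plus random bytes in the hashed input); it is an assumption for the example and is not presented as the upstream fix. The server key and the simulated request count are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class NonceCollisionDemo {

    // Constructed placeholder for the server's internal key (not a real value).
    private static final String SERVER_KEY = "example-server-key";

    // Hex MD5 over ISO-8859-1 bytes; MD5 is used here only because the
    // issue's nonce scheme is hash-based, not as a recommendation.
    private static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Weak variant as described in the issue: the hash input is fully
    // determined by (remote IP, millisecond, key), so two requests from the
    // same IP in the same millisecond receive the same nonce.
    static String weakNonce(String remoteIp, long currentTimeMillis) {
        return md5Hex(remoteIp + ":" + currentTimeMillis + ":" + SERVER_KEY);
    }

    // Hardened variant (assumed pattern for this example): never reuse a
    // timestamp, and mix in random bytes so equal inputs cannot occur.
    private static final Object TIMESTAMP_LOCK = new Object();
    private static long lastTimestamp = 0L;
    private static final SecureRandom RANDOM = new SecureRandom();

    static String hardenedNonce(String remoteIp, long currentTimeMillis) {
        long ts;
        synchronized (TIMESTAMP_LOCK) {
            // If the clock has not advanced past the last issued value,
            // step the stored timestamp forward instead of reusing it.
            if (currentTimeMillis > lastTimestamp) {
                lastTimestamp = currentTimeMillis;
            } else {
                lastTimestamp++;
            }
            ts = lastTimestamp;
        }
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        StringBuilder saltHex = new StringBuilder();
        for (byte b : salt) {
            saltHex.append(String.format("%02x", b));
        }
        String input = remoteIp + ":" + ts + ":" + saltHex + ":" + SERVER_KEY;
        // Timestamp prefix lets a server expire old nonces without decoding them.
        return ts + ":" + md5Hex(input);
    }

    // Simulate N requests that all arrive from one proxy IP in the same
    // millisecond and count how many distinct nonces each scheme hands out.
    static int distinctNonces(boolean hardened, String ip, long fixedMillis, int requests) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < requests; i++) {
            seen.add(hardened ? hardenedNonce(ip, fixedMillis) : weakNonce(ip, fixedMillis));
        }
        return seen.size();
    }

    public static void main(String[] args) {
        String proxyIp = "10.0.0.1";          // constructed: shared load-balancer address
        long sameMillis = 1384945385000L;      // constructed: one fixed generation instant
        int requests = 1000;

        int weak = distinctNonces(false, proxyIp, sameMillis, requests);
        int hard = distinctNonces(true, proxyIp, sameMillis, requests);

        System.out.println("weak scheme:     " + weak + " distinct nonces for " + requests + " requests");
        System.out.println("hardened scheme: " + hard + " distinct nonces for " + requests + " requests");
    }
}
```

Run with `javac NonceCollisionDemo.java && java NonceCollisionDemo`. The weak scheme yields a single distinct nonce for all requests, which is exactly the condition under which per-nonce request counts collide; the hardened scheme yields one nonce per request. In a real authenticator, uniqueness matters only insofar as the server tracks each nonce it issued, so the point of the example is the hash input, not the output format.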