RH Bugzilla Integration commented on JBWEB-258:
-----------------------------------------------
Vladimir Dosoudil <dosoudil(a)redhat.com> changed the Status of [bug
DigestAuthenticator generates duplicate nonces
----------------------------------------------
Key: JBWEB-258
URL: https://issues.jboss.org/browse/JBWEB-258
Project: JBoss Web
Issue Type: Bug
Affects Versions: JBossWeb-2.1.12.GA, JBossWeb-7.0.16.GA, JBossWeb-7.2.0.Alpha3
Reporter: Aaron Ogburn
Assignee: Remy Maucherat
Attachments: 21x.diff, 70x.diff, 72x.diff
DigestAuthenticator currently generates nonces as a hash of the client's remote IP,
the current time at generation time, and an internal server key. With high concurrent
load in a scenario where many clients show a single IP (such as behind a
load balancer/proxy), it is very easy for DigestAuthenticator to give out duplicate
nonces when they are generated at the same time.
This then leads to authentication failures as counts for the duplicate nonces get out of
whack.
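To illustrate the failure mode described above, here is an added Python simulation (not JBoss Web's code); the server key, proxy IP and timestamp are constructed values, and the "fixed" generator simply mixes a per-nonce random value into the hash.

```python
import hashlib
import secrets

SERVER_KEY = "constructed-server-key"  # placeholder; a real server uses its own secret


def legacy_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Nonce derived only from client IP, generation time and server key.
    Two requests from the same IP in the same millisecond collide."""
    digest = hashlib.md5(f"{remote_ip}:{now_ms}:{key}".encode()).hexdigest()
    return f"{now_ms}:{digest}"


def unique_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Same inputs plus a fresh random component per nonce, so concurrent
    generations from one IP at one instant no longer collide."""
    salt = secrets.token_hex(8)
    digest = hashlib.md5(f"{remote_ip}:{now_ms}:{salt}:{key}".encode()).hexdigest()
    return f"{now_ms}:{digest}"


def simulate(generator, n_clients=50, remote_ip="10.0.0.1", now_ms=1_700_000_000_000):
    """n_clients requests arrive through one proxy IP in the same millisecond.
    Returns (nonces issued, number of duplicates among them)."""
    nonces = [generator(remote_ip, now_ms) for _ in range(n_clients)]
    return nonces, len(nonces) - len(set(nonces))


class NonceTracker:
    """Per-nonce request counter (the Digest 'nc' value) as a server checks it:
    each nonce's count must strictly increase, otherwise the request is rejected."""

    def __init__(self):
        self.last_nc = {}

    def accept(self, nonce: str, nc: int) -> bool:
        if nc <= self.last_nc.get(nonce, 0):
            return False  # replayed count, or another client already used it
        self.last_nc[nonce] = nc
        return True


def clients_rejected(generator, n_clients=50) -> int:
    """Each simulated client receives a nonce and sends its first request with
    nc=1. Clients that were handed an already-used nonce are turned away."""
    nonces, _ = simulate(generator, n_clients)
    tracker = NonceTracker()
    return sum(not tracker.accept(nonce, 1) for nonce in nonces)
```

With the legacy generator all 50 simulated clients share one nonce, so 49 of them fail their first authenticated request; with the salted generator none do.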