Author: aogburn
Date: 2015-02-03 11:17:45 -0500 (Tue, 03 Feb 2015)
New Revision: 2588
Modified:
branches/7.5.x/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Log:
[JBWEB-258] Ensure concurrent requests that require DIGEST auth receive unique nonces
Modified:
branches/7.5.x/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
---
branches/7.5.x/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2015-01-27
12:51:50 UTC (rev 2587)
+++
branches/7.5.x/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2015-02-03
16:17:45 UTC (rev 2588)
@@ -90,6 +90,14 @@
/**
+ * The last timestamp used to generate a nonce. Each nonce should get a
+ * unique timestamp.
+ */
+ protected long lastTimestamp = 0;
+ protected final Object lastTimestampLock = new Object();
+
+
+ /**
* Maximum number of server nonces to keep in the cache. If not specified,
* the default value of 1000 is used.
*/
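Review bot: The Javadoc on `lastTimestamp` does not say that the field may only be read or written while holding `lastTimestampLock`, and the lock field has no comment at all. Both are `protected`, so a subclass can modify `lastTimestamp` without taking the lock and break the per-nonce uniqueness this commit is meant to guarantee. I would add `* Guarded by {@link #lastTimestampLock}; never read or write it without holding that lock.` to the Javadoc, and make both fields `private` if no subclass needs them.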
@@ -303,6 +311,13 @@
long currentTime = System.currentTimeMillis();
+ synchronized (lastTimestampLock) {
+ if (currentTime > lastTimestamp) {
+ lastTimestamp = currentTime;
+ } else {
+ currentTime = ++lastTimestamp;
+ }
+ }
String ipTimeKey =
request.getRemoteAddr() + ":" + currentTime + ":" +
getKey();
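Review bot: In the `else` branch `currentTime` is replaced by `++lastTimestamp`, so the value that goes into `ipTimeKey` can run ahead of the wall clock whenever more than one nonce is issued per millisecond or the system clock steps backwards. If the nonce's age is later checked against this timestamp (that code is outside the hunk), such nonces stay valid longer than the configured window by the amount of drift. Uniqueness also holds only within one running instance, because `lastTimestamp` starts at 0 on every start and is not shared between nodes. A comment above the block would record this: `// Monotonic per instance; may run ahead of System.currentTimeMillis() under bursts or after a backwards clock step.` The enclosing method starts and ends outside the hunk.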