Author: aogburn
Date: 2012-12-11 17:38:27 -0500 (Tue, 11 Dec 2012)
New Revision: 2136
Modified:
branches/JBOSSWEB_2_1_12_GA_patch03_JBPAPP-10306/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Log:
[JBPAPP-10306] backport JBWEB-258 for better, more unique DigestAuthenticator nonces
Modified:
branches/JBOSSWEB_2_1_12_GA_patch03_JBPAPP-10306/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
---
branches/JBOSSWEB_2_1_12_GA_patch03_JBPAPP-10306/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012-12-06
18:21:07 UTC (rev 2135)
+++
branches/JBOSSWEB_2_1_12_GA_patch03_JBPAPP-10306/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2012-12-11
22:38:27 UTC (rev 2136)
@@ -294,21 +294,21 @@
/**
* Generate a unique token. The token is generated according to the
* following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":"
- * time-stamp ":" private-key ) ).
+ * client-port ":" time-stamp ":" private-key ) ).
*
* @param request HTTP Servlet request
*/
protected String generateNonce(Request request) {
long currentTime = System.currentTimeMillis();
+ int remotePort = request.getRemotePort();
+ String ipPortTimeKey =
+ request.getRemoteAddr() + ":" + remotePort + ":" +
currentTime + ":" + getKey();
- String ipTimeKey =
- request.getRemoteAddr() + ":" + currentTime + ":" +
getKey();
+ byte[] buffer = ConcurrentMessageDigest.digestMD5(ipPortTimeKey.getBytes());
+ String nonce = currentTime + ":" + remotePort + ":" +
MD5Encoder.encode(buffer);
- byte[] buffer = ConcurrentMessageDigest.digestMD5(ipTimeKey.getBytes());
- String nonce = currentTime + ":" + MD5Encoder.encode(buffer);
-
NonceInfo info = new NonceInfo(currentTime, 100);
synchronized (nonces) {
nonces.put(nonce, info);
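Review bot: Uniqueness of the new nonce still rests only on `currentTime` in milliseconds plus `remotePort` (lines 27–37), so two requests sent on the same keep-alive connection within one millisecond would presumably produce an identical nonce, and `nonces.put(nonce, info)` at line 43 would then replace the earlier NonceInfo (resetting its count) instead of rejecting the duplicate. If JBWEB-258 requires strictly unique nonces, a per-instance monotonic timestamp (under a lock, bump `currentTime` to last-issued + 1 when it does not exceed the last value issued) would close that gap without changing the `time:port:digest` format the validation hunks parse. The Javadoc could also spell out the layout the parser depends on, e.g. `* The returned nonce has the form time ":" client-port ":" Base64(MD5(...)); validation re-derives the digest from those fields.`. `ipPortTimeKey.getBytes()` uses the platform default charset; the input is ASCII here, so that is only a portability nit.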
@@ -567,13 +567,19 @@
if (i < 0 || (i + 1) == nonce.length()) {
return false;
}
+ int j = nonce.lastIndexOf(":");
+ if (i == j) {
+ return false;
+ }
long nonceTime;
+ int remotePort;
try {
nonceTime = Long.parseLong(nonce.substring(0, i));
+ remotePort = Integer.parseInt(nonce.substring(i + 1, j));
} catch (NumberFormatException nfe) {
return false;
}
- String md5clientIpTimeKey = nonce.substring(i + 1);
+ String md5clientIpPortTimeKey = nonce.substring(j + 1);
long currentTime = System.currentTimeMillis();
if ((currentTime - nonceTime) > nonceValidity) {
nonceStale = true;
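Review bot: `remotePort` at line 56 is parsed from the client-supplied nonce and is neither range-checked nor compared with the current request's port; a forged value is only rejected later because the recomputed digest will not match, which is correct but non-obvious and deserves a comment, e.g. `// port is taken from the nonce, not the current connection (the original connection may be gone); the digest check below is what rejects tampering`. The split on the two indexes would also read better with `// nonce layout is <time>:<port>:<md5>; i is the first ':' (computed above), j the last` before line 48. The enclosing method, including the computation of `i`, starts before this hunk and ends after it.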
@@ -581,12 +587,12 @@
nonces.remove(nonce);
}
}
- String serverIpTimeKey =
- request.getRemoteAddr() + ":" + nonceTime + ":" +
key;
+ String serverIpPortTimeKey =
+ request.getRemoteAddr() + ":" + remotePort + ":" +
nonceTime + ":" + key;
byte[] buffer = ConcurrentMessageDigest.digestMD5(
- serverIpTimeKey.getBytes());
- String md5ServerIpTimeKey = MD5Encoder.encode(buffer);
- if (!md5ServerIpTimeKey.equals(md5clientIpTimeKey)) {
+ serverIpPortTimeKey.getBytes());
+ String md5ServerIpPortTimeKey = MD5Encoder.encode(buffer);
+ if (!md5ServerIpPortTimeKey.equals(md5clientIpPortTimeKey)) {
return false;
}
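Review bot: The digest comparison at line 81, `md5ServerIpPortTimeKey.equals(md5clientIpPortTimeKey)`, is not constant-time: `String.equals` returns at the first differing character and the right-hand value comes straight from the client. The same decision in constant time (on current JDKs) is `if (!MessageDigest.isEqual(md5ServerIpPortTimeKey.getBytes(), md5clientIpPortTimeKey.getBytes())) {` with `import java.security.MessageDigest;` added at the top of the file. `serverIpPortTimeKey.getBytes()` also relies on the default charset, matching the generation side in the first hunk; if one side ever names a charset the other must follow. The enclosing method continues past the end of this hunk.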