Author: aogburn
Date: 2015-02-03 15:04:33 -0500 (Tue, 03 Feb 2015)
New Revision: 2591
Modified:
branches/JBOSSWEB_7_4_9_FINAL_BZ-1188833/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Log:
[BZ-1188833] Ensure concurrent requests that require DIGEST auth receive unique nonces
Modified:
branches/JBOSSWEB_7_4_9_FINAL_BZ-1188833/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
---
branches/JBOSSWEB_7_4_9_FINAL_BZ-1188833/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2015-02-03
19:43:43 UTC (rev 2590)
+++
branches/JBOSSWEB_7_4_9_FINAL_BZ-1188833/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2015-02-03
20:04:33 UTC (rev 2591)
@@ -90,6 +90,14 @@
/**
+ * The last timestamp used to generate a nonce. Each nonce should get a
+ * unique timestamp.
+ */
+ protected long lastTimestamp = 0;
+ protected final Object lastTimestampLock = new Object();
+
+
+ /**
* Maximum number of server nonces to keep in the cache. If not specified,
* the default value of 1000 is used.
*/
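Review bot: The Javadoc added here covers only `lastTimestamp`; `lastTimestampLock` has no comment, and nothing states that the counter may only be read or written while that lock is held. Both fields are `protected` and `lastTimestamp` is non-final, so a subclass could update it without the lock and bring back duplicate nonce timestamps. Suggest adding `Guarded by lastTimestampLock; never read or write this field without holding it.` to the comment. If no subclass is known to need them, declaring both fields `private` would enforce that rule rather than only document it.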
@@ -303,6 +311,13 @@
long currentTime = System.currentTimeMillis();
+ synchronized (lastTimestampLock) {
+ if (currentTime > lastTimestamp) {
+ lastTimestamp = currentTime;
+ } else {
+ currentTime = ++lastTimestamp;
+ }
+ }
String ipTimeKey =
request.getRemoteAddr() + ":" + currentTime + ":" +
getKey();
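Review bot: When several challenges are generated in the same millisecond, `currentTime = ++lastTimestamp` hands out a value later than the real clock, and that value is what goes into `ipTimeKey`. Under a sustained burst the embedded timestamp can run ahead of wall time, so any later check that compares a nonce's timestamp with `System.currentTimeMillis()` would treat those nonces as slightly younger than they are; the validation code is outside this hunk, so that should be confirmed there. The counter is also held per authenticator instance, so this does not by itself make nonces unique across nodes that share the same key. A comment above the block would record the intent: `// Not wall-clock time: advanced past the clock when needed so each nonce gets a distinct value.` The enclosing method starts and ends outside the hunk.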
Property changes on:
branches/JBOSSWEB_7_4_9_FINAL_BZ-1188833/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java
___________________________________________________________________
Added: svn:mergeinfo
+
/branches/7.4.x/src/main/java/org/apache/catalina/authenticator/DigestAuthenticator.java:2589