Author: jfrederic.clere(a)jboss.com
Date: 2013-02-21 05:13:31 -0500 (Thu, 21 Feb 2013)
New Revision: 2171
Modified:
branches/7.0.x/java/org/apache/catalina/authenticator/DigestAuthenticator.java
Log:
Backport JBWEB-258 for better, more unique DigestAuthenticator nonces.
Modified: branches/7.0.x/java/org/apache/catalina/authenticator/DigestAuthenticator.java
===================================================================
---
branches/7.0.x/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2013-02-21
09:55:40 UTC (rev 2170)
+++
branches/7.0.x/java/org/apache/catalina/authenticator/DigestAuthenticator.java 2013-02-21
10:13:31 UTC (rev 2171)
@@ -294,21 +294,22 @@
/**
* Generate a unique token. The token is generated according to the
* following pattern. NOnceToken = Base64 ( MD5 ( client-IP ":"
- * time-stamp ":" private-key ) ).
+ * client-port ":" time-stamp ":" private-key ) ).
*
* @param request HTTP Servlet request
*/
protected String generateNonce(Request request) {
long currentTime = System.currentTimeMillis();
+ int remotePort = request.getRemotePort();
+ String ipPortTimeKey =
+ request.getRemoteAddr() + ":" + remotePort + ":" +
currentTime + ":" + getKey();
- String ipTimeKey =
- request.getRemoteAddr() + ":" + currentTime + ":" +
getKey();
byte[] buffer = ConcurrentMessageDigest.digestMD5(
- ipTimeKey.getBytes(EncodingToCharset.ISO_8859_1));
- String nonce = currentTime + ":" + MD5Encoder.encode(buffer);
+ ipPortTimeKey.getBytes(EncodingToCharset.ISO_8859_1));
+ String nonce = currentTime + ":" + remotePort + ":" +
MD5Encoder.encode(buffer);
NonceInfo info = new NonceInfo(currentTime, 100);
synchronized (nonces) {
@@ -583,13 +584,19 @@
if (i < 0 || (i + 1) == nonce.length()) {
return false;
}
+ int j = nonce.lastIndexOf(":");
+ if (i == j) {
+ return false;
+ }
long nonceTime;
+ int remotePort;
try {
nonceTime = Long.parseLong(nonce.substring(0, i));
+ remotePort = Integer.parseInt(nonce.substring(i + 1, j));
} catch (NumberFormatException nfe) {
return false;
}
- String md5clientIpTimeKey = nonce.substring(i + 1);
+ String md5clientIpPortTimeKey = nonce.substring(j + 1);
long currentTime = System.currentTimeMillis();
if ((currentTime - nonceTime) > nonceValidity) {
nonceStale = true;
@@ -597,12 +604,13 @@
nonces.remove(nonce);
}
}
- String serverIpTimeKey =
- request.getRemoteAddr() + ":" + nonceTime + ":" +
key;
+ String serverIpPortTimeKey =
+ request.getRemoteAddr() + ":" + remotePort + ":" +
nonceTime + ":" + key;
+
byte[] buffer = ConcurrentMessageDigest.digestMD5(
- serverIpTimeKey.getBytes(EncodingToCharset.ISO_8859_1));
- String md5ServerIpTimeKey = MD5Encoder.encode(buffer);
- if (!md5ServerIpTimeKey.equals(md5clientIpTimeKey)) {
+ serverIpPortTimeKey.getBytes(EncodingToCharset.ISO_8859_1));
+ String md5ServerIpPortTimeKey = MD5Encoder.encode(buffer);
+ if (!md5ServerIpPortTimeKey.equals(md5clientIpPortTimeKey)) {
return false;
}
Show replies by date