[jboss-jira] [JBoss JIRA] (JBWEB-258) DigestAuthenticator generates duplicate nonces
Aaron Ogburn (JIRA)
jira-events at lists.jboss.org
Thu Dec 6 11:57:17 EST 2012
Aaron Ogburn created JBWEB-258:
----------------------------------
Summary: DigestAuthenticator generates duplicate nonces
Key: JBWEB-258
URL: https://issues.jboss.org/browse/JBWEB-258
Project: JBoss Web
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: JBossWeb-2.1.12.GA, JBossWeb-7.0.16.GA
Reporter: Aaron Ogburn
Assignee: Remy Maucherat
DigestAuthenticator currently generates nonces as a hash of the client's remote ip, the current time at generation time, and an internal server key. With high concurrent load in a scenario where many clients show a single ip (such as behind a loadbalancer/proxy), then it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.
This then leads to authentication failures as counts for the duplicate nonces get out of whack.
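The collision described in this report, and one way to avoid it, as an added Python simulation that is not JBoss Web's code: `naive_nonce` mirrors the hash-of-(remote ip, generation time, server key) scheme described above, while `UniqueNonceGenerator` is an assumed mitigation that forces a strictly increasing timestamp into every generation (a random per-nonce salt would serve the same purpose). `SERVER_KEY`, the shared proxy IP and the timestamp are constructed values.

```python
import hashlib
import threading

SERVER_KEY = "constructed-server-key"  # stands in for the authenticator's internal key


def naive_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Nonce derived only from (client ip, generation time, server key).

    Two requests that share an ip (e.g. behind a proxy) and land in the
    same millisecond produce byte-identical nonces."""
    return hashlib.md5(f"{remote_ip}:{now_ms}:{key}".encode()).hexdigest()


class UniqueNonceGenerator:
    """Assumed mitigation: never reuse a timestamp for the hashed input.

    If a call arrives with a wall-clock value no newer than the last one
    used, it is bumped to last + 1 under a lock, so the (ip, time, key)
    tuple, and therefore the nonce, is unique per generation."""

    def __init__(self, key: str = SERVER_KEY) -> None:
        self._key = key
        self._last_ts = 0
        self._lock = threading.Lock()

    def generate(self, remote_ip: str, now_ms: int) -> str:
        with self._lock:
            if now_ms > self._last_ts:
                self._last_ts = now_ms
            else:
                self._last_ts += 1
                now_ms = self._last_ts
        digest = hashlib.md5(f"{remote_ip}:{now_ms}:{self._key}".encode()).hexdigest()
        # the timestamp is prepended so the server can later judge nonce age
        return f"{now_ms}:{digest}"


def count_duplicates(nonces) -> int:
    return len(nonces) - len(set(nonces))


def simulate(n_clients: int, now_ms: int, remote_ip: str = "10.0.0.1"):
    """n_clients behind one proxy ip all hit the server in the same millisecond.

    Returns (duplicates with the naive scheme, duplicates with the fix)."""
    naive = [naive_nonce(remote_ip, now_ms) for _ in range(n_clients)]
    gen = UniqueNonceGenerator()
    fixed = [gen.generate(remote_ip, now_ms) for _ in range(n_clients)]
    return count_duplicates(naive), count_duplicates(fixed)
```

Each client then tracks its own nonce-count (nc) against the nonce it received, so every duplicated nonce on the server side means several clients' counts collide under one key, which is the failure mode the report describes.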
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira