[jboss-jira] [JBoss JIRA] (AS7-5915) HTTP Digest Fails when cnonce is Repeated

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Mon Nov 12 11:09:18 EST 2012 

    [ https://issues.jboss.org/browse/AS7-5915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733449#comment-12733449 ] 

Remy Maucherat commented on AS7-5915:
-------------------------------------

I resynced the digest authenticator a few weeks back, so you're not looking at the latest version. Specifically, this looks fixed [the map key is the nonce].

About the building part, it needs building web, not the full AS. The web JAR can then be replaced in the as/web module.
                
> HTTP Digest Fails when cnonce is Repeated
> -----------------------------------------
>
>                 Key: AS7-5915
>                 URL: https://issues.jboss.org/browse/AS7-5915
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>    Affects Versions: 7.1.1.Final
>         Environment: Windows 7
>            Reporter: Adam Halbardier
>            Assignee: Remy Maucherat
>
> HTTP digest authentication requests seem to fail when the cnonce from the browser is repeated across multiple requests. (Firefox often does this.) For example:
> 1) Request resource protected by HTTP digest authentication
> 2) Receive response with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490667388:dbdb24005a909963fabb3fd5e18711a9", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
> 3) Send auth request with header: authorization=Digest username="helios", realm="helios", nonce="1352490667388:dbdb24005a909963fabb3fd5e18711a9", uri="/rest-services/rs/architecture/ui/waveforms", response="b4900878b8ffdf49e8216d706420871e", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"
> 4) Receive an HTTP 200
> 5) Close Firefox
> 6) Open Firefox and send request to same resource
> 7) Receive response with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490696962:b2318fc8d36fda0a46e9b8b4de62c597", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
> 8) Send request with header: authorization=Digest username="helios", realm="helios", nonce="1352490696962:b2318fc8d36fda0a46e9b8b4de62c597", uri="/rest-services/rs/architecture/ui/waveforms", response="03c3ee574d29c7ce911b645b9a4e7f0c", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"
> 9) Receive an HTTP 401 with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490703289:9ce53cff6e7ba74f12b8d440bd4ec04c", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
> 10) Send request with header: authorization=Digest username="helios", realm="helios", nonce="1352490703289:9ce53cff6e7ba74f12b8d440bd4ec04c", uri="/rest-services/rs/architecture/ui/waveforms", response="43acf50b9a019c9c26464e5cd43b0942", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="1522e61005789929"
> 11) Receives HTTP 200
> Notice that the cnonce in the first and second auth requests are the same. In the third the cnonce changes and the auth request is accepted. This pattern is repeatable over and over again (sometimes the cnonce does not change for many attempts, all of which fail, but as soon as the browser changes it, the request succeeds). In all cases, the response is computed correctly. This behavior does not appear consistent with RFC 2617 (it's acceptable to repeat the nc and cnonce values across different 401 challenges). Further investigation found that when the 401 is returned in the second case, the storeDigestCallback is never executed, suggesting the failure happens before the response digest is ever evaluated.
> This is the security domain configuration in standalone.xml
>                 <security-domain name="helios" cache-type="default">
>                     <authentication>
>                         <login-module code="UsersRoles" flag="required">
>                             <module-option name="usersProperties" value="${jboss.server.config.dir}/helios-users.properties"/>
>                             <module-option name="rolesProperties" value="${jboss.server.config.dir}/helios-roles.properties"/>
>                             <module-option name="hashAlgorithm" value="MD5"/>
>                             <module-option name="hashEncoding" value="RFC2617"/>
>                             <module-option name="hashUserPassword" value="false"/>
>                             <module-option name="hashStorePassword" value="true"/>
>                             <module-option name="passwordIsA1Hash" value="true"/>
>                             <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
>                         </login-module>
>                     </authentication>
>                 </security-domain>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list