[jboss-jira] [JBoss JIRA] (JBWEB-258) DigestAuthenticator generates duplicate nonces

RH Bugzilla Integration (Jira) issues at jboss.org
Fri Aug 2 03:32:02 EDT 2019


    [ https://issues.jboss.org/browse/JBWEB-258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13766262#comment-13766262 ] 

RH Bugzilla Integration commented on JBWEB-258:
-----------------------------------------------

Jan Kurik <jkurik at redhat.com> changed the Status of [bug 1188744|https://bugzilla.redhat.com/show_bug.cgi?id=1188744] from VERIFIED to CLOSED

> DigestAuthenticator generates duplicate nonces
> ----------------------------------------------
>
>                 Key: JBWEB-258
>                 URL: https://issues.jboss.org/browse/JBWEB-258
>             Project: JBoss Web
>          Issue Type: Bug
>    Affects Versions: JBossWeb-2.1.12.GA, JBossWeb-7.0.16.GA, JBossWeb-7.2.0.Alpha3
>            Reporter: Aaron Ogburn
>            Assignee: Remy Maucherat
>            Priority: Major
>         Attachments: 21x.diff, 70x.diff, 72x.diff
>
>
> DigestAuthenticator currently generates nonces as a hash of the client's remote ip, the current time at generation time, and an internal server key.  With high concurrent load in a scenario where many clients show a single ip (such as behind a loadbalancer/proxy), then it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.
> This then leads to authentication failures as counts for the duplicate nonces get out of whack.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
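The collision described in the report, reproduced as an added example (not JBoss Web code): a nonce derived only from remote IP, timestamp and server key is identical for every request that shares an IP and a millisecond, and a server-side nonce-count table then rejects the second client's first request as a replay. The digest (MD5), the proxy address, the timestamp and the hardened variant that mixes in a counter and a random salt are all assumptions for illustration, not the project's actual patch.

```python
import hashlib
import itertools
import secrets


def legacy_nonce(remote_ip: str, now_ms: int, server_key: str) -> str:
    """Nonce scheme as described in the report: hash(ip : time : key).
    Deterministic, so concurrent requests behind one proxy IP collide."""
    data = f"{remote_ip}:{now_ms}:{server_key}".encode()
    return hashlib.md5(data).hexdigest()  # MD5 assumed for illustration


class UniqueNonceGenerator:
    """Hardened variant (assumed, not the project's fix): a per-generator
    counter plus a random salt make every issued nonce distinct."""

    def __init__(self, server_key: str) -> None:
        self._key = server_key
        self._counter = itertools.count()

    def next_nonce(self, remote_ip: str, now_ms: int) -> str:
        seq = next(self._counter)
        salt = secrets.token_hex(8)
        data = f"{remote_ip}:{now_ms}:{seq}:{salt}:{self._key}".encode()
        return hashlib.md5(data).hexdigest()


class NonceTable:
    """Server-side replay tracking: remembers the highest nonce-count (nc)
    seen per nonce and rejects any request whose nc does not exceed it."""

    def __init__(self) -> None:
        self._last_nc: dict[str, int] = {}

    def accept(self, nonce: str, nc: int) -> bool:
        if nc <= self._last_nc.get(nonce, 0):
            return False  # looks like a replay, even if it is another client
        self._last_nc[nonce] = nc
        return True


def simulate(n_requests: int, generator) -> list[str]:
    """Burst of requests arriving in the same millisecond from one proxy IP."""
    proxy_ip = "10.0.0.5"            # constructed: address shared by all clients
    same_ms = 1_564_731_122_000      # constructed timestamp
    return [generator(proxy_ip, same_ms) for _ in range(n_requests)]


def count_duplicates(nonces: list[str]) -> int:
    return len(nonces) - len(set(nonces))


def first_request_outcomes(nonces: list[str]) -> list[bool]:
    """Each client sends its first request (nc=1) with the nonce it was handed."""
    table = NonceTable()
    return [table.accept(n, 1) for n in nonces]
```

With the legacy scheme every nonce in the burst is identical, so only the first client authenticates; with the hardened generator all of them do.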

