
DigestAuthenticator generates duplicate nonces

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: JBossWeb-2.1.12.GA, JBossWeb-7.0.16.GA, JBossWeb-7.2.0.Alpha3
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      DigestAuthenticator currently generates nonces as a hash of the client's remote IP, the current time at generation time, and an internal server key. Under high concurrent load in a scenario where many clients share a single IP (such as behind a load balancer/proxy), it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.

      This then leads to authentication failures as the counts for the duplicate nonces get out of whack.
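      To make the collision concrete, the following is an added Python simulation (not JBoss Web's own code) of a nonce built only from remote IP, generation time and server key, beside a variant that mixes in fresh random bytes per nonce; the server key, the proxy IP, the timestamp and the nonce-count tracker are constructed for the example.

```python
import hashlib
import secrets
from collections import Counter

SERVER_KEY = "constructed-server-key"  # assumption: stands in for the container's private key


def naive_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Nonce derived only from IP, generation time and server key, as the report describes.
    Two requests that share an IP and a millisecond get the identical nonce."""
    return hashlib.md5(f"{remote_ip}:{now_ms}:{key}".encode()).hexdigest()


def unique_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Same inputs plus 16 random bytes per call, so concurrent callers cannot collide.
    The timestamp is kept as a prefix so the server can still expire stale nonces."""
    salt = secrets.token_hex(16)
    digest = hashlib.md5(f"{remote_ip}:{now_ms}:{salt}:{key}".encode()).hexdigest()
    return f"{now_ms}:{digest}"


def duplicate_count(generator, remote_ip: str, now_ms: int, requests: int) -> int:
    """Simulate `requests` clients behind one proxy IP all served in the same millisecond
    and return how many of the issued nonces were duplicates of an earlier one."""
    counts = Counter(generator(remote_ip, now_ms) for _ in range(requests))
    return sum(c - 1 for c in counts.values())


class NonceTracker:
    """Server-side replay check: the nonce-count (nc) sent for a nonce must strictly increase."""

    def __init__(self):
        self.last_nc = {}

    def accept(self, nonce: str, nc: int) -> bool:
        if nc <= self.last_nc.get(nonce, 0):
            return False  # nc reused or went backwards: rejected as a replay
        self.last_nc[nonce] = nc
        return True


def simulate_two_clients(generator, remote_ip="10.0.0.1", now_ms=1_700_000_000_000) -> int:
    """Two clients behind one proxy IP each receive a nonce in the same millisecond and
    each sends nc=1 then nc=2. Returns how many requests the server rejects: with a
    shared nonce the second client's counts collide with the first client's."""
    tracker = NonceTracker()
    nonce_a = generator(remote_ip, now_ms)
    nonce_b = generator(remote_ip, now_ms)
    rejected = 0
    for nc in (1, 2):
        for nonce in (nonce_a, nonce_b):
            if not tracker.accept(nonce, nc):
                rejected += 1
    return rejected
```

With the naive scheme both clients are rejected on every request after the first because they share one nonce-count entry; with a per-nonce random component every request is accepted.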


      Attachments

      1. 21x.diff (3 kB)
      2. 70x.diff (3 kB)
      3. 72x.diff (3 kB)


      People

      • Assignee: rmaucher (Remy Maucherat)
      • Reporter: aogburn (Aaron Ogburn)
      • Votes: 1
      • Watchers: 4
