Bug 32502

Summary: Memory leak in Digest Authentication
Product: Tomcat 5
Reporter: Chris Sharp <csharp>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: critical    
Priority: P2    
Version: 5.0.29   
Target Milestone: ---   
Hardware: Macintosh   
OS: Mac OS X 10.3   
Attachments: Patch

Description Chris Sharp 2004-12-02 23:10:25 UTC
The DigestAuthenticator class contains a small but significant leak. In the generateNOnce method, the 
nOnceValue is inserted into a Hashtable with an expire time. This feature does not appear to be fully 
implemented and as a result the Hashtable "nOnceTokens" will continue to grow unbounded.

The short term solution to this problem is to remove the Hashtable insert since it isn't apparently being 

Longer term, the host-expireTime-otherState tuple could be encoded in a client-opaque nOnceValue and 
used across multiple TC5 instances.
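
The longer-term idea in the description, a nonce that carries its own expire time so no server-side table is needed, shown as an added example; it is not part of the bug report and not the fix committed to Tomcat. The class name, the HMAC-SHA256 construction, the shared key and the `host "\n" expireTime` layout are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not Tomcat code: nonce carries its own expiry, so no server-side table.
public class StatelessNonce {
    private final byte[] key;          // assumption: same secret on every instance
    private final long lifetimeMillis; // assumption: validity window chosen by the deployer

    public StatelessNonce(byte[] key, long lifetimeMillis) {
        this.key = key.clone();
        this.lifetimeMillis = lifetimeMillis;
    }
    private byte[] mac(String data) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    // nonce = expireTime "." base64url(HMAC(key, host "\n" expireTime))
    public String generate(String host, long now) throws Exception {
        String expire = Long.toString(now + lifetimeMillis);
        return expire + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(host + "\n" + expire));
    }
    public boolean validate(String nonce, String host, long now) throws Exception {
        int dot = nonce.indexOf('.');
        if (dot <= 0) return false;
        String expire = nonce.substring(0, dot);
        try {
            long expireTime = Long.parseLong(expire);
            byte[] presented = Base64.getUrlDecoder().decode(nonce.substring(dot + 1));
            // Constant-time MAC comparison, then the expiry check.
            return MessageDigest.isEqual(mac(host + "\n" + expire), presented) && now <= expireTime;
        } catch (IllegalArgumentException e) { // malformed number or base64
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        StatelessNonce n = new StatelessNonce(key, 300_000L);
        String nonce = n.generate("example.test", 1_000L); // constructed sample values
        System.out.println(n.validate(nonce, "example.test", 2_000L));   // inside the window
        System.out.println(n.validate(nonce, "example.test", 400_000L)); // past expireTime
        System.out.println(n.validate(nonce, "other.test", 2_000L));     // different host
    }
}
```

Because nothing is stored per nonce, a valid nonce can be reused until its expire time, so the lifetime bounds the replay window.
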
Comment 1 Chris Sharp 2004-12-02 23:19:19 UTC
Created attachment 13633
Comment 2 Yoav Shapira 2004-12-08 16:48:47 UTC
Fix committed (with additional cleanups) for Tomcat 5.0.31 and 5.5.6. Thanks 
for pointing this out.