Bug 54521 - DigestAuthenticator: nonceCountValid() fails in case of simultaneous asynchronous requests of the same client
DigestAuthenticator: nonceCountValid() fails in case of simultaneous asynchro...
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
PC All
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2013-02-04 10:54 UTC by Sven Stieber
Modified: 2013-02-08 08:41 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Sven Stieber 2013-02-04 10:54:16 UTC
Concerned components:

A multithreaded client sends two requests within one millisecond. The DigestAuthenticator creates for each request a nonce as well as a NonceInfo instance. The two nonces are equal, as they were created within the same millisecond. When writing data into the cache (method generateNonce()), the second NonceInfo instance overwrites the first one (same key!).

The two client threads then send a second request with a digest authentication header. In both requests, “nc” (nonce count) is equal “1”, as the nonce has been newly created. In the NonceInfo of the first request, array “seen” is set to “true” for index ((nonceCount + offset) % seen.length). In the second request the same NonceInfo instance is used, as the instance is retrieved from map “nonces” using “nonce” as a key, that is, in both requests the same key is used. Consequently, method “nonceCountValid()“ returns „false“, as  seen[(nonceCount + offset) % seen.length)] has already been set to „true“.  Therefore the authentication fails, although the client has sent a valid digest authentication header.

Working with multi-threaded clients with many requests, digest authentication does not function reliably.
Comment 1 Mark Thomas 2013-02-07 11:03:58 UTC
Thanks for the report.

This has been fixed in trunk and 7.0.x and will be included in 7.0.37 onwards.
Comment 2 Sven Stieber 2013-02-08 08:41:43 UTC
Thank you for fixing this that quick. One additional question: Will this fix be included into the next Tomcat 6 Release, too?