DigestAuthenticator currently generates nonces as a hash of the client's remote IP, the current time at generation time, and an internal server key. With high concurrent load in a scenario where many clients show a single IP, it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.
Fixed in JBossWeb 7.5.x by r2588
Created attachment 988260 digestnoncetest.war Here's a simple way to quickly test the Digest nonce generation within a single request. It'll reflect into the DigestAuthenticator and repeatedly generate a nonce from it 1000 times and check for a duplicate. Without the fix, it easily gets a duplicate since it is able to create many nonces within the same millisecond. Just deploy digestnoncetest.war, and request http://localhost:8080/digestnoncetest/. You'll see "PASSED" if it generated a new nonce each time and a failure message if not.
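The following is an added example, not code from JBossWeb or from the attached test war: it models the nonce scheme the report describes (hash of client IP, generation time in milliseconds and a server key), runs the same "1000 nonces for one client in one millisecond" check as digestnoncetest.war, and places an illustrative mitigation beside it. The hardened variant, its nonce layout, and the IP/key values are assumptions for illustration, not the r2588 change.

```python
import hashlib
import secrets
import time


def legacy_nonce(client_ip: str, now_ms: int, server_key: str) -> str:
    """Nonce scheme as described in the report: a hash over the client IP,
    the generation time (millisecond resolution) and a private server key.
    Identical inputs, e.g. many clients behind one IP hitting the server in
    the same millisecond, produce identical nonces."""
    material = f"{client_ip}:{now_ms}:{server_key}"
    return hashlib.md5(material.encode()).hexdigest()


def hardened_nonce(client_ip: str, now_ms: int, server_key: str) -> str:
    """Illustrative mitigation (an assumption, not the JBossWeb fix): mix a
    per-call random value into the hashed material so concurrent requests
    from one IP in one millisecond still get distinct nonces. Time and salt
    are kept in the clear (assumed layout) so a verifier could recompute
    the digest with the server key."""
    salt = secrets.token_hex(8)  # 64 bits of fresh randomness per nonce
    material = f"{client_ip}:{now_ms}:{salt}:{server_key}"
    digest = hashlib.md5(material.encode()).hexdigest()
    return f"{now_ms}:{salt}:{digest}"


def count_unique(nonce_fn, client_ip="10.0.0.1", server_key="constructed-key",
                 count=1000) -> int:
    """Mirror of the attached test: request `count` nonces for a single
    client IP within one fixed millisecond and return how many distinct
    values came back (count == all distinct, i.e. PASSED)."""
    now_ms = int(time.time() * 1000)  # frozen for the loop: "same millisecond"
    return len({nonce_fn(client_ip, now_ms, server_key) for _ in range(count)})


def run_check(count=1000) -> tuple:
    """Return (unique nonces from legacy scheme, unique from hardened one)."""
    return count_unique(legacy_nonce, count=count), count_unique(hardened_nonce, count=count)


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_nonce), ("hardened", hardened_nonce)):
        unique = count_unique(fn)
        verdict = "PASSED" if unique == 1000 else f"FAILED ({unique}/1000 unique)"
        print(f"{name}: {verdict}")
```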
Since this is already committed in the 7.5 branch, it will be included in the 7.5.6 build which will be in 6.4.0.
Verified with EAP 6.4.0.ER3