Bug 1188744 - [GSS] (6.4.z) DigestAuthenticator generates duplicate nonces
Summary: [GSS] (6.4.z) DigestAuthenticator generates duplicate nonces
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.4.0
Hardware: All
OS: All
unspecified
high
Target Milestone: ER3
: EAP 6.4.0
Assignee: Aaron Ogburn
QA Contact: Michael Cada
URL:
Whiteboard:
Depends On: 1192530
Blocks: 1188833
Reported: 2015-02-03 15:42 UTC by Aaron Ogburn
Modified: 2019-08-02 07:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-02 07:31:07 UTC
Type: Bug
Embargoed:


Attachments
digestnoncetest.war (1004 bytes, application/zip), 2015-02-04 19:20 UTC, Aaron Ogburn


Links
Red Hat Issue Tracker JBWEB-258 (Priority: Major, Status: Open): DigestAuthenticator generates duplicate nonces, last updated 2015-09-25 09:07:53 UTC

Description Aaron Ogburn 2015-02-03 15:42:37 UTC
DigestAuthenticator currently generates nonces as a hash of the client's remote ip, the current time at generation time, and an internal server key. With high concurrent load in a scenario where many clients show a single ip, then it is very easy for DigestAuthenticator to give out duplicate nonces when they are generated at the same time.

Comment 1 Aaron Ogburn 2015-02-03 16:20:13 UTC
Fixed in JBossWeb 7.5.x by r2588

Comment 2 Aaron Ogburn 2015-02-04 19:20:10 UTC
Created attachment 988260
digestnoncetest.war

Here's a simple way to quickly test the Digest nonce generation within a single request. It'll reflect into the DigestAuthenticator and repeatedly generate a nonce from it 1000 times and check for a duplicate. Without the fix, it easily gets a duplicate since it is able to create many nonces within the same millisecond.

Just deploy digestnoncetest.war, and request http://localhost:8080/digestnoncetest/.  You'll see "PASSED" if it generated a new nonce each time and a failure message if not.
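The nonce scheme from the description and the 1000-nonce duplicate check from this comment, as an added stand-alone model (not JBossWeb code and not the attached WAR): `weak_nonce` reproduces a hash of ip, time and server key for one IP inside one millisecond, and `UniqueNonceGenerator` is an assumed hardening (counter plus random salt), not necessarily what r2588 changed. The nonce layout, the server key and the sample IP are constructed.

```python
import hashlib
import secrets
import threading

# Constructed server key; a real server derives its own at startup.
SERVER_KEY = "constructed-server-key"


def weak_nonce(remote_ip: str, now_ms: int, key: str = SERVER_KEY) -> str:
    """Nonce built only from ip, millisecond time and server key, as the report
    describes. Every call for the same IP within the same millisecond returns
    the same value, which is exactly the duplicate the bug tracks.
    (Exact layout is an assumption; only the inputs come from the report.)"""
    digest = hashlib.md5(f"{remote_ip}:{now_ms}:{key}".encode()).hexdigest()
    return f"{now_ms}:{digest}"


class UniqueNonceGenerator:
    """Assumed hardening, not the project's actual fix: a server-wide
    monotonically increasing counter guarantees uniqueness even when many
    clients share an IP and a millisecond, and random bytes keep the nonce
    unpredictable to a client that can observe the counter."""

    def __init__(self, key: str = SERVER_KEY):
        self._key = key
        self._counter = 0
        self._lock = threading.Lock()  # counter must be unique under concurrency

    def generate(self, remote_ip: str, now_ms: int) -> str:
        with self._lock:
            self._counter += 1
            seq = self._counter
        salt = secrets.token_hex(8)
        material = f"{remote_ip}:{now_ms}:{seq}:{salt}:{self._key}".encode()
        return f"{now_ms}:{seq}:{hashlib.sha256(material).hexdigest()}"


def all_unique(generate, count: int = 1000,
               remote_ip: str = "10.0.0.5", now_ms: int = 1422977000000) -> bool:
    """Mirror of the attached test: generate `count` nonces for one client IP
    inside a single (frozen) millisecond and report whether each was unique."""
    nonces = [generate(remote_ip, now_ms) for _ in range(count)]
    return len(set(nonces)) == len(nonces)


if __name__ == "__main__":
    print("weak scheme:", "PASSED" if all_unique(weak_nonce) else "FAILED (duplicate nonce)")
    print("hardened   :", "PASSED" if all_unique(UniqueNonceGenerator().generate) else "FAILED")
```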

Comment 3 Rémy Maucherat 2015-02-12 15:09:49 UTC
Since this is already committed in the 7.5 branch, it will be included in the 7.5.6 build which will be in 6.4.0.

Comment 5 Radim Hatlapatka 2015-02-26 13:31:53 UTC
Verified with EAP 6.4.0.ER3

