The DigestAuthenticator class contains a small but significant leak. In the generateNOnce method, the nOnceValue is inserted into a Hashtable with an expire time. This feature does not appear to be fully implemented and as a result the Hashtable "nOnceTokens" will continue to grow un-bounded. The short term solution to this problem is to remove the Hashtable insert since it isn't apparently being used. Longer term, the host-expireTime-otherState tuple could be encoded in client-opaque nOnceValue and used across multiple TC5 instances.
Created attachment 13633 [details] Patch
Fix committed (with additional clean ups) for Tomcat 5.0.31 and 5.5.6. Thanks for pointing this out.