Concerned components: org.apache.catalina.authenticator.DigestAuthenticator org.apache.catalina.authenticator.DigestAuthenticator.NonceInfo Scenario: A multithreaded client sends two requests within one millisecond. The DigestAuthenticator creates for each request a nonce as well as a NonceInfo instance. The two nonces are equal, as they were created within the same millisecond. When writing data into the cache (method generateNonce()), the second NonceInfo instance overwrites the first one (same key!). Problem: The two client threads then send a second request with a digest authentication header. In both requests, “nc” (nonce count) is equal “1”, as the nonce has been newly created. In the NonceInfo of the first request, array “seen” is set to “true” for index ((nonceCount + offset) % seen.length). In the second request the same NonceInfo instance is used, as the instance is retrieved from map “nonces” using “nonce” as a key, that is, in both requests the same key is used. Consequently, method “nonceCountValid()“ returns „false“, as seen[(nonceCount + offset) % seen.length)] has already been set to „true“. Therefore the authentication fails, although the client has sent a valid digest authentication header. Conclusion: Working with multi-threaded clients with many requests, digest authentication does not function reliably.
Thanks for the report. This has been fixed in trunk and 7.0.x and will be included in 7.0.37 onwards.
Thank you for fixing this that quick. One additional question: Will this fix be included into the next Tomcat 6 Release, too?