Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.1.10, 2.0.13, 2.2.10, 2.3, 2.2.11
-
None
Description
It seems that DigestAuthSupplier is not Thread safe and that multiple access can rarely trigger this kind of exceptions :
java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
at sun.security.provider.MD5.implDigest(MD5.java:100)
at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
at java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
at java.security.MessageDigest.digest(MessageDigest.java:309)
at java.security.MessageDigest.digest(MessageDigest.java:355)
at org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
at org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
at org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
at org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
at org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
at org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)
Access to non thread safe MessageDigest 'MD5_HELPER' should be synchronized.
In fact, currently access to the digest is centralized in DigestInfo.generateAuth which is synchronized, but as the method is not static and that a new DigestInfo is instanciated at each call, 'synchronized' is useless
Simply replacing this should correct the problem :
public static String createCnonce() throws UnsupportedEncodingException {
synchronized(MD5_HELPER)
}
Regards,
THIMONIER Julien