CXF-3073

org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.1.10, 2.0.13, 2.2.10, 2.3, 2.2.11
    • Fix Version/s: 2.2.12, 2.3.1
    • Component/s: Transports
    • Labels: None

    Description

      It seems that DigestAuthSupplier is not thread safe and that concurrent access can rarely trigger this kind of exception:

      java.lang.ArrayIndexOutOfBoundsException
      at java.lang.System.arraycopy(Native Method)
      at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
      at sun.security.provider.MD5.implDigest(MD5.java:100)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
      at java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
      at java.security.MessageDigest.digest(MessageDigest.java:309)
      at java.security.MessageDigest.digest(MessageDigest.java:355)
      at org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
      at org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
      at org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
      at org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
      at org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
      at org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)

      Access to the non-thread-safe MessageDigest 'MD5_HELPER' should be synchronized.
      In fact, access to the digest is currently centralized in DigestInfo.generateAuth, which is synchronized, but as the method is not static and a new DigestInfo is instantiated at each call, 'synchronized' is useless.

      Simply replacing this method with the following should correct the problem:

      public static String createCnonce() throws UnsupportedEncodingException {
          // Lock on the shared digest so only one thread updates it at a time.
          synchronized (MD5_HELPER) {
              String cnonce = Long.toString(System.currentTimeMillis());
              return encode(MD5_HELPER.digest(cnonce.getBytes("US-ASCII")));
          }
      }

      Regards,
      THIMONIER Julien
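To see the failure mode described in the report and to check both of its claims (a shared MessageDigest breaks under concurrent use, and a lock taken on a per-call object gives no protection), here is an added Java example. It is not CXF code: the only name borrowed from the report is MD5_HELPER; the Hasher interface, the input strings, the thread and iteration counts, and the hammer() harness are all constructed for this demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** Constructed demonstration of a MessageDigest shared across threads; not CXF code. */
public class SharedDigestRace {

    // Shared instance, named after the field in the report. A MessageDigest keeps
    // its own buffer and byte counter, so interleaved update()/digest() calls
    // from different threads corrupt that state.
    private static final MessageDigest MD5_HELPER = newMd5();

    private static MessageDigest newMd5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a required JCA algorithm", e);
        }
    }

    interface Hasher {
        byte[] hash(byte[] input);
    }

    // 1. Unsynchronized access to the shared digest: the bug.
    static final Hasher UNSAFE = in -> MD5_HELPER.digest(in);

    // 2. Lock on an object that is new for every call. This is the shape the
    //    report criticizes (synchronized on a freshly created DigestInfo): it
    //    compiles, looks synchronized, and excludes nobody.
    static final Hasher USELESS_LOCK = in -> {
        Object perCallLock = new Object();
        synchronized (perCallLock) {
            return MD5_HELPER.digest(in);
        }
    };

    // 3. The fix proposed in the report: lock on the shared digest itself.
    static final Hasher LOCKED = in -> {
        synchronized (MD5_HELPER) {
            return MD5_HELPER.digest(in);
        }
    };

    // 4. Share nothing: a fresh digest per call (a ThreadLocal works too). No
    //    lock contention, and the cost is small next to the HTTP round trip.
    static final Hasher PER_CALL = in -> newMd5().digest(in);

    /** Calls hasher from many threads at once; returns {exceptions, wrongDigests}. */
    static int[] hammer(Hasher hasher, int threads, int iterations) throws InterruptedException {
        AtomicInteger exceptions = new AtomicInteger();
        AtomicInteger wrong = new AtomicInteger();
        CountDownLatch go = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            final int id = t;
            pool.execute(() -> {
                try {
                    go.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                for (int i = 0; i < iterations; i++) {
                    // Constructed input; each thread hashes different bytes so an
                    // interleaved update() produces a visibly wrong digest.
                    byte[] in = ("cnonce-" + id + "-" + i).getBytes(StandardCharsets.US_ASCII);
                    byte[] expected = newMd5().digest(in); // private oracle, never shared
                    try {
                        if (!Arrays.equals(expected, hasher.hash(in))) {
                            wrong.incrementAndGet();
                        }
                    } catch (RuntimeException e) {
                        // Typically ArrayIndexOutOfBoundsException out of
                        // DigestBase.engineUpdate, the frame seen in the report.
                        exceptions.incrementAndGet();
                    }
                }
            });
        }
        go.countDown();
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return new int[] { exceptions.get(), wrong.get() };
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = Runtime.getRuntime().availableProcessors() * 2;
        String fmt = "%-24s exceptions=%d wrongDigests=%d%n";
        int[] r;
        r = hammer(UNSAFE, threads, 200_000);       System.out.printf(fmt, "unsafe shared digest", r[0], r[1]);
        r = hammer(USELESS_LOCK, threads, 200_000); System.out.printf(fmt, "lock on per-call object", r[0], r[1]);
        r = hammer(LOCKED, threads, 200_000);       System.out.printf(fmt, "lock on MD5_HELPER", r[0], r[1]);
        r = hammer(PER_CALL, threads, 200_000);     System.out.printf(fmt, "fresh digest per call", r[0], r[1]);
    }
}
```

Run it with a few cores available. The exact counts depend on the JVM and scheduling, but the first two variants report non-zero wrong digests (and usually some exceptions), while the last two report zero for both, which is the check a reviewer would want before accepting the patch. Two points worth keeping in mind: the class-level javadoc of MessageDigest does not promise thread safety, so any shared instance needs a lock regardless of provider; and a corrupted digest is a worse outcome than the exception in the report, because it silently produces a wrong cnonce or response hash rather than failing loudly. This example addresses only the thread-safety defect; a cnonce derived from System.currentTimeMillis() alone is predictable, which is a separate property the report does not raise.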


          People

            Assignee: Daniel Kulp (dkulp)
            Reporter: Julien Thimonier (jthimonier)
            Votes: 0
            Watchers: 0
