cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Julien Thimonier (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-3073) org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
Date Tue, 19 Oct 2010 16:00:34 GMT
org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
-------------------------------------------------------------------

                 Key: CXF-3073
                 URL: https://issues.apache.org/jira/browse/CXF-3073
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.2.11, 2.3.0, 2.2.10, 2.0.13, 2.1.10, 2.2.9, 2.2.8, 2.2.7, 2.2.6, 2.2.5,
2.2.4, 2.2.3, 2.2.2, 2.2.1, 2.2
            Reporter: Julien Thimonier
            Priority: Minor


It seems that DigestAuthSupplier is not Thread safe and that multiple access can rarely trigger
this kind of exceptions :

java.lang.ArrayIndexOutOfBoundsException
      at java.lang.System.arraycopy(Native Method)
      at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
      at sun.security.provider.MD5.implDigest(MD5.java:100)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
      at java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
      at java.security.MessageDigest.digest(MessageDigest.java:309)
      at java.security.MessageDigest.digest(MessageDigest.java:355)
      at org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
      at org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
      at org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
      at org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
      at org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
      at org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)

Access to non thread safe MessageDigest 'MD5_HELPER' should be synchronized.
In fact, currently access to the digest is centralized in DigestInfo.generateAuth which is
synchronized, but as the method is not static and that a new DigestInfo is instanciated at
each call, 'synchronized' is useless :)

Simply replacing this should correct the problem :
    public static String createCnonce() throws UnsupportedEncodingException {
    	synchronized(MD5_HELPER)
    	{
	        String cnonce = Long.toString(System.currentTimeMillis());
	        return encode(MD5_HELPER.digest(cnonce.getBytes("US-ASCII")));
    	}
    }

Regards,
THIMONIER Julien



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message