cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (CXF-3073) org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
Date Wed, 20 Oct 2010 19:30:25 GMT

     [ https://issues.apache.org/jira/browse/CXF-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-3073.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.1
                   2.2.12
         Assignee: Daniel Kulp

> org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
> -------------------------------------------------------------------
>
>                 Key: CXF-3073
>                 URL: https://issues.apache.org/jira/browse/CXF-3073
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.1.10, 2.0.13, 2.2.10, 2.3.0, 2.2.11
>            Reporter: Julien Thimonier
>            Assignee: Daniel Kulp
>            Priority: Minor
>             Fix For: 2.2.12, 2.3.1
>
>
> It seems that DigestAuthSupplier is not thread safe and that multiple access can rarely trigger this kind of exception:
> java.lang.ArrayIndexOutOfBoundsException
>       at java.lang.System.arraycopy(Native Method)
>       at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
>       at sun.security.provider.MD5.implDigest(MD5.java:100)
>       at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
>       at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
>       at java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
>       at java.security.MessageDigest.digest(MessageDigest.java:309)
>       at java.security.MessageDigest.digest(MessageDigest.java:355)
>       at org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
>       at org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
>       at org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
>       at org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
>       at org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
>       at org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)
> Access to non thread safe MessageDigest 'MD5_HELPER' should be synchronized.
> In fact, currently access to the digest is centralized in DigestInfo.generateAuth, which is synchronized, but as the method is not static and a new DigestInfo is instantiated at each call, 'synchronized' is useless :)
> Simply replacing this should correct the problem:
>     public static String createCnonce() throws UnsupportedEncodingException {
>         synchronized (MD5_HELPER) {
>             String cnonce = Long.toString(System.currentTimeMillis());
>             return encode(MD5_HELPER.digest(cnonce.getBytes("US-ASCII")));
>         }
>     }
> Regards,
> THIMONIER Julien

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
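
The following is an added example, not part of the original message or of the CXF code base. It reproduces the locking defect the report describes: a `synchronized` instance method on an object created per call does not protect a shared `MessageDigest`, while locking the shared digest itself does. The names `SharedDigestRace`, `PerCallInfo`, `lockedHash` and `failures` are hypothetical, and the 4096-byte input is constructed.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedDigestRace {
    // One shared, non-thread-safe digest, playing the role of MD5_HELPER in the report.
    static MessageDigest shared;

    // Hypothetical stand-in for DigestInfo: a new instance per call, so the monitor
    // taken by 'synchronized' is different every time and excludes no other thread.
    static class PerCallInfo {
        synchronized byte[] hash(byte[] in) { return shared.digest(in); }
    }

    // The reporter's approach: every caller locks the one shared digest object.
    static byte[] lockedHash(byte[] in) {
        synchronized (shared) { return shared.digest(in); }
    }

    interface Hasher { byte[] hash(byte[] in) throws Exception; }

    // Hashes the same input from 8 threads and counts wrong digests and exceptions.
    static int failures(Hasher h) throws Exception {
        byte[] input = new byte[4096]; // constructed sample input
        byte[] expected = MessageDigest.getInstance("MD5").digest(input);
        AtomicInteger bad = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 20_000; i++) {
                    try {
                        if (!Arrays.equals(expected, h.hash(input))) bad.incrementAndGet();
                    } catch (Exception e) { bad.incrementAndGet(); }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        shared = MessageDigest.getInstance("MD5");
        System.out.println("per-instance synchronized: " + failures(in -> new PerCallInfo().hash(in)));
        shared = MessageDigest.getInstance("MD5"); // fresh state after the racy run
        System.out.println("lock on shared digest:     " + failures(SharedDigestRace::lockedHash));
    }
}
```

The first count depends on thread scheduling and varies between runs; the second is always 0 because every call to the shared digest is serialized on the same monitor.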

