tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 32137] New: - Random "401" responses for Digest - DigestAuthenticator thread un-safe use of MessageDigest
Date Wed, 10 Nov 2004 01:14:50 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=32137>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=32137

Random "401" responses for Digest - DigestAuthenticator thread un-safe use of MessageDigest

           Summary: Random "401" responses for Digest - DigestAuthenticator
                    thread un-safe use of MessageDigest
           Product: Tomcat 5
           Version: 5.0.29
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: csharp@mac.com


Static use of java.security.MessageDigest is not thread-safe. A symptom of this bug would be "random" 401 responses to Digest Authentication challenges. The static declaration:

protected static MessageDigest md5Helper;

The use of this idiom in the DigestAuthenticator (and RealmBase) class means that all threads are effectively using the same instance of the MessageDigest. Highly concurrent testing showed this defect. In reviewing the Javadocs for MessageDigest, there is nothing that indicates that it is thread-safe.

There are two solutions: either create a wrapper class which synchronizes access, or create new instances when needed. For performance reasons it would probably be a good idea to create a wrapper class, as creating new instances can be expensive.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
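
The race described in the report, and the two fixes it names, as an added example (not code from Tomcat or from the reporter). The class name SharedDigestDemo, the Hasher interface, the thread and round counts, and the constructed "user:realm:secret" inputs are assumptions made for illustration; only the md5Helper field name comes from the report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedDigestDemo {
    // The idiom from the report: one MessageDigest shared by every thread.
    static MessageDigest md5Helper;

    interface Hasher { byte[] hash(byte[] in) throws Exception; } // hypothetical helper type

    // Unsafe: concurrent calls interleave inside the shared instance's buffer.
    static byte[] shared(byte[] in) { return md5Helper.digest(in); }
    // Fix 1 from the report: serialize access to the shared instance.
    static synchronized byte[] locked(byte[] in) { return md5Helper.digest(in); }
    // Fix 2 from the report: a new instance for each call.
    static byte[] fresh(byte[] in) throws Exception {
        return MessageDigest.getInstance("MD5").digest(in);
    }

    // Hash a distinct input on each thread and count results that differ
    // from a reference digest computed on a private instance.
    static int mismatches(Hasher h) throws Exception {
        int threads = 8, rounds = 20000;
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger bad = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            // Constructed sample input, one per thread.
            byte[] in = ("user" + t + ":realm:secret" + t).getBytes(StandardCharsets.UTF_8);
            byte[] want = fresh(in);
            pool.submit(() -> {
                for (int i = 0; i < rounds; i++) {
                    try {
                        if (!Arrays.equals(want, h.hash(in))) bad.incrementAndGet();
                    } catch (Exception e) { // corrupted state can also throw
                        bad.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        md5Helper = MessageDigest.getInstance("MD5");
        System.out.println("shared instance, no lock: " + mismatches(SharedDigestDemo::shared));
        md5Helper = MessageDigest.getInstance("MD5"); // discard state left by the racy run
        System.out.println("shared instance, locked:  " + mismatches(SharedDigestDemo::locked));
        System.out.println("new instance per call:    " + mismatches(SharedDigestDemo::fresh));
    }
}
```

The unlocked count varies from run to run and is usually non-zero on multi-core hardware; the locked and per-call variants report zero mismatches. In an authenticator each such mismatch is a digest comparison that fails for a valid credential, which is the intermittent 401 the report describes.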

