Jim Cassidy created HTTPCLIENT-1686:
---------------------------------------
Summary: Threadsafe CloseableHttpClient uses non-threadsafe NTLMScheme, causing errors
Key: HTTPCLIENT-1686
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1686
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.5.1
Environment: Java/OSX
Reporter: Jim Cassidy
The class org.apache.http.impl.client.CloseableHttpClient is marked as thread
safe, but it may use org.apache.http.impl.auth.NTLMScheme during authentication
(in this case, to Exchange's Exchange Web Services). NTLMScheme is not thread
safe, and concurrent access can result in a crash when multiple threads access
and modify the static NTLMEngineImpl Type1Message private member; see the
stack trace below.
I've verified a fix for this particular issue by removing the static
Type1Message object and allocating a new one for each call to
NTLMEngineImpl.getType1Message, but that's not necessarily sufficient to mark
NTLMScheme as ThreadSafe.
Stack trace:
java.lang.ArrayIndexOutOfBoundsException: 40
0 = {StackTraceElement@8714}
"org.apache.http.impl.auth.NTLMEngineImpl$NTLMMessage.addByte(NTLMEngineImpl.java:911)"
1 = {StackTraceElement@8715}
"org.apache.http.impl.auth.NTLMEngineImpl$NTLMMessage.addULong(NTLMEngineImpl.java:941)"
2 = {StackTraceElement@8716}
"org.apache.http.impl.auth.NTLMEngineImpl$Type1Message.getResponse(NTLMEngineImpl.java:1048)"
3 = {StackTraceElement@8717}
"org.apache.http.impl.auth.NTLMEngineImpl.getType1Message(NTLMEngineImpl.java:148)"
4 = {StackTraceElement@8718}
"org.apache.http.impl.auth.NTLMEngineImpl.generateType1Msg(NTLMEngineImpl.java:1628)"
5 = {StackTraceElement@8719}
"org.apache.http.impl.auth.NTLMScheme.authenticate(NTLMScheme.java:139)"
6 = {StackTraceElement@8720}
"org.apache.http.impl.auth.AuthSchemeBase.authenticate(AuthSchemeBase.java:138)"
7 = {StackTraceElement@8721}
"org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)"
8 = {StackTraceElement@8722}
"org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)"
9 = {StackTraceElement@8723}
"org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:262)"
10 = {StackTraceElement@8724}
"org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)"
11 = {StackTraceElement@8725}
"org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)"
12 = {StackTraceElement@8726}
"org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)"
13 = {StackTraceElement@8727}
"org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)"
14 = {StackTraceElement@8728}
"org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)"
15 = {StackTraceElement@8729}
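The failure mode reported above, as an added example that is not HttpClient's code and not part of the original report: a static message object with a fixed buffer and a write cursor, shared by every thread, next to the per-call allocation the reporter describes as his fix. `SharedMessageRace` and `Message` are hypothetical names, and the 40-byte buffer is a constructed value.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedMessageRace {
    // Hypothetical stand-in for a message builder: fixed buffer plus a write cursor.
    static final class Message {
        private final byte[] buf = new byte[40];   // constructed size
        private int pos;
        byte[] getResponse() {
            pos = 0;                               // rewind, then refill the buffer
            for (int i = 0; i < buf.length; i++) {
                buf[pos] = (byte) i;               // throws once another thread has advanced pos too
                pos++;
            }
            return buf.clone();
        }
    }

    // One instance for all threads: the cursor and buffer are shared mutable state.
    private static final Message SHARED = new Message();

    static byte[] sharedInstance() { return SHARED.getResponse(); }

    // Per-call allocation: each caller owns its cursor and buffer.
    static byte[] perCall() { return new Message().getResponse(); }

    // Calls `call` from 8 threads and counts ArrayIndexOutOfBoundsException failures.
    static int failures(Callable<byte[]> call) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger failed = new AtomicInteger();
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 200_000; i++) {
                    try { call.call(); }
                    catch (ArrayIndexOutOfBoundsException e) { failed.incrementAndGet(); }
                    catch (Exception e) { throw new IllegalStateException(e); }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failed.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared static instance failures: " + failures(SharedMessageRace::sharedInstance));
        System.out.println("per-call instance failures:      " + failures(SharedMessageRace::perCall));
    }
}
```

The shared-instance count depends on timing and is usually non-zero, while the per-call count is always zero; a shared instance can also hand back interleaved bytes without throwing, so an absence of exceptions does not show the message was built correctly.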