[jira] Created: (CXF-3073) org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe

Tue, 19 Oct 2010 09:00:55 -0700 

org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
-------------------------------------------------------------------

                 Key: CXF-3073
                 URL: https://issues.apache.org/jira/browse/CXF-3073
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.2.11, 2.3.0, 2.2.10, 2.0.13, 2.1.10, 2.2.9, 2.2.8, 
2.2.7, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.1, 2.2
            Reporter: Julien Thimonier
            Priority: Minor


It seems that DigestAuthSupplier is not Thread safe and that multiple access 
can rarely trigger this kind of exceptions :

java.lang.ArrayIndexOutOfBoundsException
      at java.lang.System.arraycopy(Native Method)
      at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
      at sun.security.provider.MD5.implDigest(MD5.java:100)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
      at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
      at 
java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
      at java.security.MessageDigest.digest(MessageDigest.java:309)
      at java.security.MessageDigest.digest(MessageDigest.java:355)
      at 
org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
      at 
org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
      at 
org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
      at 
org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
      at 
org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
      at 
org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
      at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
      at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
      at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)

Access to non thread safe MessageDigest 'MD5_HELPER' should be synchronized.
In fact, currently access to the digest is centralized in 
DigestInfo.generateAuth which is synchronized, but as the method is not static 
and that a new DigestInfo is instanciated at each call, 'synchronized' is 
useless :)

Simply replacing this should correct the problem :
    public static String createCnonce() throws UnsupportedEncodingException {
        synchronized(MD5_HELPER)
        {
                String cnonce = Long.toString(System.currentTimeMillis());
                return encode(MD5_HELPER.digest(cnonce.getBytes("US-ASCII")));
        }
    }

Regards,
THIMONIER Julien



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to