[
https://issues.apache.org/jira/browse/CXF-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Kulp resolved CXF-3073.
------------------------------
Resolution: Fixed
Fix Version/s: 2.3.1
2.2.12
Assignee: Daniel Kulp
> org/apache/cxf/transport/http/DigestAuthSupplier is not thread safe
> -------------------------------------------------------------------
>
> Key: CXF-3073
> URL: https://issues.apache.org/jira/browse/CXF-3073
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7,
> 2.2.8, 2.2.9, 2.1.10, 2.0.13, 2.2.10, 2.3.0, 2.2.11
> Reporter: Julien Thimonier
> Assignee: Daniel Kulp
> Priority: Minor
> Fix For: 2.2.12, 2.3.1
>
>
> It seems that DigestAuthSupplier is not Thread safe and that multiple access
> can rarely trigger this kind of exceptions :
> java.lang.ArrayIndexOutOfBoundsException
> at java.lang.System.arraycopy(Native Method)
> at sun.security.provider.DigestBase.engineUpdate(DigestBase.java:102)
> at sun.security.provider.MD5.implDigest(MD5.java:100)
> at sun.security.provider.DigestBase.engineDigest(DigestBase.java:161)
> at sun.security.provider.DigestBase.engineDigest(DigestBase.java:140)
> at
> java.security.MessageDigest$Delegate.engineDigest(MessageDigest.java:531)
> at java.security.MessageDigest.digest(MessageDigest.java:309)
> at java.security.MessageDigest.digest(MessageDigest.java:355)
> at
> org.apache.cxf.transport.http.DigestAuthSupplier.createCnonce(DigestAuthSupplier.java:248)
> at
> org.apache.cxf.transport.http.DigestAuthSupplier$DigestInfo.generateAuth(DigestAuthSupplier.java:178)
> at
> org.apache.cxf.transport.http.DigestAuthSupplier.getAuthorizationForRealm(DigestAuthSupplier.java:118)
> at
> org.apache.cxf.transport.http.HTTPConduit.authorizationRetransmit(HTTPConduit.java:1601)
> at
> org.apache.cxf.transport.http.HTTPConduit.processRetransmit(HTTPConduit.java:1428)
> at
> org.apache.cxf.transport.http.HTTPConduit.access$300(HTTPConduit.java:140)
> at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRetransmits(HTTPConduit.java:2011)
> at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2038)
> at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1941)
> Access to non thread safe MessageDigest 'MD5_HELPER' should be synchronized.
> In fact, currently access to the digest is centralized in
> DigestInfo.generateAuth which is synchronized, but as the method is not
> static and that a new DigestInfo is instanciated at each call, 'synchronized'
> is useless :)
> Simply replacing this should correct the problem :
> public static String createCnonce() throws UnsupportedEncodingException {
> synchronized(MD5_HELPER)
> {
> String cnonce = Long.toString(System.currentTimeMillis());
> return encode(MD5_HELPER.digest(cnonce.getBytes("US-ASCII")));
> }
> }
> Regards,
> THIMONIER Julien
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
