Bug 363944

Summary: DigestAuthenticator uses java.security.MessageDigest in a non-thread safe way
Product: [RT] Jetty
Component: server
Status: RESOLVED FIXED
Severity: normal
Priority: P3
Version: 7.5.0
Target Milestone: 7.5.x
Hardware: All
OS: All
Reporter: Missing name <bubbleguuum>
Assignee: Greg Wilkins <gregw>
QA Contact:
CC: bubbleguuum, jetty-inbox
Whiteboard:

Description Missing name CLA 2011-11-16 12:29:06 EST
Build Identifier: 

The class java.security.MessageDigest is not thread safe, and DigestAuthenticator will randomly fail (stack trace below) because of this when there are multiple concurrent requests using digest authentication.

This is related to this old Jetty 6 bug:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&ved=0CCcQFjAC&url=http%3A%2F%2Fjira.codehaus.org%2Fbrowse%2FJETTY-714&ei=l-_DToLBPMrKsgaA5vD3Cw&usg=AFQjCNGIqYIdDyAgPVgPVUqfhuH0MtY97A

And also this 2004 Tomcat bug gives more explanation:
https://issues.apache.org/bugzilla/show_bug.cgi?id=32137

The fix would be to have a static java.security.MessageDigest instance and wrap its methods in synchronized functions.

[qtp6510044-356  ] WARNING  - 01:56:03.699 - JDK14LoggerAdapter          : Committed before 401 null
[qtp6510044-356  ] WARNING  - 01:56:03.699 - JDK14LoggerAdapter          : /stream/image/fa3392015fe478eb4a5dbf5fd3a5a458
java.lang.IllegalStateException: Committed
        at org.eclipse.jetty.server.Response.resetBuffer(SourceFile:1059)
        at org.eclipse.jetty.server.Response.sendError(SourceFile:276)
        at org.eclipse.jetty.server.Response.sendError(SourceFile:378)
        at org.eclipse.jetty.security.authentication.DigestAuthenticator.validateRequest(SourceFile:175)
        at org.eclipse.jetty.security.SecurityHandler.handle(SourceFile:442)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SourceFile:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(SourceFile:940)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(SourceFile:409)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SourceFile:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(SourceFile:874)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(SourceFile:117)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(SourceFile:149)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(SourceFile:110)
        at org.eclipse.jetty.server.Server.handleAsync(SourceFile:394)
        at org.eclipse.jetty.server.HttpConnection.handleRequest(SourceFile:446)
        at org.eclipse.jetty.server.HttpConnection$a.headerComplete(SourceFile:904)
        at org.eclipse.jetty.http.HttpParser.parseNext(SourceFile:565)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(SourceFile:217)
        at org.eclipse.jetty.server.BlockingHttpConnection.handle(SourceFile:50)
        at org.eclipse.jetty.server.bio.SocketConnector$ConnectorEndPoint.run(SourceFile:245)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(SourceFile:598)
        at org.eclipse.jetty.util.thread.c.run(SourceFile:533)
        at java.lang.Thread.run(Unknown Source)

Reproducible: Sometimes

Steps to Reproduce:
Make a lot of concurrent requests with digest authentication.

Comment 1 Greg Wilkins CLA 2011-11-27 20:07:55 EST
Digest auth was refactored in 7.5.2 and now uses a method-local digest instance, so I do not think this is a problem any more.
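The race described in the report, together with the two remedies discussed (the reporter's synchronized wrapper around a shared static instance, and the method-local instance Greg mentions for 7.5.2), as an added stand-alone example that is not Jetty's code. It hammers a shared MessageDigest from several threads and counts digests that differ from a safely computed reference. The MD5 algorithm, the "user:realm:password" inputs and the thread/iteration counts are constructed for the demonstration, not taken from the bug report.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.function.Function;

/**
 * Added example (not Jetty code): shows why one MessageDigest shared between
 * request threads corrupts digests, and two thread-safe alternatives.
 */
public class DigestThreadSafetyDemo {

    // UNSAFE: a single MD5 instance shared by every thread, as in the report.
    // MessageDigest keeps an internal input buffer, so interleaved
    // update()/digest() calls from different threads mix their inputs.
    private static final MessageDigest SHARED = newMd5();

    static byte[] unsafeDigest(String input) {
        SHARED.reset();
        SHARED.update(input.getBytes(StandardCharsets.ISO_8859_1));
        return SHARED.digest();
    }

    // SAFE (reporter's proposal): same shared instance, but every use is
    // serialized on the class lock. Correct, at the cost of contention.
    static synchronized byte[] synchronizedDigest(String input) {
        SHARED.reset();
        return SHARED.digest(input.getBytes(StandardCharsets.ISO_8859_1));
    }

    // SAFE (the 7.5.2 approach): a method-local instance per call, so no
    // digest state is ever shared between threads.
    static byte[] localDigest(String input) {
        return newMd5().digest(input.getBytes(StandardCharsets.ISO_8859_1));
    }

    static MessageDigest newMd5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required by the JDK spec", e);
        }
    }

    /**
     * Runs fn concurrently on 'threads' distinct inputs and returns how many
     * results differ from the single-threaded reference (or threw), which is
     * how a corrupted digest would surface as a spurious authentication failure.
     */
    static int countCorruptedDigests(Function<String, byte[]> fn, int threads, int iterations)
            throws InterruptedException, ExecutionException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        try {
            List<Future<Integer>> results = new ArrayList<>();
            for (int t = 0; t < threads; t++) {
                // Constructed sample input in the shape of a Digest-auth A1 string.
                final String input = "user" + t + ":realm:password" + t;
                final byte[] expected = localDigest(input); // reference, computed safely
                results.add(pool.submit(() -> {
                    int bad = 0;
                    for (int i = 0; i < iterations; i++) {
                        try {
                            if (!Arrays.equals(expected, fn.apply(input))) bad++;
                        } catch (RuntimeException e) {
                            bad++; // a racing update can also corrupt the buffer state
                        }
                    }
                    return bad;
                }));
            }
            int total = 0;
            for (Future<Integer> f : results) total += f.get();
            return total;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        int threads = 8, iterations = 20000;
        System.out.println("shared, unsynchronized: "
                + countCorruptedDigests(DigestThreadSafetyDemo::unsafeDigest, threads, iterations));
        System.out.println("shared, synchronized:   "
                + countCorruptedDigests(DigestThreadSafetyDemo::synchronizedDigest, threads, iterations));
        System.out.println("method-local instance:  "
                + countCorruptedDigests(DigestThreadSafetyDemo::localDigest, threads, iterations));
    }
}
```

The two safe variants always report zero corrupted digests; the shared unsynchronized one reports a nonzero count whenever threads actually interleave, which is why the report says "Reproducible: Sometimes". For a server, the method-local instance is the preferable fix: it removes the shared state instead of guarding it, so authentication throughput is not bottlenecked on a single lock.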