Bug 363944 - DigestAuthenticator uses java.security.MessageDigest in a non-thread safe way
Summary: DigestAuthenticator uses java.security.MessageDigest in a non-thread safe way
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 7.5.0
Hardware: All  OS: All
Importance: P3 normal
Target Milestone: 7.5.x
Assignee: Greg Wilkins CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-16 12:29 EST by Missing name CLA
Modified: 2011-11-27 20:07 EST (History)
CC List: 2 users

See Also:


Attachments

Description Missing name CLA 2011-11-16 12:29:06 EST
Build Identifier: 

The class java.security.MessageDigest is not thread-safe, and DigestAuthenticator will randomly fail (stack trace below) because of this when there are multiple concurrent requests using digest authentication.

This is related to this old Jetty 6 bug:
http://jira.codehaus.org/browse/JETTY-714

And also this 2004 Tomcat bug gives more explanation:
https://issues.apache.org/bugzilla/show_bug.cgi?id=32137

The fix would be to have a static java.security.MessageDigest instance and wrap its methods in synchronized functions.

[qtp6510044-356  ] WARNING  - 01:56:03.699 - JDK14LoggerAdapter          : Committed before 401 null
[qtp6510044-356  ] WARNING  - 01:56:03.699 - JDK14LoggerAdapter          : /stream/image/fa3392015fe478eb4a5dbf5fd3a5a458
java.lang.IllegalStateException: Committed
        at org.eclipse.jetty.server.Response.resetBuffer(SourceFile:1059)
        at org.eclipse.jetty.server.Response.sendError(SourceFile:276)
        at org.eclipse.jetty.server.Response.sendError(SourceFile:378)
        at org.eclipse.jetty.security.authentication.DigestAuthenticator.validateRequest(SourceFile:175)
        at org.eclipse.jetty.security.SecurityHandler.handle(SourceFile:442)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SourceFile:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(SourceFile:940)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(SourceFile:409)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SourceFile:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(SourceFile:874)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(SourceFile:117)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(SourceFile:149)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(SourceFile:110)
        at org.eclipse.jetty.server.Server.handleAsync(SourceFile:394)
        at org.eclipse.jetty.server.HttpConnection.handleRequest(SourceFile:446)
        at org.eclipse.jetty.server.HttpConnection$a.headerComplete(SourceFile:904)
        at org.eclipse.jetty.http.HttpParser.parseNext(SourceFile:565)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(SourceFile:217)
        at org.eclipse.jetty.server.BlockingHttpConnection.handle(SourceFile:50)
        at org.eclipse.jetty.server.bio.SocketConnector$ConnectorEndPoint.run(SourceFile:245)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(SourceFile:598)
        at org.eclipse.jetty.util.thread.c.run(SourceFile:533)
        at java.lang.Thread.run(Unknown Source)

Reproducible: Sometimes

Steps to Reproduce:
Make a lot of concurrent requests with digest authentication.
Comment 1 Greg Wilkins CLA 2011-11-27 20:07:55 EST
Digest auth was refactored in 7.5.2 and now uses a method-local digest instance, so I do not think this is a problem any more.
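As an added example (not code from the bug report or from Jetty), the following stand-alone Java program reproduces the failure mode the description gives and shows both remedies named on the page: the synchronized wrapper the reporter proposed and the method-local instance Comment 1 describes. The class name, method names and the "user:realm:password" inputs are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Function;

public class DigestRaceDemo {
    // One MessageDigest shared by every request thread: the pattern the report describes.
    private static final MessageDigest SHARED = newMd5();
    private static MessageDigest newMd5() {
        try { return MessageDigest.getInstance("MD5"); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Hex rendering is only used for equality checks, so dropped leading zeros do not matter.
    static String hex(byte[] b) { return new java.math.BigInteger(1, b).toString(16); }
    // Unsafe: update()/digest() on the shared object interleave across threads, so a thread
    // may hash another thread's bytes, a mix of both, or nothing at all.
    static String sharedDigest(String s) {
        SHARED.update(s.getBytes(StandardCharsets.ISO_8859_1));
        return hex(SHARED.digest());
    }
    // Safe, as Comment 1 describes: a method-local instance per call.
    static String localDigest(String s) {
        return hex(newMd5().digest(s.getBytes(StandardCharsets.ISO_8859_1)));
    }
    // Also safe, as the reporter proposed: the single shared instance behind a lock.
    static synchronized String lockedDigest(String s) { return sharedDigest(s); }
    // Each worker hashes its own constructed "user:realm:password" string 'iters' times; a result
    // that differs from the single-threaded reference, or an exception, is counted as corruption.
    static long mismatches(Function<String, String> digest, int threads, int iters) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicLong bad = new AtomicLong();
        for (int t = 0; t < threads; t++) {
            String a1 = "user" + t + ":realm:secret" + t;
            String expected = localDigest(a1);
            pool.execute(() -> {
                for (int i = 0; i < iters; i++) {
                    try { if (!expected.equals(digest.apply(a1))) bad.incrementAndGet(); }
                    catch (RuntimeException e) { bad.incrementAndGet(); }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }
    public static void main(String[] args) throws Exception {
        // Safe variants first, so the unsafe run cannot leave SHARED in a corrupted state for them.
        System.out.println("method-local: " + mismatches(DigestRaceDemo::localDigest, 8, 20000) + " bad digests");
        System.out.println("synchronized: " + mismatches(DigestRaceDemo::lockedDigest, 8, 20000) + " bad digests");
        System.out.println("shared      : " + mismatches(DigestRaceDemo::sharedDigest, 8, 20000) + " bad digests");
    }
}
```

The two safe variants report zero bad digests; the shared-instance run typically reports many, which is the intermittent wrong-digest path that ends in the 401 and the "Committed" stack trace above.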