JBoss DigestAuthenticator is prone to generating duplicate nonces

Solution Verified - Updated -

Issue

  • The nonce is generated from the value of request.getRemoteAddr() and the system time at creation. In our case, request.getRemoteAddr() is always the same for all clients. Thus, under heavy concurrent load, with nonces being generated at the same instant, duplicate nonces are generated and handed to multiple clients. The nonce counts then get out of order, resulting in rejected requests.

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 5.2.0 and earlier
    • 6.x
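As an added example (not EAP's own code), the Java program below models the nonce scheme described in the issue, generates nonces from several threads at once and counts the collisions, next to a variant that mixes in a SecureRandom value; the REMOTE_ADDR, KEY and hash layout are constructed assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

public class NonceCollisionDemo {
    // Constructed stand-in for request.getRemoteAddr(): behind a reverse proxy
    // every client reports the same address, the situation described in the issue.
    static final String REMOTE_ADDR = "10.0.0.1";
    static final String KEY = "constructed-private-key"; // stands in for the authenticator's secret
    static final SecureRandom RNG = new SecureRandom();

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
            return String.format("%032x", new BigInteger(1, d));
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // Weak scheme modelled on the issue text: the only per-request inputs are the shared
    // remote address and the millisecond clock, so nonces issued within one millisecond repeat.
    static String timeBasedNonce() {
        long now = System.currentTimeMillis();
        return md5Hex(REMOTE_ADDR + ":" + now + ":" + KEY);
    }
    // Hardened scheme: 128 random bits make each nonce unique regardless of clock
    // resolution or a shared address; the timestamp stays visible so stale nonces can expire.
    static String randomizedNonce() {
        byte[] rnd = new byte[16];
        RNG.nextBytes(rnd);
        long now = System.currentTimeMillis();
        return now + ":" + md5Hex(now + ":" + new BigInteger(1, rnd).toString(16) + ":" + KEY);
    }
    // Issues n nonces from the common fork-join pool (concurrent clients) and
    // returns how many were duplicates of an earlier one.
    static long duplicates(int n, Supplier<String> src) {
        Set<String> distinct = IntStream.range(0, n).parallel()
                .mapToObj(i -> src.get()).collect(Collectors.toSet());
        return n - distinct.size();
    }

    public static void main(String[] args) {
        System.out.println("time-based duplicates: " + duplicates(5000, NonceCollisionDemo::timeBasedNonce));
        System.out.println("randomized duplicates: " + duplicates(5000, NonceCollisionDemo::randomizedNonce));
    }
}
```

On any modern machine the first count is in the thousands while the second is zero, which is the difference between a nonce that is unique per clock tick and one that is unique per request.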
