http://issues.apache.org/bugzilla/show_bug.cgi?id=32137

Random "401" responses for Digest - DigestAuthenticator thread un-safe use of MessageDigest

           Product: Tomcat 5
           Version: 5.0.29
          Platform: Macintosh
        OS/Version: MacOS X
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Static use of java.security.MessageDigest is not thread-safe. A symptom of this bug would be "random" 401 responses to Digest Authentication challenges.

The static declaration:

    protected static MessageDigest md5Helper;

The use of this idiom in the DigestAuthenticator (and RealmBase) class means that all threads are effectively using the same instance of the MessageDigest. Highly concurrent testing showed this defect.

In reviewing the Java docs for MessageDigest, there is nothing that indicates that it is thread-safe.

There are two solutions: either create a wrapper class which synchronizes access, or create new instances when needed. For performance reasons it would probably be a good idea to create a wrapper class as creating new instances can be expensive.
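
The race described in the report, next to the two proposed fixes, as an added example that is not Tomcat's code and not part of the original report. The class name SharedDigestDemo, the helper methods, the thread and iteration counts, and the sample input are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class SharedDigestDemo {
    static MessageDigest md5Helper;            // same idiom as the report: one instance for all threads
    static final Object LOCK = new Object();   // guards md5Helper in the synchronized variant

    // Unsafe: concurrent digest() calls interleave on the instance's internal buffer and state.
    static byte[] unsafeDigest(byte[] in) { return md5Helper.digest(in); }

    // Fix 1 from the report: serialize access to the shared instance.
    static byte[] synchronizedDigest(byte[] in) {
        synchronized (LOCK) { return md5Helper.digest(in); }
    }

    // Fix 2 from the report: a new instance for every call, nothing shared.
    static byte[] perCallDigest(byte[] in) {
        try { return MessageDigest.getInstance("MD5").digest(in); }
        catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // Hash one input from 8 threads and count results that differ from a single-threaded reference.
    static int countBadDigests(Function<byte[], byte[]> hash) throws Exception {
        byte[] input = "user:realm:password".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] expected = MessageDigest.getInstance("MD5").digest(input);
        AtomicInteger bad = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 200_000; i++) {
                    try { if (!Arrays.equals(expected, hash.apply(input))) bad.incrementAndGet(); }
                    catch (RuntimeException e) { bad.incrementAndGet(); } // corrupted internal state
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        md5Helper = MessageDigest.getInstance("MD5");
        System.out.println("shared, unsynchronized: " + countBadDigests(SharedDigestDemo::unsafeDigest));
        md5Helper = MessageDigest.getInstance("MD5"); // discard any state left by the racy run
        System.out.println("shared, synchronized:   " + countBadDigests(SharedDigestDemo::synchronizedDigest));
        System.out.println("new instance per call:  " + countBadDigests(SharedDigestDemo::perCallDigest));
    }
}
```

A wrong digest in the first line of output is the same failure that makes the server compare mismatching hashes and answer 401; the count varies from run to run because a race is never guaranteed to fire, while the other two lines should always print 0.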