JDK / JDK-4823429

Digest authentication misuse of nonce-count field

    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • 5.0
    • 1.4.1
    • core-libs
    • None
    • tiger
    • unknown
    • generic

The digest authentication implementation used in HttpURLConnection is misusing the nonce-count field in Authorization headers. It is supposed to represent the number of times the current server nonce has been used (and reused) by the client. Instead, the implementation uses it to represent the number of times the client nonce has been reused.

[Note: the nonce-count in the Authentication-Info header generated by the server or proxy is supposed to be the number of times the client nonce has been used by the server.]

The problem has only been noticed with the Squid cache, which is checking (as it should) for re-use of nonce-count values (possibly indicating a replay attack). It seems other servers are not checking for it.

The impact of the bug is that users will be re-prompted for credentials because they appear to be incorrect. The authentication will normally succeed the second time.
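The following is an added worked example, not JDK code and not the HttpURLConnection implementation the report describes. It models the two nonce-count interpretations side by side: a client that keys nc on the server nonce (the RFC 2617 semantics the report calls correct) and a client that keys it on the client nonce (a model of the described misuse), against a server whose replay check rejects a repeated nonce-count for the same server nonce, as the report says Squid does. The realm, username, password and request paths are constructed sample values; the only credential-checking logic is the standard qop=auth request-digest computation.

```python
# Added example (not JDK code): RFC 2617 Digest nonce-count semantics and a
# server-side replay check. All identities and paths below are constructed.
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, method: str, uri: str) -> str:
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestClient:
    def __init__(self, username: str, password: str, count_server_nonce: bool = True):
        self.username = username
        self.password = password
        self.count_server_nonce = count_server_nonce
        self._counts = {}  # nonce value -> number of requests sent with it

    def authorization(self, challenge: dict, method: str, uri: str) -> dict:
        nonce = challenge["nonce"]
        cnonce = secrets.token_hex(8)  # a fresh client nonce on every request
        # Correct: nc counts requests sent with this *server* nonce, this one included.
        # Misuse model: nc keyed on the client nonce, which is new each time, so it
        # never advances past 00000001 while the server nonce is reused.
        key = nonce if self.count_server_nonce else cnonce
        self._counts[key] = self._counts.get(key, 0) + 1
        nc = f"{self._counts[key]:08x}"
        ha1 = _md5(f"{self.username}:{challenge['realm']}:{self.password}")
        return {
            "username": self.username, "realm": challenge["realm"], "nonce": nonce,
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, nonce, nc, cnonce, method, uri),
        }


class DigestServer:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users  # username -> password (constructed sample data)
        self.nonce = secrets.token_hex(16)
        self._highest_nc = {}  # server nonce -> highest nc accepted so far

    def challenge(self) -> dict:
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth"}

    def verify(self, auth: dict, method: str) -> tuple:
        nonce = auth["nonce"]
        if nonce != self.nonce:
            return False, "stale nonce"
        nc = int(auth["nc"], 16)
        # Replay check: for a given server nonce the nonce-count must strictly
        # increase; a repeated value is treated as a possible replayed request.
        if nc <= self._highest_nc.get(nonce, 0):
            return False, "nonce-count reuse"
        password = self.users.get(auth["username"])
        if password is None:
            return False, "unknown user"
        ha1 = _md5(f"{auth['username']}:{self.realm}:{password}")
        expected = digest_response(ha1, nonce, auth["nc"], auth["cnonce"], method, auth["uri"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad response"
        self._highest_nc[nonce] = nc
        return True, "ok"


def run_requests(count_server_nonce: bool, n: int = 3) -> list:
    """Send n requests under one server nonce and return the server's verdicts."""
    server = DigestServer("example", {"alice": "correct horse"})
    client = DigestClient("alice", "correct horse", count_server_nonce)
    challenge = server.challenge()
    return [server.verify(client.authorization(challenge, "GET", f"/resource/{i}"), "GET")
            for i in range(n)]


if __name__ == "__main__":
    print("nc counts the server nonce:", run_requests(True))
    print("nc counts the client nonce:", run_requests(False))
```

With the server-nonce count, all three requests verify. With the client-nonce count every request carries nc=00000001, so the server accepts the first and rejects the rest as nonce-count reuse even though the credentials are right, which is the re-prompt symptom the report describes.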

Assignee: Michael McMahon (michaelm)
Reporter: Michael McMahon (michaelm)