P3
The digest authentication implementation used in HttpURLConnection
is misusing the nonce-count field in Authorization headers.
It is supposed to represent the number of times the current server nonce
has been used (and reused) by the client. Instead, the implementation
uses it to represent the number of times the client nonce has been reused.
[Note, the nonce-count in the Authentication-Info header generated by the
server or proxy is supposed to be the number of times the client nonce
has been used by the server.]
The problem has only been noticed with the Squid cache, which is checking
(as it should) for re-use of nonce-count values (possibly indicating
a replay attack). It seems other servers are not checking for it.
The impact of the bug is that users will be re-prompted for credentials
because they appear to be incorrect. The authentication will normally
succeed the second time.
is misusing the nonce-count field in Authorization headers.
It is supposed to represent the number of times the current server nonce
has been used (and reused) by the client. Instead, the implementation
uses it to represent the number of times the client nonce has been reused.
[Note, the nonce-count in the Authentication-Info header generated by the
server or proxy is supposed to be the number of times the client nonce
has been used by the server.]
The problem has only been noticed with the Squid cache, which is checking
(as it should) for re-use of nonce-count values (possibly indicating
a replay attack). It seems other servers are not checking for it.
The impact of the bug is that users will be re-prompted for credentials
because they appear to be incorrect. The authentication will normally
succeed the second time.
- relates to
-
JDK-8326578 Clean up networking properties documentation
-
- Resolved
-