Details
-
Bug
-
Resolution: Obsolete
-
Major
-
None
-
7.1.1.Final
-
None
Description
HTTP digest authentication requests seem to fail when the cnonce from the browser is repeated across multiple requests. (Firefox often does this.) For example:
1) Request resource protected by HTTP digest authentication
2) Receive response with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490667388:dbdb24005a909963fabb3fd5e18711a9", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
3) Send auth request with header: authorization=Digest username="helios", realm="helios", nonce="1352490667388:dbdb24005a909963fabb3fd5e18711a9", uri="/rest-services/rs/architecture/ui/waveforms", response="b4900878b8ffdf49e8216d706420871e", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"
4) Receive an HTTP 200
5) Close Firefox
6) Open Firefox and send request to same resource
7) Receive response with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490696962:b2318fc8d36fda0a46e9b8b4de62c597", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
8) Send request with header: authorization=Digest username="helios", realm="helios", nonce="1352490696962:b2318fc8d36fda0a46e9b8b4de62c597", uri="/rest-services/rs/architecture/ui/waveforms", response="03c3ee574d29c7ce911b645b9a4e7f0c", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="082c875dcb2ca740"
9) Receive an HTTP 401 with header: WWW-Authenticate=Digest realm="helios", qop="auth", nonce="1352490703289:9ce53cff6e7ba74f12b8d440bd4ec04c", opaque="Yy4sDZbcknyS26MFy7VH2tfm"
10) Send request with header: authorization=Digest username="helios", realm="helios", nonce="1352490703289:9ce53cff6e7ba74f12b8d440bd4ec04c", uri="/rest-services/rs/architecture/ui/waveforms", response="43acf50b9a019c9c26464e5cd43b0942", opaque="Yy4sDZbcknyS26MFy7VH2tfm", qop=auth, nc=00000001, cnonce="1522e61005789929"
11) Receives HTTP 200
Notice that the cnonce in the first and second auth requests are the same. In the third the cnonce changes and the auth request is accepted. This pattern is repeatable over and over again (sometimes the cnonce does not change for many attempts, all of which fail, but as soon as the browser changes it, the request succeeds). In all cases, the response is computed correctly. This behavior does not appear consistent with RFC 2617 (it's acceptable to repeat the nc and cnonce values across different 401 challenges). Further investigation found that when the 401 is returned in the second case, the storeDigestCallback is never executed, suggesting the failure happens before the response digest is ever evaluated.
This is the security domain configuration in standalone.xml
<security-domain name="helios" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/helios-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/helios-roles.properties"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="RFC2617"/>
<module-option name="hashUserPassword" value="false"/>
<module-option name="hashStorePassword" value="true"/>
<module-option name="passwordIsA1Hash" value="true"/>
<module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
</login-module>
</authentication>
</security-domain>
