Author: markt Date: Fri Nov 2 11:09:38 2012 New Revision: 1404920 URL: http://svn.apache.org/viewvc?rev=1404920&view=rev Log: Make nonceCountWindowSize configurable; otherwise the performance test fails.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1404918 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=1404920&r1=1404919&r2=1404920&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Fri Nov 2 11:09:38 2012 @@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -119,6 +119,12 @@ public class DigestAuthenticator extends /** + * The window size to use to track seen nonce count values for a given + * nonce. If not specified, the default of 100 is used. + */ + protected int nonceCountWindowSize = 100; + + /** * Private key. */ protected String key = null; 
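Review bot: The Javadoc on the new `nonceCountWindowSize` field in the `@@ -119,6 +119,12 @@` hunk says what the window is for but not what it costs or how it bounds replay handling, which is what an operator tuning it needs. Every generated nonce allocates `new boolean[seenWindowSize]` in the `NonceInfo` constructor (visible in a later hunk), so memory grows with nonceCacheSize times nonceCountWindowSize, and the performance test in this same commit needs 8 * 1024 to pass. I would extend the field comment with: `Each cached nonce allocates a boolean array of this size, so memory use scales with nonceCacheSize * nonceCountWindowSize. The window bounds how far an as-yet-unseen nonce count may lag behind the highest one accepted; a nonce count that has already been seen is rejected regardless of the window size.` The lag semantics are inferred from the visible part of nonceCountValid, whose body is cut off in this diff, so confirm them before committing the wording. The enclosing class continues outside the hunk.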
@@ -156,6 +162,16 @@ public class DigestAuthenticator extends } + public int getNonceCountWindowSize() { + return nonceCountWindowSize; + } + + + public void setNonceCountWindowSize(int nonceCountWindowSize) { + this.nonceCountWindowSize = nonceCountWindowSize; + } + + public int getNonceCacheSize() { return nonceCacheSize; } @@ -275,7 +291,7 @@ public class DigestAuthenticator extends if (digestInfo.validate(request, config)) { principal = digestInfo.authenticate(context.getRealm()); } - + if (principal != null && !digestInfo.isNonceStale()) { register(request, response, principal, HttpServletRequest.DIGEST_AUTH, @@ -381,7 +397,7 @@ public class DigestAuthenticator extends long currentTime = System.currentTimeMillis(); - + String ipTimeKey = request.getRemoteAddr() + ":" + currentTime + ":" + getKey(); @@ -389,7 +405,7 @@ public class DigestAuthenticator extends ipTimeKey.getBytes(B2CConverter.ISO_8859_1)); String nonce = currentTime + ":" + MD5Encoder.encode(buffer); - NonceInfo info = new NonceInfo(currentTime, 100); + NonceInfo info = new NonceInfo(currentTime, getNonceCountWindowSize()); synchronized (nonces) { nonces.put(nonce, info); } @@ -453,21 +469,21 @@ public class DigestAuthenticator extends // ------------------------------------------------------- Lifecycle Methods - + @Override protected synchronized void startInternal() throws LifecycleException { super.startInternal(); - + // Generate a random secret key if (getKey() == null) { setKey(sessionIdGenerator.generateSessionId()); } - + // Generate the opaque string the same way if (getOpaque() == null) { setOpaque(sessionIdGenerator.generateSessionId()); } - + nonces = new LinkedHashMap<String, DigestAuthenticator.NonceInfo>() { private static final long serialVersionUID = 1L; @@ -495,7 +511,7 @@ public class DigestAuthenticator extends } }; } - + private static class DigestInfo { private final String opaque; 
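Review bot: `setNonceCountWindowSize` in the `@@ -156,6 +162,16 @@` hunk accepts any int, but the value is later passed straight to `new NonceInfo(currentTime, getNonceCountWindowSize())`, whose constructor does `seen = new boolean[seenWindowSize]`, so a negative value in server.xml only surfaces as a NegativeArraySizeException on the first Digest challenge, and 0 appears to make nonceCountValid reject every nonce count (its body is partly outside this diff, so confirm). Reject bad values at configuration time instead: `if (nonceCountWindowSize < 1) { throw new IllegalArgumentException("nonceCountWindowSize must be at least 1"); }` before the assignment. The new getter and setter also carry no Javadoc, unlike the field they expose; a one-line `/** See {@link #nonceCountWindowSize}. */` on each would match the surrounding accessors. The enclosing class continues outside the hunk.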
@@ -628,7 +644,7 @@ public class DigestAuthenticator extends if (!lcRealm.equals(realmName)) { return false; } - + // Validate the opaque string if (!opaque.equals(opaqueReceived)) { return false; @@ -735,7 +751,7 @@ public class DigestAuthenticator extends seen = new boolean[seenWindowSize]; offset = seenWindowSize / 2; } - + public synchronized boolean nonceCountValid(long nonceCount) { if ((count - offset) >= nonceCount || (nonceCount > count - offset + seen.length)) { @@ -751,7 +767,7 @@ public class DigestAuthenticator extends return true; } } - + public long getTimestamp() { return timestamp; } Modified: tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java?rev=1404920&r1=1404919&r2=1404920&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java (original) +++ tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java Fri Nov 2 11:09:38 2012 @@ -118,6 +118,7 @@ public class TesterDigestAuthenticatorPe // Make the Context and Realm visible to the Authenticator authenticator.setContainer(context); + authenticator.setNonceCountWindowSize(8 * 1024); authenticator.start(); } 
@@ -125,7 +126,6 @@ public class TesterDigestAuthenticatorPe private class TesterRunnable implements Runnable { - private String nonce; private int requestCount; Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml?rev=1404920&r1=1404919&r2=1404920&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Fri Nov 2 11:09:38 2012 @@ -870,6 +870,15 @@ of that cache. If not specified, the default value of 1000 is used.</p> </attribute> + <attribute name="nonceCountWindowSize" required="false"> + <p>Client requests may be processed out of order which in turn means + that the nonce count values may be processed out of order. To prevent + authentication failures when nonce counts are presented out of order + the authenticator tracks a window of nonce count values. This attribute + controls how big that window is. If not specified, the default value of + 100 is used.</p> + </attribute> + <attribute name="nonceValidity" required="false"> <p>The time, in milliseconds, that a server generated nonce will be considered valid for use in authentication. If not specified, the --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org