search

takcy / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

IncrementalNonceGenerator in clustered environment #102

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?

Run OpenID4Java server-side with rather high load.

What is the expected output? What do you see instead?

"Nonce already seen" on the client side.

What version of the product are you using? On what operating system?

openid4java 0.9.3 (I think we have tested 0.9.5 too)

Please provide any additional information below.

The IncrementalNonceGenerator generates nonces based on current timestamp
in seconds and together with a counter. When having a high load (i.e. many
calls/second) and two servers the same nonce could be generated (since the
counter is only unique to the JVM).

The client-side implementation checks for replay attacks with the same
nonce, which occurs in the case.

Original issue reported on code.google.com by robert.e...@gmail.com on 1 Dec 2009 at 11:35

GoogleCodeExporter commented 8 years ago 
Fixed in r681 by making the consumer nonce generator configurable.

Cluster deployments can pass into the ConsumerManager their own implementation 
of a NonceGenerator.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 7:10