HttpComponents HttpClient / HTTPCLIENT-1686

Threadsafe CloseableHttpClient uses non-threadsafe NTLMScheme, causing errors


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 4.5.1
    • Fix Version/s: None
    • Component/s: HttpClient (classic)
    • Labels: None
    • Environment: Java/OSX

    Description

      The class org.apache.http.impl.client.CloseableHttpClient is marked as thread safe, but it may use org.apache.http.impl.auth.NTLMScheme during authentication (in this case, to Exchange's Exchange Web Services). NTLMScheme is not thread safe, and concurrent access can result in a crash when multiple threads access and modify the NTLMEngineImpl Type1Message static private member (see stack trace below).

      I've verified a fix for this particular issue by removing the static Type1Message object and allocating a new one for each call to NTLMEngineImpl.getType1Message, but that's not necessarily sufficient to mark NTLMScheme as ThreadSafe.

      Stack trace:

      Java.lang.ArrayIndexOutOfBoundsException: 40
      
      0 = {StackTraceElement@8714} "org.apache.http.impl.auth.NTLMEngineImpl$NTLMMessage.addByte(NTLMEngineImpl.java:911)"
      1 = {StackTraceElement@8715} "org.apache.http.impl.auth.NTLMEngineImpl$NTLMMessage.addULong(NTLMEngineImpl.java:941)"
      2 = {StackTraceElement@8716} "org.apache.http.impl.auth.NTLMEngineImpl$Type1Message.getResponse(NTLMEngineImpl.java:1048)"
      3 = {StackTraceElement@8717} "org.apache.http.impl.auth.NTLMEngineImpl.getType1Message(NTLMEngineImpl.java:148)"
      4 = {StackTraceElement@8718} "org.apache.http.impl.auth.NTLMEngineImpl.generateType1Msg(NTLMEngineImpl.java:1628)"
      5 = {StackTraceElement@8719} "org.apache.http.impl.auth.NTLMScheme.authenticate(NTLMScheme.java:139)"
      6 = {StackTraceElement@8720} "org.apache.http.impl.auth.AuthSchemeBase.authenticate(AuthSchemeBase.java:138)"
      7 = {StackTraceElement@8721} "org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)"
      8 = {StackTraceElement@8722} "org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)"
      9 = {StackTraceElement@8723} "org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:262)"
      10 = {StackTraceElement@8724} "org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)"
      11 = {StackTraceElement@8725} "org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)"
      12 = {StackTraceElement@8726} "org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)"
      13 = {StackTraceElement@8727} "org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)"
      14 = {StackTraceElement@8728} "org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)"
      15 = {StackTraceElement@8729} 
      
      

            People

              Assignee: Unassigned
              Reporter: Jim Cassidy
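A minimal model of the failure mode the report describes, as an added example that is not part of the original issue and is not HttpClient's code. The `Message` class, its 40-byte buffer and the test harness are assumptions chosen to mirror the report's description of one shared static message object versus a new object per call.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedMessageRace {
    // Hypothetical stand-in for a fixed-size message builder: a buffer plus a write cursor.
    static final class Message {
        private byte[] buf;
        private int pos;

        byte[] getResponse() {
            buf = new byte[40];            // every call resets the buffer ...
            pos = 0;                       // ... and the cursor
            for (int i = 0; i < 40; i++) {
                buf[pos++] = (byte) i;     // unsynchronized update of instance state
            }
            return buf;
        }
    }

    // Pattern described in the report: one instance shared by all callers.
    private static final Message SHARED = new Message();
    static byte[] sharedInstance() { return SHARED.getResponse(); }

    // Change the reporter describes: allocate a new object for each call.
    static byte[] perCallInstance() { return new Message().getResponse(); }

    // Calls `call` from several threads; counts calls that threw or returned wrong bytes.
    static int failures(Callable<byte[]> call, int threads, int callsPerThread) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger bad = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                for (int n = 0; n < callsPerThread; n++) {
                    try {
                        byte[] out = call.call();
                        for (int i = 0; i < out.length; i++) {
                            if (out[i] != i) { bad.incrementAndGet(); break; }
                        }
                    } catch (Exception e) { // e.g. ArrayIndexOutOfBoundsException once pos passes 39
                        bad.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared:   " + failures(SharedMessageRace::sharedInstance, 8, 200_000));
        System.out.println("per-call: " + failures(SharedMessageRace::perCallInstance, 8, 200_000));
    }
}
```

The per-call count is always 0 because no state is shared; the shared count depends on thread scheduling and varies from run to run.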