[UNDERTOW-2007] Digest mechanism needs sticky sessions

undertow-io · Dec 17, 2021 · 499ec14 · 499ec14
1 parent b24d455
commit 499ec14
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java
@@ -42,6 +42,7 @@
 import io.undertow.util.HeaderMap;
 import io.undertow.util.Headers;
 import io.undertow.util.HexConverter;
+import io.undertow.util.Sessions;
 import io.undertow.util.StatusCodes;
 
 import java.nio.charset.StandardCharsets;
@@ -445,6 +446,13 @@ private byte[] createRFC2617RequestDigest(final byte[] ha1, final byte[] ha2, fi
 
     @Override
     public ChallengeResult sendChallenge(final HttpServerExchange exchange, final SecurityContext securityContext) {
+        // Ensure a session is created to have stickiness through loadbalancers
+        try {
+            Sessions.getOrCreateSession(exchange);
+        } catch (IllegalStateException e) {
+            UndertowLogger.SECURITY_LOGGER.debugf("Session error. Digest auth may fail from broken stickiness", e);
+        }
+
         DigestContext context = exchange.getAttachment(DigestContext.ATTACHMENT_KEY);
         boolean stale = context == null ? false : context.isStale();