Merge branch 'jetty-9.4.x'

2017-12-07 14:47:37 -05:00 · 2017-12-07 14:47:37 -05:00 · 76613c0999
parent f7601d6735 3abbcbde65
commit 76613c0999
3 changed files with 17 additions and 5 deletions
--- a/jetty-documentation/src/main/asciidoc/configuring/security/secure-passwords.adoc
+++ b/jetty-documentation/src/main/asciidoc/configuring/security/secure-passwords.adoc
@ -21,11 +21,16 @@ There are many places where you might want to use and store a password, for exam

 Passwords can be stored in clear text, obfuscated, checksummed or encrypted in order of increasing security.
 The choice of method to secure a password depends on where you are using the password.
-In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method.
+In some cases, such as keystore passwords and `DIGEST` authentication, the system must retrieve the original password, which requires the obfuscation method.
 The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only.

 When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure.

+____
+[NOTE]
+When using the `DIGEST` method in tandem with an MD5 hash, you must hash the entire `user:realm:password` string or you will encounter issues with authenticating.
+____
+
 The class `org.eclipse.jetty.util.security.Password` can be used to generate all varieties of passwords.

 Run it without arguments to see usage instructions:
@ -74,7 +79,7 @@ ____
 Don't forget to also copy the OBF:, MD5: or CRYPT: prefix on the generated password. It will not be usable by Jetty without it.
 ____

-You can also use obfuscated passwords in jetty xml files where a plain text password is usually needed.
+You can also use obfuscated passwords in Jetty xml files where a plain text password is usually needed.
 Here's an example setting the password for a JDBC Datasource with obfuscation:

 [source, xml, subs="{sub-order}"]
--- a/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/AbstractFlowControlStrategy.java
+++ b/jetty-http2/http2-common/src/main/java/org/eclipse/jetty/http2/AbstractFlowControlStrategy.java
@ -214,13 +214,20 @@ public abstract class AbstractFlowControlStrategy implements FlowControlStrategy
    @ManagedAttribute(value = "The time, in milliseconds, that the session flow control has stalled", readonly = true)
    public long getSessionStallTime()
    {
-        return TimeUnit.NANOSECONDS.toMillis(sessionStallTime.get());
+        long pastStallTime = sessionStallTime.get();
+        long currentStallTime = sessionStall.get();
+        if (currentStallTime != 0)
+            currentStallTime = System.nanoTime() - currentStallTime;
+        return TimeUnit.NANOSECONDS.toMillis(pastStallTime + currentStallTime);
    }

    @ManagedAttribute(value = "The time, in milliseconds, that the streams flow control has stalled", readonly = true)
    public long getStreamsStallTime()
    {
-        return TimeUnit.NANOSECONDS.toMillis(streamsStallTime.get());
+        long pastStallTime = streamsStallTime.get();
+        long now = System.nanoTime();
+        long currentStallTime = streamsStalls.values().stream().reduce(0L, (result, time) -> now - time);
+        return TimeUnit.NANOSECONDS.toMillis(pastStallTime + currentStallTime);
    }

    @ManagedOperation(value = "Resets the statistics", impact = "ACTION")
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/Jetty.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/Jetty.java
@ -90,7 +90,7 @@ public class Jetty
        }
        catch ( NumberFormatException e )
        {
-            LOG.debug( e );
+            LOG.ignore( e );
            return "unknown";
        }
    }