syncope-dev mailing list archives

From Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Subject Re: [PROPOSAL] Replace SecureRandom with ThreadLocalRandom
Date Tue, 30 Jan 2018 08:22:59 GMT
Hi,

+1 for me.

Best regards,
Matteo


On 24/01/2018 17:54, Francesco Chicchiriccò wrote:
> Hi all (and Colm in particular, as this should be in your chords),
> we are currently basing all operations requiring random generation 
> (mainly tokens used during double opt-in and password reset, and 
> password values for specific cases) on SecureRandom [1].
>
> SecureRandom has, however, some performance issues which were solved, 
> starting with Java 7, by ThreadLocalRandom [2]; with Java 8 an 
> improvement was made [3] to retain security by setting the system 
> property 'java.util.secureRandomSeed' to true.
>
> Shall we:
>
> 1. suggest to set
>
> -Djava.security.egd=file:/dev/./urandom
>
> for Tomcat and other Java EE containers on Linux, and
>
> 2. suggest to set
>
> -Djava.util.secureRandomSeed=true
>
> for Tomcat and other Java EE containers, and
>
> 3. replace SecureRandom with ThreadLocalRandom in [1]
>
> ?
>
> Regards.
>
> [1] https://github.com/apache/syncope/blob/2_0_X/common/lib/src/main/java/org/apache/syncope/common/lib/SecureTextRandomProvider.java#L29
> [2] https://docs.oracle.com/javase/7/docs/api/java/util/concurrent/ThreadLocalRandom.html
> [3] https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadLocalRandom.html
>

-- 

Dott. Matteo Alessandroni

Software Engineer @ Tirasa S.r.l.

Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173

http://www.tirasa.net

Tirasa S.r.l. <http://www.tirasa.net>
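
An added example, not part of the original messages and not Syncope's code: a small harness for measuring the token-generation cost the proposal is concerned with, using one shared SecureRandom across threads. The class and method names are hypothetical; the ThreadLocalRandom Javadoc states that its instances are not cryptographically secure, and `java.util.secureRandomSeed` affects only how the initial seed is obtained.

```java
import java.security.SecureRandom;
import java.util.Set;
import java.util.concurrent.*;
import java.util.function.IntUnaryOperator;

// Added example: TokenBench and its members are hypothetical names, not Syncope code.
public class TokenBench {
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    // SecureRandom is thread-safe, so one shared instance can serve all request threads.
    private static final SecureRandom SECURE = new SecureRandom();

    // Builds a token by drawing each character index from the given bounded-int source.
    static String token(int length, IntUnaryOperator nextInt) {
        char[] out = new char[length];
        for (int i = 0; i < length; i++) {
            out[i] = ALPHABET[nextInt.applyAsInt(ALPHABET.length)];
        }
        return new String(out);
    }

    // Generates perThread tokens on each of `threads` workers; returns elapsed milliseconds.
    static long run(int threads, int perThread, IntUnaryOperator nextInt)
            throws InterruptedException {
        Set<String> seen = ConcurrentHashMap.newKeySet();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        long start = System.nanoTime();
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                for (int i = 0; i < perThread; i++) {
                    seen.add(token(32, nextInt));
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        long ms = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        if (seen.size() != threads * perThread) throw new IllegalStateException("duplicate token");
        return ms;
    }

    public static void main(String[] args) throws InterruptedException {
        // Password-reset and opt-in tokens are security-sensitive: SecureRandom is the CSPRNG here.
        System.out.println("SecureRandom:      " + run(8, 20_000, b -> SECURE.nextInt(b)) + " ms");
        // ThreadLocalRandom is timed only to quantify the gap behind the proposal.
        System.out.println("ThreadLocalRandom: "
            + run(8, 20_000, b -> ThreadLocalRandom.current().nextInt(b)) + " ms");
    }
}
```

Running it with and without `-Djava.security.egd=file:/dev/./urandom` shows how much of any difference comes from the seed source rather than from SecureRandom itself.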
