I agree with Alex's suggestion, although we probably don't want to change
the format of server.xml for 3.2, right ? So I think the following diff
could be applied to 3.3 (I hope I understood well how XmlMapper works !),
and for 3.2 we could probably do a lesser change, say just the changes in
SessionIdGenerator, the format of server.xml would remain unchanged for 3.2.
I didn't include the diff for the default server.xml, I agree with Alex
here.
Does this sound like a reasonable solution ?
Petr
P:\Jakarta_32jiricka\jakarta-tomcat\src\share\org\apache\tomcat>cvs diff -u
cvs server: Diffing .
cvs server: Diffing adapter
cvs server: Diffing context
cvs server: Diffing core
Index: core/ContextManager.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.jav
a,v
retrieving revision 1.100.2.2
diff -u -r1.100.2.2 ContextManager.java
--- core/ContextManager.java 2000/07/25 21:00:24 1.100.2.2
+++ core/ContextManager.java 2000/08/17 15:06:28
@@ -295,6 +295,21 @@
public void setPermissions(Object permissions) {
this.permissions = permissions;
}
+
+ /** Get the name of the class to be used for generating random numbers
by the
+ * session id generator. By default this is
<code>java.security.SecureRandom</code>.
+ **/
+ public String getRandomClass() {
+ String randomClass =
System.getProperty("tomcat.sessionid.randomclass");
+ return randomClass == null ? "java.security.SecureRandom" :
randomClass;
+ }
+
+ /** Sets the name of the class used for generating random numbers by
the
+ * session id generator.
+ */
+ public void setRandomClass(String randomClass) {
+ System.setProperty("tomcat.sessionid.randomclass", randomClass);
+ }
// -------------------- Support functions --------------------
cvs server: Diffing facade
cvs server: Diffing loader
cvs server: Diffing logging
cvs server: Diffing net
cvs server: Diffing protocol
cvs server: Diffing protocol/jar
cvs server: Diffing protocol/war
cvs server: Diffing request
cvs server: Diffing resources
cvs server: Diffing service
cvs server: Diffing service/connector
cvs server: Diffing service/http
cvs server: Diffing session
cvs server: Diffing startup
Index: startup/Tomcat.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java,v
retrieving revision 1.31
diff -u -r1.31 Tomcat.java
--- startup/Tomcat.java 2000/06/23 01:21:57 1.31
+++ startup/Tomcat.java 2000/08/17 15:06:30
@@ -134,6 +134,16 @@
xh.addChild("addLogger",
"org.apache.tomcat.logging.Logger") );
}
+
+ /** Setup habdling of random class tag. The random class is used by the
+ * session id generator.
+ */
+ void setRandomClassHelper( XmlMapper xh ) {
+ xh.addRule( "Server/random",
+ xh.methodSetter("setRandomClass",1) );
+ xh.addRule( "Server/random",
+ xh.methodParam(0, "class") );
+ }
/**
* Return the configuration file we are processing. If the
@@ -183,6 +193,7 @@
setHelper( xh );
setConnectorHelper( xh );
setLogHelper( xh );
+ setRandomClassHelper( xh );
File f = getConfigFile(cm);
try {
cvs server: Diffing task
cvs server: Diffing util
Index: util/SessionIdGenerator.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator
.java,v
retrieving revision 1.3
diff -u -r1.3 SessionIdGenerator.java
--- util/SessionIdGenerator.java 2000/06/17 00:24:45 1.3
+++ util/SessionIdGenerator.java 2000/08/17 15:06:31
@@ -89,7 +89,7 @@
*/
static private int session_count = 0;
static private long lastTimeVal = 0;
- static private java.util.Random randomSource = new
java.security.SecureRandom();
+ static private java.util.Random randomSource;
// MAX_RADIX is 36
/*
@@ -118,6 +118,21 @@
static synchronized public String getIdentifier (String jsIdent)
{
StringBuffer sessionId = new StringBuffer();
+
+ if (randomSource == null) {
+ String className =
System.getProperty("tomcat.sessionid.randomclass");
+ if (className != null) {
+ try {
+ Class randomClass = Class.forName(className);
+ randomSource =
(java.util.Random)randomClass.newInstance();
+ }
+ catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ if (randomSource == null)
+ randomSource = new java.security.SecureRandom();
+ }
// random value ..
long n = randomSource.nextLong();
cvs server: Diffing util/pattern
cvs server: Diffing util/xml
> -----Original Message-----
> From: Alex Chaffee [mailto:guru@edamame.stinky.com]
> Sent: Wednesday, August 16, 2000 2:37 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat startup time
>
>
>
>
> On Tue, Aug 15, 2000 at 02:12:56PM -0400,
> yhs@mimic.onesourcecorp.com wrote:
> >
> >
> > On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> >
> > > +1 !
> > >
> > > It can be delayed until the first session is created.
> > > Or it can be done in a separate thread ( and all session
> creation will
> > > wait for this to complete).
>
> Assuming that most servlets/JSPs use sessions, I don't see what this
> buys us. It'll still be N seconds before we can use the servlets,
> whether it happens in a background thread or not.
>
> > > Of course, server.xml option is great too.
> > >
> > > Costin
> > >
> >
> > doing it in server.xml as an option is IMHO far more convenient.
>
> +1 to doing it in server.xml
>
> -1 to doing it in any other configuration file (see next post)
>
> > i'd
> > rather have a simple option RandomGenerator = Normal/Secure or
> > something similar.
>
> How soon they forget! A month or two ago, when this change was being
> talked about, we had good suggestions on how to define the server.xml
> tags. Specifically, I remember a very clever suggestion involving the
> fact that java.security.SecureRandom is a subclass of
> java.util.Random; the config file should allow the user simply to
> specify *which* subclass of Random is initialized, opening the door to
> custom RNG classes.
>
> (However, I don't remember if the hiccup about how to pass parameters
> to the constructor was resolved. I suppose we can just use the
> default constructor for SecureRandom, since that uses "the most secure
> implementation available" or some such. Look at JavaDoc for
> SecureRandom for details.)
>
> Proposal: Add the following to server.xml, plus the code to make it
> work :-)
>
> <random class="java.security.SecureRandom"/>
> <!--
>
> java.security.SecureRandom is more secure than java.util.Random, but
> takes a long time to initialize (on the order of several seconds,
> depending on CPU speed). Use the following for a less secure, but
> slightly faster, RNG. We recommend that in a production environment,
> you always use SecureRandom, since you won't be stopping and starting
> the server very often.
>
> <random class="java.util.Random"/>
> -->
>
>
> > I'd rather have this as default set on secure since
> > i've seen the effects of having sessions cracked (and the
> effects of the
> > security flaw in tomcat previously which used an insecure
> method which had
> > an exploit posted).
>
> +1
>
>
> --
> Alex Chaffee mailto:alex@jguru.com
> jGuru - Java News and FAQs http://www.jguru.com/alex/
> Creator of Gamelan http://www.gamelan.com/
> Founder of Purple Technology http://www.purpletech.com/
> Curator of Stinky Art Collective http://www.stinky.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
|