tomcat-dev mailing list archives

From Petr Jiricka <petr.jiri...@netbeans.com>
Subject RE: Tomcat startup time
Date Thu, 17 Aug 2000 15:31:19 GMT
I agree with Alex's suggestion, although we probably don't want to change
the format of server.xml for 3.2, right? So I think the following diff
could be applied to 3.3 (I hope I understood well how XmlMapper works!),
and for 3.2 we could probably do a lesser change, say just the changes in
SessionIdGenerator; the format of server.xml would remain unchanged for 3.2.

I didn't include the diff for the default server.xml, I agree with Alex
here.

Does this sound like a reasonable solution?

Petr


P:\Jakarta_32jiricka\jakarta-tomcat\src\share\org\apache\tomcat>cvs diff -u
cvs server: Diffing .
cvs server: Diffing adapter
cvs server: Diffing context
cvs server: Diffing core
Index: core/ContextManager.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.jav
a,v
retrieving revision 1.100.2.2
diff -u -r1.100.2.2 ContextManager.java
--- core/ContextManager.java    2000/07/25 21:00:24     1.100.2.2
+++ core/ContextManager.java    2000/08/17 15:06:28
@@ -295,6 +295,21 @@
     public void setPermissions(Object permissions) {
        this.permissions = permissions;
     }
+
+    /** Get the name of the class to be used for generating random numbers
by the
+     * session id generator. By default this is
<code>java.security.SecureRandom</code>.
+     **/
+    public String getRandomClass() {
+        String randomClass =
System.getProperty("tomcat.sessionid.randomclass");
+        return randomClass == null ? "java.security.SecureRandom" :
randomClass;
+    }
+
+    /** Sets the name of the class used for generating random numbers by
the
+     *  session id generator.
+     */
+    public void setRandomClass(String randomClass) {
+        System.setProperty("tomcat.sessionid.randomclass", randomClass);
+    }


     // -------------------- Support functions --------------------
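Review bot: setRandomClass() stores the setting in the JVM-wide system property tomcat.sessionid.randomclass rather than in a field of this ContextManager, so the value is shared by every ContextManager in the JVM and can be changed by any code that is allowed to call System.setProperty. Consider keeping it in an instance field and handing it to SessionIdGenerator explicitly. System.setProperty also throws NullPointerException for a null value, so setRandomClass(null) should be rejected or treated as "use the default". The javadoc should state that the class must extend java.util.Random and have a public no-argument constructor, because SessionIdGenerator casts the result of newInstance() to java.util.Random.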
cvs server: Diffing facade
cvs server: Diffing loader
cvs server: Diffing logging
cvs server: Diffing net
cvs server: Diffing protocol
cvs server: Diffing protocol/jar
cvs server: Diffing protocol/war
cvs server: Diffing request
cvs server: Diffing resources
cvs server: Diffing service
cvs server: Diffing service/connector
cvs server: Diffing service/http
cvs server: Diffing session
cvs server: Diffing startup
Index: startup/Tomcat.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/startup/Tomcat.java,v
retrieving revision 1.31
diff -u -r1.31 Tomcat.java
--- startup/Tomcat.java 2000/06/23 01:21:57     1.31
+++ startup/Tomcat.java 2000/08/17 15:06:30
@@ -134,6 +134,16 @@
                   xh.addChild("addLogger",
                               "org.apache.tomcat.logging.Logger") );
     }
+
+    /** Setup habdling of random class tag. The random class is used by the
+     * session id generator.
+     */
+    void setRandomClassHelper( XmlMapper xh ) {
+       xh.addRule( "Server/random",
+                   xh.methodSetter("setRandomClass",1) );
+       xh.addRule( "Server/random",
+                   xh.methodParam(0, "class") );
+    }

     /**
      * Return the configuration file we are processing.  If the
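Review bot: typo in the new javadoc of setRandomClassHelper ("habdling" should be "handling"). The comment should also say that the class attribute of Server/random is handed to setRandomClass as-is and name the requirement the value has to meet (a java.util.Random subclass), since neither of the two rules added here validates it.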
@@ -183,6 +193,7 @@
        setHelper( xh );
        setConnectorHelper( xh );
        setLogHelper( xh );
+        setRandomClassHelper( xh );

        File f = getConfigFile(cm);
        try {
cvs server: Diffing task
cvs server: Diffing util
Index: util/SessionIdGenerator.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator
.java,v
retrieving revision 1.3
diff -u -r1.3 SessionIdGenerator.java
--- util/SessionIdGenerator.java        2000/06/17 00:24:45     1.3
+++ util/SessionIdGenerator.java        2000/08/17 15:06:31
@@ -89,7 +89,7 @@
      */
     static private int session_count = 0;
     static private long lastTimeVal = 0;
-    static private java.util.Random randomSource = new
java.security.SecureRandom();
+    static private java.util.Random randomSource;

     // MAX_RADIX is 36
     /*
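Review bot: the randomSource declaration no longer says when the field gets a value; it is now null until the first getIdentifier() call. Add a comment that it is initialized lazily from tomcat.sessionid.randomclass and must only be touched under the class lock held by the static synchronized getIdentifier(), so that a later unsynchronized use does not see a null field.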
@@ -118,6 +118,21 @@
     static synchronized public String getIdentifier (String jsIdent)
     {
         StringBuffer sessionId = new StringBuffer();
+
+        if (randomSource == null) {
+            String className =
System.getProperty("tomcat.sessionid.randomclass");
+            if (className != null) {
+                try {
+                    Class randomClass = Class.forName(className);
+                    randomSource =
(java.util.Random)randomClass.newInstance();
+                }
+                catch (Exception e) {
+                    e.printStackTrace();
+                }
+            }
+            if (randomSource == null)
+                randomSource = new java.security.SecureRandom();
+        }

         // random value ..
         long n = randomSource.nextLong();
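Review bot: in the new block at the top of getIdentifier(), a configured class that is a plain java.util.Random is accepted silently, so nothing in the logs shows that session ids are coming from a non-cryptographic generator; log a warning when the instance is not a java.security.SecureRandom. The failure path has a similar gap: catch (Exception e) only calls e.printStackTrace() before falling back to SecureRandom, so the message should name the rejected class (this path also covers a ClassCastException from the (java.util.Random) cast). The property is read only while randomSource == null, so a setRandomClass() call made after the first session id has no effect, which should be documented. The block also reads the system property directly instead of going through ContextManager.getRandomClass().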
cvs server: Diffing util/pattern
cvs server: Diffing util/xml





> -----Original Message-----
> From: Alex Chaffee [mailto:guru@edamame.stinky.com]
> Sent: Wednesday, August 16, 2000 2:37 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat startup time
> 
> 
> 
> 
> On Tue, Aug 15, 2000 at 02:12:56PM -0400, yhs@mimic.onesourcecorp.com wrote:
> > 
> > 
> > On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> > 
> > > +1 !
> > > 
> > > It can be delayed until the first session is created. 
> > > Or it can be done in a separate thread ( and all session creation will
> > > wait for this to complete).
> 
> Assuming that most servlets/JSPs use sessions, I don't see what this
> buys us.  It'll still be N seconds before we can use the servlets,
> whether it happens in a background thread or not.
> 
> > > Of course, server.xml option is great too.
> > > 
> > > Costin
> > > 
> > 
> > doing it in server.xml as an option is IMHO far more convenient.
> 
> +1 to doing it in server.xml
> 
> -1 to doing it in any other configuration file (see next post)
> 
> > i'd
> > rather have a simple option RandomGenerator = Normal/Secure or
> > something similar.
> 
> How soon they forget! A month or two ago, when this change was being
> talked about, we had good suggestions on how to define the server.xml
> tags.  Specifically, I remember a very clever suggestion involving the
> fact that java.security.SecureRandom is a subclass of
> java.util.Random; the config file should allow the user simply to
> specify *which* subclass of Random is initialized, opening the door to
> custom RNG classes.
> 
> (However, I don't remember if the hiccup about how to pass parameters
> to the constructor was resolved.  I suppose we can just use the
> default constructor for SecureRandom, since that uses "the most secure
> implementation available" or some such.  Look at JavaDoc for
> SecureRandom for details.)
> 
> Proposal: Add the following to server.xml, plus the code to make it
> work :-)
> 
> <random class="java.security.SecureRandom"/>
> <!-- 
> 
> java.security.SecureRandom is more secure than java.util.Random, but
> takes a long time to initialize (on the order of several seconds,
> depending on CPU speed).  Use the following for a less secure, but
> slightly faster, RNG.  We recommend that in a production environment,
> you always use SecureRandom, since you won't be stopping and starting
> the server very often.
> 
> <random class="java.util.Random"/>
> -->
> 
> 
> > I'd rather have this as default set on secure since
> > i've seen the effects of having sessions cracked (and the effects of the
> > security flaw in tomcat previously which used an insecure method which had
> > an exploit posted).
> 
> +1
> 
> 
> -- 
> Alex Chaffee                       mailto:alex@jguru.com
> jGuru - Java News and FAQs         http://www.jguru.com/alex/
> Creator of Gamelan                 http://www.gamelan.com/
> Founder of Purple Technology       http://www.purpletech.com/
> Curator of Stinky Art Collective   http://www.stinky.com/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
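Added example, not part of this message or of the Tomcat source: one way to load a configurable java.util.Random subclass as proposed in the thread, keeping SecureRandom as the fail-safe and reporting when the configured class is not a CSPRNG. The names RandomSourceLoader, Resolved and resolve are hypothetical, the sample class names in main are constructed, and the code uses current Java reflection APIs rather than those available in 2000.

```java
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical helper, written for illustration only.
public class RandomSourceLoader {

    /** The chosen generator, whether it is a SecureRandom, and why it was chosen. */
    static final class Resolved {
        final Random source;
        final boolean secure;
        final String note;

        Resolved(Random source, String note) {
            this.source = source;
            this.secure = source instanceof SecureRandom;
            this.note = note;
        }
    }

    /** Resolve a configured class name; every failure falls back to SecureRandom. */
    static Resolved resolve(String className) {
        if (className == null || className.isEmpty()) {
            return new Resolved(new SecureRandom(), "nothing configured, using SecureRandom");
        }
        try {
            Class<?> c = Class.forName(className);
            // Check the type before instantiating, so an unrelated class is never constructed.
            if (!Random.class.isAssignableFrom(c)) {
                return new Resolved(new SecureRandom(),
                        className + " does not extend java.util.Random, using SecureRandom");
            }
            Random r = c.asSubclass(Random.class).getDeclaredConstructor().newInstance();
            return new Resolved(r, r instanceof SecureRandom
                    ? "ok"
                    : "WARNING: " + className + " is not a SecureRandom, unsuitable for session ids");
        } catch (ReflectiveOperationException e) {
            // Missing class, no accessible no-arg constructor, or constructor failure.
            return new Resolved(new SecureRandom(),
                    "cannot load " + className + " (" + e + "), using SecureRandom");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: unset, secure, weak, wrong type, missing class.
        String[] configured = { null, "java.security.SecureRandom", "java.util.Random",
                                "java.lang.String", "com.example.Missing" };
        for (String name : configured) {
            Resolved r = resolve(name);
            System.out.println(name + " -> " + r.source.getClass().getName()
                    + " secure=" + r.secure + " : " + r.note);
        }
    }
}
```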
