tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Chaffee <g...@edamame.stinky.com>
Subject Re: Tomcat startup time
Date Wed, 16 Aug 2000 12:37:15 GMT


On Tue, Aug 15, 2000 at 02:12:56PM -0400, yhs@mimic.onesourcecorp.com wrote:
> 
> 
> On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> 
> > +1 !
> > 
> > It can be delayed until the first session is created. 
> > Or it can be done in a separate thread ( and all session creation will
> > wait for this to complete). 

Assuming that most servlets/JSPs use sessions, I don't see what this
buys us.  It'll still be N seconds before we can use the servlets,
whether it happens in a background thread or not.

> > Of course, server.xml option is great too.
> > 
> > Costin
> > 
> 
> doing it in server.xml as an option is IMHO far more convenient.

+1 to doing it in server.xml

-1 to doing it in any other configuration file (see next post)

> i'd
> rather have a simple option RandomGenerator = Normal/Secure or
> something similar.

How soon they forget! A month or two ago, when this change was being
talked about, we had good suggestions on how to define the server.xml
tags.  Specifically, I remember a very clever suggestion involving the
fact that java.security.SecureRandom is a subclass of
java.util.Random; the config file should allow the user simply to
specify *which* subclass of Random is initialized, opening the door to
custom RNG classes.

(However, I don't remember if the hiccup about how to pass parameters
to the constructor was resolved.  I suppose we can just use the
default constructor for SecureRandom, since that uses "the most secure
implementation available" or some such.  Look at JavaDoc for
SecureRandom for details.)

Proposal: Add the following to server.xml, plus the code to make it
work :-)

<random class="java.security.SecureRandom"/>
<!-- 

java.security.SecureRandom is more secure than java.util.Random, but
takes a long time to initialize (on the order of several seconds,
depending on CPU speed).  Use the following for a less secure, but
slightly faster, RNG.  We recommend that in a production environment,
you always use SecureRandom, since you won't be stopping and starting
the server very often.

<random class="java.util.Random"/>
-->


> I'd rather have this as default set on secure since
> i've seen the effects of having sessions cracked (and the effects of the
> security flaw in tomcat previously which used an insecure method which had
> an exploit posted).

+1


-- 
Alex Chaffee                       mailto:alex@jguru.com
jGuru - Java News and FAQs         http://www.jguru.com/alex/
Creator of Gamelan                 http://www.gamelan.com/
Founder of Purple Technology       http://www.purpletech.com/
Curator of Stinky Art Collective   http://www.stinky.com/

Mime
View raw message