tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1044879 - in /tomcat/trunk: java/org/apache/catalina/authenticator/AuthenticatorBase.java webapps/docs/config/valve.xml
Date Sun, 12 Dec 2010 18:47:11 GMT
Author: markt
Date: Sun Dec 12 18:47:10 2010
New Revision: 1044879

URL: http://svn.apache.org/viewvc?rev=1044879&view=rev
Log:
Use the newly refactored session id generator when generating sso session IDs

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/trunk/webapps/docs/config/valve.xml

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1044879&r1=1044878&r2=1044879&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Sun Dec 12
18:47:10 2010
@@ -20,13 +20,10 @@ package org.apache.catalina.authenticato
 
 
 import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
-import java.util.Random;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -45,6 +42,7 @@ import org.apache.catalina.connector.Res
 import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.util.DateTool;
+import org.apache.catalina.util.SessionIdGenerator;
 import org.apache.catalina.valves.ValveBase;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -137,20 +135,6 @@ public abstract class AuthenticatorBase 
 
 
     /**
-     * Return the MessageDigest implementation to be used when
-     * creating session identifiers.
-     */
-    protected MessageDigest digest = null;
-
-
-    /**
-     * A String initialization parameter used to increase the entropy of
-     * the initialization of our random number generator.
-     */
-    protected String entropy = null;
-
-
-    /**
      * Descriptive information about this implementation.
      */
     protected static final String info =
@@ -169,17 +153,36 @@ public abstract class AuthenticatorBase 
     protected boolean securePagesWithPragma = true;
     
     /**
-     * A random number generator to use when generating session identifiers.
+     * The Java class name of the secure random number generator class to be
+     * used when generating SSO session identifiers. The random number generator
+     * class must be self-seeding and have a zero-argument constructor. If not
+     * specified, an instance of {@link java.secure.SecureRandom} will be
+     * generated.
      */
-    protected Random random = null;
+    protected String secureRandomClass = null;
 
+    /**
+     * The name of the algorithm to use to create instances of
+     * {@link java.secure.SecureRandom} which are used to generate SSO session
+     * IDs. If no algorithm is specified, SHA1PRNG is used. To use the platform
+     * default (which may be SHA1PRNG), specify the empty string. If an invalid
+     * algorithm and/or provider is specified the SecureRandom instances will be
+     * created using the defaults. If that fails, the SecureRandom instances
+     * will be created using platform defaults.
+     */
+    protected String secureRandomAlgorithm = "SHA1PRNG";
 
     /**
-     * The Java class name of the random number generator class to be used
-     * when generating session identifiers.
+     * The name of the provider to use to create instances of
+     * {@link java.secure.SecureRandom} which are used to generate session SSO
+     * IDs. If no algorithm is specified the of SHA1PRNG default is used. If an
+     * invalid algorithm and/or provider is specified the SecureRandom instances
+     * will be created using the defaults. If that fails, the SecureRandom
+     * instances will be created using platform defaults.
      */
-    protected String randomClass = "java.security.SecureRandom";
+    protected String secureRandomProvider = null;
 
+    protected SessionIdGenerator sessionIdGenerator = null;
 
     /**
      * The string manager for this package.
@@ -280,33 +283,6 @@ public abstract class AuthenticatorBase 
 
 
     /**
-     * Return the entropy increaser value, or compute a semi-useful value
-     * if this String has not yet been set.
-     */
-    public String getEntropy() {
-
-        // Calculate a semi-useful value if this has not been set
-        if (this.entropy == null)
-            setEntropy(this.toString());
-
-        return (this.entropy);
-
-    }
-
-
-    /**
-     * Set the entropy increaser value.
-     *
-     * @param entropy The new entropy increaser value
-     */
-    public void setEntropy(String entropy) {
-
-        this.entropy = entropy;
-
-    }
-
-
-    /**
      * Return descriptive information about this Valve implementation.
      */
     @Override
@@ -318,27 +294,6 @@ public abstract class AuthenticatorBase 
 
 
     /**
-     * Return the random number generator class name.
-     */
-    public String getRandomClass() {
-
-        return (this.randomClass);
-
-    }
-
-
-    /**
-     * Set the random number generator class name.
-     *
-     * @param randomClass The new random number generator class name
-     */
-    public void setRandomClass(String randomClass) {
-
-        this.randomClass = randomClass;
-
-    }
-
-    /**
      * Return the flag that states if we add headers to disable caching by
      * proxies.
      */
@@ -400,6 +355,66 @@ public abstract class AuthenticatorBase 
         this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
     }
 
+    /**
+     * Return the secure random number generator class name.
+     */
+    public String getSecureRandomClass() {
+
+        return (this.secureRandomClass);
+
+    }
+
+
+    /**
+     * Set the secure random number generator class name.
+     *
+     * @param secureRandomClass The new secure random number generator class
+     *                          name
+     */
+    public void setSecureRandomClass(String secureRandomClass) {
+        this.secureRandomClass = secureRandomClass;
+    }
+
+
+    /**
+     * Return the secure random number generator algorithm name.
+     */
+    public String getSecureRandomAlgorithm() {
+        return secureRandomAlgorithm;
+    }
+
+
+    /**
+     * Set the secure random number generator algorithm name.
+     *
+     * @param secureRandomAlgorithm The new secure random number generator
+     *                              algorithm name
+     */
+    public void setSecureRandomAlgorithm(String secureRandomAlgorithm) {
+        this.secureRandomAlgorithm = secureRandomAlgorithm;
+    }
+
+
+    /**
+     * Return the secure random number generator provider name.
+     */
+    public String getSecureRandomProvider() {
+        return secureRandomProvider;
+    }
+
+
+    /**
+     * Set the secure random number generator provider name.
+     *
+     * @param secureRandomProvider The new secure random number generator
+     *                             provider name
+     */
+    public void setSecureRandomProvider(String secureRandomProvider) {
+        this.secureRandomProvider = secureRandomProvider;
+    }
+
+
+
     // --------------------------------------------------------- Public Methods
 
 
@@ -603,88 +618,6 @@ public abstract class AuthenticatorBase 
 
 
     /**
-     * Generate and return a new session identifier for the cookie that
-     * identifies an SSO principal.
-     */
-    protected synchronized String generateSessionId() {
-
-        // Generate a byte array containing a session identifier
-        byte bytes[] = new byte[SESSION_ID_BYTES];
-        getRandom().nextBytes(bytes);
-        bytes = getDigest().digest(bytes);
-
-        // Render the result as a String of hexadecimal digits
-        StringBuilder result = new StringBuilder();
-        for (int i = 0; i < bytes.length; i++) {
-            byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
-            byte b2 = (byte) (bytes[i] & 0x0f);
-            if (b1 < 10)
-                result.append((char) ('0' + b1));
-            else
-                result.append((char) ('A' + (b1 - 10)));
-            if (b2 < 10)
-                result.append((char) ('0' + b2));
-            else
-                result.append((char) ('A' + (b2 - 10)));
-        }
-        return (result.toString());
-
-    }
-
-
-    /**
-     * Return the MessageDigest object to be used for calculating
-     * session identifiers.  If none has been created yet, initialize
-     * one the first time this method is called.
-     */
-    protected synchronized MessageDigest getDigest() {
-
-        if (this.digest == null) {
-            try {
-                this.digest = MessageDigest.getInstance(algorithm);
-            } catch (NoSuchAlgorithmException e) {
-                try {
-                    this.digest = MessageDigest.getInstance(DEFAULT_ALGORITHM);
-                } catch (NoSuchAlgorithmException f) {
-                    this.digest = null;
-                }
-            }
-        }
-
-        return (this.digest);
-
-    }
-
-
-    /**
-     * Return the random number generator instance we should use for
-     * generating session identifiers.  If there is no such generator
-     * currently defined, construct and seed a new one.
-     */
-    protected synchronized Random getRandom() {
-
-        if (this.random == null) {
-            try {
-                Class<?> clazz = Class.forName(randomClass);
-                this.random = (Random) clazz.newInstance();
-                long seed = System.currentTimeMillis();
-                char entropy[] = getEntropy().toCharArray();
-                for (int i = 0; i < entropy.length; i++) {
-                    long update = ((byte) entropy[i]) << ((i % 8) * 8);
-                    seed ^= update;
-                }
-                this.random.setSeed(seed);
-            } catch (Exception e) {
-                this.random = new java.util.Random();
-            }
-        }
-
-        return (this.random);
-
-    }
-
-
-    /**
      * Attempts reauthentication to the <code>Realm</code> using
      * the credentials included in argument <code>entry</code>.
      *
@@ -780,7 +713,7 @@ public abstract class AuthenticatorBase 
         String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
         if (ssoId == null) {
             // Construct a cookie to be returned to the client
-            ssoId = generateSessionId();
+            ssoId = sessionIdGenerator.generateSessionId();
             Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
             cookie.setMaxAge(-1);
             cookie.setPath("/");
@@ -886,6 +819,11 @@ public abstract class AuthenticatorBase 
                 log.debug("No SingleSignOn Valve is present");
         }
 
+        sessionIdGenerator = new SessionIdGenerator();
+        sessionIdGenerator.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
+        sessionIdGenerator.setSecureRandomClass(getSecureRandomClass());
+        sessionIdGenerator.setSecureRandomProvider(getSecureRandomProvider());
+
         super.startInternal();
     }
 

Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1044879&r1=1044878&r2=1044879&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Sun Dec 12 18:47:10 2010
@@ -438,6 +438,33 @@
         If not set, the default value of <code>true</code> will be used.</p>
       </attribute>
 
+      <attribute name="secureRandomClass" required="false">
+        <p>Name of the Java class that extends
+        <code>java.security.SecureRandom</code> to use to generate SSO session
+        IDs. If not specified, the default value is
+        <code>java.security.SecureRandom</code>.</p>
+      </attribute>
+
+      <attribute name="secureRandomProvider" required="false">
+        <p>Name of the provider to use to create the
+        <code>java.security.SecureRandom</code> instances that generate SSO
+        session IDs. If an invalid algorithm and/or provider is specified, the
+        platform default provider and the default algorithm will be used. If not
+        specified, the platform default provider will be used.</p>
+      </attribute>
+
+      <attribute name="secureRandomAlgorithm" required="false">
+        <p>Name of the algorithm to use to create the
+        <code>java.security.SecureRandom</code> instances that generate session
+        IDs. If an invalid algorithm and/or provider is specified, the platform
+        default provider and the default algorithm will be used. If not
+        specified, the default algorithm of SHA1PRNG will be used. If the
+        default algorithm is not supported, the platform default will be used.
+        To specify that the platform default should be used, do not set the
+        secureRandomProvider attribute and set this attribute to the empty
+        string.</p>
+      </attribute>
+
     </attributes>
 
   </subsection>
@@ -497,6 +524,33 @@
         If not set, the default value of <code>true</code> will be used.</p>
       </attribute>
 
+      <attribute name="secureRandomClass" required="false">
+        <p>Name of the Java class that extends
+        <code>java.security.SecureRandom</code> to use to generate SSO session
+        IDs. If not specified, the default value is
+        <code>java.security.SecureRandom</code>.</p>
+      </attribute>
+
+      <attribute name="secureRandomProvider" required="false">
+        <p>Name of the provider to use to create the
+        <code>java.security.SecureRandom</code> instances that generate SSO
+        session IDs. If an invalid algorithm and/or provider is specified, the
+        platform default provider and the default algorithm will be used. If not
+        specified, the platform default provider will be used.</p>
+      </attribute>
+
+      <attribute name="secureRandomAlgorithm" required="false">
+        <p>Name of the algorithm to use to create the
+        <code>java.security.SecureRandom</code> instances that generate session
+        IDs. If an invalid algorithm and/or provider is specified, the platform
+        default provider and the default algorithm will be used. If not
+        specified, the default algorithm of SHA1PRNG will be used. If the
+        default algorithm is not supported, the platform default will be used.
+        To specify that the platform default should be used, do not set the
+        secureRandomProvider attribute and set this attribute to the empty
+        string.</p>
+      </attribute>
+
     </attributes>
 
   </subsection>
@@ -575,6 +629,33 @@
         If not set, the default value of <code>true</code> will be used.</p>
       </attribute>
 
+      <attribute name="secureRandomClass" required="false">
+        <p>Name of the Java class that extends
+        <code>java.security.SecureRandom</code> to use to generate SSO session
+        IDs. If not specified, the default value is
+        <code>java.security.SecureRandom</code>.</p>
+      </attribute>
+
+      <attribute name="secureRandomProvider" required="false">
+        <p>Name of the provider to use to create the
+        <code>java.security.SecureRandom</code> instances that generate SSO
+        session IDs. If an invalid algorithm and/or provider is specified, the
+        platform default provider and the default algorithm will be used. If not
+        specified, the platform default provider will be used.</p>
+      </attribute>
+
+      <attribute name="secureRandomAlgorithm" required="false">
+        <p>Name of the algorithm to use to create the
+        <code>java.security.SecureRandom</code> instances that generate session
+        IDs. If an invalid algorithm and/or provider is specified, the platform
+        default provider and the default algorithm will be used. If not
+        specified, the default algorithm of SHA1PRNG will be used. If the
+        default algorithm is not supported, the platform default will be used.
+        To specify that the platform default should be used, do not set the
+        secureRandomProvider attribute and set this attribute to the empty
+        string.</p>
+      </attribute>
+
     </attributes>
 
   </subsection>
@@ -634,6 +715,33 @@
         If not set, the default value of <code>true</code> will be used.</p>
       </attribute>
 
+      <attribute name="secureRandomClass" required="false">
+        <p>Name of the Java class that extends
+        <code>java.security.SecureRandom</code> to use to generate SSO session
+        IDs. If not specified, the default value is
+        <code>java.security.SecureRandom</code>.</p>
+      </attribute>
+
+      <attribute name="secureRandomProvider" required="false">
+        <p>Name of the provider to use to create the
+        <code>java.security.SecureRandom</code> instances that generate SSO
+        session IDs. If an invalid algorithm and/or provider is specified, the
+        platform default provider and the default algorithm will be used. If not
+        specified, the platform default provider will be used.</p>
+      </attribute>
+
+      <attribute name="secureRandomAlgorithm" required="false">
+        <p>Name of the algorithm to use to create the
+        <code>java.security.SecureRandom</code> instances that generate session
+        IDs. If an invalid algorithm and/or provider is specified, the platform
+        default provider and the default algorithm will be used. If not
+        specified, the default algorithm of SHA1PRNG will be used. If the
+        default algorithm is not supported, the platform default will be used.
+        To specify that the platform default should be used, do not set the
+        secureRandomProvider attribute and set this attribute to the empty
+        string.</p>
+      </attribute>
+
     </attributes>
 
   </subsection>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message