tomcat-dev mailing list archives

From Christopher Schultz <>
Subject Re: Avoid use of SecureRandom during server startup
Date Fri, 17 Jun 2016 11:12:39 GMT

On 6/16/16 5:52 AM, Rémy Maucherat wrote:
> 2016-06-16 11:25 GMT+02:00 Andy Wilkinson <>:
>> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat <> wrote:
>>> -1, I am against fake improvements.
>> Do you consider the improvement for applications that do not use HTTP
>> sessions at all to also be fake?
> This does not sound very realistic or common to me.

50% of our application deployments are cookie-less, and we deploy on
separate Tomcats running on separate JVMs. That means that we have 50%
of our Tomcat instances that will never create an instance of

If SecureRandom is only being used for HttpSession id generation, it's
not necessary to do it on startup.

> There are different products, with different behaviors, that give
> users a choice. Tomcat's strategy avoids any risk to delay user
> requests, so is not effectively worse than the other strategy.

I disagree: Tomcat's behavior will cause time-to-first-byte after a
restart to be the same as e.g. Undertow for a request-with-a-session,
but the time-to-first-byte for Undertow will be significantly less for a
request that does not require a session.

> You're basically asking for all products to behave the same because
> it would be nicer for your own product. That's fine, but choice is
> good.

No, that's not what he's saying at all.

Lazy Random-init sounds like a good idea. It's not clear to me if there
are any particular problems with such a strategy given Tomcat's current
