tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Avoid use of SecureRandom during server startup
Date Fri, 17 Jun 2016 11:12:39 GMT
Rémy,

On 6/16/16 5:52 AM, Rémy Maucherat wrote:
> 2016-06-16 11:25 GMT+02:00 Andy Wilkinson <awilkinson@pivotal.io>:
> 
>> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat <remm@apache.org> wrote:
>>
>>> -1, I am against fake improvements.
>>>
>>
>> Do you consider the improvement for applications that do not use HTTP
>> sessions at all to also be fake?
>>
> This does not sound very realistic or common to me.

50% of our applications deployments are cookie-less, and we deploy on
separate Tomcats running on separate JVMs. That means that we have 50%
of our Tomcat instances that will never create an instance of
javax.servlet.http.HttpSession.

If SecureRandom is only being used for HttpSession id generation, it's
not necessary to do it on startup.

> There are different products, with different behaviors, that gives
> users a choice. Tomcat's strategy avoids any risk to delay user
> requests, so is not effectively worse than the other strategy.

I disagree: Tomcat's behavior will cause time-to-first-byte after a
restart to be the same as e.g. Untertow for a request-with-a-session,
but the time-to-first-byte for Untertow will be significantly less for a
request that does not require a session.

> You're basically asking for all products to behave the same because
> it would be nicer for your own product. That's fine, but choice is
> good.

No, that's not what he's saying at all.

Lazy Random-init sounds like a good idea. It's not clear to me if there
are any particular problems with such a strategy given Tomcat's current
implementation.


Mime
View raw message