tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Chaffee <>
Subject Re: Tomcat startup time
Date Wed, 16 Aug 2000 12:37:15 GMT

On Tue, Aug 15, 2000 at 02:12:56PM -0400, wrote:
> On Tue, 15 Aug 2000 wrote:
> > +1 !
> > 
> > It can be delayed until the first session is created. 
> > Or it can be done in a separate thread ( and all session creation will
> > wait for this to complete). 

Assuming that most servlets/JSPs use sessions, I don't see what this
buys us.  It'll still be N seconds before we can use the servlets,
whether it happens in a background thread or not.

> > Of course, server.xml option is great too.
> > 
> > Costin
> > 
> doing it in server.xml as an option is IMHO far more convenient.

+1 to doing it in server.xml

-1 to doing it in any other configuration file (see next post)

> i'd
> rather have a simple option RandomGenerator = Normal/Secure or
> something similar.

How soon they forget! A month or two ago, when this change was being
talked about, we had good suggestions on how to define the server.xml
tags.  Specifically, I remember a very clever suggestion involving the
fact that is a subclass of
java.util.Random; the config file should allow the user simply to
specify *which* subclass of Random is initialized, opening the door to
custom RNG classes.

(However, I don't remember if the hiccup about how to pass parameters
to the constructor was resolved.  I suppose we can just use the
default constructor for SecureRandom, since that uses "the most secure
implementation available" or some such.  Look at JavaDoc for
SecureRandom for details.)

Proposal: Add the following to server.xml, plus the code to make it
work :-)

<random class=""/>
<!-- is more secure than java.util.Random, but
takes a long time to initialize (on the order of several seconds,
depending on CPU speed).  Use the following for a less secure, but
slightly faster, RNG.  We recommend that in a production environment,
you always use SecureRandom, since you won't be stopping and starting
the server very often.

<random class="java.util.Random"/>

> I'd rather have this as default set on secure since
> i've seen the effects of having sessions cracked (and the effects of the
> security flaw in tomcat previously which used an insecure method which had
> an exploit posted).


Alex Chaffee             
jGuru - Java News and FAQs
Creator of Gamelan       
Founder of Purple Technology
Curator of Stinky Art Collective

View raw message