This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 4f408d5ae2 Initialize Random during server initialization
4f408d5ae2 is described below

commit 4f408d5ae270a286b31f89e63affb2caec1f1e36
Author: remm <r...@apache.org>
AuthorDate: Thu Apr 6 16:11:09 2023 +0200

    Initialize Random during server initialization
    
    BZ66554, causing possible thread creation by the JVM using the context
    of the webapp.
---
 .../core/JreMemoryLeakPreventionListener.java      | 24 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  5 +++++
 webapps/docs/config/listeners.xml                  | 10 +++++++++
 3 files changed, 39 insertions(+)

diff --git a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java 
b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
index df675f6b11..babf34ad90 100644
--- a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
+++ b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
@@ -17,6 +17,7 @@
 package org.apache.catalina.core;
 
 import java.net.URLConnection;
+import java.security.SecureRandom;
 import java.sql.DriverManager;
 import java.util.StringTokenizer;
 
@@ -106,6 +107,20 @@ public class JreMemoryLeakPreventionListener implements 
LifecycleListener {
         this.classesToInitialize = classesToInitialize;
     }
 
+    /**
+     * Initialize JVM seed generator. On some platforms, the JVM will create a 
thread for this task, which can get
+     * associated with a web application depending on the timing.
+     */
+    private boolean initSeedGenerator = false;
+
+    public boolean getInitSeedGenerator() {
+        return this.initSeedGenerator;
+    }
+
+    public void setInitSeedGenerator(boolean initSeedGenerator) {
+        this.initSeedGenerator = initSeedGenerator;
+    }
+
 
     @Override
     public void lifecycleEvent(LifecycleEvent event) {
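Review bot: The Javadoc added here is attached to the private field `initSeedGenerator`, so the public `getInitSeedGenerator()` and `setInitSeedGenerator(boolean)` accessors, which are what an operator's listener configuration reaches, carry no documentation. I would move the description onto the setter and state the default and the effect, for example `@param initSeedGenerator {@code true} to request one seed byte from SecureRandom while the listener handles its lifecycle event; defaults to {@code false}`. The getter then needs only a one-line `@return` that mirrors it. The class body continues outside this hunk, so whether sibling attributes follow the same convention cannot be checked from here.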
@@ -170,6 +185,15 @@ public class JreMemoryLeakPreventionListener implements 
LifecycleListener {
                     URLConnection.setDefaultUseCaches("JAR", false);
                 }
 
+                /*
+                 * Initialize the SeedGenerator of the JVM, as some platforms 
use
+                 * a thread which could end up being associated with a webapp 
rather
+                 * than the container.
+                 */
+                if (initSeedGenerator) {
+                    SecureRandom.getSeed(1);
+                }
+
                 if (classesToInitialize != null) {
                     StringTokenizer strTok = new 
StringTokenizer(classesToInitialize, ", \r\n\t");
                     while (strTok.hasMoreTokens()) {
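Review bot: `SecureRandom.getSeed(1)` in the new `if (initSeedGenerator)` branch runs synchronously on the thread delivering the lifecycle event. Depending on the JVM's configured seed source, it can wait for the operating system to supply entropy, so enabling the option may lengthen startup on entropy-starved hosts. The block comment gives the thread-association reason but not this cost, which is presumably what the attribute documentation means by "avoid consuming random". I would extend the comment with `May block until the platform seed source returns a byte, which is why this is opt-in; the returned byte is intentionally discarded.` The enclosing `lifecycleEvent` body starts and ends outside the hunk, so it cannot be confirmed from here that the context class loader is already the container's when this call runs.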
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b94235e597..a656e9c9f7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -170,6 +170,11 @@
         <bug>66543</bug>: Give 
<code>StandardContext#fireRequestDestroyEvent</code>
          its own log message. (fschumacher)
       </fix>
+      <fix>
+        <bug>66554</bug>: Initialize Random during server initialization to
+        avoid possible JVM thread creation in the webapp context on some
+        platforms. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/listeners.xml 
b/webapps/docs/config/listeners.xml
index 5fcb8028f9..1495915373 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -229,6 +229,16 @@
         side-effects. The default is <code>true</code>.</p>
       </attribute>
 
+      <attribute name="initSeedGenerator" required="false">
+        <p>The first use of <code>SeedGenerator</code>, an internal class of
+        the default security spi implementation, might create a thread on some
+        platforms. Depending on the timing of the first use of a secure random
+        this thread might become associated with a webapp classloader, causing
+        a memory leak. Setting this to <code>true</code> will initialize the
+        seed. The default is <code>false</code> to avoid consuming random if
+        not needed.</p>
+      </attribute>
+
       <attribute name="urlCacheProtection" required="false">
         <p>Enables protection so that reading resources from JAR files using
         <code>java.net.URLConnection</code>s does not result in the JAR file

