Rémy,
On 4/6/23 10:11, r...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 0c0db9f9de Initialize Random during server initialization
0c0db9f9de is described below
commit 0c0db9f9dea9630a41ec289576fbdddc975d2291
Author: remm <r...@apache.org>
AuthorDate: Thu Apr 6 16:11:09 2023 +0200
Initialize Random during server initialization
BZ66554, causing possible thread creation by the JVM using the context
of the webapp.
---
.../core/JreMemoryLeakPreventionListener.java | 24 ++++++++++++++++++++++
webapps/docs/changelog.xml | 5 +++++
webapps/docs/config/listeners.xml | 10 +++++++++
3 files changed, 39 insertions(+)
diff --git a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
index df675f6b11..babf34ad90 100644
--- a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
+++ b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java
@@ -17,6 +17,7 @@
package org.apache.catalina.core;
import java.net.URLConnection;
+import java.security.SecureRandom;
import java.sql.DriverManager;
import java.util.StringTokenizer;
@@ -106,6 +107,20 @@ public class JreMemoryLeakPreventionListener implements LifecycleListener {
this.classesToInitialize = classesToInitialize;
}
+ /**
+ * Initialize JVM seed generator. On some platforms, the JVM will create a
thread for this task, which can get
+ * associated with a web application depending on the timing.
+ */
+ private boolean initSeedGenerator = false;
+
+ public boolean getInitSeedGenerator() {
+ return this.initSeedGenerator;
+ }
+
+ public void setInitSeedGenerator(boolean initSeedGenerator) {
+ this.initSeedGenerator = initSeedGenerator;
+ }
+
@Override
public void lifecycleEvent(LifecycleEvent event) {
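Review bot: The Javadoc in this hunk is attached to the private field `initSeedGenerator`, so the public `getInitSeedGenerator()` and `setInitSeedGenerator(boolean)` are left undocumented; move the description to the accessors or repeat it there. The field also defaults to `false`, so the initialization is skipped unless it is explicitly enabled, and the comment should say that it is opt-in and why.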
@@ -170,6 +185,15 @@ public class JreMemoryLeakPreventionListener implements
LifecycleListener {
URLConnection.setDefaultUseCaches("JAR", false);
}
+ /*
+ * Initialize the SeedGenerator of the JVM, as some platforms
use
+ * a thread which could end up being associated with a webapp
rather
+ * than the container.
+ */
+ if (initSeedGenerator) {
+ SecureRandom.getSeed(1);
+ }
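Review bot: `SecureRandom.getSeed(1)` inside the `if (initSeedGenerator)` block is called only for its side effect and the returned byte is discarded, which the block comment does not say; state that explicitly so the call is not later removed as dead code. The comment could also name which platforms are affected, since "some platforms" gives a maintainer nothing to test against.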
What about the various kinds of SecureRandom that you can get these days:
SecureRandom.getInstance(String)
SecureRandom.getInstanceStrong()
I'll bet there is still a way to get the webapp's ClassLoader pinned, but
maybe this takes care of the most common situations.
-chris