On Thu, Apr 6, 2023 at 10:47 PM Christopher Schultz <ch...@christopherschultz.net> wrote: > > Rémy, > > On 4/6/23 10:11, r...@apache.org wrote: > > This is an automated email from the ASF dual-hosted git repository. > > > > remm pushed a commit to branch main > > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > > > > The following commit(s) were added to refs/heads/main by this push: > > new 0c0db9f9de Initialize Random during server initialization > > 0c0db9f9de is described below > > > > commit 0c0db9f9dea9630a41ec289576fbdddc975d2291 > > Author: remm <r...@apache.org> > > AuthorDate: Thu Apr 6 16:11:09 2023 +0200 > > > > Initialize Random during server initialization > > > > BZ66554, causing possible thread creation by the JVM using the context > > of the webapp. > > --- > > .../core/JreMemoryLeakPreventionListener.java | 24 > > ++++++++++++++++++++++ > > webapps/docs/changelog.xml | 5 +++++ > > webapps/docs/config/listeners.xml | 10 +++++++++ > > 3 files changed, 39 insertions(+) > > > > diff --git > > a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java > > b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java > > index df675f6b11..babf34ad90 100644 > > --- a/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java > > +++ b/java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java > > @@ -17,6 +17,7 @@ > > package org.apache.catalina.core; > > > > import java.net.URLConnection; > > +import java.security.SecureRandom; > > import java.sql.DriverManager; > > import java.util.StringTokenizer; 
> > > > @@ -106,6 +107,20 @@ public class JreMemoryLeakPreventionListener > > implements LifecycleListener { > > this.classesToInitialize = classesToInitialize; > > } > > > > + /** > > + * Initialize JVM seed generator. On some platforms, the JVM will > > create a thread for this task, which can get > > + * associated with a web application depending on the timing. > > + */ > > + private boolean initSeedGenerator = false; > > + > > + public boolean getInitSeedGenerator() { > > + return this.initSeedGenerator; > > + } > > + > > + public void setInitSeedGenerator(boolean initSeedGenerator) { > > + this.initSeedGenerator = initSeedGenerator; > > + } > > + > > > > @Override > > public void lifecycleEvent(LifecycleEvent event) { > > @@ -170,6 +185,15 @@ public class JreMemoryLeakPreventionListener > > implements LifecycleListener { > > URLConnection.setDefaultUseCaches("JAR", false); > > } > > > > + /* > > + * Initialize the SeedGenerator of the JVM, as some > > platforms use > > + * a thread which could end up being associated with a > > webapp rather > > + * than the container. > > + */ > > + if (initSeedGenerator) { > > + SecureRandom.getSeed(1); > > + } > > What about the various kinds of SecureRandom that you can get these days: > > SecureRandom.getInstance(String) > SecureRandom.getInstanceStrong() > > I'll bet there is still a way to get the webapp's ClassLoader pinned, but > maybe this takes care of the most common situations.
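Review bot: in the `@@ -106,6 +107,20 @@` hunk, `initSeedGenerator` is declared with a default of `false`, so the protection this commit introduces stays off unless the attribute is set explicitly; either default it to `true` or say in the Javadoc why it is opt-in. The Javadoc is also attached to the private field, which leaves the public `getInitSeedGenerator()` and `setInitSeedGenerator(boolean)` undocumented; move it to the accessors and state the default value there.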
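Review bot: in the `@@ -170,6 +185,15 @@` hunk, `SecureRandom.getSeed(1);` discards its return value and the comment above it does not say the call is made only for its side effect, so it reads like dead code. Say in the comment that the returned byte is intentionally ignored and that the point is to have the JVM start its seed generator while the container, not a web application, is the caller. The comment should also make clear that only this one path is initialized: `SecureRandom.getInstance(String)` and `SecureRandom.getInstanceStrong()`, raised in the reply, are not exercised by these lines.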
The idea is to use some seed generated by sun.security.provider.SeedGenerator. On some platforms this class creates a thread on demand.

Rémy
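To see whether a given JVM and platform shows the behaviour described in the reply above, the following check (an added example, not part of the thread or of Tomcat's code) makes the same `SecureRandom.getSeed(1)` call under a stand-in context class loader and lists any thread that appears. The class name `SeedThreadCheck` and the empty `URLClassLoader` standing in for a webapp class loader are assumptions made for the illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

/** Reports threads started by SecureRandom.getSeed() and their context class loader. */
public class SeedThreadCheck {

    /** Snapshot of all live threads in this JVM. */
    static Set<Thread> liveThreads() {
        return new HashSet<>(Thread.getAllStackTraces().keySet());
    }

    /** Calls getSeed(1) with 'loader' as context class loader; returns threads started meanwhile. */
    static Set<Thread> threadsStartedBySeeding(ClassLoader loader) {
        Thread current = Thread.currentThread();
        ClassLoader original = current.getContextClassLoader();
        Set<Thread> before = liveThreads();
        current.setContextClassLoader(loader);
        try {
            SecureRandom.getSeed(1); // same call as in the patch; the seed byte is ignored
        } finally {
            current.setContextClassLoader(original);
        }
        Set<Thread> started = liveThreads();
        started.removeAll(before);
        return started;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical stand-in for a web application class loader (empty class path).
        try (URLClassLoader fakeWebapp = new URLClassLoader(new URL[0],
                SeedThreadCheck.class.getClassLoader())) {
            Set<Thread> started = threadsStartedBySeeding(fakeWebapp);
            if (started.isEmpty()) {
                System.out.println("No new thread was started by the getSeed call in this JVM.");
            }
            for (Thread t : started) {
                // A live thread whose context class loader is the webapp loader
                // keeps that loader reachable after the webapp is stopped.
                boolean contextLoaderIsWebapp = t.getContextClassLoader() == fakeWebapp;
                System.out.printf("new thread '%s' daemon=%b contextLoaderIsWebapp=%b%n",
                        t.getName(), t.isDaemon(), contextLoaderIsWebapp);
            }
        }
    }
}
```

The result is platform dependent: on a JVM that does not create a seed thread, the set of new threads is empty.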