Re: Avoid use of SecureRandom during server startup

2016-06-17 Thread Christopher Schultz
Rémy,

On 6/16/16 5:52 AM, Rémy Maucherat wrote:
> 2016-06-16 11:25 GMT+02:00 Andy Wilkinson:
>
>> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat wrote:
>>
>>> -1, I am against fake improvements.
>>>
>>
>> Do you consider the improvement for applications that do not use HTTP
>> sessions at all

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 1:03 PM, Mark Thomas wrote:

> So, while I can't guarantee the signature
> isn't going to change, I can say I am reasonably sure it won't change.
>

Good enough for me.

Thanks, Mark.

Andy

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Mark Thomas
On 16/06/2016 12:53, Andy Wilkinson wrote:
> On Thu, Jun 16, 2016 at 12:42 PM, Mark Thomas wrote:
>
>> What if Boot created a custom ID generator by extending
>> StandardSessionIdGenerator and overriding startInternal() so it sets the
>> state but doesn't call getSessionId() ?
>>
>> That should o

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 12:42 PM, Mark Thomas wrote:

> What if Boot created a custom ID generator by extending
> StandardSessionIdGenerator and overriding startInternal() so it sets the
> state but doesn't call getSessionId() ?
>
> That should only be a few lines of code for the custom generator

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Mark Thomas
On 16/06/2016 11:11, Andy Wilkinson wrote:
> I would be quite happy if Tomcat made it easy for an embedder to configure
> it in such a way that the use of SecureRandom during startup could be
> disabled. Spring Boot could enable this option by default thereby allowing
> users, without them configu

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 12:48 GMT+02:00 Emmanuel Bourg:

> On 16/06/2016 at 11:52, Rémy Maucherat wrote:
>
> > Tomcat's
> > strategy avoids any risk to delay user requests, so is not effectively
> > worse than the other strategy.
>
> Maybe the SecureRandom instance could be initialized asynchronously and
> d

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Emmanuel Bourg
On 16/06/2016 at 11:52, Rémy Maucherat wrote:
> Tomcat's
> strategy avoids any risk to delay user requests, so is not effectively
> worse than the other strategy.

Maybe the SecureRandom instance could be initialized asynchronously and delivered through a java.util.concurrent.Future? This way it

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:52 AM, Rémy Maucherat wrote:

> You're basically asking for all products to
> behave the same because it would be nicer for your own product.

I can assure you I'm not. I simply wanted to explore the possibility of Tomcat behaving the same way. I didn't want to prescribe

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 11:25 GMT+02:00 Andy Wilkinson:

> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat wrote:
>
> > -1, I am against fake improvements.
> >
>
> Do you consider the improvement for applications that do not use HTTP
> sessions at all to also be fake?
>

This does not sound very realistic o

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:23 AM, Romain Manni-Bucau wrote:

> @Andy: you can use FastNonSecureRandom to disable it, should be enough for
> applications not using the session
>

Thanks for the suggestion. That's certainly an option, but it requires some configuration that I'd like to be unnecessar

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat wrote:

> -1, I am against fake improvements.
>

Do you consider the improvement for applications that do not use HTTP sessions at all to also be fake?

Andy

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Romain Manni-Bucau
@Andy: you can use FastNonSecureRandom to disable it, should be enough for applications not using the session

Romain Manni-Bucau

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 11:15 GMT+02:00 Andy Wilkinson:

> I work on Spring Boot which uses Tomcat (or Jetty or Undertow) as an
> embedded servlet container. We've seen a number of complaints from users
> that their application hangs during startup, most often on a newly booted
> VPS. The root cause is a lack