Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
I work on Spring Boot which uses Tomcat (or Jetty or Undertow) as an embedded servlet container. We've seen a number of complaints from users that their application hangs during startup, most often on a newly booted VPS. The root cause is a lack of entropy which causes Tomcat's use of SecureRandom

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 11:15 GMT+02:00 Andy Wilkinson : > I work on Spring Boot which uses Tomcat (or Jetty or Undertow) as an > embedded servlet container. We've seen a number of complaints from users > that their application hangs during startup, most often on a newly booted > VPS. The root cause is a lack

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Romain Manni-Bucau
@Andy: you can use FastNonSecureRandom to disable it, should be enough for applications not using the session

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat wrote:
> -1, I am against fake improvements.
Do you consider the improvement for applications that do not use HTTP sessions at all to also be fake?
Andy

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:23 AM, Romain Manni-Bucau wrote:
> @Andy: you can use FastNonSecureRandom to disable it, should be enough for
> applications not using the session
Thanks for the suggestion. That's certainly an option, but it requires some configuration that I'd like to be unnecessar

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 11:25 GMT+02:00 Andy Wilkinson :
> On Thu, Jun 16, 2016 at 10:21 AM, Rémy Maucherat wrote:
>
> > -1, I am against fake improvements.
> >
>
> Do you consider the improvement for applications that do not use HTTP
> sessions at all to also be fake?
>
This does not sound very realistic o

svn commit: r1748676 - /tomcat/trunk/java/org/apache/catalina/connector/Request.java

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 10:02:29 2016 New Revision: 1748676 URL: http://svn.apache.org/viewvc?rev=1748676&view=rev Log: Remove unused code Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java URL:

svn commit: r1748677 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/connector/Request.java

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 10:03:57 2016 New Revision: 1748677 URL: http://svn.apache.org/viewvc?rev=1748677&view=rev Log: Remove unused code Modified: tomcat/tc8.5.x/trunk/ (props changed) tomcat/tc8.5.x/trunk/java/org/apache/catalina/connector/Request.java Propchange: tomcat/tc8.

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 10:52 AM, Rémy Maucherat wrote:
> You're basically asking for all products to
> behave the same because it would be nicer for your own product.
I can assure you I'm not. I simply wanted to explore the possibility of Tomcat behaving the same way. I didn't want to prescribe

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Emmanuel Bourg
On 16/06/2016 at 11:52, Rémy Maucherat wrote:
> Tomcat's
> strategy avoids any risk to delay user requests, so is not effectively
> worse than the other strategy.
Maybe the SecureRandom instance could be initialized asynchronously and delivered through a java.util.concurrent.Future? This way it

[Bug 59655] The CookieNameValidator has issue that related to the consistency

2016-06-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59655 --- Comment #2 from Kyohei Nakamura --- Created attachment 33955 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33955&action=edit patch against trunk Hi Mark, Thank you for the fix. I think this fix of changing the default to the RFC6

svn commit: r1748685 - in /tomcat/tc7.0.x/trunk: build.properties.default res/maven/mvn.properties.default webapps/docs/changelog.xml

2016-06-16 Thread violetagg
Author: violetagg Date: Thu Jun 16 11:10:59 2016 New Revision: 1748685 URL: http://svn.apache.org/viewvc?rev=1748685&view=rev Log: Prep for next version Modified: tomcat/tc7.0.x/trunk/build.properties.default tomcat/tc7.0.x/trunk/res/maven/mvn.properties.default tomcat/tc7.0.x/trunk/w

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Rémy Maucherat
2016-06-16 12:48 GMT+02:00 Emmanuel Bourg :
> On 16/06/2016 at 11:52, Rémy Maucherat wrote:
>
> > Tomcat's
> > strategy avoids any risk to delay user requests, so is not effectively
> > worse than the other strategy.
>
> Maybe the SecureRandom instance could be initialized asynchronously and
> d

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Mark Thomas
On 16/06/2016 11:11, Andy Wilkinson wrote: > I would be quite happy if Tomcat made it easy for an embedder to configure > it in such a way that the use of SecureRandom during startup could be > disabled. Spring Boot could enable this option by default thereby allowing > users, without them configu

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 12:42 PM, Mark Thomas wrote: > What if Boot created a custom ID generator by extending > StandardSessionIdGenerator and overriding startInternal() so it sets the > state but doesn't call getSessionId() ? > > That should only be a few lines of code for the custom generator

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Mark Thomas
On 16/06/2016 12:53, Andy Wilkinson wrote: > On Thu, Jun 16, 2016 at 12:42 PM, Mark Thomas wrote: > >> What if Boot created a custom ID generator by extending >> StandardSessionIdGenerator and overriding startInternal() so it sets the >> state but doesn't call getSessionId() ? >> >> That should o

Re: Avoid use of SecureRandom during server startup

2016-06-16 Thread Andy Wilkinson
On Thu, Jun 16, 2016 at 1:03 PM, Mark Thomas wrote:
> So, while I can't guarantee the signature
> isn't going to change, I can say I am reasonably sure it won't change.
Good enough for me. Thanks, Mark.
Andy

svn commit: r1748715 - in /tomcat/trunk: java/org/apache/catalina/filters/ java/org/apache/catalina/valves/ webapps/docs/

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 12:48:16 2016 New Revision: 1748715 URL: http://svn.apache.org/viewvc?rev=1748715&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57705 Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch

svn commit: r1748716 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/filters/ java/org/apache/catalina/valves/ webapps/docs/

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 12:52:37 2016 New Revision: 1748716 URL: http://svn.apache.org/viewvc?rev=1748716&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57705 Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch

svn commit: r1748718 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/catalina/filters/ java/org/apache/catalina/valves/ webapps/docs/

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 12:55:35 2016 New Revision: 1748718 URL: http://svn.apache.org/viewvc?rev=1748718&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57705 Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch

[Bug 57705] RemoteAddrValve: no log message no explanation when valve rejects request

2016-06-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57705 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|---

svn commit: r1748720 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/filters/ java/org/apache/catalina/valves/ webapps/docs/

2016-06-16 Thread markt
Author: markt Date: Thu Jun 16 13:02:31 2016 New Revision: 1748720 URL: http://svn.apache.org/viewvc?rev=1748720&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=57705 Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch

Re: [VOTE] Release Apache Tomcat 7.0.70

2016-06-16 Thread Violeta Georgieva
2016-06-15 22:47 GMT+03:00 Violeta Georgieva : > > The proposed Apache Tomcat 7.0.70 release is now available for voting. > > It can be obtained from: > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-7/v7.0.70/ > The Maven staging repo is: > https://repository.apache.org/content/repositories/

r1731030 and 1731035 release timeline

2016-06-16 Thread Peter Robbins
Hi there, I’ve run into the WebappClassLoader jar scanning memory leak resolved by r1731030 and r1731035 in Tomcat 7 trunk. It appears those changes made it separately into both 8.0.36 and 8.5.3, but are missing from 7.0.69 and 7.0.70. Any idea on the timeline of when those would be released in

[GUMP@vmgump]: Project tomcat-native-trunk-make (in module tomcat-native-trunk) failed

2016-06-16 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-native-trunk-make has an issue affecting its community integration