From 97205be3222d1d0a476464aadb97ea721456c2c8 Mon Sep 17 00:00:00 2001
From: markt
Date: Sat, 27 Nov 2010 17:05:27 +0000
Subject: [PATCH] Make SecureRandom the fall-back and use SecureRandom throughout rather than Random

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1039707 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/session/ManagerBase.java | 22 +++++++++++-----------
 webapps/docs/config/manager.xml | 10 ++++++----
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index a44643131..15992de63 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -41,7 +41,6 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Queue;
-import java.util.Random;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentLinkedQueue;
 import java.util.concurrent.atomic.AtomicLong;
@@ -128,7 +127,8 @@ public abstract class ManagerBase extends LifecycleMBeanBase
 * designed this way since random number generator use a sync to make them
 * thread-safe and the sync makes using a a single object slow(er).
 */
- protected Queue randoms = new ConcurrentLinkedQueue();
+ protected Queue randoms =
+ new ConcurrentLinkedQueue();
 
 /**
 * Random number generator used to see @{link {@link #randoms}.
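Review bot: The Javadoc context line directly below the retyped `randoms` field reads `* Random number generator used to see @{link {@link #randoms}.`, which has both a typo and a malformed inline tag; since the field declaration is being edited in this hunk anyway, the comment could be corrected to `* Random number generator used to seed {@link #randoms}.`. The `randomSeed` declaration that this comment describes is in the next hunk, outside this one.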
@@ -136,9 +136,9 @@ public abstract class ManagerBase extends LifecycleMBeanBase
 protected SecureRandom randomSeed = null;
 
 /**
- * The Java class name of the random number generator class to be used
- * when generating session identifiers. The random number generator(s) will
- * always be seeded from a SecureRandom instance.
+ * The Java class name of the secure random number generator class to be
+ * used when generating session identifiers. The random number generator(s)
+ * will always be seeded from a SecureRandom instance.
 */
 protected String randomClass = "java.security.SecureRandom";
 
@@ -505,23 +505,23 @@ public abstract class ManagerBase extends LifecycleMBeanBase
 * Create a new random number generator instance we should use for
 * generating session identifiers.
 */
- protected Random createRandom() {
+ protected SecureRandom createRandom() {
 if (randomSeed == null) {
 createRandomSeed();
 }
- Random result = null;
+ SecureRandom result = null;
 long t1 = System.currentTimeMillis();
 try {
 // Construct and seed a new random number generator
 Class clazz = Class.forName(randomClass);
- result = (Random) clazz.newInstance();
+ result = (SecureRandom) clazz.newInstance();
 } catch (Exception e) {
- // Fall back to the simple case
+ // Fall back to the default case
 log.error(sm.getString("managerBase.random", randomClass), e);
- result = new java.util.Random();
+ result = new java.security.SecureRandom();
 }
 byte[] seedBytes = randomSeed.generateSeed(64);
 ByteArrayInputStream bais = new ByteArrayInputStream(seedBytes);
@@ -966,7 +966,7 @@ public abstract class ManagerBase extends LifecycleMBeanBase
 }
 closeRandomInputStreams();
 }
- Random random = randoms.poll();
+ SecureRandom random = randoms.poll();
 if (random == null) {
 random = createRandom();
 }
diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
index 5928465d0..292a5a211 100644
--- a/webapps/docs/config/manager.xml
+++ b/webapps/docs/config/manager.xml
@@ -134,8 +134,9 @@
-
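Review bot: `result = (SecureRandom) clazz.newInstance();` in createRandom instantiates the configured class before its type is checked, so a `randomClass` that does not extend `SecureRandom` runs an arbitrary no-arg constructor and only then fails on the cast, which the broad `catch (Exception e)` turns into the SecureRandom fallback. Checking the type first avoids the stray construction and the cast: `Class<?> clazz = Class.forName(randomClass);` followed by `result = clazz.asSubclass(SecureRandom.class).newInstance();`. Because the hunk at line 966 calls createRandom whenever `randoms.poll()` returns null, a misconfigured `randomClass` appears to repeat the lookup, the full-stack-trace `log.error` and the fallback on every such call, so it may be worth validating `randomClass` once at manager start (or logging the failure once) rather than per session-ID generation; how often the pool runs empty is not visible here. The seeding of `result` from `seedBytes` and the remainder of createRandom lie outside the hunk.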

Java class name of the java.util.Random - implementation class to use. If not specified, the default value is +

Name of the Java class that extends + java.security.SecureRandom to use to generate session IDs. + If not specified, the default value is java.security.SecureRandom.

@@ -222,8 +223,9 @@
-

Java class name of the java.util.Random - implementation class to use. If not specified, the default value is +

Name of the Java class that extends + java.security.SecureRandom to use to generate session IDs. + If not specified, the default value is java.security.SecureRandom.

-- 2.11.0