Bill Shannon wrote:
> I added code recently that uses SecureRandom. There's some cost to
> creating a new SecureRandom. (Scott says ~35 us on Niagara.)
>
> Here's all the places that create a SecureRandom:
>
> admin/cli/src/main/java/com/sun/enterprise/admin/cli/util/HttpConnectorAddress.java:
> sc.init(null, tms, new SecureRandom());
> admin/jmx-remote/client/src/main/java/com/sun/enterprise/admin/jmx/remote/https/HttpsUrlConnector.java:
> sslContext.init(kms, tms, new SecureRandom());
> common/common-util/src/main/java/com/sun/enterprise/util/uuid/UuidUtil.java:
> private static SecureRandom _seeder = new SecureRandom();
> common/container-common/src/main/java/com/sun/enterprise/container/common/LocalPassword.java:
> SecureRandom random = new SecureRandom();
> ejb/ejb-container/src/main/java/com/sun/ejb/base/sfsb/util/ScrambledKeyGenerator.java:
> private SecureRandom random = new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/auth/realm/file/FileRealm.java:
> SecureRandom rng=new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/CustomSocketFactory.java:
> sc.init(sslUtils.getKeyManagers(), sslUtils.getTrustManagers(), new
> SecureRandom());
> security/core/src/main/java/com/sun/enterprise/security/SecurityServicesUtil.java:
> public static final SecureRandom secureRandom = new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
> SecureRandom rng=new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
> SecureRandom rng=new SecureRandom();
>
>
> It looks like SecurityServicesUtil is intentionally exposing a SecureRandom
> for others to use. Is that right? Should I be using it instead of creating
> my own?
>
>
> Which other uses of SecureRandom should be converted to use this one as well?
>
>
That would require other modules to depend on security/core which may
not be desirable. So it is best if there was a SecureRandom somewhere in
common/internal-api module which everyone else could use.
> (And should it really be a public field? Couldn't applications get access
> to it and destroy the randomness by calling setSeed?)
>
>
The element was declared such
public static final SecureRandom secureRandom = new SecureRandom();
In GlassFish V2. In V3 i tried to remove the "public static" since
SecurityServicesUtil is a HK2 Service, however there was one usage of
this secureRandom in a place where i thought i cannot get the instance
of SecurityServicesUtil, so i left it as is.
I shall take a look at it again and see if it can be removed.
regards,
kumar
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>
>
>