dev@glassfish.java.net

Re: SecureRandom

From: Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Fri, 11 Sep 2009 13:53:34 +0530

Hi,

   After discussions with J2SE experts, I have finally added the class
org.glassfish.internal.api.SharedSecureRandom in the module
common/internal-api. I have replaced all of the security code to use this.
Request others to do the same.

Bill Shannon wrote:
> I added code recently that uses SecureRandom. There's some cost to
> creating a new SecureRandom. (Scott says ~35 us on Niagara.)
>
> Here's all the places that create a SecureRandom:
>
> admin/cli/src/main/java/com/sun/enterprise/admin/cli/util/HttpConnectorAddress.java:
>     sc.init(null, tms, new SecureRandom());
> admin/jmx-remote/client/src/main/java/com/sun/enterprise/admin/jmx/remote/https/HttpsUrlConnector.java:
>     sslContext.init(kms, tms, new SecureRandom());
> common/common-util/src/main/java/com/sun/enterprise/util/uuid/UuidUtil.java:
>     private static SecureRandom _seeder = new SecureRandom();
> common/container-common/src/main/java/com/sun/enterprise/container/common/LocalPassword.java:
>     SecureRandom random = new SecureRandom();
> ejb/ejb-container/src/main/java/com/sun/ejb/base/sfsb/util/ScrambledKeyGenerator.java:
>     private SecureRandom random = new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/auth/realm/file/FileRealm.java:
>     SecureRandom rng=new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/auth/realm/ldap/CustomSocketFactory.java:
>     sc.init(sslUtils.getKeyManagers(), sslUtils.getTrustManagers(), new SecureRandom());
> security/core/src/main/java/com/sun/enterprise/security/SecurityServicesUtil.java:
>     public static final SecureRandom secureRandom = new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
>     SecureRandom rng=new SecureRandom();
> security/core/src/main/java/com/sun/enterprise/security/util/SSHA.java:
>     SecureRandom rng=new SecureRandom();
>
regards,
kumar

> It looks like SecurityServicesUtil is intentionally exposing a SecureRandom
> for others to use. Is that right? Should I be using it instead of creating
> my own?
>
> Which other uses of SecureRandom should be converted to use this one as well?
>
> (And should it really be a public field? Couldn't applications get access
> to it and destroy the randomness by calling setSeed?)
>
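Added example (not code from the thread or from the GlassFish tree) illustrating the two points raised above: the cost of constructing a fresh SecureRandom per use versus drawing from one shared instance, and why a public SecureRandom field is dangerous. The holder class below is a hypothetical sketch of the shape a shared instance could take, not the org.glassfish.internal.api.SharedSecureRandom class that was actually committed; it keeps the instance private and hands out bytes, so no caller can reach setSeed(). The re-seeding demo uses the SHA1PRNG provider explicitly, because with that provider a setSeed() made before the first nextBytes() replaces the internal state completely; the seed bytes and the iteration count are constructed for the demo.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public final class SharedRandomDemo {

    // Hazard from the thread: anyone holding a reference to a SecureRandom can re-seed it.
    // With SHA1PRNG, a setSeed() before the first nextBytes() determines the whole output
    // stream, so two instances given the same seed emit identical "random" bytes.
    static boolean reseedMakesOutputPredictable() throws NoSuchAlgorithmException {
        byte[] attackerSeed = "fixed-seed".getBytes();   // constructed seed for the demo
        SecureRandom a = SecureRandom.getInstance("SHA1PRNG");
        SecureRandom b = SecureRandom.getInstance("SHA1PRNG");
        a.setSeed(attackerSeed);
        b.setSeed(attackerSeed);
        byte[] ra = new byte[16];
        byte[] rb = new byte[16];
        a.nextBytes(ra);
        b.nextBytes(rb);
        return Arrays.equals(ra, rb);   // true: output fully determined by the seed
    }

    // Hypothetical shared holder (not the project's class): the instance is private and
    // only bytes leave the class, so setSeed() cannot be called from outside.
    // SecureRandom.nextBytes() is synchronized, so concurrent callers are safe; under
    // heavy contention a per-thread instance would be the next step, not a public field.
    static final class SharedSecureRandom {
        private static final SecureRandom RNG = new SecureRandom();

        private SharedSecureRandom() {}

        static void nextBytes(byte[] out) {
            RNG.nextBytes(out);
        }

        static int nextInt(int bound) {
            return RNG.nextInt(bound);
        }
    }

    // Rough reproduction of the per-construction cost mentioned in the thread: average
    // nanoseconds for "new SecureRandom() + 16 bytes" versus "16 bytes from the shared
    // instance". Absolute numbers depend on platform and on the default provider.
    static long[] averageNanos(int iterations) {
        byte[] buf = new byte[16];
        long t0 = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            new SecureRandom().nextBytes(buf);
        }
        long t1 = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            SharedSecureRandom.nextBytes(buf);
        }
        long t2 = System.nanoTime();
        return new long[] { (t1 - t0) / iterations, (t2 - t1) / iterations };
    }

    public static void main(String[] args) throws Exception {
        System.out.println("identical output after identical setSeed(): "
                + reseedMakesOutputPredictable());
        long[] ns = averageNanos(10_000);
        System.out.println("avg ns per call: new SecureRandom()=" + ns[0]
                + ", shared instance=" + ns[1]);
    }
}
```

Note that the default `new SecureRandom()` on Linux is usually NativePRNG, whose setSeed() only mixes the supplied bytes into /dev/urandom-backed state rather than replacing it; the deterministic behaviour shown above is provider specific, which is exactly why a shared instance should not let callers reach setSeed() at all.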