Tomcat startup time

[Petr Jiricka <pe...@netbeans.com>]

Hello,

I noticed that the time to serve the first servlet or a JSP has increased
dramatically. I traced this down to the initialization of
java.security.SecureRandom, which is used for generating the session IDs. On
may machine the delay was about 5 seconds, which I consider quite
inconvenent for the development environment, when the user is likely to want
to restart the server often.

So I think it would be useful to allow disabling the use of SecureRandom and
use Random instead, possibly by an option in server.xml or by a system
property (or both).

What do you think ?

Petr

Re: Tomcat startup time

[James Cook <ji...@iname.com>]

Thanks for tracking that down. It takes much longer on my system and it *is*
inconvenient. Not sure if bloating the server.xml is the way to go, although I
don't have an alternative suggestion.

jim

----- Original Message -----
From: "Petr Jiricka" <pe...@netbeans.com>
To: <to...@jakarta.apache.org>
Sent: Tuesday, August 15, 2000 1:26 PM
Subject: Tomcat startup time


> Hello,
>
> I noticed that the time to serve the first servlet or a JSP has increased
> dramatically. I traced this down to the initialization of
> java.security.SecureRandom, which is used for generating the session IDs. On
> may machine the delay was about 5 seconds, which I consider quite
> inconvenent for the development environment, when the user is likely to want
> to restart the server often.
>
> So I think it would be useful to allow disabling the use of SecureRandom and
> use Random instead, possibly by an option in server.xml or by a system
> property (or both).
>
> What do you think ?
>
> Petr
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>

Re: Tomcat startup time

[Alex Chaffee <gu...@edamame.stinky.com>]

On Tue, Aug 15, 2000 at 02:12:56PM -0400, yhs@mimic.onesourcecorp.com wrote:
> 
> 
> On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> 
> > +1 !
> > 
> > It can be delayed until the first session is created. 
> > Or it can be done in a separate thread ( and all session creation will
> > wait for this to complete). 

Assuming that most servlets/JSPs use sessions, I don't see what this
buys us.  It'll still be N seconds before we can use the servlets,
whether it happens in a background thread or not.

> > Of course, server.xml option is great too.
> > 
> > Costin
> > 
> 
> doing it in server.xml as an option is IMHO far more convenient.

+1 to doing it in server.xml

-1 to doing it in any other configuration file (see next post)

> i'd
> rather have a simple option RandomGenerator = Normal/Secure or
> something similar.

How soon they forget! A month or two ago, when this change was being
talked about, we had good suggestions on how to define the server.xml
tags.  Specifically, I remember a very clever suggestion involving the
fact that java.security.SecureRandom is a subclass of
java.util.Random; the config file should allow the user simply to
specify *which* subclass of Random is initialized, opening the door to
custom RNG classes.

(However, I don't remember if the hiccup about how to pass parameters
to the constructor was resolved.  I suppose we can just use the
default constructor for SecureRandom, since that uses "the most secure
implementation available" or some such.  Look at JavaDoc for
SecureRandom for details.)

Proposal: Add the following to server.xml, plus the code to make it
work :-)

<random class="java.security.SecureRandom"/>
<!-- 

java.security.SecureRandom is more secure than java.util.Random, but
takes a long time to initialize (on the order of several seconds,
depending on CPU speed).  Use the following for a less secure, but
slightly faster, RNG.  We recommend that in a production environment,
you always use SecureRandom, since you won't be stopping and starting
the server very often.

<random class="java.util.Random"/>
-->


> I'd rather have this as default set on secure since
> i've seen the effects of having sessions cracked (and the effects of the
> security flaw in tomcat previously which used an insecure method which had
> an exploit posted).

+1


-- 
Alex Chaffee                       mailto:alex@jguru.com
jGuru - Java News and FAQs         http://www.jguru.com/alex/
Creator of Gamelan                 http://www.gamelan.com/
Founder of Purple Technology       http://www.purpletech.com/
Curator of Stinky Art Collective   http://www.stinky.com/

Re: Tomcat startup time

["yhs@mimic.onesourcecorp.com" <yh...@mimic.onesourcecorp.com>]

On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:

> > > It can be delayed until the first session is created. 
> > > Or it can be done in a separate thread ( and all session creation will
> > > wait for this to complete). 
> > > 
> > > Of course, server.xml option is great too.
> > > 
> > > Costin
> > > 
> > 
> > doing it in server.xml as an option is IMHO far more convenient. i'd
> > rather have a simple option RandomGenerator = Normal/Secure or
> > something similar. I'd rather have this as default set on secure since
> > i've seen the effects of having sessions cracked (and the effects of the
> > security flaw in tomcat previously which used an insecure method which had
> > an exploit posted).
> 
> The other 2 options allow to allways use secure, but remove the annoying
> startup delay.
> 
> Costin 
> 

yep..but you risk timing out the browser if its the first thing to create
a session in option 1...starting up some servlets can take a long
time..this will just make it longer. Halting session creation for a thread
which may take forever to complete just adds overhead (and may take
longer than 5 seconds depending on server load). As for the annoying
startup delay - it takes me 3.52 minutes (yup...thats minutes) to
startup tomcat 3.1 with load balancing enabled using mod_jserv and
Apache+SSL (30 JVMs) without SecureRandom. i probably wont notice another
5 seconds. :)
 Having an option in a configuration file IMHO is always a good thing. 
-Ys-
yhs@mimic.onesourcecorp.com

Re: Tomcat startup time

[cm...@yahoo.com]

> > It can be delayed until the first session is created. 
> > Or it can be done in a separate thread ( and all session creation will
> > wait for this to complete). 
> > 
> > Of course, server.xml option is great too.
> > 
> > Costin
> > 
> 
> doing it in server.xml as an option is IMHO far more convenient. i'd
> rather have a simple option RandomGenerator = Normal/Secure or
> something similar. I'd rather have this as default set on secure since
> i've seen the effects of having sessions cracked (and the effects of the
> security flaw in tomcat previously which used an insecure method which had
> an exploit posted).

The other 2 options allow to allways use secure, but remove the annoying
startup delay.

Costin 

Re: Tomcat startup time

["yhs@mimic.onesourcecorp.com" <yh...@mimic.onesourcecorp.com>]

On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:

> +1 !
> 
> It can be delayed until the first session is created. 
> Or it can be done in a separate thread ( and all session creation will
> wait for this to complete). 
> 
> Of course, server.xml option is great too.
> 
> Costin
> 

doing it in server.xml as an option is IMHO far more convenient. i'd
rather have a simple option RandomGenerator = Normal/Secure or
something similar. I'd rather have this as default set on secure since
i've seen the effects of having sessions cracked (and the effects of the
security flaw in tomcat previously which used an insecure method which had
an exploit posted).
-Ys-
yhs@mimic.onesourcecorp.com

Re: Tomcat startup time

[cm...@yahoo.com]

+1 !

It can be delayed until the first session is created. 
Or it can be done in a separate thread ( and all session creation will
wait for this to complete). 

Of course, server.xml option is great too.

Costin

On Tue, 15 Aug 2000, Petr Jiricka wrote:

> Hello,
> 
> I noticed that the time to serve the first servlet or a JSP has increased
> dramatically. I traced this down to the initialization of
> java.security.SecureRandom, which is used for generating the session IDs. On
> may machine the delay was about 5 seconds, which I consider quite
> inconvenent for the development environment, when the user is likely to want
> to restart the server often.
> 
> So I think it would be useful to allow disabling the use of SecureRandom and
> use Random instead, possibly by an option in server.xml or by a system
> property (or both).
> 
> What do you think ?
> 
> Petr
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>