Posted to dev@tomcat.apache.org by re...@apache.org on 2017/05/05 08:35:44 UTC

svn commit: r1793980 - in /tomcat/trunk: java/org/apache/catalina/util/SessionIdGeneratorBase.java webapps/docs/changelog.xml

Author: remm
Date: Fri May  5 08:35:44 2017
New Revision: 1793980

URL: http://svn.apache.org/viewvc?rev=1793980&view=rev
Log:
61072: Respect what the doc says about using the platform default secure random.

Modified:
    tomcat/trunk/java/org/apache/catalina/util/SessionIdGeneratorBase.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/util/SessionIdGeneratorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/util/SessionIdGeneratorBase.java?rev=1793980&r1=1793979&r2=1793980&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/util/SessionIdGeneratorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/util/SessionIdGeneratorBase.java Fri May  5 08:35:44 2017
@@ -227,6 +227,7 @@ public abstract class SessionIdGenerator
             }
         }
 
+        boolean error = false;
         if (result == null) {
             // No secureRandomClass or creation failed. Use SecureRandom.
             try {
@@ -239,15 +240,17 @@ public abstract class SessionIdGenerator
                     result = SecureRandom.getInstance(secureRandomAlgorithm);
                 }
             } catch (NoSuchAlgorithmException e) {
+                error = true;
                 log.error(sm.getString("sessionIdGeneratorBase.randomAlgorithm",
                         secureRandomAlgorithm), e);
             } catch (NoSuchProviderException e) {
+                error = true;
                 log.error(sm.getString("sessionIdGeneratorBase.randomProvider",
                         secureRandomProvider), e);
             }
         }
 
-        if (result == null) {
+        if (result == null && error) {
             // Invalid provider / algorithm
             try {
                 result = SecureRandom.getInstance("SHA1PRNG");
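Review bot: The `error` guard on the SHA1PRNG fallback changes which generator produces session ids, but the comment `// Invalid provider / algorithm` does not explain the distinction it now draws between "no algorithm configured" and "configured algorithm or provider rejected". I would expand it to something like `// Configured algorithm/provider was rejected: fall back to SHA1PRNG. An unset algorithm skips this branch.`; what happens to an unset algorithm afterwards lies outside this hunk, so confirm it really reaches the platform default the log message promises. A misconfigured deployment still ends up issuing session ids from a generator the operator did not choose, and the only signal is the `log.error` in the two catch blocks, so naming the generator actually selected in a follow-up log line would make that visible to whoever reads the logs. The flag declared in the previous hunk would also read more clearly as `algorithmLookupFailed` than `error`.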

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1793980&r1=1793979&r2=1793980&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri May  5 08:35:44 2017
@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M22 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61072</bug>: Respect the documentation statements that allow
+        using the platform default secure random for session id generation.
+        (remm)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 9.0.0.M21 (markt)" rtext="release in progress">
   <subsection name="General">


