ppalaga commented on code in PR #218:
URL: https://github.com/apache/santuario-xml-security-java/pull/218#discussion_r1348936695


##########
src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java:
##########
@@ -73,17 +74,34 @@ protected XMLSecurityConstants() {
     }
 
     /**
-     * Generate bytes of the given length using the supplied algorithm in 
RANDOM_ALGORITHM_KEY or,
-     * if not specified, use SecureRandom instance from default constructor. 
The SecureRandom
+     * Generate bytes of the given length using the algorithm supplied in 
{@value #RANDOM_ALGORITHM_KEY} or,
+     * if not specified, use a {@code SecureRandom} instance from default 
constructor. The {@code SecureRandom}
      * instance that backs this method is cached for efficiency.
      *
-     * @return a byte array of the given length
+     * @return a new byte array of the given length
      * @throws XMLSecurityException
      */
     public static byte[] generateBytes(int length) throws XMLSecurityException 
{
+
+        SecureRandom rnd = SECURE_RANDOM;
+        if (rnd == null) {
+            synchronized (SECURE_RANDOM_LOCK) {
+                rnd = SECURE_RANDOM;
+                if (rnd == null) {
+                    try {
+                        String prngAlgorithm = 
System.getProperty("org.apache.xml.security.securerandom.algorithm");
+                        SECURE_RANDOM = rnd = prngAlgorithm != null ? 
SecureRandom.getInstance(prngAlgorithm)
+                                : new SecureRandom();
+                    } catch (NoSuchAlgorithmException e) {
+                        throw new RuntimeException(e);
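
Review bot: In the catch block that closes this hunk, NoSuchAlgorithmException is rethrown as a RuntimeException even though generateBytes declares `throws XMLSecurityException`, so a mistyped value in the org.apache.xml.security.securerandom.algorithm system property reaches callers as an unchecked exception outside the documented contract. Wrapping it in XMLSecurityException would keep the failure where callers already expect it. The property name is also a string literal here while the Javadoc refers to RANDOM_ALGORITHM_KEY; if that constant holds this name, reading the property through it keeps the documentation and the code from drifting apart. The declaration of SECURE_RANDOM is not part of this hunk: the unsynchronized first read `SecureRandom rnd = SECURE_RANDOM;` is only safe if that field is declared volatile, which is worth confirming.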

Review Comment:
   > use the "Lazy Initialization Holder Class Idiom" (i.e. 
https://dzone.com/articles/another-singleton-implementation), would this work 
with Quarkus?
   
   Quarkus configures GraalVM native image tool in such a way that all 
application classes are requested to be initialized at build time (unless 
configured otherwise for some specific classes). That unfortunately holds also 
for the inner holder class: its static SecureRandom field would get initialized 
at build time, unless we configure it to be initialized at runtime (which opens 
another can of worms - all dependent classes would have to get 
runtime-initialized too). That would actually mean that our original problem was 
not solved. 
   
   I am open to suggestions, if you by any chance see some flavor of the 
pattern where the SecureRandom is not a part of any class initializer.


