Author: markt
Date: Sun Dec 12 18:47:10 2010
New Revision: 1044879
URL: http://svn.apache.org/viewvc?rev=1044879&view=rev
Log:
Use the newly refactored session id generator when generating sso session IDs
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/webapps/docs/config/valve.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1044879&r1=1044878&r2=1044879&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Sun Dec 12 18:47:10 2010
@@ -20,13 +20,10 @@ package org.apache.catalina.authenticato
import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
-import java.util.Random;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
@@ -45,6 +42,7 @@ import org.apache.catalina.connector.Res
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.util.DateTool;
+import org.apache.catalina.util.SessionIdGenerator;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -137,20 +135,6 @@ public abstract class AuthenticatorBase
/**
- * Return the MessageDigest implementation to be used when
- * creating session identifiers.
- */
- protected MessageDigest digest = null;
-
-
- /**
- * A String initialization parameter used to increase the entropy of
- * the initialization of our random number generator.
- */
- protected String entropy = null;
-
-
- /**
* Descriptive information about this implementation.
*/
protected static final String info =
@@ -169,17 +153,36 @@ public abstract class AuthenticatorBase
protected boolean securePagesWithPragma = true;
/**
- * A random number generator to use when generating session identifiers.
+ * The Java class name of the secure random number generator class to be
+ * used when generating SSO session identifiers. The random number
generator
+ * class must be self-seeding and have a zero-argument constructor. If not
+ * specified, an instance of {...@link java.secure.SecureRandom} will be
+ * generated.
*/
- protected Random random = null;
+ protected String secureRandomClass = null;
+ /**
+ * The name of the algorithm to use to create instances of
+ * {...@link java.secure.SecureRandom} which are used to generate SSO
session
+ * IDs. If no algorithm is specified, SHA1PRNG is used. To use the platform
+ * default (which may be SHA1PRNG), specify the empty string. If an invalid
+ * algorithm and/or provider is specified the SecureRandom instances will
be
+ * created using the defaults. If that fails, the SecureRandom instances
+ * will be created using platform defaults.
+ */
+ protected String secureRandomAlgorithm = "SHA1PRNG";
/**
- * The Java class name of the random number generator class to be used
- * when generating session identifiers.
+ * The name of the provider to use to create instances of
+ * {...@link java.secure.SecureRandom} which are used to generate session
SSO
+ * IDs. If no algorithm is specified the of SHA1PRNG default is used. If an
+ * invalid algorithm and/or provider is specified the SecureRandom
instances
+ * will be created using the defaults. If that fails, the SecureRandom
+ * instances will be created using platform defaults.
*/
- protected String randomClass = "java.security.SecureRandom";
+ protected String secureRandomProvider = null;
+ protected SessionIdGenerator sessionIdGenerator = null;
/**
* The string manager for this package.
@@ -280,33 +283,6 @@ public abstract class AuthenticatorBase
/**
- * Return the entropy increaser value, or compute a semi-useful value
- * if this String has not yet been set.
- */
- public String getEntropy() {
-
- // Calculate a semi-useful value if this has not been set
- if (this.entropy == null)
- setEntropy(this.toString());
-
- return (this.entropy);
-
- }
-
-
- /**
- * Set the entropy increaser value.
- *
- * @param entropy The new entropy increaser value
- */
- public void setEntropy(String entropy) {
-
- this.entropy = entropy;
-
- }
-
-
- /**
* Return descriptive information about this Valve implementation.
*/
@Override
@@ -318,27 +294,6 @@ public abstract class AuthenticatorBase
/**
- * Return the random number generator class name.
- */
- public String getRandomClass() {
-
- return (this.randomClass);
-
- }
-
-
- /**
- * Set the random number generator class name.
- *
- * @param randomClass The new random number generator class name
- */
- public void setRandomClass(String randomClass) {
-
- this.randomClass = randomClass;
-
- }
-
- /**
* Return the flag that states if we add headers to disable caching by
* proxies.
*/
@@ -400,6 +355,66 @@ public abstract class AuthenticatorBase
this.changeSessionIdOnAuthentication = changeSessionIdOnAuthentication;
}
+ /**
+ * Return the secure random number generator class name.
+ */
+ public String getSecureRandomClass() {
+
+ return (this.secureRandomClass);
+
+ }
+
+
+ /**
+ * Set the secure random number generator class name.
+ *
+ * @param secureRandomClass The new secure random number generator class
+ * name
+ */
+ public void setSecureRandomClass(String secureRandomClass) {
+ this.secureRandomClass = secureRandomClass;
+ }
+
+
+ /**
+ * Return the secure random number generator algorithm name.
+ */
+ public String getSecureRandomAlgorithm() {
+ return secureRandomAlgorithm;
+ }
+
+
+ /**
+ * Set the secure random number generator algorithm name.
+ *
+ * @param secureRandomAlgorithm The new secure random number generator
+ * algorithm name
+ */
+ public void setSecureRandomAlgorithm(String secureRandomAlgorithm) {
+ this.secureRandomAlgorithm = secureRandomAlgorithm;
+ }
+
+
+ /**
+ * Return the secure random number generator provider name.
+ */
+ public String getSecureRandomProvider() {
+ return secureRandomProvider;
+ }
+
+
+ /**
+ * Set the secure random number generator provider name.
+ *
+ * @param secureRandomProvider The new secure random number generator
+ * provider name
+ */
+ public void setSecureRandomProvider(String secureRandomProvider) {
+ this.secureRandomProvider = secureRandomProvider;
+ }
+
+
+
// --------------------------------------------------------- Public Methods
@@ -603,88 +618,6 @@ public abstract class AuthenticatorBase
/**
- * Generate and return a new session identifier for the cookie that
- * identifies an SSO principal.
- */
- protected synchronized String generateSessionId() {
-
- // Generate a byte array containing a session identifier
- byte bytes[] = new byte[SESSION_ID_BYTES];
- getRandom().nextBytes(bytes);
- bytes = getDigest().digest(bytes);
-
- // Render the result as a String of hexadecimal digits
- StringBuilder result = new StringBuilder();
- for (int i = 0; i < bytes.length; i++) {
- byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
- byte b2 = (byte) (bytes[i] & 0x0f);
- if (b1 < 10)
- result.append((char) ('0' + b1));
- else
- result.append((char) ('A' + (b1 - 10)));
- if (b2 < 10)
- result.append((char) ('0' + b2));
- else
- result.append((char) ('A' + (b2 - 10)));
- }
- return (result.toString());
-
- }
-
-
- /**
- * Return the MessageDigest object to be used for calculating
- * session identifiers. If none has been created yet, initialize
- * one the first time this method is called.
- */
- protected synchronized MessageDigest getDigest() {
-
- if (this.digest == null) {
- try {
- this.digest = MessageDigest.getInstance(algorithm);
- } catch (NoSuchAlgorithmException e) {
- try {
- this.digest = MessageDigest.getInstance(DEFAULT_ALGORITHM);
- } catch (NoSuchAlgorithmException f) {
- this.digest = null;
- }
- }
- }
-
- return (this.digest);
-
- }
-
-
- /**
- * Return the random number generator instance we should use for
- * generating session identifiers. If there is no such generator
- * currently defined, construct and seed a new one.
- */
- protected synchronized Random getRandom() {
-
- if (this.random == null) {
- try {
- Class<?> clazz = Class.forName(randomClass);
- this.random = (Random) clazz.newInstance();
- long seed = System.currentTimeMillis();
- char entropy[] = getEntropy().toCharArray();
- for (int i = 0; i < entropy.length; i++) {
- long update = ((byte) entropy[i]) << ((i % 8) * 8);
- seed ^= update;
- }
- this.random.setSeed(seed);
- } catch (Exception e) {
- this.random = new java.util.Random();
- }
- }
-
- return (this.random);
-
- }
-
-
- /**
* Attempts reauthentication to the <code>Realm</code> using
* the credentials included in argument <code>entry</code>.
*
@@ -780,7 +713,7 @@ public abstract class AuthenticatorBase
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId == null) {
// Construct a cookie to be returned to the client
- ssoId = generateSessionId();
+ ssoId = sessionIdGenerator.generateSessionId();
Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
cookie.setMaxAge(-1);
cookie.setPath("/");
@@ -886,6 +819,11 @@ public abstract class AuthenticatorBase
log.debug("No SingleSignOn Valve is present");
}
+ sessionIdGenerator = new SessionIdGenerator();
+
sessionIdGenerator.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
+ sessionIdGenerator.setSecureRandomClass(getSecureRandomClass());
+ sessionIdGenerator.setSecureRandomProvider(getSecureRandomProvider());
+
super.startInternal();
}
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1044879&r1=1044878&r2=1044879&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Sun Dec 12 18:47:10 2010
@@ -438,6 +438,33 @@
If not set, the default value of <code>true</code> will be used.</p>
</attribute>
+ <attribute name="secureRandomClass" required="false">
+ <p>Name of the Java class that extends
+ <code>java.security.SecureRandom</code> to use to generate SSO session
+ IDs. If not specified, the default value is
+ <code>java.security.SecureRandom</code>.</p>
+ </attribute>
+
+ <attribute name="secureRandomProvider" required="false">
+ <p>Name of the provider to use to create the
+ <code>java.security.SecureRandom</code> instances that generate SSO
+ session IDs. If an invalid algorithm and/or provider is specified, the
+ platform default provider and the default algorithm will be used. If
not
+ specified, the platform default provider will be used.</p>
+ </attribute>
+
+ <attribute name="secureRandomAlgorithm" required="false">
+ <p>Name of the algorithm to use to create the
+ <code>java.security.SecureRandom</code> instances that generate session
+ IDs. If an invalid algorithm and/or provider is specified, the platform
+ default provider and the default algorithm will be used. If not
+ specified, the default algorithm of SHA1PRNG will be used. If the
+ default algorithm is not supported, the platform default will be used.
+ To specify that the platform default should be used, do not set the
+ secureRandomProvider attribute and set this attribute to the empty
+ string.</p>
+ </attribute>
+
</attributes>
</subsection>
@@ -497,6 +524,33 @@
If not set, the default value of <code>true</code> will be used.</p>
</attribute>
+ <attribute name="secureRandomClass" required="false">
+ <p>Name of the Java class that extends
+ <code>java.security.SecureRandom</code> to use to generate SSO session
+ IDs. If not specified, the default value is
+ <code>java.security.SecureRandom</code>.</p>
+ </attribute>
+
+ <attribute name="secureRandomProvider" required="false">
+ <p>Name of the provider to use to create the
+ <code>java.security.SecureRandom</code> instances that generate SSO
+ session IDs. If an invalid algorithm and/or provider is specified, the
+ platform default provider and the default algorithm will be used. If
not
+ specified, the platform default provider will be used.</p>
+ </attribute>
+
+ <attribute name="secureRandomAlgorithm" required="false">
+ <p>Name of the algorithm to use to create the
+ <code>java.security.SecureRandom</code> instances that generate session
+ IDs. If an invalid algorithm and/or provider is specified, the platform
+ default provider and the default algorithm will be used. If not
+ specified, the default algorithm of SHA1PRNG will be used. If the
+ default algorithm is not supported, the platform default will be used.
+ To specify that the platform default should be used, do not set the
+ secureRandomProvider attribute and set this attribute to the empty
+ string.</p>
+ </attribute>
+
</attributes>
</subsection>
@@ -575,6 +629,33 @@
If not set, the default value of <code>true</code> will be used.</p>
</attribute>
+ <attribute name="secureRandomClass" required="false">
+ <p>Name of the Java class that extends
+ <code>java.security.SecureRandom</code> to use to generate SSO session
+ IDs. If not specified, the default value is
+ <code>java.security.SecureRandom</code>.</p>
+ </attribute>
+
+ <attribute name="secureRandomProvider" required="false">
+ <p>Name of the provider to use to create the
+ <code>java.security.SecureRandom</code> instances that generate SSO
+ session IDs. If an invalid algorithm and/or provider is specified, the
+ platform default provider and the default algorithm will be used. If
not
+ specified, the platform default provider will be used.</p>
+ </attribute>
+
+ <attribute name="secureRandomAlgorithm" required="false">
+ <p>Name of the algorithm to use to create the
+ <code>java.security.SecureRandom</code> instances that generate session
+ IDs. If an invalid algorithm and/or provider is specified, the platform
+ default provider and the default algorithm will be used. If not
+ specified, the default algorithm of SHA1PRNG will be used. If the
+ default algorithm is not supported, the platform default will be used.
+ To specify that the platform default should be used, do not set the
+ secureRandomProvider attribute and set this attribute to the empty
+ string.</p>
+ </attribute>
+
</attributes>
</subsection>
@@ -634,6 +715,33 @@
If not set, the default value of <code>true</code> will be used.</p>
</attribute>
+ <attribute name="secureRandomClass" required="false">
+ <p>Name of the Java class that extends
+ <code>java.security.SecureRandom</code> to use to generate SSO session
+ IDs. If not specified, the default value is
+ <code>java.security.SecureRandom</code>.</p>
+ </attribute>
+
+ <attribute name="secureRandomProvider" required="false">
+ <p>Name of the provider to use to create the
+ <code>java.security.SecureRandom</code> instances that generate SSO
+ session IDs. If an invalid algorithm and/or provider is specified, the
+ platform default provider and the default algorithm will be used. If
not
+ specified, the platform default provider will be used.</p>
+ </attribute>
+
+ <attribute name="secureRandomAlgorithm" required="false">
+ <p>Name of the algorithm to use to create the
+ <code>java.security.SecureRandom</code> instances that generate session
+ IDs. If an invalid algorithm and/or provider is specified, the platform
+ default provider and the default algorithm will be used. If not
+ specified, the default algorithm of SHA1PRNG will be used. If the
+ default algorithm is not supported, the platform default will be used.
+ To specify that the platform default should be used, do not set the
+ secureRandomProvider attribute and set this attribute to the empty
+ string.</p>
+ </attribute>
+
</attributes>
</subsection>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
