ppalaga commented on code in PR #218:
URL:
https://github.com/apache/santuario-xml-security-java/pull/218#discussion_r1348953379
##########
src/main/java/org/apache/xml/security/stax/ext/XMLSecurityConstants.java:
##########
@@ -73,17 +74,34 @@ protected XMLSecurityConstants() {
}
/**
- * Generate bytes of the given length using the supplied algorithm in
RANDOM_ALGORITHM_KEY or,
- * if not specified, use SecureRandom instance from default constructor.
The SecureRandom
+ * Generate bytes of the given length using the algorithm supplied in
{@value #RANDOM_ALGORITHM_KEY} or,
+ * if not specified, use a {@code SecureRandom} instance from default
constructor. The {@code SecureRandom}
* instance that backs this method is cached for efficiency.
*
- * @return a byte array of the given length
+ * @return a new byte array of the given length
* @throws XMLSecurityException
*/
public static byte[] generateBytes(int length) throws XMLSecurityException
{
+
+ SecureRandom rnd = SECURE_RANDOM;
+ if (rnd == null) {
+ synchronized (SECURE_RANDOM_LOCK) {
+ rnd = SECURE_RANDOM;
+ if (rnd == null) {
+ try {
+ String prngAlgorithm =
System.getProperty("org.apache.xml.security.securerandom.algorithm");
+ SECURE_RANDOM = rnd = prngAlgorithm != null ?
SecureRandom.getInstance(prngAlgorithm)
+ : new SecureRandom();
+ } catch (NoSuchAlgorithmException e) {
+ throw new RuntimeException(e);
Review Comment:
> I'm not so keen on the synchronized block
The synchronized block should block and be entered only around the time when
the method is executed for the first time. Do you happen to have some benchmark
set up at hand that would allow to compare the new implementation against the
original?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
