On 08/02/2018 11:38, Francesco Chicchiriccò wrote:
On 08/02/2018 11:37, Colm O hEigeartaigh wrote:
On Thu, Feb 8, 2018 at 10:29 AM, Francesco Chicchiriccò
"Instances of java.util.Random are threadsafe. However, the
use of the same java.util.Random instance across threads may
contention and consequent poor performance. Consider instead using
ThreadLocalRandom in multithreaded designs."
Looking around the Internet, I've seen suggestions to either use
ThreadLocalRandom or to wrap SecureRandom in ThreadLocal to
I'm just wondering if it could actually lead to worse performance if we
have multiple wrapped SecureRandom instances blocking on /dev/random
(without setting it to /dev/urandom)?
That's why I would also add to the guide such setting.
Also, we'll need to add to the reference guide the hint to set
for Tomcat and other Java EE containers on Linux
Yes I think that's OK.
On Mon, Feb 5, 2018 at 12:25 PM, Colm O hEigeartaigh <
No, my query got passed on to someone else, still waiting to hear
On Mon, Feb 5, 2018 at 7:44 AM, Francesco Chicchiriccò <
thanks for the feedback so far.
I know from IRC that Colm has been exploring the security
with some of his contacts: any results so far?
On 30/01/2018 08:24, Francesco Chicchiriccò wrote:
any feedback on this?
If no one sees issues with that I'll proceed as indicated.
On 24/01/2018 17:54, Francesco Chicchiriccò wrote:
Hi all (and Colm in particular, as this should be in your
we are currently basing all operations requiring random
(mainly tokens used during double opt-in and password reset, and
values for specific cases) on SecureRandom.
SecureRandom has, however, some performance issues which were
starting with Java 7, by ThreadLocalRandom; with Java 8 an
was made to retain security by setting the system property
'java.util.secureRandomSeed' to true.
1. suggest to set
for Tomcat and other Java EE containers on Linux, and
2. suggest to set
for Tomcat and other Java EE containers, and
3. replace SecureRandom with ThreadLocalRandom in 
Tirasa - Open Source Excellence
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
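
The other option raised in the thread, wrapping SecureRandom in a ThreadLocal, sketched as an added example that is not part of the original messages and is not Syncope code. The class name PerThreadTokens, the method newToken and the 32-byte token size are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Hypothetical helper (not Syncope code): one SecureRandom per thread, so
// worker threads do not share a single generator instance.
public class PerThreadTokens {

    // new SecureRandom() selects the platform default algorithm. Every
    // thread's instance seeds itself separately on first use, so the
    // entropy source configured for the JVM is read once per thread.
    private static final ThreadLocal<SecureRandom> RNG =
            ThreadLocal.withInitial(SecureRandom::new);

    // Returns a URL-safe token carrying numBytes * 8 bits of randomness.
    public static String newToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        RNG.get().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 8;
        int perThread = 10_000;
        Set<String> seen = ConcurrentHashMap.newKeySet();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        long start = System.nanoTime();
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                for (int i = 0; i < perThread; i++) {
                    seen.add(newToken(32));
                }
            });
        }
        pool.shutdown();
        if (!pool.awaitTermination(1, TimeUnit.MINUTES)) {
            throw new IllegalStateException("token generation did not finish");
        }
        long ms = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        // With 256-bit tokens, any duplicate would point to a broken generator.
        System.out.printf("%d unique tokens from %d threads in %d ms%n",
                seen.size(), threads, ms);
    }
}
```

Timing the same loop against a single shared SecureRandom on the target JVM and operating system shows whether the per-thread wrapper actually helps there.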