61072: Respect what the doc says about using the platform default secure random.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1794065 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/catalina/util/SessionIdGeneratorBase.java b/java/org/apache/catalina/util/SessionIdGeneratorBase.java
index 2c84c07..9b42ce2 100644
--- a/java/org/apache/catalina/util/SessionIdGeneratorBase.java
+++ b/java/org/apache/catalina/util/SessionIdGeneratorBase.java
@@ -198,6 +198,7 @@
}
}
+ boolean error = false;
if (result == null) {
// No secureRandomClass or creation failed. Use SecureRandom.
try {
@@ -210,15 +211,17 @@
result = SecureRandom.getInstance(secureRandomAlgorithm);
}
} catch (NoSuchAlgorithmException e) {
+ error = true;
log.error(sm.getString("sessionIdGeneratorBase.randomAlgorithm",
secureRandomAlgorithm), e);
} catch (NoSuchProviderException e) {
+ error = true;
log.error(sm.getString("sessionIdGeneratorBase.randomProvider",
secureRandomProvider), e);
}
}
- if (result == null) {
+ if (result == null && error) {
// Invalid provider / algorithm
try {
result = SecureRandom.getInstance("SHA1PRNG");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 180d262..848ff60 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,6 +104,11 @@
<code>useBodyEncodingForURI</code> attribute of the
<code>Connector</code> is correctly taken into account. (markt)
</fix>
+ <fix>
+ <bug>61072</bug>: Respect the documentation statements that allow
+ using the platform default secure random for session id generation.
+ (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
