Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
3.8k views
in Technique[技术] by (71.8m points)

tomcat - Removing specific algorithms from Java security providers

I have a Tomcat 7.x servlet container which deploys multiple WAR files from its webapps directory. I would like to make sure that none of these applications deployed in my Tomcat use MD5 algorithms. I can do that from Java by:

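import java.security.Provider;
import java.security.Security;

// Remove the MD5 MessageDigest entry from every installed provider
Provider[] providers = Security.getProviders();
for (Provider p : providers) {
  p.remove("MessageDigest.MD5");
}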

However, this requires all web applications deployed in my Tomcat to do the same. Is there any way for me to do this just once, globally for this Tomcat instance?

One possibility is to add it in a servlet init method, then configure the servlet to load on startup from the global deployment descriptor.

I tried doing this, but in my Tomcat instance, regardless of where I do this, the following lines never throw an exception:

import java.security.MessageDigest;
// Lookup that was expected to throw NoSuchAlgorithmException
MessageDigest hash = MessageDigest.getInstance("MD5");
hash.digest("ABCDEFGH".getBytes());

I was expecting it to throw NoSuchAlgorithmException since I removed MessageDigest.MD5. What could be the reason?



1 Answer

0 votes
by (71.8m points)

According to the Provider javadoc:

The service type Provider is reserved for use by the security framework. Services of this type cannot be added, removed, or modified by applications.

So you can remove a Provider, but you cannot remove a single service from a Provider.
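
A startup check for the situation described above, as an added example that is not part of the original question or answer: it applies the question's per-provider removal and then verifies, rather than assumes, whether MD5 can still be resolved in this JVM. The class name `Md5Audit` and its helper methods are hypothetical, and the output depends on the JDK in use.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class name): audit whether MD5 is still resolvable in this JVM. */
public class Md5Audit {

    /** Names of installed providers that currently advertise the given MessageDigest algorithm. */
    static List<String> providersOffering(String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("MessageDigest", algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** True if MessageDigest.getInstance(algorithm) still succeeds. */
    static boolean isResolvable(String algorithm) {
        try {
            MessageDigest.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String alg = "MD5";
        System.out.println("Before: providers offering " + alg + " = " + providersOffering(alg));

        // The removal attempted in the question, applied to every installed provider.
        for (Provider p : Security.getProviders()) {
            p.remove("MessageDigest." + alg);
        }

        // Do not assume the removal took effect: check the provider view and the actual lookup.
        System.out.println("After:  providers offering " + alg + " = " + providersOffering(alg));
        System.out.println("getInstance(\"" + alg + "\") still resolvable: " + isResolvable(alg));
    }
}
```

The installed provider list is JVM-wide state, so running the same checks once at container startup covers every web application loaded into that JVM. Under a SecurityManager, `Provider.remove` requires the `removeProviderProperty.<provider name>` security permission.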

