7

I used to configure -Djava.security.egd=file:/dev/./urandom in my Dockerfile for Spring Boot applications.

In https://spring.io/guides/gs/spring-boot-docker/ (or GitHub https://github.com/dsyer/gs-spring-boot-docker) a comment was added that this is not required any more for newer versions:

To reduce Tomcat startup time we added a system property pointing to "/dev/urandom" as a source of entropy. This is not necessary with more recent versions of Spring Boot, if you use the "standard" version of Tomcat (or any other web server).

I am looking for any references for this change in Tomcat or Spring Boot repos, and which Spring Boot versions are affected.

Paul Verest
Jochen Christ

1 Answer

7

This problem should have been resolved by the JDK Enhancement Proposal: JEP 123, Configurable Secure Random-Number Generation.

According to the JDK 8 Security Enhancements official Oracle document, the /dev/./urandom workaround is no longer necessary as of JDK 8:

SHA1PRNG and NativePRNG were fixed to properly respect the SecureRandom seed source properties in the java.security file. (The obscure workaround using file:///dev/urandom and file:/dev/./urandom is no longer required.)

Ortomala Lokni
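
An added example, not part of the original answer or of the Spring or Oracle documentation: a small Java diagnostic that prints the seed-source settings discussed above (securerandom.source from the java.security file and the java.security.egd system property from the question) and times the first use of each SecureRandom algorithm. The class name EntropySourceCheck is an assumption made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

public class EntropySourceCheck {

    // Times creation plus the first nextBytes() call, which is where a
    // SecureRandom seeds itself and where a blocking seed source shows up.
    static String probe(String algorithm) {
        try {
            long start = System.nanoTime();
            SecureRandom rng = (algorithm == null)
                    ? new SecureRandom()                    // JDK default
                    : SecureRandom.getInstance(algorithm);
            rng.nextBytes(new byte[32]);
            long ms = (System.nanoTime() - start) / 1_000_000;
            return String.format("%-22s provider=%-6s first 32 bytes in %d ms",
                    rng.getAlgorithm(), rng.getProvider().getName(), ms);
        } catch (NoSuchAlgorithmException e) {
            // The NativePRNG* algorithms exist only on Unix-like platforms.
            return String.format("%-22s not available on this platform", algorithm);
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version        = "
                + System.getProperty("java.version"));
        // Seed source configured in the JDK's java.security file.
        System.out.println("securerandom.source = "
                + Security.getProperty("securerandom.source"));
        // The -D flag from the question; null means it was not passed.
        System.out.println("java.security.egd   = "
                + System.getProperty("java.security.egd"));

        System.out.println(probe(null));
        for (String alg : new String[] {"NativePRNG", "NativePRNGNonBlocking", "SHA1PRNG"}) {
            System.out.println(probe(alg));
        }
    }
}
```

Run it inside the container image once without and once with -Djava.security.egd=file:/dev/./urandom; if the timings do not differ on your JDK, the flag can be dropped from the Dockerfile.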