tomcat - Removing specific algorithms from Java security providers

Question

I have a tomcat 7.x servlet container which deploys multiple war files from its webapps directory. I would like to make sure that none of these applications deployed in my tomcat use MD5 algorithms. I can do that from java by:

Provider[] providers = Security.getProviders();
for(Provider p : providers) {
  p.remove("MessageDigest.MD5");
}

However, this requires all web applications deployed in my tomcat to do the same. Is there anyway for me to do this just once, globally for this tomcat instance?

One possibility is to add it in a servlet init method, the configure the servlet to load on start up from global deployment descriptor.

I tried doing this, but in my tomcat instance, regardless of where I do this, the following lines never throw an exception:

MessageDigest hash = MessageDigest.getInstance("MD5");
hash.digest("ABCDEFGH".getBytes());

I was expecting it to throw NoSuchAlgorithmException since I removed MessageDigest.MD5. What could be the reason?

Answer 1

According to the Providers javadoc:

The service type Provider is reserved for use by the security framework. Services of this type cannot be added, removed, or modified by applications.

So you can remove a Provider, but you cannot remove a single service from a Provider.