MyFaces Core / MYFACES-4373

Use SecureRandom for Token Generation

Details

    Description

      We should default to using java.security.SecureRandom instead of java.util.Random for ViewState and CSRF token generation.  The default values for the following two props will be updated:

      org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN to "secureRandom"

      org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN to "secureRandom"

      And if available

      org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN to "secureRandom"

          People

            wtlucy Bill Lucy
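An audit check for the three parameters named in the description, as an added example (not MyFaces code and not part of the issue): it reads a `web.xml` and reports each parameter as `ok`, `unset` (the deployed version's default applies) or `other:<value>`. The sample descriptor and its `random` value are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Parameter names and target value as listed in the issue description.
TOKEN_PARAMS = (
    "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN",
)
WANTED = "secureRandom"

def _local(tag):  # drop the XML namespace so Java EE and Jakarta EE both match
    return tag.rsplit("}", 1)[-1]

def read_context_params(web_xml_text):
    """Return {param-name: param-value} for every <context-param> element."""
    params = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) == "context-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
    return params

def audit_token_params(web_xml_text):
    """Map each token parameter to 'ok', 'unset' or 'other:<value>'."""
    params = read_context_params(web_xml_text)
    report = {}
    for name in TOKEN_PARAMS:
        value = params.get(name)
        if value is None:
            report[name] = "unset"  # the deployed version's default applies
        else:
            report[name] = "ok" if value == WANTED else "other:" + value
    return report

# Constructed sample descriptor; "random" is an assumed non-secure value.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name>
    <param-value>secureRandom</param-value>
  </context-param>
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN</param-name>
    <param-value>random</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    print(audit_token_params(SAMPLE_WEB_XML))
```

On a deployment that predates the default change, an `unset` result means the parameter should be set explicitly to `secureRandom`.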