[SYNCOPE-374] SyncopeUser tokens do not use secure random strings - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.1.1
Fix Version/s: 1.1.2, 1.2.0-M1
Component/s: core
Labels:
None

Description

The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal java random class, which uses the current time in milliseconds as seed.

This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
It also lists some solutions.

It is more secure to use a cryptographically secure string, as explained here:
http://commons.apache.org/proper/commons-math/userguide/random.html

Attachments

Activity

People

Assignee:: Massimiliano Perrone

Reporter:: Jesse van Bekkum

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/May/13 12:25

Updated:: 11/Jun/13 10:48

Resolved:: 28/May/13 13:45