Posted to commits@myfaces.apache.org by bo...@apache.org on 2021/01/14 16:06:00 UTC

[myfaces] branch 2.3.x updated: MYFACES-4373: make sure SecureRandom is used for invalid configs

This is an automated email from the ASF dual-hosted git repository.

bommel pushed a commit to branch 2.3.x
in repository https://gitbox.apache.org/repos/asf/myfaces.git


The following commit(s) were added to refs/heads/2.3.x by this push:
     new cbdedd5  MYFACES-4373: make sure SecureRandom is used for invalid configs
     new a74a7a2  Merge pull request #136 from wtlucy/secureRandom2_2.3.x
cbdedd5 is described below

commit cbdedd5ed1f53c90f31c058250dbc2c427c54cea
Author: Bill Lucy <wt...@gmail.com>
AuthorDate: Wed Jan 13 18:25:39 2021 -0500

    MYFACES-4373: make sure SecureRandom is used for invalid configs
---
 .../application/viewstate/ClientSideStateCacheImpl.java        |  6 +++---
 .../application/viewstate/ServerSideStateCacheImpl.java        | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
index 89b6369..9bfb925 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
@@ -58,13 +58,13 @@ class ClientSideStateCacheImpl extends StateCache<Object, Object>
         String csrfRandomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
                 RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM, 
                 RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT);
-        if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
+        if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM.equals(csrfRandomMode))
         {
-            csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
+            csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
         }
         else
         {
-            csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
+            csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
         }
         
         stateTokenProcessor = new ClientSideStateTokenProcessor();
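Review bot: An unrecognized or misspelled value of `RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM` now falls through to `SecureRandomCsrfSessionTokenFactory` without any log entry, whereas the view-state token path in ServerSideStateCacheImpl warns when it falls back. Failing secure is the right default, but an operator gets no signal that the configured value was ignored. Consider warning in the `else` branch when the value is neither of the two recognized modes, e.g. `log.warning(RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM + " \"" + csrfRandomMode + "\" is not supported. Fallback to \"secureRandom\"");` (whether a `log` field exists in this class is not visible here). The identical CSRF block at the end of the ServerSideStateCacheImpl hunk has the same gap, and the enclosing method starts and ends outside this hunk.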
diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
index 328e7d2..7ff474e 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
@@ -206,22 +206,22 @@ class ServerSideStateCacheImpl extends StateCache<Object, Object>
             {
                 log.warning(RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM + " \""
                         + randomMode + "\" is not supported (anymore)."
-                        + " Fallback to \"random\"");
+                        + " Fallback to \"secureRandom\"");
             }
             sessionViewStorageFactory = new RandomSessionViewStorageFactory(
-                    new RandomKeyFactory(facesContext));
+                    new SecureRandomKeyFactory(facesContext));
         }
         
         String csrfRandomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
                 RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM, 
                 RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT);
-        if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
+        if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM.equals(csrfRandomMode))
         {
-            csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
+            csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
         }
         else
         {
-            csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
+            csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
         }
         
         stateTokenProcessor = new ServiceSideStateTokenProcessor();
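Review bot: Nothing in this commit pins the corrected fallback: the diffstat lists only the two implementation files, so the inverted default that this change fixes could be reintroduced unnoticed. A test that sets an unsupported value for each parameter and checks that a SecureRandom-backed factory is selected would guard it. A short comment on the fallback branches would also record the intent, e.g. `// Fail secure: anything other than an explicit "random" must use SecureRandom.` The condition guarding the view-state fallback and its warning sits above the hunk, so whether an empty or missing value also reaches `SecureRandomKeyFactory` cannot be confirmed from here.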