Posted to commits@myfaces.apache.org by bo...@apache.org on 2021/01/14 16:41:02 UTC

[myfaces] branch 2.3-next updated: MYFACES-4373: prefer SecureRandom for token generation

This is an automated email from the ASF dual-hosted git repository.

bommel pushed a commit to branch 2.3-next
in repository https://gitbox.apache.org/repos/asf/myfaces.git


The following commit(s) were added to refs/heads/2.3-next by this push:
     new 20226b1  MYFACES-4373: prefer SecureRandom for token generation
     new 02fbcfb  Merge pull request #140 from wtlucy/secureRandom_2.3-next
20226b1 is described below

commit 20226b163d4983e456fd75bb9f60d9ae4865327a
Author: Bill Lucy <wt...@gmail.com>
AuthorDate: Thu Jan 14 10:49:24 2021 -0500

    MYFACES-4373: prefer SecureRandom for token generation
---
 .../application/viewstate/StateCacheServerSide.java | 10 +++++-----
 .../org/apache/myfaces/config/MyfacesConfig.java    | 21 +++++++++++----------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/StateCacheServerSide.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/StateCacheServerSide.java
index eedbc81..8ff37a0 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/StateCacheServerSide.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/StateCacheServerSide.java
@@ -104,19 +104,19 @@ class StateCacheServerSide extends StateCache<Object, Object>
             {
                 log.warning(MyfacesConfig.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN + " \""
                         + randomMode + "\" is not supported (anymore)."
-                        + " Fallback to \"random\"");
+                        + " Fallback to \"secureRandom\"");
             }
-            sessionViewStorageFactory = new SessionViewStorageFactoryImpl(new KeyFactoryRandom(facesContext));
+            sessionViewStorageFactory = new SessionViewStorageFactoryImpl(new KeyFactorySecureRandom(facesContext));
         }
         
         String csrfRandomMode = config.getRandomKeyInCsrfSessionToken();
-        if (MyfacesConfig.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
+        if (MyfacesConfig.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM.equals(csrfRandomMode))
         {
-            csrfSessionTokenFactory = new CsrfSessionTokenFactorySecureRandom(facesContext);
+            csrfSessionTokenFactory = new CsrfSessionTokenFactoryRandom(facesContext);
         }
         else
         {
-            csrfSessionTokenFactory = new CsrfSessionTokenFactoryRandom(facesContext);
+            csrfSessionTokenFactory = new CsrfSessionTokenFactorySecureRandom(facesContext);
         }
         
         stateTokenProcessor = new StateTokenProcessorServerSide();
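Review bot: Unlike the view-state branch at the top of this hunk, which logs a warning before falling back, the rewritten CSRF `else` branch now routes both `secureRandom` and any unrecognized `csrfRandomMode` value to `CsrfSessionTokenFactorySecureRandom` silently, so a typo in `org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN` is indistinguishable from an explicit choice. Falling back to the secure factory is the right default, but the misconfiguration should be logged the same way the view-state path already does, so operators can see that their setting was not applied. The enclosing method starts and ends outside this hunk, and I have assumed `config.getRandomKeyInCsrfSessionToken()` returns whatever text the deployment configured; confirm that it is not already validated upstream.
```java
        // … unchanged: csrfRandomMode lookup and the "random" branch …
        else
        {
            if (!MyfacesConfig.RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
            {
                log.warning(MyfacesConfig.RANDOM_KEY_IN_CSRF_SESSION_TOKEN + " \""
                        + csrfRandomMode + "\" is not supported (anymore)."
                        + " Fallback to \"secureRandom\"");
            }
            csrfSessionTokenFactory = new CsrfSessionTokenFactorySecureRandom(facesContext);
        }
```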
diff --git a/impl/src/main/java/org/apache/myfaces/config/MyfacesConfig.java b/impl/src/main/java/org/apache/myfaces/config/MyfacesConfig.java
index bb012ee..173fec5 100755
--- a/impl/src/main/java/org/apache/myfaces/config/MyfacesConfig.java
+++ b/impl/src/main/java/org/apache/myfaces/config/MyfacesConfig.java
@@ -464,18 +464,18 @@ public class MyfacesConfig
     public static final String CLIENT_VIEW_STATE_TIMEOUT = 
             "org.apache.myfaces.CLIENT_VIEW_STATE_TIMEOUT";
     private static final Long CLIENT_VIEW_STATE_TIMEOUT_DEFAULT = 0L;
-   
-    
+
+    public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
+    public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_RANDOM = "random";
+
     /**
      * Adds a random key to the generated view state session token.
      */
     @JSFWebConfigParam(since="2.1.9, 2.0.15", expectedValues="secureRandom, random", 
-            defaultValue="random", group="state")
+            defaultValue="secureRandom", group="state")
     public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN
             = "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN";
-    private static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_DEFAULT = "random";
-    public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
-    public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_RANDOM = "random";
+    private static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_DEFAULT = RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM;
     
     /**
      * Set the default length of the random key added to the view state session token.
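Review bot: The Javadoc above `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN` still reads only `Adds a random key to the generated view state session token.` and says nothing about the two accepted values or the default that this hunk switches to `secureRandom`, so the only place the new default is visible is the annotation attribute. Suggest extending the comment to `Adds a random key to the generated view state session token. Accepted values are "secureRandom" (the default) and "random"; any other value falls back to "secureRandom" with a warning.` The fallback described there is what the StateCacheServerSide hunk in this commit implements, so the comment should be kept in step with that code if the behaviour changes again.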
@@ -510,16 +510,17 @@ public class MyfacesConfig
             = "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM";
     private static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM_DEFAULT = "SHA1PRNG";
     
+    public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
+    public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM = "random";
+
     /**
      * Defines how to generate the csrf session token.
      */
-    @JSFWebConfigParam(since="2.2.0", expectedValues="secureRandom, random", defaultValue="none", group="state")
+    @JSFWebConfigParam(since="2.2.0", expectedValues="secureRandom, random", defaultValue="secureRandom", group="state")
     public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN
             = "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN";
-    private static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_DEFAULT = "random";
+    private static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_DEFAULT = RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM;
     
-    public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
-    public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM = "random";
     
     /**
      * Indicates that the serialized state will be compressed before it is written to the session. By default true.
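Review bot: With `secureRandom` now the default for both tokens, the context line `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM_DEFAULT = "SHA1PRNG"` becomes the algorithm every unconfigured deployment ends up requesting, if the factory passes it to `SecureRandom.getInstance`. That algorithm name is provider-specific and not guaranteed to be present on every JVM, where `getInstance` throws `NoSuchAlgorithmException`, so this change turns an existing portability assumption from opt-in into the default path. The commit does not need to touch the constant, but the Javadoc for that parameter (outside this hunk) should state that the configured algorithm must be supplied by an installed provider, or the factory should fall back to `new SecureRandom()` when the named algorithm is unavailable. I cannot see from this hunk how the value is consumed, so please confirm against `KeyFactorySecureRandom` before deciding which of the two to do.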