Posted to dev@syncope.apache.org by "Jesse van Bekkum (JIRA)" <ji...@apache.org> on 2013/05/28 14:25:19 UTC
[jira] [Created] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings
Jesse van Bekkum created SYNCOPE-374:
----------------------------------------
Summary: SyncopeUser tokens do not use secure random strings
Key: SYNCOPE-374
URL: https://issues.apache.org/jira/browse/SYNCOPE-374
Project: Syncope
Issue Type: Improvement
Components: core
Affects Versions: 1.1.1
Reporter: Jesse van Bekkum
Priority: Minor
The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the standard Java Random class, which uses the current time in milliseconds as its seed.
This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
It also lists some solutions.
It is more secure to use a cryptographically secure string, as explained here:
http://commons.apache.org/proper/commons-math/userguide/random.html
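As an added illustration (not Syncope's own code), the weak pattern the report describes beside a hardened replacement that draws every character from java.security.SecureRandom. It assumes commons-lang3 on the classpath; the class and method names (TokenGenerator, weakToken, secureToken, secureTokenViaCommons) are illustrative. Whatever the seed, java.util.Random is a 48-bit linear congruential generator whose internal state can be recovered from a few observed outputs, so the fix is to change the generator, not the seed.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

// Hypothetical helper showing the defect reported in SYNCOPE-374 and its remedy.
public class TokenGenerator {
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak: randomAlphanumeric() draws from a shared java.util.Random.
    // Its 48-bit LCG state is recoverable from a handful of outputs, so tokens are predictable.
    public static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened: every character comes from SecureRandom. nextInt(bound) is unbiased,
    // so all 62 symbols are equally likely; 32 characters give about 190 bits of entropy.
    public static String secureToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[SECURE.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Smallest change to existing RandomStringUtils code: pass a SecureRandom explicitly.
    // RandomStringUtils.random(count, start, end, letters, numbers, chars, random) accepts any
    // java.util.Random subclass, and SecureRandom is one.
    public static String secureTokenViaCommons(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        System.out.println("weak:   " + weakToken(32));
        System.out.println("secure: " + secureToken(32));
        System.out.println("commons+SecureRandom: " + secureTokenViaCommons(32));
    }
}
```

A code review check for this class of bug is to grep for RandomStringUtils, Math.random and new Random() in any code path that mints tokens, session ids or password reset links, and require SecureRandom there.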