Posted to commits@ws.apache.org by ve...@apache.org on 2011/10/20 20:38:24 UTC

svn commit: r1186988 - /webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java

Author: veithen
Date: Thu Oct 20 18:38:24 2011
New Revision: 1186988

URL: http://svn.apache.org/viewvc?rev=1186988&view=rev
Log:
Added a note to the Javadoc of UIDGenerator#generateUID() explaining the implications of the fact that the method ensures uniqueness, but not randomness.

Modified:
    webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java

Modified: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java
URL: http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java?rev=1186988&r1=1186987&r2=1186988&view=diff
==============================================================================
--- webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java (original)
+++ webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/UIDGenerator.java Thu Oct 20 18:38:24 2011
@@ -185,6 +185,14 @@ public final class UIDGenerator {
      * a 192 bit value, i.e. it is 48 characters long. The implementation guarantees a high level of
      * uniqueness, but makes no provisions to guarantee randomness. It is thread safe, but doesn't
      * use synchronization.
+     * <p>
+     * The fact that this method doesn't guarantee randomness implies that the generated IDs are
+     * predictable and must not be used in contexts where this would cause a security vulnerability.
+     * In particular, this method should <b>not</b> be used to generate the following kind of IDs:
+     * <ul>
+     * <li>Session IDs.
+     * <li>Message IDs used in WS-Addressing.
+     * </ul>
      * 
      * @return the generated unique ID
      */
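Review bot: The new paragraph in the generateUID() Javadoc tells callers what the method must not be used for, but not what to use instead, so a reader who needs a session ID or a WS-Addressing message ID is left without direction. Consider adding a sentence after the closing </ul> that points to a cryptographically strong source such as java.security.SecureRandom for IDs that must be unpredictable. The phrase "In particular" already signals that the list is not exhaustive, but stating the criterion would help more: any ID whose knowledge or guessability grants access or lets a third party correlate or inject messages. Minor wording: "the following kind of IDs" should read "the following kinds of IDs".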