Posted to commits@wicket.apache.org by pa...@apache.org on 2020/01/22 20:52:11 UTC

[wicket] branch master updated: WICKET-6730: replaced SecureRandom.getStrongInstance() by SHA1PRNG due to performance

This is an automated email from the ASF dual-hosted git repository.

papegaaij pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new ac966ee  WICKET-6730: replaced SecureRandom.getStrongInstance() by SHA1PRNG due to performance
ac966ee is described below

commit ac966ee03438a9f144c281e101b51b88b9101a24
Author: Emond Papegaaij <em...@topicus.nl>
AuthorDate: Wed Jan 22 21:51:25 2020 +0100

    WICKET-6730: replaced SecureRandom.getStrongInstance() by SHA1PRNG due to performance
---
 .../apache/wicket/core/random/DefaultSecureRandomSupplier.java    | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
index cb00235..b8168b3 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
@@ -22,7 +22,11 @@ import java.security.SecureRandom;
 import org.apache.wicket.WicketRuntimeException;
 
 /**
- * A very simple {@link ISecureRandomSupplier} that holds a strong {@code SecureRandom}.
+ * A very simple {@link ISecureRandomSupplier} that holds a {@code SecureRandom} using
+ * {@code SHA1PRNG}. This {@code SecureRandom} is strong enough for generation of nonces with a
+ * short lifespan, but might not be strong enough for generating long-lived keys. When your
+ * application has stronger requirements on the random implementation, you should replace this class
+ * by your own implementation.
  * 
  * @author papegaaij
  */
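Review bot: The new class Javadoc states the strength limit but not why the weaker generator was chosen, so a later maintainer could revert to the strong instance without knowing the cost. The commit subject gives the reason as performance, which presumably refers to the strong instance blocking while it waits for entropy on some platforms. One more sentence would record that, for example `{@code SecureRandom.getInstanceStrong()} is not used because it can be too slow for per-request use (WICKET-6730).` The "replace this class by your own implementation" sentence would also be easier to act on if it linked to where the supplier is configured, which this hunk does not show.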
@@ -34,7 +38,7 @@ public class DefaultSecureRandomSupplier implements ISecureRandomSupplier
 	{
 		try
 		{
-			random = SecureRandom.getInstanceStrong();
+			random = SecureRandom.getInstance("SHA1PRNG");
 		}
 		catch (NoSuchAlgorithmException e)
 		{
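Review bot: The hard-coded `"SHA1PRNG"` on the added line ties the supplier to one named algorithm, which not every Java runtime is required to provide, so on a runtime without it construction ends in the `NoSuchAlgorithmException` handler. `random = new SecureRandom();` would take the platform's preferred generator and throw no checked exception, making the surrounding try/catch unnecessary; whether it meets the performance goal of WICKET-6730 on all target platforms would need measuring. If SHA1PRNG stays, a comment on this line should record that the instance relies on self-seeding at first use, e.g. `// SHA1PRNG self-seeds on the first nextBytes(); never call setSeed() before that, or only the supplied seed is used`. The constructor and the catch body continue outside the hunk, so how the failure is reported is not visible here.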