Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2013/05/28 15:41:19 UTC
[jira] [Updated] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings
[ https://issues.apache.org/jira/browse/SYNCOPE-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francesco Chicchiriccò updated SYNCOPE-374:
-------------------------------------------
Fix Version/s: 1.2.0, 1.1.2
> SyncopeUser tokens do not use secure random strings
> ---------------------------------------------------
>
> Key: SYNCOPE-374
> URL: https://issues.apache.org/jira/browse/SYNCOPE-374
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.1.1
> Reporter: Jesse van Bekkum
> Assignee: Massimiliano Perrone
> Priority: Minor
> Fix For: 1.1.2, 1.2.0
>
>
> The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal Java Random class, which uses the current time in milliseconds as seed.
> This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
> It also lists some solutions.
> It is more secure to use a cryptographically secure string, as explained here:
> http://commons.apache.org/proper/commons-math/userguide/random.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
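To make the reported risk concrete, here is an added example (not Syncope's code) that puts a token generator backed by a seeded java.util.Random next to one backed by SecureRandom; the class and method names are chosen here, and the last method assumes the Commons Lang 3 overload of RandomStringUtils.random that accepts a caller-supplied Random, which lets the library stay in place while the entropy source changes.

```java
import java.security.SecureRandom;
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

public class TokenGenerators {

    private static final String ALPHANUM =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: java.util.Random is a deterministic generator. Anyone who knows
    // (or can narrow down) the seed can reproduce every token it emits.
    static String weakToken(int length, long seed) {
        Random rnd = new Random(seed);
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUM.charAt(rnd.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    // Hardened: SecureRandom draws from the platform CSPRNG, so knowing the
    // generation time gives no information about the token.
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUM.charAt(SECURE.nextInt(ALPHANUM.length())));
        }
        return sb.toString();
    }

    // Same alphabet via Commons Lang, but with SecureRandom supplied
    // explicitly instead of the library's default shared java.util.Random.
    static String secureTokenCommons(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        long seed = System.currentTimeMillis();
        System.out.println("seeded Random reproducible: "
                + weakToken(32, seed).equals(weakToken(32, seed)));
        System.out.println("two SecureRandom tokens equal: "
                + secureToken(32).equals(secureToken(32)));
        System.out.println("commons token: " + secureTokenCommons(32));
    }
}
```

The first line printed is the whole problem: a seed that an observer can estimate makes the token a function of the clock rather than a secret.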