Posted to commits@myfaces.apache.org by bo...@apache.org on 2021/01/14 16:04:34 UTC
[myfaces] branch 2.2.x updated: MYFACES-4373: make sure
SecureRandom is used for invalid configs
This is an automated email from the ASF dual-hosted git repository.
bommel pushed a commit to branch 2.2.x
in repository https://gitbox.apache.org/repos/asf/myfaces.git
The following commit(s) were added to refs/heads/2.2.x by this push:
new 8fdb5c4 MYFACES-4373: make sure SecureRandom is used for invalid configs
new 885ee0e Merge pull request #137 from wtlucy/secureRandom2_2.2.x
8fdb5c4 is described below
commit 8fdb5c4bc6e4fbe9cb8df101a683a665e7db9fea
Author: Bill Lucy <wt...@gmail.com>
AuthorDate: Thu Jan 14 09:48:27 2021 -0500
MYFACES-4373: make sure SecureRandom is used for invalid configs
---
.../viewstate/ClientSideStateCacheImpl.java | 6 +++---
.../viewstate/ServerSideStateCacheImpl.java | 18 +++++++++---------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
index 857b859..a598d90 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
@@ -55,13 +55,13 @@ class ClientSideStateCacheImpl extends StateCache<Object, Object>
String csrfRandomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM,
RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT);
- if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
+ if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM.equals(csrfRandomMode))
{
- csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
+ csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
}
else
{
- csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
+ csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
}
}
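Review bot: An unrecognised `csrfRandomMode` now falls into the final `else` and gets `SecureRandomCsrfSessionTokenFactory`, which is the safe direction, but nothing is logged, so a mistyped parameter value is silently replaced and the operator never learns of it. I would add a check inside that `else`, such as `if (!RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))`, and log a warning there that names `RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM` and the fallback, using whatever logger the class already has. This assumes the `..._SECURE_RANDOM` constant is still defined, since it appears here only on the removed line. The same silent fallback applies to both `else` branches in ServerSideStateCacheImpl.java. The enclosing method starts outside this hunk.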
diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
index d810d55..eabc01e 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
@@ -199,31 +199,31 @@ class ServerSideStateCacheImpl extends StateCache<Object, Object>
String randomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM,
RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM_DEFAULT);
- if (RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM.equals(randomMode))
+ if (RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_RANDOM.equals(randomMode))
{
sessionViewStorageFactory = new RandomSessionViewStorageFactory(
- new SecureRandomKeyFactory(facesContext));
+ new RandomKeyFactory(facesContext));
}
- else if (RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_RANDOM.equals(randomMode))
+ else if (RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_NONE.equals(randomMode))
{
- sessionViewStorageFactory = new RandomSessionViewStorageFactory(
- new RandomKeyFactory(facesContext));
+ sessionViewStorageFactory = new CounterSessionViewStorageFactory(new CounterKeyFactory());
}
else
{
- sessionViewStorageFactory = new CounterSessionViewStorageFactory(new CounterKeyFactory());
+ sessionViewStorageFactory = new RandomSessionViewStorageFactory(
+ new SecureRandomKeyFactory(facesContext));
}
String csrfRandomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM,
RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT);
- if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM.equals(csrfRandomMode))
+ if (RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM.equals(csrfRandomMode))
{
- csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
+ csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
}
else
{
- csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
+ csrfSessionTokenFactory = new SecureRandomCsrfSessionTokenFactory(facesContext);
}
}
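Review bot: The CSRF factory selection at the end of this hunk is a line-for-line copy of the block in ClientSideStateCacheImpl.java, and this commit had to fix the same inverted default in both places. Moving that choice into one shared helper that both classes call would keep the fail-safe default in a single spot. The branch order is now what makes the configuration fail safe, so it deserves a comment above each chain, for example `// Only the explicit "random"/"none" opt-outs select a weaker key source; anything else gets SecureRandom.` The wording assumes `RandomKeyFactory` and `CounterKeyFactory` produce more predictable keys than `SecureRandomKeyFactory`, which the names suggest but the hunk does not show. The enclosing method begins before the hunk.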