Posted to commits@myfaces.apache.org by ta...@apache.org on 2021/01/13 19:51:53 UTC
[myfaces] branch 3.0.x updated: MYFACES-4373: prefer SecureRandom
for token generation
This is an automated email from the ASF dual-hosted git repository.
tandraschko pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/myfaces.git
The following commit(s) were added to refs/heads/3.0.x by this push:
new 5697ab8 MYFACES-4373: prefer SecureRandom for token generation
new 3a6418b Merge pull request #127 from wtlucy/secureRandom_3.0.x
5697ab8 is described below
commit 5697ab874b8f2e68e6e4073f2bdb278424e8626f
Author: Bill Lucy <wt...@gmail.com>
AuthorDate: Tue Jan 12 15:06:07 2021 -0500
MYFACES-4373: prefer SecureRandom for token generation
---
.../main/java/org/apache/myfaces/application/StateCache.java | 12 ++++++------
.../application/viewstate/ServerSideStateCacheImpl.java | 4 ++--
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/impl/src/main/java/org/apache/myfaces/application/StateCache.java b/impl/src/main/java/org/apache/myfaces/application/StateCache.java
index ba1eca7..62da3c3 100644
--- a/impl/src/main/java/org/apache/myfaces/application/StateCache.java
+++ b/impl/src/main/java/org/apache/myfaces/application/StateCache.java
@@ -31,18 +31,18 @@ import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConf
*/
public abstract class StateCache<K, V>
{
-
+ public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
+ public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM = "random";
+
/**
* Defines how to generate the csrf session token.
*/
@JSFWebConfigParam(since="2.2.0", expectedValues="secureRandom, random",
- defaultValue="none", group="state")
+ defaultValue="secureRandom", group="state")
public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM
= "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN";
- public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT = "random";
-
- public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM = "secureRandom";
- public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_RANDOM = "random";
+ public static final String RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM_DEFAULT =
+ RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM;
/**
* Set the default length of the random key used for the csrf session token.
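Review bot: The Javadoc above `RANDOM_KEY_IN_CSRF_SESSION_TOKEN_PARAM` still reads only "Defines how to generate the csrf session token.", so a reader cannot tell that the two accepted values differ in security strength. Now that the default moves to `secureRandom`, I would extend it to something like `* Defines how to generate the csrf session token. "secureRandom" (default) draws the key from a cryptographically strong generator; "random" is predictable and is kept only for backward compatibility.` The same gap applies to the Javadoc of `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM` in ServerSideStateCacheImpl.java. How `random` is implemented is not visible in this diff, so the wording should be checked against the key factory before it is committed.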
diff --git a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
index 74b45cb..47fcaf7 100644
--- a/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
+++ b/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
@@ -133,11 +133,11 @@ class ServerSideStateCacheImpl extends StateCache<Object, Object>
* Adds a random key to the generated view state session token.
*/
@JSFWebConfigParam(since="2.1.9, 2.0.15", expectedValues="secureRandom, random",
- defaultValue="random", group="state")
+ defaultValue="secureRandom", group="state")
public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM
= "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN";
public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM_DEFAULT =
- RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_RANDOM;
+ RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM;
/**
* Set the default length of the random key added to the view state session token.
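Review bot: Applications that already set `org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN` to `random` stay on the non-secure generator after this change, because only `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM_DEFAULT` moves. The code that reads the parameter is outside the hunk, so it is not possible to confirm from here that a mistyped or unrecognised value falls back to `secureRandom` rather than to the weaker generator; it should fail towards the secure choice. An explicit `random` setting deserves a warning in the startup log so operators notice it. The same applies to the CSRF token parameter in StateCache.java.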