Posted to dev@syncope.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2013/05/28 16:16:20 UTC

[jira] [Commented] (SYNCOPE-374) SyncopeUser tokens do not use secure random strings

    [ https://issues.apache.org/jira/browse/SYNCOPE-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13668328#comment-13668328 ] 

Hudson commented on SYNCOPE-374:
--------------------------------

Integrated in Syncope-trunk #224 (See [https://builds.apache.org/job/Syncope-trunk/224/])
    merge from 1_1_X to close [SYNCOPE-374] (Revision 1486919)

     Result = SUCCESS
massi : 
Files : 
* /syncope/trunk
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/connid/ConnObjectUtil.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/beans/user/SyncopeUser.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/util/MappingUtil.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/util/SecureRandomUtil.java

                
> SyncopeUser tokens do not use secure random strings
> ---------------------------------------------------
>
>                 Key: SYNCOPE-374
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-374
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.1.1
>            Reporter: Jesse van Bekkum
>            Assignee: Massimiliano Perrone
>            Priority: Minor
>             Fix For: 1.1.2, 1.2.0
>
>
> The SyncopeUser.generateToken() function generates a token using the RandomStringUtils class. This class uses the normal Java Random class, which uses the current time in milliseconds as the seed.
> This means that the generated tokens can be predicted by an attacker. This forum post explains the issue: http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
> It also lists some solutions.
> It is more secure to use a cryptographically secure string, as explained here: 
> http://commons.apache.org/proper/commons-math/userguide/random.html

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
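The report above is about a token generator drawing from java.util.Random instead of SecureRandom. The following is an added illustration, not code from this issue, from Syncope's SecureRandomUtil, or from commons-lang: a token builder parameterised on its entropy source, an attacker-side routine that recovers a millisecond clock seed from a single observed token and then predicts the next one, and the SecureRandom-backed replacement. The alphabet, the 32-character length, the class and method names and the timestamp are assumptions made for the demo. The weak path seeds Random explicitly with a millisecond timestamp to model the scenario the report describes; a current JDK's no-argument Random constructor mixes System.nanoTime() with a uniquifier, which widens the seed space somewhat but still leaves a 48-bit generator whose future output is fully determined by a few observed outputs, so it is still not a substitute for SecureRandom.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example (not Syncope or commons-lang code): contrasts a token generator
// driven by java.util.Random with one driven by SecureRandom, and shows how a
// time-seeded Random lets an attacker who sees one token recover the seed.
public final class TokenDemo {

    // Assumed alphabet for the demo (the same character set
    // RandomStringUtils.randomAlphanumeric draws from).
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One process-wide SecureRandom; it is thread-safe and seeded by the JDK
    // from OS entropy, so there is no clock-derived seed to search.
    private static final SecureRandom SECURE = new SecureRandom();

    // Token builder parameterised on its entropy source. With a java.util.Random
    // this is the weak pattern the report describes; with SecureRandom it is the fix.
    static String token(int length, Random rng) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Hardened replacement. If commons-lang stays in use, the equivalent is the
    // overload that accepts a Random:
    //   RandomStringUtils.random(length, 0, 0, true, true, null, SECURE)
    static String secureToken(int length) {
        return token(length, SECURE);
    }

    // Attacker side: given one observed token and a rough idea of when it was
    // issued, try every millisecond seed in the window until one reproduces it.
    // Returns the recovered seed, or null if no seed in the window matches.
    static Long recoverSeed(String observed, long approxMillis, long windowMillis) {
        for (long seed = approxMillis - windowMillis; seed <= approxMillis + windowMillis; seed++) {
            if (token(observed.length(), new Random(seed)).equals(observed)) {
                return seed;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Server issues tokens from a Random seeded with the clock (weak pattern).
        // The seed is a constructed timestamp so the demo is deterministic.
        long issuedAt = 1369757780000L;
        Random weak = new Random(issuedAt);
        String t1 = token(32, weak);   // e.g. a password-reset token the attacker sees
        String t2 = token(32, weak);   // the next token the server will hand out

        // Attacker observes t1 and knows the issue time to within +/- 5 seconds.
        long guessedAt = issuedAt + 1234;          // attacker's clock estimate
        Long seed = recoverSeed(t1, guessedAt, 5000);
        if (seed == null) {
            System.out.println("seed not found in window");
            return;
        }
        System.out.println("seed recovered: " + (seed == issuedAt));

        // With the seed known, replay the stream and predict t2 without seeing it.
        Random replay = new Random(seed);
        token(32, replay);                         // skip the token already observed
        String predicted = token(32, replay);
        System.out.println("next token predicted: " + predicted.equals(t2));

        // SecureRandom output cannot be reproduced this way.
        String s1 = secureToken(32);
        String s2 = secureToken(32);
        System.out.println("secure tokens differ: " + !s1.equals(s2));
    }
}
```

Compile and run with `javac TokenDemo.java && java TokenDemo`; the seed search covers 10001 candidate seeds and finishes well under a second, which is the point: a seed drawn from the clock is a search problem, not a secret. The SecureRandom instance is a static field rather than created per call both because creation can block on entropy gathering and because reusing one instance is the documented, thread-safe usage.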