[ https://issues.apache.org/jira/browse/MYFACES-4373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17264391#comment-17264391 ]
Bill Lucy commented on MYFACES-4373:
------------------------------------

Thanks for the quick reviews [~tandraschko] and [~bommel] - I'll close this out and make that update now.

> Use SecureRandom for Token Generation
> -------------------------------------
>
>                 Key: MYFACES-4373
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4373
>             Project: MyFaces Core
>          Issue Type: Bug
>            Reporter: Bill Lucy
>            Assignee: Bill Lucy
>            Priority: Major
>
> We should default to using _java.security.SecureRandom_ instead of
> _java.util.Random_ for ViewState and CSRF token generation. The default
> values for the following two props will be updated:
> org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN to "secureRandom"
> org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN to "secureRandom"

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
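
Why the issue asks for _java.security.SecureRandom_ as the token source, shown as an added example that is not part of the original message and is not MyFaces code: a `java.util.Random` stream is fully determined by its 48-bit seed, so two generators with the same seed emit identical tokens, while `SecureRandom` instances draw from the platform CSPRNG. The class name, the `token` helper, the 8-byte token length and the seed value are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class TokenRandomDemo {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Hypothetical helper: hex-encode `length` bytes drawn from the given generator.
    // SecureRandom extends Random, so both kinds of generator can be passed in.
    static String token(Random rng, int length) {
        byte[] raw = new byte[length];
        rng.nextBytes(raw);
        StringBuilder sb = new StringBuilder(length * 2);
        for (byte b : raw) {
            sb.append(HEX[(b >> 4) & 0xF]).append(HEX[b & 0xF]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed value standing in for any seed that is not secret.
        long seed = 1610000000000L;

        // java.util.Random: a linear congruential generator. Every output is a
        // function of the seed, so equal seeds give equal token sequences.
        Random r1 = new Random(seed);
        Random r2 = new Random(seed);
        for (int i = 0; i < 3; i++) {
            String a = token(r1, 8);
            String b = token(r2, 8);
            System.out.println("Random        " + a + " " + b + " equal=" + a.equals(b));
        }

        // SecureRandom: each instance is seeded from the operating system's
        // entropy source, so independent instances do not repeat each other.
        SecureRandom s1 = new SecureRandom();
        SecureRandom s2 = new SecureRandom();
        for (int i = 0; i < 3; i++) {
            String a = token(s1, 8);
            String b = token(s2, 8);
            System.out.println("SecureRandom  " + a + " " + b + " equal=" + a.equals(b));
        }
    }
}
```

The `Random` rows print `equal=true` on every run; the `SecureRandom` rows print `equal=false` except with negligible probability.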