HIVE-17152 : Improve security of random generator for HS2 cookies (Tao Li via Thejas Nair)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/bb4035b6 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/bb4035b6 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/bb4035b6 Branch: refs/heads/hive-14535 Commit: bb4035b68f3e98e158466848ec0fd501f89137b6 Parents: 849fa02 Author: Tao LI <t...@hortonworks.com> Authored: Thu Sep 7 10:53:58 2017 -0700 Committer: Thejas M Nair <the...@hortonworks.com> Committed: Thu Sep 7 10:53:58 2017 -0700 ---------------------------------------------------------------------- service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java | 4 ++-- .../org/apache/hive/service/cli/thrift/ThriftHttpServlet.java | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/bb4035b6/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java index f11c0e4a..8b5661a 100644 --- a/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java +++ b/service/src/java/org/apache/hive/service/auth/HttpAuthUtils.java @@ -21,11 +21,11 @@ package org.apache.hive.service.auth; import java.security.AccessControlContext; import java.security.AccessController; import java.security.PrivilegedExceptionAction; +import java.security.SecureRandom; import java.util.Arrays; import java.util.HashMap; import java.util.HashSet; import java.util.Map; -import java.util.Random; import java.util.Set; import java.util.StringTokenizer; @@ -96,7 +96,7 @@ public final class HttpAuthUtils { sb.append(COOKIE_CLIENT_USER_NAME).append(COOKIE_KEY_VALUE_SEPARATOR).append(clientUserName). append(COOKIE_ATTR_SEPARATOR); sb.append(COOKIE_CLIENT_RAND_NUMBER).append(COOKIE_KEY_VALUE_SEPARATOR). - append((new Random(System.currentTimeMillis())).nextLong()); + append((new SecureRandom()).nextLong()); return sb.toString(); } http://git-wip-us.apache.org/repos/asf/hive/blob/bb4035b6/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java ---------------------------------------------------------------------- diff --git a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java index cda736c..f3bbf8a 100644 --- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java +++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java @@ -22,11 +22,11 @@ import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.InetAddress; import java.security.PrivilegedExceptionAction; +import java.security.SecureRandom; import java.util.Arrays; import java.util.Collections; import java.util.List; import java.util.Map; -import java.util.Random; import java.util.Set; import java.util.concurrent.TimeUnit; @@ -84,7 +84,7 @@ public class ThriftHttpServlet extends TServlet { // Class members for cookie based authentication. private CookieSigner signer; public static final String AUTH_COOKIE = "hive.server2.auth"; - private static final Random RAN = new Random(); + private static final SecureRandom RAN = new SecureRandom(); private boolean isCookieAuthEnabled; private String cookieDomain; private String cookiePath;
