On 28/09/2016 at 15:28, Gilles wrote:

> Conversely, using "SecureRandom" in place of a deterministic
> RNG is only useful in toy applications since the main feature
> (of non-secure RNGs) one usually needs is reproducibility.

I guess the Tomcat developers will love hearing they are building a toy application :)

https://github.com/apache/tomcat80/blob/TOMCAT_8_0_37/java/org/apache/catalina/util/SessionIdGeneratorBase.java#L170

> [1] Even the Java architects have indirectly acknowledged that,
> by having a new random-related class _NOT_ extend "Random"
> (allowing them to drop all the cruft brought by it).

Are you referring to java.security.SecureRandomSpi not extending java.util.Random? This is merely a mechanism allowing extra implementations to be plugged in; the whole security package is designed around this concept. But users only deal with SecureRandom, which extends Random.

Emmanuel Bourg
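The two points in the message above, as an added example that is not part of the original e-mail and is not Tomcat's code: a generator written against java.util.Random accepts a SecureRandom unchanged, and the reproducibility of a seeded Random is exactly what a session identifier must not have. The class name SessionIdDemo, the method newSessionId and the seed value are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added illustration. SessionIdDemo and newSessionId are hypothetical names,
// not taken from Tomcat's SessionIdGeneratorBase.
public class SessionIdDemo {
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // Typed against java.util.Random, so any subclass (including
    // java.security.SecureRandom) can be supplied by the caller.
    static String newSessionId(Random rng, int byteLength) {
        byte[] raw = new byte[byteLength];
        rng.nextBytes(raw);
        StringBuilder sb = new StringBuilder(byteLength * 2);
        for (byte b : raw) {
            sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed sample seed

        // Deterministic RNG: the same seed yields the same identifier,
        // so anyone who learns or guesses the seed can recompute it.
        String a = newSessionId(new Random(seed), 16);
        String b = newSessionId(new Random(seed), 16);
        System.out.println("Random(seed) ids equal:  " + a.equals(b));

        // SecureRandom is passed through the same Random-typed parameter.
        // It seeds itself from the platform's entropy source, so there is
        // no caller-supplied seed that would let the output be replayed.
        Random secure = new SecureRandom();
        String c = newSessionId(secure, 16);
        String d = newSessionId(secure, 16);
        System.out.println("SecureRandom ids equal:  " + c.equals(d));

        // The inheritance relationship the reply relies on.
        System.out.println("SecureRandom extends Random: "
                + Random.class.isAssignableFrom(SecureRandom.class));
    }
}
```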