I thought he meant that if your code works with either Random or
SecureRandom, you're doing it wrong. They both have very different use
cases, and the fact that SecureRandom extends Random contributes to the
confusion.

On 30 September 2016 at 08:02, Emmanuel Bourg <ebo...@apache.org> wrote:

> On 28/09/2016 at 15:28, Gilles wrote:
>
> > Conversely, using "SecureRandom" in place of a deterministic
> > RNG is only useful in toy applications since the main feature
> > (of non-secure RNGs) one usually needs is reproducibility.
>
> I guess the Tomcat developers will love hearing they are building a toy
> application :)
>
> https://github.com/apache/tomcat80/blob/TOMCAT_8_0_37/java/org/apache/catalina/util/SessionIdGeneratorBase.java#L170
>
>
> > [1] Even the Java architects have indirectly acknowledged that,
> >     by having a new random-related class _NOT_ extend "Random"
> >     (allowing them to drop all the cruft brought by it).
>
> Are you referring to java.security.SecureRandomSpi not extending
> java.util.Random? This is merely a mechanism allowing to plug extra
> implementations, the whole security package is designed around this
> concept. But users only deal with SecureRandom, which extends Random.
>
> Emmanuel Bourg


-- 
Matt Sicker <boa...@gmail.com>
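
The distinction discussed in this thread, as an added example that is not part of the original messages and is not Commons or Tomcat code: a method typed against `Random` accepts both classes, so the compiler cannot tell a reproducible simulation stream from a session-token source, while a method typed against `SecureRandom` can. The class and method names (`RandomVsSecureRandom`, `tokenFrom`, `sessionId`) and the seed value are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

public class RandomVsSecureRandom {

    // Hypothetical helper: accepts any Random, so a seeded java.util.Random
    // and a SecureRandom are interchangeable as far as the compiler is concerned.
    static String tokenFrom(Random rng, int numBytes) {
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Hypothetical stricter helper: the parameter type states the requirement,
    // so passing a plain java.util.Random is a compile-time error.
    static String sessionId(SecureRandom rng, int numBytes) {
        return tokenFrom(rng, numBytes);
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed sample seed

        // Simulation use case: same seed, same sequence, by design.
        String a = tokenFrom(new Random(seed), 16);
        String b = tokenFrom(new Random(seed), 16);
        System.out.println("Random(seed) run 1: " + a);
        System.out.println("Random(seed) run 2: " + b);
        System.out.println("reproducible:       " + a.equals(b));

        // Security use case: the generator seeds itself from the platform's
        // entropy source, so successive values are not reproducible.
        SecureRandom sr = new SecureRandom();
        String c = sessionId(sr, 16);
        String d = sessionId(sr, 16);
        System.out.println("SecureRandom id 1:  " + c);
        System.out.println("SecureRandom id 2:  " + d);
        System.out.println("distinct:           " + !c.equals(d));

        // sessionId(new Random(seed), 16); // does not compile: Random is not a SecureRandom
    }
}
```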
