volosied commented on PR #911: URL: https://github.com/apache/myfaces/pull/911#issuecomment-3197190788
@melloware @tandraschko Please take a look at the new update. This changes the config slightly. Instead of specifying one algorithm, you can specify multiple in order of priority. This affects `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM` and `RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM`. This allows us to set new defaults: {"SHA256DRBG", "DRBG", "SHA1PRNG"}. We'll try each in order (order of security), and if no success, then we'll resort to the default platform. There are some performance trade-offs, but, with security, I think it's better to err on the side of caution.
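
The priority-ordered fallback described in the comment above, as an added Java example; it is not the code from PR #911 or from MyFaces. The class and method names and the 16-byte token length are assumptions, and the algorithm list is the one quoted in the comment.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

// Hypothetical helper for illustration, not a MyFaces class.
public class PrioritizedSecureRandom {

    // Defaults quoted in the comment, most preferred first.
    static final List<String> DEFAULT_ALGORITHMS =
            Arrays.asList("SHA256DRBG", "DRBG", "SHA1PRNG");

    // Returns a generator for the first name that an installed provider
    // supports, or the platform default when none of the names resolves.
    static SecureRandom select(List<String> algorithms) {
        for (String name : algorithms) {
            try {
                return SecureRandom.getInstance(name.trim());
            } catch (NoSuchAlgorithmException e) {
                // No installed provider offers this name; try the next one.
            }
        }
        return new SecureRandom();
    }

    // Encodes 16 random bytes as a URL-safe token (length is an assumption).
    static String newToken(SecureRandom random) {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        SecureRandom random = select(DEFAULT_ALGORITHMS);
        // Report the choice so operators can see which generator is in use
        // on this JVM, since the result depends on the installed providers.
        System.out.println("algorithm=" + random.getAlgorithm()
                + " provider=" + random.getProvider().getName());
        System.out.println("token=" + newToken(random));
    }
}
```

Printing the selected algorithm and provider at startup makes a silent fallback to a lower-priority generator visible in the logs.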