tandraschko commented on code in PR #911: URL: https://github.com/apache/myfaces/pull/911#discussion_r2285388821
########## impl/src/main/java/org/apache/myfaces/util/token/TokenGenerator.java: ########## @@ -31,23 +34,46 @@ public class TokenGenerator { private final AtomicLong seed; + private static Logger log = Logger.getLogger(TokenGenerator.class.getName()); + + // TODO -- make a web parameter or it would be nice + // to consolidate RANDOM_KEY_IN_CSRF_SESSION_TOKEN_SECURE_RANDOM_ALGORITM, + // and RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_SECURE_RANDOM_ALGORITHM + private String[] supportedAlgorithmsList = {"SHA256DRBG","DRBG","SHA1PRNG"}; + public TokenGenerator() { seed = new AtomicLong(generateSeed()); } private long generateSeed() { - SecureRandom rng; - try + SecureRandom rng = null;

Review Comment:
Then we should rework this completely. We should look up all algorithms on startup (MyFacesConfig?) and only remember the algorithm to use. TokenGenerator/SessionIdGenerator should not try and try over and over.
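
Review bot: `SecureRandom rng = null;` in generateSeed() needs a defined outcome for the case where none of the names in supportedAlgorithmsList can be instantiated. The visible lines do not show one, so confirm that the code after this line either throws a clear exception or falls back to `new SecureRandom()` rather than using a null rng. In the added fields, `supportedAlgorithmsList` is a per-instance, mutable array and `log` is a non-final static; both would be better declared `private static final`. Because the order of that list decides which generator produces the seed, log the algorithm that was actually selected so that a silent drop to SHA1PRNG is visible to operators.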