Jesse van Bekkum created SYNCOPE-374:
----------------------------------------
Summary: SyncopeUser tokens do not use secure random strings
Key: SYNCOPE-374
URL: https://issues.apache.org/jira/browse/SYNCOPE-374
Project: Syncope
Issue Type: Improvement
Components: core
Affects Versions: 1.1.1
Reporter: Jesse van Bekkum
Priority: Minor
The SyncopeUser.generateToken() function generates a token using the
RandomStringUtils class. This class uses the normal Java Random class, which
uses the current time in milliseconds as its seed.
This means that the generated tokens can be predicted by an attacker. This
forum post explains the issue:
http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
It also lists some solutions.
It is more secure to use a cryptographically secure string, as explained here:
http://commons.apache.org/proper/commons-math/userguide/random.html
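The following is an added illustration, not Syncope's generateToken() nor the Apache Commons code it calls. It assumes a hypothetical TokenService that hands out alphanumeric tokens from one shared java.util.Random instance seeded from the clock at startup, which is what the description above amounts to. An attacker who receives one token (for example their own password-reset token) and knows roughly when the service started can recover the seed by trial and then predict every later token from the same instance. The same draw loop backed by SecureRandom is the fix.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example, not Syncope code: predictable tokens from a clock-seeded
// java.util.Random versus tokens drawn from SecureRandom.
public class TokenDemo {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One character per nextInt() call, the same shape as an alphanumeric
    // RandomStringUtils call; the quality depends entirely on rng.
    static String token(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Hypothetical service: one long-lived generator shared by all callers.
    static final class TokenService {
        private final Random rng;
        TokenService(Random rng) { this.rng = rng; }
        String next(int length) { return token(rng, length); }
    }

    // Attacker side: replay candidate seeds in a window around the assumed
    // startup time until one reproduces the observed token. Returns -1 if none.
    static long recoverSeed(String observed, long approxMillis, long windowMillis) {
        for (long s = approxMillis - windowMillis; s <= approxMillis + windowMillis; s++) {
            if (token(new Random(s), observed.length()).equals(observed)) {
                return s;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Weak configuration: seed is the wall clock at startup.
        long startupMillis = System.currentTimeMillis();
        TokenService weak = new TokenService(new Random(startupMillis));
        String attackersOwn = weak.next(32);  // token the attacker legitimately receives
        String victims = weak.next(32);       // next token issued, to someone else

        // Attacker guesses startup to within +/- 5 seconds: 10001 candidate seeds.
        long seed = recoverSeed(attackersOwn, startupMillis + 1234, 5000);
        if (seed == -1) {
            System.out.println("seed not in window");
            return;
        }
        Random replay = new Random(seed);
        token(replay, 32);                      // skip the token already seen
        String predicted = token(replay, 32);   // this is the victim's token
        System.out.println("seed recovered          : " + (seed == startupMillis));
        System.out.println("victim token predicted  : " + predicted.equals(victims));

        // Hardened configuration: SecureRandom seeds itself from the platform
        // entropy source and its output is not reproducible from a small seed space.
        TokenService strong = new TokenService(new SecureRandom());
        String strongToken = strong.next(32);
        System.out.println("strong token (not reproducible): " + strongToken);
    }
}
```

Two notes on applying this to real code. First, since SecureRandom extends java.util.Random, Commons Lang can be kept as the string builder: RandomStringUtils.random(count, 0, 0, true, true, null, new SecureRandom()) draws the same alphanumeric string from a CSPRNG, so generateToken() need not change shape. Second, the seed-guessing loop is only the simplest attack; java.util.Random is a 48-bit linear congruential generator whose internal state can be recovered from a handful of observed outputs regardless of how it was seeded, so choosing a "better" seed for java.util.Random is not a fix.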