[
https://issues.apache.org/jira/browse/SYNCOPE-374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Massimiliano Perrone resolved SYNCOPE-374.
------------------------------------------
Resolution: Fixed
Committed revision 1486919.
> SyncopeUser tokens do not use secure random strings
> ---------------------------------------------------
>
> Key: SYNCOPE-374
> URL: https://issues.apache.org/jira/browse/SYNCOPE-374
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.1.1
> Reporter: Jesse van Bekkum
> Assignee: Massimiliano Perrone
> Priority: Minor
> Fix For: 1.1.2, 1.2.0
>
>
> The SyncopeUser.generateToken() function generates a token using the
> RandomStringUtils class. This class uses the normal Java Random class, which
> uses the current time in milliseconds as seed.
> This means that the generated tokens can be predicted by an attacker. This
> forum post explains the issue:
> http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
> It also lists some solutions.
> It is more secure to use a cryptographically secure string, as explained
> here:
> http://commons.apache.org/proper/commons-math/userguide/random.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
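The following is an added illustration of the weakness the issue describes and of the fix; it is not code from Syncope or from the reporter. It stands in for SyncopeUser.generateToken() with a hypothetical token() helper that draws characters from an alphabet using whatever java.util.Random it is handed. The "weak" variant seeds java.util.Random with a millisecond timestamp, as the report describes, and recoverSeed() plays the attacker who knows roughly when the token was issued and simply tries every seed in a window of a few seconds. The "secure" variant swaps in java.security.SecureRandom, after which no seed search applies. The 32-character length and the alphabet are assumptions.

```java
import java.security.SecureRandom;
import java.util.Random;

public class TokenDemo {
    // Hypothetical alphabet; RandomStringUtils.randomAlphanumeric uses the same character set.
    static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Build a token from any Random. The strength of the token is entirely
    // the strength of the generator passed in.
    static String token(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Weak: java.util.Random seeded with a timestamp (the pattern the report describes).
    // Same seed, same token: the whole secret is the 64-bit seed, and only a few
    // thousand seed values are plausible once the issue time is known.
    static String weakToken(long seedMillis, int length) {
        return token(new Random(seedMillis), length);
    }

    // Secure: SecureRandom draws from the platform CSPRNG; there is no seed to guess.
    static String secureToken(int length) {
        return token(new SecureRandom(), length);
    }

    // Attacker model: the token was observed (e.g. in a password-reset link) and the
    // attacker knows the issue time to within windowMillis. Try every seed in range.
    static Long recoverSeed(String observed, long approxMillis, long windowMillis) {
        for (long s = approxMillis - windowMillis; s <= approxMillis + windowMillis; s++) {
            if (weakToken(s, observed.length()).equals(observed)) {
                return s;
            }
        }
        return null; // not found inside the window
    }

    public static void main(String[] args) {
        long issuedAt = System.currentTimeMillis();
        String victimToken = weakToken(issuedAt, 32);

        // Attacker's clock is 1.2 s off; a 5 s window (10001 candidates) still finds it.
        Long seed = recoverSeed(victimToken, issuedAt + 1234, 5000);
        System.out.println("weak token:     " + victimToken);
        System.out.println("recovered seed: " + seed
            + ((seed != null && seed == issuedAt) ? " (matches issue time)" : ""));

        // Knowing the seed, the attacker reproduces this and any later token from the
        // same generator instance, so the next reset token can be predicted as well.
        Random replay = new Random(seed);
        System.out.println("replayed token: " + token(replay, 32)
            + (token(replay, 32).length() == 32 ? " (next token also predictable)" : ""));

        // Fixed variant: SecureRandom. A seed search has nothing to search for.
        String strongToken = secureToken(32);
        System.out.println("secure token:   " + strongToken);
    }
}
```

Two points for anyone applying this to Syncope or a similar code base. First, the same bug hides in code that never seeds explicitly: java.util.Random is a 48-bit linear congruential generator, so even when the seed is not a timestamp its internal state can be reconstructed from a small number of observed outputs, and every later token follows. Second, the minimal fix does not require abandoning RandomStringUtils: commons-lang exposes the overload RandomStringUtils.random(int count, int start, int end, boolean letters, boolean numbers, char[] chars, Random random), which accepts a caller-supplied Random, so passing a SecureRandom instance there (kept as a single long-lived field rather than created per call) yields the same alphanumeric format with an unpredictable generator. Compare tokens in constant time (for example with MessageDigest.isEqual on their bytes) and give them a short expiry, since unpredictability alone does not bound the attacker's number of guesses.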