[ https://issues.apache.org/jira/browse/SYNCOPE-374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13668328#comment-13668328 ]
Hudson commented on SYNCOPE-374:
--------------------------------
Integrated in Syncope-trunk #224 (See [https://builds.apache.org/job/Syncope-trunk/224/])
merge from 1_1_X to close [SYNCOPE-374] (Revision 1486919)
Result = SUCCESS
massi :
Files :
* /syncope/trunk
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/connid/ConnObjectUtil.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/beans/user/SyncopeUser.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/util/MappingUtil.java
* /syncope/trunk/core/src/main/java/org/apache/syncope/core/util/SecureRandomUtil.java
> SyncopeUser tokens do not use secure random strings
> ---------------------------------------------------
>
> Key: SYNCOPE-374
> URL: https://issues.apache.org/jira/browse/SYNCOPE-374
> Project: Syncope
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.1.1
> Reporter: Jesse van Bekkum
> Assignee: Massimiliano Perrone
> Priority: Minor
> Fix For: 1.1.2, 1.2.0
>
>
> The SyncopeUser.generateToken() function generates a token using the
> RandomStringUtils class. This class uses the normal Java random class, which
> uses the current time in milliseconds as seed.
> This means that the generated tokens can be predicted by an attacker. This
> forum post explains the issue:
> http://stackoverflow.com/questions/1741160/how-can-i-create-a-password
> It also lists some solutions.
> It is more secure to use a cryptographically secure string, as explained
> here:
> http://commons.apache.org/proper/commons-math/userguide/random.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
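An added example, not Syncope's own code and not the contents of the SecureRandomUtil.java listed in the commit, contrasting the predictable generator described in the issue with a SecureRandom-backed replacement. It assumes commons-lang3 on the classpath (the same seven-argument RandomStringUtils.random overload also exists in commons-lang 2.x) and uses a hypothetical class name, TokenGeneration.

```java
import java.security.SecureRandom;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

/** Hypothetical helper for illustration; not Syncope's SecureRandomUtil. */
public final class TokenGeneration {

    // Before: the no-argument RandomStringUtils methods draw from a shared
    // java.util.Random, a 48-bit linear congruential generator whose future
    // output can be recovered from a few observed values. Kept for comparison.
    static String predictableToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // After: SecureRandom is a CSPRNG; the seven-argument overload lets us
    // pass it as the source. start = end = 0 with letters and numbers enabled
    // selects the alphanumeric set [A-Za-z0-9].
    private static final SecureRandom SECURE = new SecureRandom();

    static String secureToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    // Alternative without commons-lang: raw CSPRNG bytes, hex-encoded.
    // 32 bytes give 256 bits of entropy regardless of the character set.
    static String secureHexToken(int byteLength) {
        byte[] buf = new byte[byteLength];
        SECURE.nextBytes(buf);
        StringBuilder sb = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Guard for code review and tests: reject any non-CSPRNG source so the
    // regression described in SYNCOPE-374 cannot be reintroduced silently.
    static String tokenFrom(Random source, int length) {
        if (!(source instanceof SecureRandom)) {
            throw new IllegalArgumentException("token source must be SecureRandom");
        }
        return RandomStringUtils.random(length, 0, 0, true, true, null, source);
    }

    public static void main(String[] args) {
        System.out.println("secure  : " + secureToken(32));
        System.out.println("hex     : " + secureHexToken(32));
        System.out.println("guarded : " + tokenFrom(SECURE, 32));
        // tokenFrom(new Random(), 32) throws IllegalArgumentException.
    }
}
```

A 32-character alphanumeric token carries about 190 bits of entropy (62^32), which is more than enough for a single-use activation or password-reset token; the weakness the issue describes is the generator, not the length.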