[
https://issues.apache.org/jira/browse/LANG-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gary D. Gregory resolved LANG-1750.
-----------------------------------
Fix Version/s: 3.17.0
Resolution: Fixed
[~marco.hoek]
Thank you for your detailed report.
This is now fixed in git master and snapshot builds in
https://repository.apache.org/content/repositories/snapshots/
> Using RandomStringUtils.insecure() still leads to using the secure() random
> ---------------------------------------------------------------------------
>
> Key: LANG-1750
> URL: https://issues.apache.org/jira/browse/LANG-1750
> Project: Commons Lang
> Issue Type: Bug
> Components: lang.*
> Affects Versions: 3.16.0
> Reporter: Marco Hoek
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 3.17.0
>
>
> In RandomStringUtils v3.16, the use of secure() vs insecure() is used to be
> able to choose which random generator to use. However, consider the following
> code path:
>
> a) RandomStringUtils.insecure().nextAlphanumeric(length)
> leads to the instance method 'nextAlphanumeric, which in turn calls:
> b) static method RandomStringUtils.random(count, true, true)
> which in turn calls
> c) static method RandomStringUtils.secure().next(count, letters, numbers)
>
> Conclusion: where I want to use the "insecure" option path, I end up having
> the call forwarded to the "secure" random provider anyway. Where I then run
> into the problem of having too low entropy and experiencing terrible
> performance.... (see LANG-1748)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
