Stop using UUIDs as system tokens
And use random chars directly from SecureRandom, as done for other tokens.
The current only implementation of
java.util.UUID.randomUUID, which in turn gets 122 bits (because a part of the uuid is not random) from
java.security.SecureRandom, which is suitable for the purpose.
But this is sub-optimal for two reasons:
- It does not communicate the intent. UUIDs are meant to be unique, not cryptographically secure.
The StringUuidGenerator trait does not carry any guarantee about randomness, and one could easily switch implementations and produce predictable tokens.
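
An added illustration, not the project's own code: it shows where the 122-bit figure for java.util.UUID.randomUUID comes from, next to a token drawn character by character from java.security.SecureRandom. The class name, method names, alphabet and the 32-character length are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.UUID;

// Hypothetical example class; names, alphabet and length are assumptions.
public class SystemTokenExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // Draws every character straight from SecureRandom, so the type and the
    // call site both state that the value is meant to be unpredictable.
    // nextInt(bound) is uniform over [0, bound), which avoids modulo bias.
    static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[RNG.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Entropy, in bits, of a token of the given length over ALPHABET.
    static double entropyBits(int length) {
        return length * (Math.log(ALPHABET.length) / Math.log(2));
    }

    // Random bits in a UUID from randomUUID(): the 128-bit value reserves
    // 4 bits for the version field and 2 bits for the variant field.
    static int uuidRandomBits() {
        return 128 - 4 - 2;
    }

    public static void main(String[] args) {
        UUID u = UUID.randomUUID();
        // version() and variant() read the fixed, non-random fields back.
        System.out.println("uuid        = " + u);
        System.out.println("version     = " + u.version());
        System.out.println("variant     = " + u.variant());
        System.out.println("random bits = " + uuidRandomBits());

        int length = 32; // assumed token length
        System.out.println("token       = " + randomToken(length));
        System.out.printf("entropy     = %.1f bits%n", entropyBits(length));
    }
}
```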