Bug #21669
Updated by Alexis Mousset about 2 years ago
And use random chars directly from SecureRandom, as done for other tokens.

The only current implementation of @StringUuidGenerator@ uses @java.util.UUID.randomUUID@, which in turn gets 122 bits (because a part of the UUID is not random) from @java.security.SecureRandom@, which is suitable for the purpose. But this is sub-optimal for two reasons:

* It does not communicate the intent. UUIDs are meant to be unique, not cryptographically secure.
* The @StringUuidGenerator@ trait does not carry any guarantee about randomness, and one could easily switch implementation and produce predictable tokens.
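An added sketch of the approach described in this comment, not the project's own code: a trait whose contract is unpredictability, with an implementation that draws each character directly from @java.security.SecureRandom@. The names @SecretTokenGenerator@, @SecureRandomTokenGenerator@ and @TokenDemo@, the 62-character alphabet and the 122-bit minimum are assumptions made for the illustration.

```scala
import java.security.SecureRandom
import java.util.UUID

// Hypothetical trait: the type itself promises unpredictability, not just uniqueness.
trait SecretTokenGenerator {
  def newToken(length: Int): String
}

// Hypothetical implementation: every character is drawn directly from SecureRandom.
object SecureRandomTokenGenerator extends SecretTokenGenerator {
  // Assumed alphabet of 62 symbols, about 5.95 bits per character.
  private val alphabet: Array[Char] =
    (('a' to 'z') ++ ('A' to 'Z') ++ ('0' to '9')).toArray
  private val rng = new SecureRandom()

  // Bits of entropy carried by a token of the given length.
  def entropyBits(length: Int): Double =
    length * (math.log(alphabet.length.toDouble) / math.log(2.0))

  def newToken(length: Int): String = {
    // Assumed policy: refuse lengths weaker than the 122 random bits of a version 4 UUID.
    require(entropyBits(length) >= 122.0, s"token of $length chars is below 122 bits")
    val sb = new StringBuilder(length)
    var i = 0
    while (i < length) {
      // nextInt(bound) rejects out-of-range draws, so there is no modulo bias.
      sb.append(alphabet(rng.nextInt(alphabet.length)))
      i += 1
    }
    sb.toString
  }
}

object TokenDemo {
  def main(args: Array[String]): Unit = {
    val uuid = UUID.randomUUID()
    // Version (4 bits) and variant (2 bits) are fixed, leaving 122 of 128 bits random.
    println(s"uuid=$uuid version=${uuid.version()} variant=${uuid.variant()}")

    val token = SecureRandomTokenGenerator.newToken(32)
    println(f"token=$token bits=${SecureRandomTokenGenerator.entropyBits(32)}%.1f")
  }
}
```

Code that needs a secret token depends on @SecretTokenGenerator@ rather than a UUID generator, so swapping in a merely-unique implementation becomes a visible contract change instead of a silent one.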