Project

General

Profile

Bug #21669

Updated by Alexis Mousset over 1 year ago

And use random chars directly from SecureRandom, as done for other tokens. 

 The current only implementation of @StringUuidGenerator@ uses @java.util.UUID.randomUUID@, which in turn gets 122 bits (because a part of the uuid is not random) from @java.security.SecureRandom@, @java.security.SecureRansom@, which is suitable for the purpose. 

 But this is sub-optimal for two reasons: 

 * It does not communicate the intent. UUID are meant to be unique, not cryptographically secure. 
 * The @StringUuidGenerator@ trait does not carry any garantee about randomness, and one could easily switch implementation and produce predictable tokens.

Back