Add comments clarifying the use of UUID for security tokens
authorLeif Åstrand <leif@vaadin.com>
Thu, 1 Dec 2016 08:44:34 +0000 (10:44 +0200)
committerVaadin Code Review <review@vaadin.com>
Fri, 2 Dec 2016 06:30:19 +0000 (06:30 +0000)
Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720b

server/src/main/java/com/vaadin/server/VaadinSession.java
server/src/main/java/com/vaadin/ui/ConnectorTracker.java

index 3e3202ee1bec26bbee5f68a86abcc6d6f508a336..84808e89da18e49b8bc4ff897087f9b760b4c534 100644 (file)
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
 
     private int connectorIdSequence = 0;
 
+    /*
+     * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+     * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+     * and UUID.randomUUID() is defined to use a cryptographically secure random
+     * generator.
+     */
     private final String csrfToken = UUID.randomUUID().toString();
 
     /**
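Review bot: The phrase "defined to use a cryptographically secure random generator" in the new comment above `csrfToken` slightly overstates what the JDK guarantees; the `UUID.randomUUID()` Javadoc promises a "cryptographically strong pseudo random number generator", which in practice is the platform `SecureRandom`, so the token's unpredictability depends on the JDK and its configured seed source rather than on the UUID format itself. Suggest quoting the Javadoc wording and naming that dependency so the claim stays traceable, e.g. `* and UUID.randomUUID() is specified (see its Javadoc) to use a cryptographically strong PRNG, i.e. the platform SecureRandom.` The same comment is duplicated in the ConnectorTracker hunk before the `seckey` assignment; one of them could refer to the other instead of repeating the argument. The argument also holds only if the token is later compared in a way that does not leak timing information, which is outside both hunks and may be worth a pointer from the comment.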
index 2ba6f5e89591866421537dc82ef2431300827f98..ca901f6a6f353c879c1a8a559c5363135141e091 100644 (file)
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
         }
         String seckey = streamVariableToSeckey.get(variable);
         if (seckey == null) {
+            /*
+             * Despite section 6 of RFC 4122, this particular use of UUID *is*
+             * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+             * of random data, and UUID.randomUUID() is defined to use a
+             * cryptographically secure random generator.
+             */
             seckey = UUID.randomUUID().toString();
             streamVariableToSeckey.put(variable, seckey);
         }