Browse Source
Add comments clarifying the use of UUID for security tokens
Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720btags/8.0.0.alpha9
Leif Åstrand
7 years ago
2 changed files with 12 additions and 0 deletions
+ 6
- 0
server/src/main/java/com/vaadin/server/VaadinSession.java
View File
| @@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable { | |||
| private int connectorIdSequence = 0; | |||
| /* | |||
| * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate | |||
| * for security capabilities. Type 4 UUIDs contain 122 bits of random data, | |||
| * and UUID.randomUUID() is defined to use a cryptographically secure random | |||
| * generator. | |||
| */ | |||
| private final String csrfToken = UUID.randomUUID().toString(); | |||
| /** | |||
+ 6
- 0
server/src/main/java/com/vaadin/ui/ConnectorTracker.java
View File
| @@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable { | |||
| } | |||
| String seckey = streamVariableToSeckey.get(variable); | |||
| if (seckey == null) { | |||
| /* | |||
| * Despite section 6 of RFC 4122, this particular use of UUID *is* | |||
| * adequate for security capabilities. Type 4 UUIDs contain 122 bits | |||
| * of random data, and UUID.randomUUID() is defined to use a | |||
| * cryptographically secure random generator. | |||
| */ | |||
| seckey = UUID.randomUUID().toString(); | |||
| streamVariableToSeckey.put(variable, seckey); | |||
| } | |||
Loading…