authorLeif Åstrand <leif@vaadin.com>2016-12-01 10:44:34 +0200
committerVaadin Code Review <review@vaadin.com>2016-12-02 06:30:19 +0000
commit187bf6130df6abd8f4c0997f9dd728b2ac6a031d (patch)
tree1e9b999dd63ca58e83a7898a720e097ba137232e /server
parent68f19ab2b0ac13393c887817f063e2b918b86d57 (diff)
Add comments clarifying the use of UUID for security tokens
Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720b
Diffstat (limited to 'server')
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinSession.java6
-rw-r--r--server/src/main/java/com/vaadin/ui/ConnectorTracker.java6
2 files changed, 12 insertions, 0 deletions
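--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
 private int connectorIdSequence = 0;
+ /*
+ * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+ * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+ * and UUID.randomUUID() is defined to use a cryptographically secure random
+ * generator.
+ */
 private final String csrfToken = UUID.randomUUID().toString();
 /**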
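Review bot: The rationale comment added above `csrfToken` here is repeated word for word above `seckey` in the ConnectorTracker hunk, so the two copies will drift apart the first time the justification is revised; keep the full text in one place and have the other refer to it, e.g. `// See the comment on VaadinSession.csrfToken for why UUID.randomUUID() is acceptable as a secret here.`. The comment's central claim — that `UUID.randomUUID()` is defined to use a cryptographically strong generator — is backed by the JDK Javadoc for that method, so naming that source in the comment lets a reader verify the claim rather than take it on trust. The enclosing class body continues outside the hunk in both files.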
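--- a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
+++ b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
 }
 String seckey = streamVariableToSeckey.get(variable);
 if (seckey == null) {
+ /*
+ * Despite section 6 of RFC 4122, this particular use of UUID *is*
+ * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+ * of random data, and UUID.randomUUID() is defined to use a
+ * cryptographically secure random generator.
+ */
 seckey = UUID.randomUUID().toString();
 streamVariableToSeckey.put(variable, seckey);
 }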