author | Leif Åstrand <leif@vaadin.com> | 2016-12-01 10:44:34 +0200 |
---|---|---|
committer | Vaadin Code Review <review@vaadin.com> | 2016-12-02 06:30:19 +0000 |
commit | 187bf6130df6abd8f4c0997f9dd728b2ac6a031d (patch) | |
tree | 1e9b999dd63ca58e83a7898a720e097ba137232e /server | |
parent | 68f19ab2b0ac13393c887817f063e2b918b86d57 (diff) | |
Add comments clarifying the use of UUID for security tokens
Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720b
Diffstat (limited to 'server')
-rw-r--r-- | server/src/main/java/com/vaadin/server/VaadinSession.java | 6 | ||||
-rw-r--r-- | server/src/main/java/com/vaadin/ui/ConnectorTracker.java | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 3e3202ee1b..84808e89da 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
     private int connectorIdSequence = 0;
+    /*
+     * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+     * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+     * and UUID.randomUUID() is defined to use a cryptographically secure random
+     * generator.
+     */
     private final String csrfToken = UUID.randomUUID().toString();
     /**
diff --git a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
index 2ba6f5e895..ca901f6a6f 100644
--- a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
+++ b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
         }
         String seckey = streamVariableToSeckey.get(variable);
         if (seckey == null) {
+            /*
+             * Despite section 6 of RFC 4122, this particular use of UUID *is*
+             * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+             * of random data, and UUID.randomUUID() is defined to use a
+             * cryptographically secure random generator.
+             */
             seckey = UUID.randomUUID().toString();
             streamVariableToSeckey.put(variable, seckey);
         } |
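Review bot: The same five-line rationale is pasted verbatim into both hunks (VaadinSession.csrfToken and the seckey branch in ConnectorTracker), so the next person who revisits the token scheme has to find and update two copies. A single helper that owns both the call and the justification, for example a package-private `static String newSecureToken()` documented once and used at both sites, would keep the two token sources in step. The comment's claim "is defined to use a cryptographically secure random generator" rests on the Javadoc of `UUID.randomUUID()`, which states it uses a cryptographically strong pseudo random number generator; quoting that wording, e.g. `* generator (see the Javadoc of UUID.randomUUID()).`, makes the claim traceable rather than asserted. Both enclosing classes, and the method around the ConnectorTracker hunk, start and end outside the hunks.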