-rw-r--r-- | server/src/main/java/com/vaadin/server/VaadinSession.java | 6 | ||||
-rw-r--r-- | server/src/main/java/com/vaadin/ui/ConnectorTracker.java | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 3e3202ee1b..84808e89da 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
     private int connectorIdSequence = 0;
+    /*
+     * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+     * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+     * and UUID.randomUUID() is defined to use a cryptographically secure random
+     * generator.
+     */
     private final String csrfToken = UUID.randomUUID().toString();
     /**
diff --git a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
index 2ba6f5e895..ca901f6a6f 100644
--- a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
+++ b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
         }
         String seckey = streamVariableToSeckey.get(variable);
         if (seckey == null) {
+            /*
+             * Despite section 6 of RFC 4122, this particular use of UUID *is*
+             * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+             * of random data, and UUID.randomUUID() is defined to use a
+             * cryptographically secure random generator.
+             */
             seckey = UUID.randomUUID().toString();
             streamVariableToSeckey.put(variable, seckey);
         }
|
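Review bot: The same five-line justification is now pasted verbatim in VaadinSession (above `csrfToken`) and in ConnectorTracker (above `seckey`), and both sites call `UUID.randomUUID().toString()` directly, so the reasoning will drift the next time one copy is edited. A single documented helper, e.g. `static String newSecureToken() { return UUID.randomUUID().toString(); }` in a shared server-side utility, would carry the RFC 4122 note once and give both token sites one place to change the generator if needed. The comment's "is defined to use a cryptographically secure random generator" is slightly stronger than the JDK wording; `UUID.randomUUID()` Javadoc says "cryptographically strong pseudo random number generator", so quoting that phrasing would make the claim exactly checkable. The entropy argument covers guessability only; wherever `csrfToken` and `seckey` are later compared against client-supplied values (not in these hunks), that comparison is what keeps the token unguessable in practice, and a constant-time compare such as `MessageDigest.isEqual` is worth confirming there. The enclosing method in ConnectorTracker begins before the hunk.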