From 187bf6130df6abd8f4c0997f9dd728b2ac6a031d Mon Sep 17 00:00:00 2001
From: Leif Åstrand
Date: Thu, 1 Dec 2016 10:44:34 +0200
Subject: Add comments clarifying the use of UUID for security tokens

Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720b
---
 server/src/main/java/com/vaadin/server/VaadinSession.java | 6 ++++++
 server/src/main/java/com/vaadin/ui/ConnectorTracker.java | 6 ++++++
 2 files changed, 12 insertions(+)
(limited to 'server')

diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 3e3202ee1b..84808e89da 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
 private int connectorIdSequence = 0;
+ /*
+ * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+ * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+ * and UUID.randomUUID() is defined to use a cryptographically secure random
+ * generator.
+ */
 private final String csrfToken = UUID.randomUUID().toString();
 /**
diff --git a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
index 2ba6f5e895..ca901f6a6f 100644
--- a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
+++ b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
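Review bot: The added comment above `csrfToken` calls these "Type 4 UUIDs", but RFC 4122 (section 4.4) and the `java.util.UUID` Javadoc use "version 4"; suggest `* for security capabilities. Version 4 UUIDs contain 122 bits of random data,` so the terminology matches the RFC the comment cites. Since the whole argument rests on a library contract, it would also help to name it: `UUID.randomUUID()` is documented to use a cryptographically strong pseudo-random number generator, and that Javadoc wording (not any particular `SecureRandom` implementation) is the guarantee being relied on. The same comment is added verbatim in the ConnectorTracker.java hunk; keeping the rationale in one place and cross-referencing it from the other would stop the two from drifting apart. Note the comment only argues the entropy of token generation; how the token is later transported and compared is outside this hunk, so the comment should not be read as covering those parts.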
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
 }
 String seckey = streamVariableToSeckey.get(variable);
 if (seckey == null) {
+ /*
+ * Despite section 6 of RFC 4122, this particular use of UUID *is*
+ * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+ * of random data, and UUID.randomUUID() is defined to use a
+ * cryptographically secure random generator.
+ */
 seckey = UUID.randomUUID().toString();
 streamVariableToSeckey.put(variable, seckey);
 }
-- cgit v1.2.3