SEC-2491: KeyBasedPersistenceTokenService defaults to 32 bytes

2014-11-20 14:40:07 -06:00 · 2014-11-20 14:40:07 -06:00 · 4d738d8576
parent 0704f88e99
commit 4d738d8576
2 changed files with 3 additions and 17 deletions
--- a/core/src/main/java/org/springframework/security/core/token/KeyBasedPersistenceTokenService.java
+++ b/core/src/main/java/org/springframework/security/core/token/KeyBasedPersistenceTokenService.java
@ -53,7 +53,7 @@ import org.springframework.util.StringUtils;
 *
 */
 public class KeyBasedPersistenceTokenService implements TokenService, InitializingBean {
-    private int pseudoRandomNumberBytes = 256;
+    private int pseudoRandomNumberBytes = 32;
    private String serverSecret;
    private Integer serverInteger;
    private SecureRandom secureRandom;
@ -134,21 +134,7 @@ public class KeyBasedPersistenceTokenService implements TokenService, Initializi
    }

    /**
-     * This method actually sets the number of bytes despite the method name
-     * indicating it is the number of bits.
-     *
-     * @deprecated use {@link #setPseudoRandomNumberBytes(int)}
-     * @param pseudoRandomNumberBytes
-     *            changes the number of bytes issued (must be >= 0; defaults to
-     *            256)
-     */
-    public void setPseudoRandomNumberBits(int pseudoRandomNumberBytes) {
-        Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
-        this.pseudoRandomNumberBytes = pseudoRandomNumberBytes;
-    }
-
-    /**
-     * @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256 for passivity reasons)
+     * @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256)
     */
    public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
        Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
--- a/core/src/test/java/org/springframework/security/core/token/KeyBasedPersistenceTokenServiceTests.java
+++ b/core/src/test/java/org/springframework/security/core/token/KeyBasedPersistenceTokenServiceTests.java
@ -56,7 +56,7 @@ public class KeyBasedPersistenceTokenServiceTests {
    @Test
    public void testOperationWithEmptyRandomNumber() {
        KeyBasedPersistenceTokenService service = getService();
-        service.setPseudoRandomNumberBits(0);
+        service.setPseudoRandomNumberBytes(0);
        Token token = service.allocateToken("Hello:world:::");
        Token result = service.verifyToken(token.getKey());
        Assert.assertEquals(token, result);