mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-09 11:53:30 +00:00
SEC-2491: KeyBasedPersistenceTokenService defaults to 32 bytes
parent
0704f88e99
commit
4d738d8576
@ -53,7 +53,7 @@ import org.springframework.util.StringUtils;
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class KeyBasedPersistenceTokenService implements TokenService, InitializingBean {
|
public class KeyBasedPersistenceTokenService implements TokenService, InitializingBean {
|
||||||
private int pseudoRandomNumberBytes = 256;
|
private int pseudoRandomNumberBytes = 32;
|
||||||
private String serverSecret;
|
private String serverSecret;
|
||||||
private Integer serverInteger;
|
private Integer serverInteger;
|
||||||
private SecureRandom secureRandom;
|
private SecureRandom secureRandom;
|
||||||
@ -134,21 +134,7 @@ public class KeyBasedPersistenceTokenService implements TokenService, Initializi
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This method actually sets the number of bytes despite the method name
|
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256)
|
||||||
* indicating it is the number of bits.
|
|
||||||
*
|
|
||||||
* @deprecated use {@link #setPseudoRandomNumberBytes(int)}
|
|
||||||
* @param pseudoRandomNumberBytes
|
|
||||||
* changes the number of bytes issued (must be >= 0; defaults to
|
|
||||||
* 256)
|
|
||||||
*/
|
|
||||||
public void setPseudoRandomNumberBits(int pseudoRandomNumberBytes) {
|
|
||||||
Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
|
|
||||||
this.pseudoRandomNumberBytes = pseudoRandomNumberBytes;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256 for passivity reasons)
|
|
||||||
*/
|
*/
|
||||||
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
|
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
|
||||||
Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
|
Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
|
||||||
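Review bot: The Javadoc left on `setPseudoRandomNumberBytes` in the second hunk still says "defaults to 256", but the first hunk changes the field initialiser to `private int pseudoRandomNumberBytes = 32;`, so the tag should read `@param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 32)`. The retained guard `pseudoRandomNumberBytes >= 0` accepts zero while its message speaks of a "positive ... bit size"; wording such as `"Must have a non-negative pseudo random number byte size"` would match both the check and the unit. Judging by the test name `testOperationWithEmptyRandomNumber`, a value of 0 appears to leave the token key with no random bytes, and the Javadoc would be the place to state that so nobody configures it by accident. The setter's body continues past the end of the hunk, so any further validation there is not visible here.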
|
@ -56,7 +56,7 @@ public class KeyBasedPersistenceTokenServiceTests {
|
|||||||
@Test
|
@Test
|
||||||
public void testOperationWithEmptyRandomNumber() {
|
public void testOperationWithEmptyRandomNumber() {
|
||||||
KeyBasedPersistenceTokenService service = getService();
|
KeyBasedPersistenceTokenService service = getService();
|
||||||
service.setPseudoRandomNumberBits(0);
|
service.setPseudoRandomNumberBytes(0);
|
||||||
Token token = service.allocateToken("Hello:world:::");
|
Token token = service.allocateToken("Hello:world:::");
|
||||||
Token result = service.verifyToken(token.getKey());
|
Token result = service.verifyToken(token.getKey());
|
||||||
Assert.assertEquals(token, result);
|
Assert.assertEquals(token, result);
|
||||||
|