Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-09 11:53:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-2491: KeyBasedPersistenceTokenService defaults to 32 bytes

Browse Source
This commit is contained in:
Rob Winch 2014-11-20 14:40:07 -06:00
parent 0704f88e99
commit 4d738d8576
2 changed files with 3 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
core/src/main/java/org/springframework/security/core/token/KeyBasedPersistenceTokenService.java
View File

@ -53,7 +53,7 @@ import org.springframework.util.StringUtils;
* *
*/ */
public class KeyBasedPersistenceTokenService implements TokenService, InitializingBean { public class KeyBasedPersistenceTokenService implements TokenService, InitializingBean {
private int pseudoRandomNumberBytes = 256; private int pseudoRandomNumberBytes = 32;
private String serverSecret; private String serverSecret;
private Integer serverInteger; private Integer serverInteger;
private SecureRandom secureRandom; private SecureRandom secureRandom;
@ -134,21 +134,7 @@ public class KeyBasedPersistenceTokenService implements TokenService, Initializi
} }
/** /**
* This method actually sets the number of bytes despite the method name * @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256)
* indicating it is the number of bits.
*
* @deprecated use {@link #setPseudoRandomNumberBytes(int)}
* @param pseudoRandomNumberBytes
* changes the number of bytes issued (must be >= 0; defaults to
* 256)
*/
public void setPseudoRandomNumberBits(int pseudoRandomNumberBytes) {
Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");
this.pseudoRandomNumberBytes = pseudoRandomNumberBytes;
}
/**
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0; defaults to 256 for passivity reasons)
*/ */
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) { public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size"); Assert.isTrue(pseudoRandomNumberBytes >= 0, "Must have a positive pseudo random number bit size");

2
core/src/test/java/org/springframework/security/core/token/KeyBasedPersistenceTokenServiceTests.java
View File

@ -56,7 +56,7 @@ public class KeyBasedPersistenceTokenServiceTests {
@Test @Test
public void testOperationWithEmptyRandomNumber() { public void testOperationWithEmptyRandomNumber() {
KeyBasedPersistenceTokenService service = getService(); KeyBasedPersistenceTokenService service = getService();
service.setPseudoRandomNumberBits(0); service.setPseudoRandomNumberBytes(0);
Token token = service.allocateToken("Hello:world:::"); Token token = service.allocateToken("Hello:world:::");
Token result = service.verifyToken(token.getKey()); Token result = service.verifyToken(token.getKey());
Assert.assertEquals(token, result); Assert.assertEquals(token, result);