
SEC-1615: Changed key generation for anonymous provider to only use SecureRandom on demand.

Luke Taylor 14 年之前
父節點
當前提交
69a1fb76d3

+ 15 - 21
config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -2,11 +2,6 @@ package org.springframework.security.config.http;
 
 import static org.springframework.security.config.http.SecurityFilters.*;
 
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.List;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeanMetadataElement;
@@ -33,13 +28,16 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA
 import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
 
+import java.security.SecureRandom;
+import java.util.*;
+
 /**
  * Handles creation of authentication mechanism filters and related beans for <http> parsing.
  *
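Review bot: The added `import java.util.*;` on the new side replaces the explicit `java.util.ArrayList` and `java.util.List` imports dropped in the first hunk, while every other import in this file remains a single-type import. A wildcard import can pick up unintended types from `java.util` and makes it harder to see which collection types the class actually uses, so I would keep them explicit: `import java.util.ArrayList;` and `import java.util.List;`. The `java.security.SecureRandom` import has also moved below the `org.*` group, which differs from the ordering the file used before.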
@@ -68,6 +66,8 @@ final class AuthenticationConfigBuilder {
 
     private static final String ATT_REF = "ref";
 
+    private static final String ATT_KEY = "key";
+
     private Element httpElt;
     private ParserContext pc;
 
@@ -99,8 +99,6 @@ final class AuthenticationConfigBuilder {
     private BeanDefinition etf;
     private BeanReference requestCache;
 
-    final SecureRandom random;
-
     public AuthenticationConfigBuilder(Element element, ParserContext pc, boolean allowSessionCreation,
             String portMapperName) {
         this.httpElt = element;
@@ -108,18 +106,9 @@ final class AuthenticationConfigBuilder {
         this.portMapperName = portMapperName;
         autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
         this.allowSessionCreation = allowSessionCreation;
-        try {
-            random = SecureRandom.getInstance("SHA1PRNG");
-        } catch (NoSuchAlgorithmException e) {
-            // Shouldn't happen...
-            throw new RuntimeException("Failed find SHA1PRNG algorithm!");
-        }
     }
 
     void createRememberMeFilter(BeanReference authenticationManager) {
-        final String ATT_KEY = "key";
-        final String DEF_KEY = "SpringSecured";
-
         // Parse remember me before logout as RememberMeServices is also a LogoutHandler implementation.
         Element rememberMeElt = DomUtils.getChildElementByTagName(httpElt, Elements.REMEMBER_ME);
 
@@ -127,10 +116,10 @@ final class AuthenticationConfigBuilder {
             String key = rememberMeElt.getAttribute(ATT_KEY);
 
             if (!StringUtils.hasText(key)) {
-                key = DEF_KEY;
+                key = createKey();
             }
 
-            rememberMeFilter = (RootBeanDefinition) new RememberMeBeanDefinitionParser(key).parse(rememberMeElt, pc);
+            rememberMeFilter = new RememberMeBeanDefinitionParser(key).parse(rememberMeElt, pc);
             rememberMeFilter.getPropertyValues().addPropertyValue("authenticationManager", authenticationManager);
             rememberMeServicesId = ((RuntimeBeanReference) rememberMeFilter.getPropertyValues().getPropertyValue("rememberMeServices").getValue()).getBeanName();
             createRememberMeProvider(key);
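Review bot: Substituting `createKey()` for the removed fixed `DEF_KEY` means a `<remember-me>` element without a `key` attribute now gets a different key on every application start, so remember-me cookies issued before a restart stop validating and cannot be shared between instances; the commit message mentions only the anonymous provider. Dropping a fixed, publicly known default is a sound hardening change, but the new behaviour deserves a comment at the `key = createKey();` line, e.g. `// No key configured: use a random one. Remember-me tokens then only validate within this JVM's lifetime; set the key attribute when cookies must survive restarts or span instances.` createRememberMeFilter starts in the previous hunk and continues past this one.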
@@ -374,7 +363,7 @@ final class AuthenticationConfigBuilder {
         if (anonymousElt != null) {
             grantedAuthority = anonymousElt.getAttribute("granted-authority");
             username = anonymousElt.getAttribute("username");
-            key = anonymousElt.getAttribute("key");
+            key = anonymousElt.getAttribute(ATT_KEY);
             source = pc.extractSource(anonymousElt);
         }
 
@@ -388,7 +377,7 @@ final class AuthenticationConfigBuilder {
 
         if (!StringUtils.hasText(key)) {
             // Generate a random key for the Anonymous provider
-            key = Long.toString(random.nextLong());
+            key = createKey();
         }
 
         anonymousFilter = new RootBeanDefinition(AnonymousAuthenticationFilter.class);
@@ -408,6 +397,11 @@ final class AuthenticationConfigBuilder {
 
     }
 
+    private String createKey() {
+        SecureRandom random = new SecureRandom();
+        return Long.toString(random.nextLong());
+    }
+
     void createExceptionTranslationFilter() {
         BeanDefinitionBuilder etfBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
         etfBuilder.addPropertyValue("accessDeniedHandler", createAccessDeniedHandler(httpElt, pc));
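Review bot: `createKey()` has no documentation, although both the remember-me and anonymous filter builders now depend on its contract; a Javadoc such as `/** Returns a fresh random key (the decimal form of a {@link SecureRandom} long) for filters configured without a {@code key} attribute. Each call yields an independent value. */` would make that explicit. Instantiating a new `SecureRandom` on each call looks acceptable as the method appears to run only during bean-definition parsing, but if it were ever invoked per request a single `static final` instance would avoid repeated seeding. createExceptionTranslationFilter continues past the hunk.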