From 8cd2c40860037d52e93acc45159da290b2cd6989 Mon Sep 17 00:00:00 2001
From: Brian Clozel
Date: Tue, 1 Oct 2024 21:29:19 +0200
Subject: [PATCH] Improve random source in SockJS server support

Prior to this commit, the SockJs server support would use `java.util.Random` to send a random value to clients when they request the `/info` endpoint.

Per protocol, clients can use this value as a source of entropy for generating a random session id. In practice, this is not used by clients. For example, the SockJS javascript client is using a cryptographically safe API to generate session ids.

While this has no concrete effect on known clients, this commit improves the random source in the server support by switching to `java.security.SecureRandom`.

Closes gh-33632
---
 .../web/socket/sockjs/support/AbstractSockJsService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
index 79ba9e078318..c58a1d02f9e6 100644
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -72,7 +73,7 @@ public abstract class AbstractSockJsService implements SockJsService, CorsConfig
 	private static final long ONE_YEAR = TimeUnit.DAYS.toSeconds(365);
-	private static final Random random = new Random();
+	private static final Random random = new SecureRandom();
 	protected final Log logger = LogFactory.getLog(getClass());
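Review bot: The new `random` field line gives no hint of why a cryptographic generator now sits behind a plain `Random` type, and the rationale lives only in the commit message; I would put it at the declaration: `// Sent to clients in the /info response as an advertised entropy source, so a CSPRNG is used even though known clients do not rely on it`. Declaring the field as `SecureRandom` instead of `Random` would also make that intent visible in the type and keep a later edit from quietly swapping a non-cryptographic source back in. A single static `SecureRandom` instance is safe for concurrent use, so sharing it across requests as before is fine. The `/info` handler that reads this field is outside the hunk, so how the value is consumed there is not checked here.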