This is an automated email from the ASF dual-hosted git repository. papegaaij pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push:
 new ac966ee WICKET-6730: replaced SecureRandom.getStrongInstance() by SHA1PRNG due to performance
ac966ee is described below
commit ac966ee03438a9f144c281e101b51b88b9101a24
Author: Emond Papegaaij <emond.papega...@topicus.nl>
AuthorDate: Wed Jan 22 21:51:25 2020 +0100
 WICKET-6730: replaced SecureRandom.getStrongInstance() by SHA1PRNG due to performance
---
 .../apache/wicket/core/random/DefaultSecureRandomSupplier.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
index cb00235..b8168b3 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
@@ -22,7 +22,11 @@ import java.security.SecureRandom;
 import org.apache.wicket.WicketRuntimeException;
 /**
- * A very simple {@link ISecureRandomSupplier} that holds a strong {@code SecureRandom}.
+ * A very simple {@link ISecureRandomSupplier} that holds a {@code SecureRandom} using
+ * {@code SHA1PRNG}. This {@code SecureRandom} is strong enough for generation of nonces with a
+ * short lifespan, but might not be strong enough for generating long-lived keys. When your
+ * application has stronger requirements on the random implementation, you should replace this class
+ * by your own implementation.
 *
 * @author papegaaij
 */
@@ -34,7 +38,7 @@ public class DefaultSecureRandomSupplier implements ISecureRandomSupplier
 {
 try
 {
- random = SecureRandom.getInstanceStrong();
+ random = SecureRandom.getInstance("SHA1PRNG");
 }
 catch (NoSuchAlgorithmException e)
 {
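Review bot: The rewritten class Javadoc in the first hunk tells callers what the generator should not be used for, but not why the strong instance was given up, so a later reader may "fix" it back. I would add one sentence such as `{@code SecureRandom.getInstanceStrong()} is not used because it can block while the system gathers entropy (WICKET-6730).` The comment could also say how the instance is seeded; no explicit seeding is visible in this diff, so it presumably relies on the provider's self-seeding, which should be confirmed against the rest of the class.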
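Review bot: `SecureRandom.getInstance("SHA1PRNG")` in the second hunk pins a single legacy algorithm name, so the quality of every value this supplier hands out now depends on whichever provider answers that name and on how that provider seeds it. `random = new SecureRandom();` would select the platform's default generator, which is normally non-blocking as well, without naming a SHA-1 based construction and without failing on a JVM that does not ship SHA1PRNG. The try block opens inside the hunk but the catch body and the enclosing constructor lie outside it; with the no-argument constructor nothing throws NoSuchAlgorithmException, so the try/catch would have to be removed in the same change. If SHA1PRNG is kept, the line deserves a comment such as `// non-blocking; seeded by the provider on first use, not suitable for long-lived keys`.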