[ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494074#comment-16494074 ]
Stefaan Dutry commented on WW-4939:
-----------------------------------

[~lukaszlenart] When generating a UUID, is there a reason to not use {{java.util.UUID.randomUUID()}}?

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e.
> {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime
> to avoid using literals directly in exploits. Users can still use the
> constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>
> // RANDOM is not declared in the issue; a SecureRandom instance is assumed here.
> private static final SecureRandom RANDOM = new SecureRandom();
>
> public static final String AUTH_TOKEN = generateUUID();
>
> // 165 random bits rendered as an upper-case base-36 string.
> public static String generateUUID() {
>     return new BigInteger(165, RANDOM).toString(36).toUpperCase();
> }
> {code}
> This will probably break backward compatibility but using string literals
> instead of the constants by the users is a bad practice anyway.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
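An added example, not Struts code and not from either participant in the thread, that places the issue's generator beside the `UUID.randomUUID()` alternative the comment asks about and shows why a runtime-generated key defeats a hard-coded literal. The class `RuntimeConstantsDemo`, the methods `generateUuidV4` and `attributes`, and the `SecureRandom` behind `RANDOM` are assumptions made for the demo.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical holder class; the Struts 2 code base does not contain it.
public final class RuntimeConstantsDemo {
    // Assumed: the issue's RANDOM is a SecureRandom, not java.util.Random.
    private static final SecureRandom RANDOM = new SecureRandom();

    // Generator from the issue: 165 random bits rendered in base 36.
    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    // Alternative raised in the comment: a version-4 UUID (122 random bits).
    public static String generateUuidV4() {
        return UUID.randomUUID().toString();
    }

    // Both keys are fixed for the life of this JVM but differ on every start.
    public static final String ACTION_MAPPING = generateUUID();
    public static final String AUTH_TOKEN = generateUuidV4();

    // Stand-in for the attribute map in which a framework stores its objects.
    public static Map<String, Object> attributes() {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(ACTION_MAPPING, "mapping for /hello");
        return attrs;
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = attributes();
        // Code compiled against the constant still resolves the object.
        System.out.println("via constant: " + attrs.get(ACTION_MAPPING));
        // The old literal, the only name knowable in advance, maps to nothing.
        System.out.println("via literal:  " + attrs.get("struts.actionMapping"));
        // Caveat: anything persisted under the key (a session replicated to
        // another node, for instance) will not resolve after a restart,
        // because the key is regenerated each time the class is loaded.
        System.out.println("key lengths: " + ACTION_MAPPING.length()
                + " / " + AUTH_TOKEN.length());
    }
}
```

The base-36 string drops leading zero digits, so its length is usually 32 characters but is not fixed; the UUID form is always 36 characters.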