Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve random source in SockJS support #33632

Closed
bclozel opened this issue Oct 1, 2024 · 0 comments
Closed

Improve random source in SockJS support #33632

bclozel opened this issue Oct 1, 2024 · 0 comments
Assignees
@bclozel
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Milestone
6.2.0-RC2

Comments

@bclozel
Copy link
Member

bclozel commented Oct 1, 2024

The SockJs protocol spec states the following:

As browsers don't have a good entropy source, the server must help with that. Info url must supply a good, unpredictable random number from the range <0; 2^32-1> to feed the browser.

Our SockJs server implementation uses java.util.Random to generate a source of entropy for clients. We could argue that this source of entropy is not strong/secure enough. Clients should not use this value directly to generate a session id, but could rather use it as a seed to a pseudo-random generator. Such random generators are equivalent to java.util.Random and are not "cryptographically safe" anyway.

In practice, the SockJs javascript client has never used this source of entropy and used the browser crypto API, which is safe. Our own SockJsClient is not using this source of entropy either.

While this has no concrete effect on known clients, we should still use a stronger source of entropy for clients and use instead java.security.SecureRandom.
@bclozel bclozel added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement labels Oct 1, 2024
@bclozel bclozel added this to the 6.2.0-RC2 milestone Oct 1, 2024
@bclozel bclozel self-assigned this Oct 1, 2024
@bclozel bclozel closed this as completed in 8cd2c40 Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bclozel bclozel

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement
Projects
None yet
Milestone
6.2.0-RC2
Development

No branches or pull requests
1 participant
@bclozel