
Improve random source in SockJS server support

Prior to this commit, the SockJS server support would use
`java.util.Random` to send a random value to clients when they request
the `/info` endpoint. Per protocol, clients can use this value as a
source of entropy for generating a random session id.

In practice, this is not used by clients. For example, the SockJS
JavaScript client is using a cryptographically safe API to generate
session ids.

While this has no concrete effect on known clients, this commit improves
the random source in the server support by switching to
`java.security.SecureRandom`.

Closes gh-33632
pull/33638/head
Brian Clozel 1 year ago
parent commit 8cd2c40860
1 file changed (5 lines changed):
spring-websocket/src/main/java/org/springframework/web/socket/sockjs/support/AbstractSockJsService.java

@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ package org.springframework.web.socket.sockjs.support; @@ -18,6 +18,7 @@ package org.springframework.web.socket.sockjs.support;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@ -72,7 +73,7 @@ public abstract class AbstractSockJsService implements SockJsService, CorsConfig @@ -72,7 +73,7 @@ public abstract class AbstractSockJsService implements SockJsService, CorsConfig
private static final long ONE_YEAR = TimeUnit.DAYS.toSeconds(365);
private static final Random random = new Random();
private static final Random random = new SecureRandom();
protected final Log logger = LogFactory.getLog(getClass());
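Review bot: the field in this hunk keeps the declared type `Random` even though the instance is now a `SecureRandom`; consider declaring it as `private static final SecureRandom random = new SecureRandom();` so the security intent is visible wherever the field is read and the type itself documents that a CSPRNG is required. The shared static instance is fine here: `SecureRandom` is safe for concurrent use, and since the commit message states that clients may use the `/info` value as an entropy source for session ids, the value should indeed come from a cryptographically strong generator rather than `java.util.Random`, whose output is predictable from a small number of observed values.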
