Summary
Series relates to username; it should be unique. AFAIK, SecureRandom does not guarantee uniqueness. How did Spring Security solve it?
Actual Behavior
```java
// Existing series generator in PersistentTokenBasedRememberMeServices:
// 'seriesLength' and 'random' (a SecureRandom) are fields of that class.
protected String generateSeriesData() {
    byte[] newSeries = new byte[seriesLength];
    random.nextBytes(newSeries);
    return new String(Base64.getEncoder().encode(newSeries));
}
```
Comment From: fhanik
Thank you for the report @dengqingguo
I believe this class may have been written before java.util.UUID was introduced. While a collision is unlikely, switching to UUID seems like a reasonable enhancement.
Comment From: awephy
Got it. Thanks for your reply. @fhanik
Comment From: caronvincent
I would like to implement this enhancement. To be clear on how the method should behave, please tell me if this is correct:
- UUIDs should be generated with UUID.randomUUID(),
- The Base64 encoder should encode seriesLength bytes,
- Those bytes should come from a set of UUIDs (i.e if seriesLength is 18, the 16 first bytes would be from a first UUID and the remaining 2 bytes would be a second UUID's two most significant bytes).
Additionally, the method generateTokenData has effectively the same code as generateSeriesData, maybe its content should be changed as well?
Comment From: jzheaux
I guess I'm not clear on why this is necessary. Isn't java.net.UUID based off of SecureRandom? AFAIK, java.net.UUID takes a SecureRandom sequence of bytes and mutates it into the RFC 4122 standard.
java.net.UUID can be no more unique than its source so I don't see how changing to UUID is an improvement, especially since the existing implementation of PersistentTokenBasedRememberMeServices allows the application to configure the series value to have an arbitrary length.
Is there something I've misunderstood?
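The comparison made in the comment above, as an added example that is not part of the original issue or of Spring Security's own code: it places a series generator shaped like the existing `generateSeriesData()` next to a `UUID.randomUUID()` generator and reports how many random bits each actually carries. The `seriesLength` values are assumptions for the demo (16, and the 18 mentioned earlier in the thread); the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;

// Added example, not Spring Security code. Compares the SecureRandom-based
// series generator with a random (version 4) UUID and the random bits of each.
public class SeriesEntropyDemo {
    private static final SecureRandom RANDOM = new SecureRandom();

    // Same shape as the existing generateSeriesData(): seriesLength bytes
    // from SecureRandom, Base64-encoded. seriesLength is a parameter here
    // instead of a configurable field.
    static String secureRandomSeries(int seriesLength) {
        byte[] newSeries = new byte[seriesLength];
        RANDOM.nextBytes(newSeries);
        return Base64.getEncoder().encodeToString(newSeries);
    }

    // The proposed alternative. UUID.randomUUID() draws 16 bytes from
    // SecureRandom, then overwrites the version nibble (4) and the two
    // variant bits (10), so only 122 of 128 bits remain random.
    static String uuidSeries() {
        return UUID.randomUUID().toString();
    }

    // Random bits in a SecureRandom-based series of the given byte length.
    static int secureRandomBits(int seriesLength) {
        return seriesLength * 8;
    }

    // Random bits in a version-4 UUID: 128 - 4 (version) - 2 (variant).
    static int uuidRandomBits() {
        return 128 - 4 - 2;
    }

    // Confirms the RFC 4122 markers that a v4 UUID always carries:
    // version() == 4 and variant() == 2 (the IETF "10xx" variant).
    static boolean hasRfc4122Markers(UUID uuid) {
        return uuid.version() == 4 && uuid.variant() == 2;
    }

    // Rough birthday bound: about 2^(bits/2) values before a collision
    // becomes likely (around 50%). Neither generator checks for collisions;
    // both rely on the random bits being too many to collide in practice.
    static double approxBirthdayBound(int randomBits) {
        return Math.pow(2.0, randomBits / 2.0);
    }

    public static void main(String[] args) {
        for (int seriesLength : new int[] {16, 18}) { // assumed lengths for the demo
            System.out.printf("SecureRandom series (%d bytes): %s, %d random bits, ~%.3g values to a likely collision%n",
                    seriesLength, secureRandomSeries(seriesLength),
                    secureRandomBits(seriesLength), approxBirthdayBound(secureRandomBits(seriesLength)));
        }
        UUID uuid = UUID.randomUUID();
        System.out.printf("UUID series: %s, %d random bits, ~%.3g values to a likely collision, RFC 4122 markers present: %b%n",
                uuidSeries(), uuidRandomBits(), approxBirthdayBound(uuidRandomBits()), hasRfc4122Markers(uuid));
    }
}
```

The point the numbers make is the one in the comment: with the default-sized 16-byte series both generators draw from the same SecureRandom, and the UUID actually has six fewer random bits because of the fixed version and variant markers, while any seriesLength above 16 gives the existing generator strictly more entropy than a UUID can.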
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.