On Fri, 30 Sep 2016 11:34:10 -0500, Matt Sicker wrote:
I thought he meant that if your code works with either Random or
SecureRandom, you're doing it wrong. They both have very different use
cases, and the fact that SecureRandom extends Random contributes to the
confusion.

Indeed.
[I should have read the thread up to the top before duplicating your
answer.]


Regards,
Gilles

On 30 September 2016 at 08:02, Emmanuel Bourg <ebo...@apache.org> wrote:

On 28/09/2016 at 15:28, Gilles wrote:

> Conversely, using "SecureRandom" in place of a deterministic
> RNG is only useful in toy applications since the main feature
> (of non-secure RNGs) one usually needs is reproducibility.

I guess the Tomcat developers will love hearing they are building a toy
application :)

https://github.com/apache/tomcat80/blob/TOMCAT_8_0_37/java/org/apache/catalina/util/SessionIdGeneratorBase.java#L170


> [1] Even the Java architects have indirectly acknowledged that,
>     by having a new random-related class _NOT_ extend "Random"
>     (allowing them to drop all the cruft brought by it).

Are you referring to java.security.SecureRandomSpi not extending
java.util.Random? This is merely a mechanism that allows plugging in
extra implementations; the whole security package is designed around
this concept. But users only deal with SecureRandom, which extends Random.

Emmanuel Bourg
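
The point debated in this thread, as an added example that is not part of any of the messages and is not Tomcat or Commons code: a helper typed against Random accepts both generators, while a signature typed against SecureRandom keeps a seeded generator out of session-ID code. The class name, the method names hexToken and sessionId, and the seed value are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

public class RandomVsSecureRandom {

    // Hypothetical helper typed against Random: because SecureRandom extends
    // Random, it accepts both kinds of generator without complaint.
    static String hexToken(Random rng, int numBytes) {
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Hypothetical stricter variant for security tokens: the parameter type
    // rejects a plain java.util.Random at compile time.
    static String sessionId(SecureRandom rng, int numBytes) {
        return hexToken(rng, numBytes);
    }

    public static void main(String[] args) {
        long seed = 42L; // constructed sample seed

        // Deterministic RNG: the same seed yields the same sequence. That is
        // the reproducibility simulations need, and the reason its output
        // must not be used as a secret.
        String a = hexToken(new Random(seed), 16);
        String b = hexToken(new Random(seed), 16);
        System.out.println("Random, same seed, tokens equal: " + a.equals(b));

        // SecureRandom seeds itself from the platform entropy source, so the
        // caller has no seed with which to replay the sequence.
        String c = sessionId(new SecureRandom(), 16);
        String d = sessionId(new SecureRandom(), 16);
        System.out.println("SecureRandom, two instances, tokens equal: " + c.equals(d));

        // sessionId(new Random(seed), 16); // rejected by the compiler
    }
}
```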



