[jira] [Resolved] (LANG-1807) Make private static variables final in RandomUtils and fix the Javadoc for the insecure() methods in both RandomUtils and RandomStringUtils

Mon, 22 Dec 2025 07:57:06 -0800 


     [ 
https://issues.apache.org/jira/browse/LANG-1807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary D. Gregory resolved LANG-1807.
-----------------------------------
    Fix Version/s: 3.20.1
       Resolution: Fixed

Hello [~zhongxin]

Thank you for your report. 

Please see git master or snapshot builds in 
https://repository.apache.org/content/repositories/snapshots/

If the HEAD of git master works for you, please close this ticket.


> Make private static variables final in RandomUtils and fix the Javadoc for 
> the insecure() methods in both RandomUtils and RandomStringUtils
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1807
>                 URL: https://issues.apache.org/jira/browse/LANG-1807
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.20.0
>            Reporter: Zhongxin Yan
>            Priority: Major
>             Fix For: 3.20.1
>
>         Attachments: image-2025-12-22-23-24-49-830.png
>
>
> h2. 1. Make private static singleton variables final in RandomUtils
> The {{RandomUtils}} class maintains three core singleton instances exposed 
> via static fields, which are currently missing the {{final}} modifier:
> {code:java}
> // code placeholder
> private static RandomUtils INSECURE = new 
> RandomUtils(ThreadLocalRandom::current);
> private static RandomUtils SECURE = new RandomUtils(SecureRandom::new);
> private static RandomUtils SECURE_STRONG = new 
> RandomUtils(SECURE_STRONG_SUPPLIER); {code}
> The cause of the error is similar to that of LANG-1799
> h2. 2. Fix Javadoc for {{insecure()}} methods in RandomUtils and 
> RandomStringUtils
> !image-2025-12-22-23-24-49-830.png|width=451,height=147!
> The current Javadoc for {{RandomUtils.insecure()}} contains misleading 
> information:
> {code:java}
> // code placeholder
> "use {@link #secure()} to use an algorithms/providers specified in the {@code 
> securerandom.strongAlgorithms}" {code}
> This is incorrect because the securerandom.strongAlgorithms property is only 
> used by secureStrong(), which internally relies on 
> SecureRandom.getInstanceStrong(). The secure() method uses 
> SecureRandom.SecureRandom() (default algorithm) and has no connection to 
> securerandom.strongAlgorithms.
> [github PR|https://github.com/apache/commons-lang/pull/1539]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to