We have a Java 8 Maven module. This module uses a plugin:
> <groupId>org.codehaus.mojo</groupId>
> <artifactId>gwt-maven-plugin</artifactId>
> <version>2.5.1</version>
Recently we scanned this module for Fortify vulnerabilities. Based on the recommendation, I removed java.util.Random and inserted java.security.SecureRandom. Eclipse is OK with this change: there is no compile-time error, the import is properly found, and I can see the source code of the SecureRandom class. The problem is that when I do mvn run install, the GWT plugin marks this as a compilation failure. The reason is that no source code is available for java.security.SecureRandom. I tried a few approaches, like skipping the compilation of the particular Java file where SecureRandom is imported, but it is not working, and I am also not convinced by that solution.
I also found the question below; as suggested there, I tried adding this import in the GWT XML, but the SecureRandom class is not specified in GWT_JRE_EMULATION:
how to import java.security.* in my gwt application
Because of corporate restrictions I am not able to present any screenshots, but I have explained the scenario to the best of my ability. Happy to provide more information if required. Any help/guidance is appreciated!
It is important to remember that GWT will produce output that runs in the browser - while java.util.Random might give you a vulnerability in your scanner, what is the nature of the vulnerability, and is it at all affected by the fact that the code will run in the browser? Unless you are doing cryptography in the browser, I'm unsure how this would matter - it might be that you can safely ignore this warning.
The java.util.Random type specifies the algorithm to use when generating random numbers, and so the GWT emulation for this class can follow that exactly. On the other hand, java.security.SecureRandom is a little more vague, and indicates that behavior will be implementation specific. In theory we could add a SecureRandom implementation that uses the Crypto.getRandomValues API, but I'm not sure if there are other caveats here - for example, to be a full implementation, java.security.Security.getProviders() would also need to be emulated, and probably other APIs as well, which might result in some answers that would confuse code expecting the real JVM's set of random number providers.
The answer you linked has a comment that points to https://github.com/mooreds/gwt-crypto, which does indeed contain an implementation of SecureRandom - did that not work for you?
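The client-side alternative the answer sketches, a random source backed by the browser's crypto.getRandomValues, as an added example that is not from the question, the answer, or gwt-crypto. It assumes GWT with JSNI (present in 2.5.1), a class name BrowserSecureRandom of my own choosing, and a browser that exposes window.crypto; it does not make the GWT compiler accept the java.security.SecureRandom import, it replaces that usage in client code.

```java
import com.google.gwt.core.client.JsArrayInteger;

// Client-side stand-in for SecureRandom in GWT code: bytes come from the
// browser CSPRNG (crypto.getRandomValues) instead of java.util.Random.
public final class BrowserSecureRandom {

    private BrowserSecureRandom() {}

    /** Fills out[] with random bytes from the browser CSPRNG; fails loudly if there is none. */
    public static void nextBytes(byte[] out) {
        if (!isSupported()) {
            throw new UnsupportedOperationException("window.crypto.getRandomValues unavailable");
        }
        JsArrayInteger vals = randomValues(out.length);
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) vals.get(i); // 0..255 narrowed to a signed Java byte
        }
    }

    /** Uniform int in [0, bound), using the JDK's rejection loop to avoid modulo bias. */
    public static int nextInt(int bound) {
        if (bound <= 0) throw new IllegalArgumentException("bound must be positive");
        int bits, val;
        do {
            bits = next31();
            val = bits % bound;
        } while (bits - val + (bound - 1) < 0); // overflow: bits fell in the biased tail, redraw
        return val;
    }

    /** 31 random bits assembled from four CSPRNG bytes. */
    private static int next31() {
        byte[] b = new byte[4];
        nextBytes(b);
        return ((b[0] & 0x7f) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }

    private static native boolean isSupported() /*-{
        return !!($wnd.crypto && $wnd.crypto.getRandomValues);
    }-*/;

    // JSNI: fill a Uint8Array from the browser CSPRNG and return it as a plain JS array.
    private static native JsArrayInteger randomValues(int n) /*-{
        var buf = new Uint8Array(n);
        $wnd.crypto.getRandomValues(buf);
        var out = [];
        for (var i = 0; i < n; i++) out.push(buf[i]);
        return out;
    }-*/;
}
```

Keep the class in a client package covered by the GWT module's source path; it has no JVM-side meaning, so any server code should keep using the real java.security.SecureRandom.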