eclipse-ee4j / mojarra

Mojarra, a Jakarta Faces implementation

#5375: jfwid may not leak session id #5402

Closed BalusC closed 4 months ago

BalusC commented 4 months ago

The original PR for https://github.com/eclipse-ee4j/mojarra/issues/5375 was against master instead of 4.0: https://github.com/eclipse-ee4j/mojarra/pull/5376. I cherry-picked it for 4.0 in https://github.com/eclipse-ee4j/mojarra/pull/5395, but there was a license concern (and I accidentally upmerged with 4.1 instead of 4.0), so I declined it.

Here's an improved and license-safe impl. I will update 4.0/5.0 accordingly once the PR is approved.

BalusC commented 4 months ago

Nope. It's now a UUID. Which is "too much" actually because it only needs to be session scoped. But that's OK for now and much easier to do. It's internally already using SecureRandom and friends, so we can ditch the whole TokenGenerator.
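To make the point of the PR title concrete, here is an added example (not Mojarra code and not from this thread) contrasting a hypothetical client window id scheme that embeds the HTTP session id with one that, as the comment above describes, simply uses a random UUID. The `LeakyWindowIds` class is an illustration of the failure mode, not Mojarra's previous implementation; `leaksSessionId` is a helper written for this example. `java.util.UUID.randomUUID()` is specified to use a cryptographically strong PRNG, which is why no separate token generator is needed.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicLong;

public class WindowIdDemo {

    // Hypothetical leaky scheme, for illustration only: the window id is built
    // from the HTTP session id, so every URL carrying jfwid also carries the
    // session id (into referer headers, access logs, bookmarks, shared links).
    static final class LeakyWindowIds {
        private final AtomicLong counter = new AtomicLong();

        String next(String sessionId) {
            return sessionId + "_" + counter.incrementAndGet();
        }
    }

    // Scheme described in the PR comment: an opaque random UUID. The id is
    // unrelated to the session id, and UUID.randomUUID() is backed by a
    // cryptographically strong PRNG, so it is unguessable as well as opaque.
    static final class RandomWindowIds {
        String next() {
            return UUID.randomUUID().toString();
        }
    }

    // Helper for this example: reports whether the window id reveals the
    // session id, either whole or as any window of `fragment` characters
    // (catches schemes that embed a prefix, suffix or hash-free slice of it).
    static boolean leaksSessionId(String windowId, String sessionId, int fragment) {
        if (windowId.contains(sessionId)) {
            return true;
        }
        for (int i = 0; i + fragment <= sessionId.length(); i++) {
            if (windowId.contains(sessionId.substring(i, i + fragment))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample session id, standing in for the container's JSESSIONID.
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String sessionId = HexFormat.of().withUpperCase().formatHex(raw);

        String leaky = new LeakyWindowIds().next(sessionId);
        String random = new RandomWindowIds().next();

        System.out.println("session id : " + sessionId);
        System.out.println("leaky jfwid: " + leaky + " leaks=" + leaksSessionId(leaky, sessionId, 8));
        System.out.println("uuid jfwid : " + random + " leaks=" + leaksSessionId(random, sessionId, 8));
    }
}
```

The fragment check is deliberately crude; it is there to show what "may not leak" means in practice: a window id that can be mapped back to the session id by anyone who sees the URL defeats the point of keeping the session id in a cookie. A per-session counter would satisfy the "only needs to be session scoped" remark in the comment above, but a UUID costs nothing extra and avoids keeping per-session state.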