update dependencies, migrate RandomStringUtils

core/src/main/java/de/bstly/we/businesslogic/Setup.java

@@ -61,7 +61,7 @@ public class Setup implements SmartInitializingSingleton {
 		// create admin account if not found
 		if (!setup || !systemPropertyManager.has("setup")) {
 			if (!StringUtils.hasText(adminPassword)) {
-				adminPassword = RandomStringUtils.random(24, true, true);
+				adminPassword = RandomStringUtils.secure().next(24, true, true);
 				logger.error("password for 'admin': " + adminPassword);
 			}
 			User admin = userManager.create("admin", adminPassword, UserStatus.SLEEP);

core/src/main/java/de/bstly/we/businesslogic/UserManager.java

@@ -271,7 +271,7 @@ public class UserManager implements UserDataProvider {
 	 */
 	public void passwordReset(User user, ServletOutputStream outputStream) {
 		// TODO: change to public key profile field
-		String resetToken = RandomStringUtils.random(64, true, true);
+		String resetToken = RandomStringUtils.secure().next(64, true, true);
 		String command = "echo \"" + resetToken + "\" | gpg -ear " + getBstlyEmail(user.getUsername())
 				+ " --always-trust";
 

core/src/main/java/de/bstly/we/controller/UserDomainController.java

@@ -60,7 +60,7 @@ public class UserDomainController extends BaseController {
 
 		userDomain.setTarget(getCurrentUserId());
 		userDomain.setValidated(false);
-		userDomain.setSecret(RandomStringUtils.random(UserDomainManager.DEFAULT_SECRET_LENGTH, true, true));
+		userDomain.setSecret(RandomStringUtils.secure().next(UserDomainManager.DEFAULT_SECRET_LENGTH, true, true));
 
 		Errors errors = new RequestBodyErrors(userDomain);
 

core/src/main/java/de/bstly/we/controller/UserDomainManagementController.java

@@ -100,7 +100,7 @@ public class UserDomainManagementController extends BaseController {
 
 		if (userDomain.getId() == null) {
 			userDomain.setValidated(false);
-			userDomain.setSecret(RandomStringUtils.random(UserDomainManager.DEFAULT_SECRET_LENGTH, true, true));
+			userDomain.setSecret(RandomStringUtils.secure().next(UserDomainManager.DEFAULT_SECRET_LENGTH, true, true));
 		}
 
 		return userDomainManager.save(userDomain);

dyndns/src/main/java/de/bstly/we/dyndns/businesslogic/DyndnsTokenManager.java

@@ -53,7 +53,7 @@ public class DyndnsTokenManager implements UserDataProvider {
 	 */
 	public DyndnsToken create(Long owner, boolean quota) {
 		DyndnsToken dyndnsToken = new DyndnsToken();
-		String token = RandomStringUtils.random(TOKEN_LENGTH, true, true);
+		String token = RandomStringUtils.secure().next(TOKEN_LENGTH, true, true);
 		dyndnsToken.setOwner(owner);
 		dyndnsToken.setToken(token);
 		dyndnsToken.setTokenHash(passwordEncoder.encode(dyndnsToken.getToken()));

invite/src/main/java/de/bstly/we/invite/businesslogic/InviteManager.java

@@ -165,9 +165,9 @@ public class InviteManager implements UserDataProvider {
 	 */
 	public Invite save(Invite invite) {
 		if (!StringUtils.hasText(invite.getCode())) {
-			invite.setCode(RandomStringUtils.random(codeLength, true, true).toUpperCase());
+			invite.setCode(RandomStringUtils.secure().next(codeLength, true, true).toUpperCase());
 			while (inviteRepository.exists(qInvite.code.eq(invite.getCode()))) {
-				invite.setCode(RandomStringUtils.random(codeLength, true, true).toUpperCase());
+				invite.setCode(RandomStringUtils.secure().next(codeLength, true, true).toUpperCase());
 			}
 		}
 

oidc/src/main/java/de/bstly/we/oidc/businesslogic/OidcClientManager.java

@@ -107,14 +107,14 @@ public class OidcClientManager {
 		oidcClient.setAlwaysPermitted(alwaysPermitted);
 		oidcClient.setTokenLifetime(OIDC_CLIENT_TOKEN_LIFETIME);
 
-		String clientId = RandomStringUtils.random(OIDC_CLIENT_CLIENT_ID_LENGTH, true, true);
+		String clientId = RandomStringUtils.secure().next(OIDC_CLIENT_CLIENT_ID_LENGTH, true, true);
 
 		while (oidcClientRepository.findOne(qOidcClient.clientId.eq(clientId)).isPresent()) {
-			clientId = RandomStringUtils.random(OIDC_CLIENT_CLIENT_ID_LENGTH, true, true);
+			clientId = RandomStringUtils.secure().next(OIDC_CLIENT_CLIENT_ID_LENGTH, true, true);
 		}
 
 		oidcClient.setClientId(clientId);
-		oidcClient.setClientSecret(RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
+		oidcClient.setClientSecret(RandomStringUtils.secure().next(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
 
 		return oidcClientRepository.save(oidcClient);
 	}
@@ -138,7 +138,7 @@ public class OidcClientManager {
 	public OidcClient createNewSecretByClientName(String clientName) {
 		OidcClient oidcClient = getByClientName(clientName);
 		Assert.notNull(oidcClient, "No client found for name '" + clientName + "'");
-		oidcClient.setClientSecret(RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
+		oidcClient.setClientSecret(RandomStringUtils.secure().next(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
 
 		return oidcClientRepository.save(oidcClient);
 	}

oidc/src/main/java/de/bstly/we/oidc/businesslogic/OidcSessionManager.java

@@ -72,11 +72,11 @@ public class OidcSessionManager {
 	 * @return the string
 	 */
 	public String createSid() {
-		String sid = new StringBuilder(RandomStringUtils.random(SID_LENGTH, true, true)).insert(8, "-").insert(13, "-")
+		String sid = new StringBuilder(RandomStringUtils.secure().next(SID_LENGTH, true, true)).insert(8, "-").insert(13, "-")
 				.insert(18, "-").insert(23, "-").toString();
 
 		while (oidcSessionRepository.exists(qOidcSession.sid.eq(sid))) {
-			sid = new StringBuilder(RandomStringUtils.random(SID_LENGTH, true, true)).insert(8, "-").insert(13, "-")
+			sid = new StringBuilder(RandomStringUtils.secure().next(SID_LENGTH, true, true)).insert(8, "-").insert(13, "-")
 					.insert(18, "-").insert(23, "-").toString();
 		}
 		return sid;
@@ -401,7 +401,7 @@ public class OidcSessionManager {
 		claimsSetBuilder.issuer(issuer);
 		claimsSetBuilder.audience(client.getClientId());
 		claimsSetBuilder.issueTime(new Date());
-		claimsSetBuilder.jwtID(RandomStringUtils.random(JWT_ID_LENGTH, true, true));
+		claimsSetBuilder.jwtID(RandomStringUtils.secure().next(JWT_ID_LENGTH, true, true));
 		if (StringUtils.hasText(sid)) {
 			claimsSetBuilder.claim("sid", sid);
 		}

oidc/src/main/java/de/bstly/we/oidc/businesslogic/OidcTokenManager.java

@@ -133,7 +133,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
 	 */
 	public OidcToken createToken(OidcClient client, Long userId, boolean refreshToken) {
 		return createToken(client, userId,
-				refreshToken ? RandomStringUtils.random(REFRESH_TOKEN_LENGTH, true, true) : null);
+				refreshToken ? RandomStringUtils.secure().next(REFRESH_TOKEN_LENGTH, true, true) : null);
 	}
 
 	/**
@@ -148,7 +148,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
 		OidcToken token = new OidcToken();
 		token.setClient(client.getId());
 		token.setUserId(userId);
-		token.setAccessToken(RandomStringUtils.random(ACCESS_TOKEN_LENGTH, true, true));
+		token.setAccessToken(RandomStringUtils.secure().next(ACCESS_TOKEN_LENGTH, true, true));
 		if (StringUtils.hasText(refreshToken)) {
 			token.setRefreshToken(refreshToken);
 		}
@@ -179,7 +179,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
 
 		token.setUserId(user.getId());
 		token.setAlias(alias);
-		token.setAccessToken(RandomStringUtils.random(ACCESS_TOKEN_LENGTH, true, true));
+		token.setAccessToken(RandomStringUtils.secure().next(ACCESS_TOKEN_LENGTH, true, true));
 		token.setExpiresIn(client.getTokenLifetime());
 
 		Builder claimsSetBuilder = createUserClaims(client, user, alias);

oidc/src/main/java/de/bstly/we/oidc/businesslogic/model/OidcAuthorizationCode.java

@@ -41,7 +41,7 @@ public class OidcAuthorizationCode {
 		this.clientId = clientId;
 		this.redirectUri = redirectUri;
 		this.scopes = scopes;
-		this.code = RandomStringUtils.random(CODE_LENGTH, true, true);
+		this.code = RandomStringUtils.secure().next(CODE_LENGTH, true, true);
 		this.expiry = Instant.now().plus(EXPIRY_MINUTES, ChronoUnit.MINUTES);
 		this.userId = userId;
 		this.nonce = nonce;

partey/src/main/java/de/bstly/we/partey/timeslot/controller/validation/TimeslotValidator.java

@@ -182,7 +182,7 @@ public class TimeslotValidator implements Validator {
 		}
 
 		if (!StringUtils.hasText(timeslot.getSecret())) {
-			timeslot.setSecret(RandomStringUtils.random(STREAM_SECRET_LENGTH, true, true));
+			timeslot.setSecret(RandomStringUtils.secure().next(STREAM_SECRET_LENGTH, true, true));
 		}
 	}
 

pom.xml

@@ -20,7 +20,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.4.0</version>
+		<version>3.4.5</version>
 		<relativePath />
 	</parent>
 

urlshortener/src/main/java/de/bstly/we/urlshortener/businesslogic/ShortenedUrlManager.java

@@ -179,9 +179,9 @@ public class ShortenedUrlManager implements SmartInitializingSingleton, UserData
 		if (StringUtils.hasText(code)) {
 			Assert.isTrue(!shortenedUrlRepository.existsById(code), "Given code already exists!");
 		} else {
-			code = RandomStringUtils.random(codeLength, true, true).toUpperCase();
+			code = RandomStringUtils.secure().next(codeLength, true, true).toUpperCase();
 			while (shortenedUrlRepository.existsById(code)) {
-				code = RandomStringUtils.random(codeLength, true, true).toUpperCase();
+				code = RandomStringUtils.secure().next(codeLength, true, true).toUpperCase();
 			}
 		}