WICKET-7174: DefaultSecureRandomSupplier does not work for FIPS (#1361)

martin-g · web-flow · commit 5710d7d276bb · 2026-01-27T08:50:03.000+02:00
1. Lazy load DefaultSecureRandomSupplier in SecuritySettings.java
2. Lazy load `SecureRandom.getInstance("SHA1PRNG")` in
DefaultSecureRandomSupplier.java
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
@@ -32,23 +32,24 @@
  */
 public class DefaultSecureRandomSupplier implements ISecureRandomSupplier
 {
-	private SecureRandom random;
-
-	public DefaultSecureRandomSupplier()
+	private static final class Holder
 	{
-		try
-		{
-			random = SecureRandom.getInstance("SHA1PRNG");
-		}
-		catch (NoSuchAlgorithmException e)
+		private static final SecureRandom INSTANCE;
+
+		static
 		{
-			throw new WicketRuntimeException(e);
+			try
+			{
+				INSTANCE = SecureRandom.getInstance("SHA1PRNG");
+			} catch (NoSuchAlgorithmException e) {
+				throw new WicketRuntimeException(e);
+			}
 		}
 	}
 
 	@Override
 	public SecureRandom getRandom()
 	{
-		return random;
+		return Holder.INSTANCE;
 	}
 }
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java b/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java
@@ -59,7 +59,7 @@ public class SecuritySettings
 	private ICryptFactory cryptFactory;
 
 	/** supplier of random data and SecureRandom */
-	private ISecureRandomSupplier randomSupplier = new DefaultSecureRandomSupplier();
+	private ISecureRandomSupplier randomSupplier;
 
 	/**
 	 * Whether mounts should be enforced. If {@code true}, requests for a page will be
@@ -139,6 +139,10 @@ public synchronized ICryptFactory getCryptFactory()
 	 */
 	public ISecureRandomSupplier getRandomSupplier()
 	{
+		if (randomSupplier == null)
+		{
+			randomSupplier = new DefaultSecureRandomSupplier();
+		}
 		return randomSupplier;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -32,23 +32,24 @@`
`32`	`32`	`*/`
`33`	`33`	`public class DefaultSecureRandomSupplier implements ISecureRandomSupplier`
`34`	`34`	`{`
`35`		`- private SecureRandom random;`
`36`		`-`
`37`		`- public DefaultSecureRandomSupplier()`
	`35`	`+ private static final class Holder`
`38`	`36`	`{`
`39`		`- try`
`40`		`- {`
`41`		`- random = SecureRandom.getInstance("SHA1PRNG");`
`42`		`- }`
`43`		`- catch (NoSuchAlgorithmException e)`
	`37`	`+ private static final SecureRandom INSTANCE;`
	`38`	`+`
	`39`	`+ static`
`44`	`40`	`{`
`45`		`- throw new WicketRuntimeException(e);`
	`41`	`+ try`
	`42`	`+ {`
	`43`	`+ INSTANCE = SecureRandom.getInstance("SHA1PRNG");`
	`44`	`+ } catch (NoSuchAlgorithmException e) {`
	`45`	`+ throw new WicketRuntimeException(e);`
	`46`	`+ }`
`46`	`47`	`}`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`@Override`
`50`	`51`	`public SecureRandom getRandom()`
`51`	`52`	`{`
`52`		`- return random;`
	`53`	`+ return Holder.INSTANCE;`
`53`	`54`	`}`
`54`	`55`	`}`