Replace Random with SecureRandom for improved randomness in SAML2SSOTestBase

[HarishRock0]

Problem
The createID() method used java.util.Random, which relies on a linear congruential generator (LCG). LCGs are not cryptographically secure — an attacker who observes a sufficient number of generated SAML request IDs can predict future values, enabling:

SAML request ID spoofing
Replay attacks against the SAML authentication flow
This is a violation of OWASP Top 10 — A02: Cryptographic Failures.

Changes
SAML2SSOTestBase.java: Replaced import java.util.Random with import java.security.SecureRandom
SAML2SSOTestBase.java: Changed field declaration from private static Random random = new Random() to private static SecureRandom random = new SecureRandom()
Impact
SecureRandom is backed by OS-level entropy sources and satisfies cryptographic unpredictability requirements. The nextBytes() call site at createID() requires no changes — the API is identical.

No functional behaviour changes; this is a security hardening fix.

Summary by CodeRabbit

• Bug Fixes
  • Improved ID generation in SAML2SSO test infrastructure.

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a66df125-ca9f-4b7f-86dd-21c4c00488a3

📥 Commits

Reviewing files that changed from the base of the PR and between 5f04fac and fedd9f6.

📒 Files selected for processing (1)

• product-scenarios/scenarios-commons/src/main/java/org/wso2/identity/scenarios/commons/SAML2SSOTestBase.java

---

Walkthrough

A security improvement was made to switch the random number generation in SAML2 SSO testing from a non-cryptographic Random instance to SecureRandom, enhancing the randomness quality used for ID generation in test scenarios.

Changes

Cohort / File(s)	Summary
SecureRandom Migration product-scenarios/scenarios-commons/src/main/java/org/wso2/identity/scenarios/commons/SAML2SSOTestBase.java	Replaced java.util.Random import with java.security.SecureRandom and updated the static field initialization to use SecureRandom instead of Random for improved cryptographic randomness in SAML2 ID generation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A hop towards security's light,
Random now wears armor bright,
SecureRandom takes the stage,
IDs safer, age by age! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change—replacing Random with SecureRandom in SAML2SSOTestBase—and is concise, clear, and specific enough for teammates to understand the primary purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR hardens SAML AuthnRequest ID generation in the product scenario test utilities by switching from java.util.Random to java.security.SecureRandom in SAML2SSOTestBase, improving unpredictability of generated request IDs.

Changes:

• Replace Random import with SecureRandom.
• Update the static RNG field to use SecureRandom while keeping the existing createID() logic intact.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[HarishRock0]

Hi @splinter , @gnudeep , @hevayo ,
I’ve submitted this PR to WSO2 Identity Server and all automated checks have passed.
Could you please review it when you have some time?
Thank you for your guidance and support!

Regards,
Hariksan Thulasithas

[HarishRock0]

Hi @NipunaMadhushan ,

I’ve submitted this PR to WSO2 Identity Server and all automated checks have passed.
Could you please review it when you have some time?
Thank you for your guidance and support!

Regards,
Hariksan Thulasithas