From 8dd87f93d6d8a5fb39ffa45c89cde2b0d5d30530 Mon Sep 17 00:00:00 2001
From: Martin Tzvetanov Grigorov <mgrigorov@apache.org>
Date: Mon, 26 Jan 2026 15:02:08 +0200
Subject: [PATCH] WICKET-7174: DefaultSecureRandomSupplier does not work for
 FIPS

1. Lazy load DefaultSecureRandomSupplier in SecuritySettings.java
2. Lazy load `SecureRandom.getInstance("SHA1PRNG")` in
DefaultSecureRandomSupplier.java
---
 .../random/DefaultSecureRandomSupplier.java   | 21 ++++++++++---------
 .../wicket/settings/SecuritySettings.java     |  6 +++++-
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
index b8168b35de0..42e12ea6ddd 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java
@@ -32,23 +32,24 @@
  */
 public class DefaultSecureRandomSupplier implements ISecureRandomSupplier
 {
-	private SecureRandom random;
-
-	public DefaultSecureRandomSupplier()
+	private static final class Holder
 	{
-		try
-		{
-			random = SecureRandom.getInstance("SHA1PRNG");
-		}
-		catch (NoSuchAlgorithmException e)
+		private static final SecureRandom INSTANCE;
+
+		static
 		{
-			throw new WicketRuntimeException(e);
+			try
+			{
+				INSTANCE = SecureRandom.getInstance("SHA1PRNG");
+			} catch (NoSuchAlgorithmException e) {
+				throw new WicketRuntimeException(e);
+			}
 		}
 	}
 
 	@Override
 	public SecureRandom getRandom()
 	{
-		return random;
+		return Holder.INSTANCE;
 	}
 }
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java b/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java
index 1c55aadadff..fdd97825386 100644
--- a/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java
+++ b/wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java
@@ -59,7 +59,7 @@ public class SecuritySettings
 	private ICryptFactory cryptFactory;
 
 	/** supplier of random data and SecureRandom */
-	private ISecureRandomSupplier randomSupplier = new DefaultSecureRandomSupplier();
+	private ISecureRandomSupplier randomSupplier;
 
 	/**
 	 * Whether mounts should be enforced. If {@code true}, requests for a page will be
@@ -139,6 +139,10 @@ public synchronized ICryptFactory getCryptFactory()
 	 */
 	public ISecureRandomSupplier getRandomSupplier()
 	{
+		if (randomSupplier == null)
+		{
+			randomSupplier = new DefaultSecureRandomSupplier();
+		}
 		return randomSupplier;
 	}