WICKET-7174: DefaultSecureRandomSupplier does not work for FIPS (#1361)

1. Lazy load DefaultSecureRandomSupplier in SecuritySettings.java
2. Lazy load `SecureRandom.getInstance("SHA1PRNG")` in
DefaultSecureRandomSupplier.java

(cherry picked from commit 5710d7d)

Author: martin-g

wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java

@@ -32,23 +32,24 @@
  */
 public class DefaultSecureRandomSupplier implements ISecureRandomSupplier
 {
-	private SecureRandom random;
-
-	public DefaultSecureRandomSupplier()
+	private static final class Holder
 	{
-		try
-		{
-			random = SecureRandom.getInstance("SHA1PRNG");
-		}
-		catch (NoSuchAlgorithmException e)
+		private static final SecureRandom INSTANCE;
+
+		static
 		{
-			throw new WicketRuntimeException(e);
+			try
+			{
+				INSTANCE = SecureRandom.getInstance("SHA1PRNG");
+			} catch (NoSuchAlgorithmException e) {
+				throw new WicketRuntimeException(e);
+			}
 		}
 	}
 
 	@Override
 	public SecureRandom getRandom()
 	{
-		return random;
+		return Holder.INSTANCE;
 	}
 }

wicket-core/src/main/java/org/apache/wicket/settings/SecuritySettings.java

@@ -66,7 +66,7 @@ public class SecuritySettings
 	private ICryptFactory cryptFactory;
 
 	/** supplier of random data and SecureRandom */
-	private ISecureRandomSupplier randomSupplier = new DefaultSecureRandomSupplier();
+	private ISecureRandomSupplier randomSupplier;
 
 	/**
 	 * Whether mounts should be enforced. If {@code true}, requests for a page will be
@@ -146,6 +146,10 @@ public synchronized ICryptFactory getCryptFactory()
 	 */
 	public ISecureRandomSupplier getRandomSupplier()
 	{
+		if (randomSupplier == null)
+		{
+			randomSupplier = new DefaultSecureRandomSupplier();
+		}
 		return randomSupplier;
 	}