Gregory Chanan created HADOOP-11087:
---------------------------------------

             Summary: cancel delegation token succeeds if actual token is a substring of passed token
                 Key: HADOOP-11087
                 URL: https://issues.apache.org/jira/browse/HADOOP-11087
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
            Reporter: Gregory Chanan

I'm using the DelegationTokenAuthenticationFilter. If I get "token" via op=GETDELEGATIONTOKEN and pass "tokenBOGUS" via op=CANCELDELEGATIONTOKEN, the token is successfully cancelled. It looks like this is because Token.readFields knows the lengths of the token and just crops it.