Gregory Chanan created HADOOP-11087:
---------------------------------------

             Summary: cancel delegation token succeeds if actual token is a 
substring of passed token
                 Key: HADOOP-11087
                 URL: https://issues.apache.org/jira/browse/HADOOP-11087
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
            Reporter: Gregory Chanan


I'm using the DelegationTokenAuthenticationFilter.  If I get "token" via 
op=GETDELEGATIONTOKEN and pass "tokenBOGUS" via op=CANCELDELEGATIONTOKEN, the 
token is successfully cancelled.  It looks like this is because 
Token.readFields knows the lengths of the token and just crops it.


