HADOOP-14001. Improve delegation token validity checking.

(cherry picked from commit 176346721006a03f41d028560e9e29b5931d5be2)
(cherry picked from commit c6c29d0080964e55ff84246af1e4149d1ef3162a)

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -110,6 +110,8 @@ Release 2.7.4 - UNRELEASED
     HADOOP-13839. Fix outdated tracing documentation.
     (Elek, Marton via iwasakims)
 
+    HADOOP-14001. Improve delegation token validity checking. (aajisaka)
+
 Release 2.7.3 - 2016-08-25
 
   INCOMPATIBLE CHANGES

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java

@@ -21,7 +21,7 @@ package org.apache.hadoop.security.token.delegation;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
 import java.io.IOException;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -446,7 +446,7 @@ extends AbstractDelegationTokenIdentifier>
   public synchronized void verifyToken(TokenIdent identifier, byte[] password)
       throws InvalidToken {
     byte[] storedPassword = retrievePassword(identifier);
-    if (!Arrays.equals(password, storedPassword)) {
+    if (!MessageDigest.isEqual(password, storedPassword)) {
       throw new InvalidToken("token (" + identifier
           + ") is invalid, password doesn't match");
     }
@@ -489,7 +489,7 @@ extends AbstractDelegationTokenIdentifier>
           + " with sequenceNumber=" + id.getSequenceNumber());
     }
     byte[] password = createPassword(token.getIdentifier(), key.getKey());
-    if (!Arrays.equals(password, token.getPassword())) {
+    if (!MessageDigest.isEqual(password, token.getPassword())) {
       throw new AccessControlException(renewer +
           " is trying to renew a token with wrong password");
     }