
HADOOP-14001. Improve delegation token validity checking.

(cherry picked from commit 176346721006a03f41d028560e9e29b5931d5be2)
(cherry picked from commit c6c29d0080964e55ff84246af1e4149d1ef3162a)
(cherry picked from commit b8b8b9a32b0b12ea3f6356f0317729197871eac4)
Akira Ajisaka 8 years ago
parent
commit
deb0b10e8f

+ 3 - 3
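--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
@@ -21,7 +21,7 @@ package org.apache.hadoop.security.token.delegation;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
 import java.io.IOException;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -467,7 +467,7 @@ extends AbstractDelegationTokenIdentifier>
   public synchronized void verifyToken(TokenIdent identifier, byte[] password)
       throws InvalidToken {
     byte[] storedPassword = retrievePassword(identifier);
-    if (!Arrays.equals(password, storedPassword)) {
+    if (!MessageDigest.isEqual(password, storedPassword)) {
       throw new InvalidToken("token " + formatTokenId(identifier)
           + " is invalid, password doesn't match");
     }
@@ -516,7 +516,7 @@ extends AbstractDelegationTokenIdentifier>
           + id.getSequenceNumber());
     }
     byte[] password = createPassword(token.getIdentifier(), key.getKey());
-    if (!Arrays.equals(password, token.getPassword())) {
+    if (!MessageDigest.isEqual(password, token.getPassword())) {
       throw new AccessControlException(renewer
           + " is trying to renew a token "
           + formatTokenId(id) + " with wrong password");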
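Review bot: Both changed `if` lines (in verifyToken and in the renewal check of the last hunk) switch to `MessageDigest.isEqual` without a comment saying the comparison must stay constant-time, so a later cleanup could reasonably revert to `Arrays.equals` and reintroduce a timing side channel on the token password. I would add `// Constant-time comparison; do not replace with Arrays.equals, which stops at the first differing byte.` above each of the two checks. The method containing the renewal check starts and ends outside the hunk, and other password comparisons elsewhere in the class or its subclasses are not visible here, so it is worth confirming none still use `Arrays.equals`.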