hadoop-common-dev mailing list archives

From "Gregory Chanan (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11087) cancel delegation token succeeds if actual token is a substring of passed token
Date Fri, 12 Sep 2014 01:23:33 GMT
Gregory Chanan created HADOOP-11087:
---------------------------------------

             Summary: cancel delegation token succeeds if actual token is a substring of passed token
                 Key: HADOOP-11087
                 URL: https://issues.apache.org/jira/browse/HADOOP-11087
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.0
            Reporter: Gregory Chanan


I'm using the DelegationTokenAuthenticationFilter.  If I get "token" via op=GETDELEGATIONTOKEN
and pass "tokenBOGUS" via op=CANCELDELEGATIONTOKEN, the token is successfully cancelled. 
It looks like this is because Token.readFields knows the lengths of the token and just crops
it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
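
Added example, not part of the original message and not Hadoop code: a length-prefixed decoder of the kind the report describes accepts a token with bytes appended, unless it checks that the input was fully consumed. The wire format, class name, method names and sample values are constructed for illustration; the base64 URL encoding step is left out, and the strict check is one possible mitigation, not necessarily the fix applied for HADOOP-11087.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Constructed stand-in for a length-prefixed token; not Hadoop's Token class or wire format.
public class TrailingBytesDemo {
    // Serialize each field as a 4-byte length followed by the field bytes.
    static byte[] encode(byte[]... fields) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        for (byte[] f : fields) {
            out.writeInt(f.length);
            out.write(f);
        }
        return buf.toByteArray();
    }

    // Read fieldCount fields. With strict=false, bytes left after the last
    // field are silently dropped, which is the behaviour the report describes.
    static byte[][] decode(byte[] wire, int fieldCount, boolean strict) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        byte[][] fields = new byte[fieldCount][];
        for (int i = 0; i < fieldCount; i++) {
            int len = in.readInt();
            if (len < 0 || len > in.available()) throw new IOException("bad field length " + len);
            fields[i] = new byte[len];
            in.readFully(fields[i]);
        }
        if (strict && in.available() > 0) {
            throw new IOException(in.available() + " trailing bytes after last field");
        }
        return fields;
    }

    public static void main(String[] args) throws IOException {
        byte[] id = "owner=alice;seq=7".getBytes(StandardCharsets.UTF_8);  // constructed sample
        byte[] pw = "sample-password".getBytes(StandardCharsets.UTF_8);    // constructed sample
        byte[] token = encode(id, pw);
        byte[] suffix = "BOGUS".getBytes(StandardCharsets.UTF_8);
        byte[] padded = Arrays.copyOf(token, token.length + suffix.length);
        System.arraycopy(suffix, 0, padded, token.length, suffix.length);

        byte[][] lenient = decode(padded, 2, false);
        System.out.println("lenient decode equals original fields: "
                + Arrays.deepEquals(lenient, new byte[][] {id, pw}));
        try {
            decode(padded, 2, true);
            System.out.println("strict decode accepted padded token");
        } catch (IOException e) {
            System.out.println("strict decode rejected padded token: " + e.getMessage());
        }
    }
}
```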
