diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
index 52795a0df7e..a8aa602442b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
@@ -58,7 +58,7 @@ public MultivaluedMap fromRedirectState(MessageContext mc, MultivaluedMap redirectState) {
 String stateParam = redirectState.getFirst(OAuthConstants.STATE);
 String sessionToken = OAuthUtils.getSessionToken(mc, "state");
- if (sessionToken == null || !sessionToken.equals(stateParam)) {
+ if (!OAuthUtils.compareTokens(sessionToken, stateParam)) {
 throw new OAuthServiceException("Invalid session token");
 }
 return map.remove(stateParam);
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
index e5c09023760..e9b46b53692 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
@@ -76,7 +76,7 @@ public Response register(ClientRegistration request) {
 protected void checkInitialAuthentication() {
 if (initialAccessToken != null) {
 String accessToken = getRequestAccessToken();
- if (!initialAccessToken.equals(accessToken)) {
+ if (!OAuthUtils.compareTokens(initialAccessToken, accessToken)) {
 throw ExceptionUtils.toNotAuthorizedException(null, null);
 }
 } else {
@@ -105,7 +105,7 @@ protected String createRegAccessToken(Client client) {
 protected void checkRegistrationAccessToken(Client c, String accessToken) {
 String regAccessToken = c.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN);
- if (regAccessToken == null || !regAccessToken.equals(accessToken)) {
+ if (!OAuthUtils.compareTokens(regAccessToken, accessToken)) {
 throw ExceptionUtils.toNotAuthorizedException(null, null);
 }
 }
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 466c31fa6f8..0267ed33080 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -529,7 +529,7 @@ private boolean compareRequestAndSessionTokens(String requestToken,
 if (StringUtils.isEmpty(sessionToken)) {
 return false;
 }
- return requestToken.equals(sessionToken);
+ return OAuthUtils.compareTokens(requestToken, sessionToken);
 }
 /**
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 9864791e8b6..cee0893b95d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
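Review bot: The StringUtils.isEmpty guard on sessionToken in compareRequestAndSessionTokens still matters after the switch to OAuthUtils.compareTokens and deserves a comment saying so, because compareTokens only rejects null: without the guard an empty session token would compare equal to an empty request token. I would add above the guard `// an empty or missing session token never matches, even when the request token is empty too`. compareRequestAndSessionTokens begins outside the hunk, so whether requestToken receives the same emptiness check earlier cannot be seen here.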
@@ -88,6 +88,13 @@ public static void setCertificateThumbprintConfirmation(MessageContext mc, X509C
 }
 }
+ public static boolean compareTokens(String token1, String token2) {
+ if (token1 == null || token2 == null) {
+ return false;
+ }
+ return MessageDigest.isEqual(StringUtils.toBytesUTF8(token1), StringUtils.toBytesUTF8(token2));
+ }
+
 public static boolean compareCertificateThumbprints(X509Certificate cert, String encodedThumbprint) {
 try {
 byte[] thumbprint = createCertificateThumbprint(cert);
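Review bot: compareTokens is a new public helper whose null contract (either argument null returns false) is now what the call sites in MemoryClientCodeStateManager, DynamicRegistrationService and RedirectionBasedGrantService rely on, yet it has no Javadoc. I would add a Javadoc stating that it compares two tokens in constant time with respect to their content, that it returns false when either argument is null, and that MessageDigest.isEqual still returns as soon as the UTF-8 byte lengths differ, so the comparison does not hide token length; that is acceptable for fixed-length tokens but worth stating for callers comparing variable-length values. The hunk shows no import of java.security.MessageDigest; presumably it is already imported for the thumbprint code below, since the diff adds no import hunk.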