This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/misc-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 7b4d15e8230bb42da0ba3dd6a387c2892881a3e0
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 12 08:27:30 2026 +0100
Switch to use constant time secret comparison
---
.../cxf/rs/security/oauth2/services/AbstractTokenService.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index b2a94b1092e..b9fa880fece 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -19,6 +19,8 @@ package org.apache.cxf.rs.security.oauth2.services;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.List;
@@ -138,7 +140,9 @@ public class AbstractTokenService extends AbstractOAuthService {
 if (clientSecretVerifier != null) {
 return clientSecretVerifier.validateClientSecret(client, providedClientSecret);
 }
- return client.getClientSecret() != null && client.getClientSecret().equals(providedClientSecret);
+ return client.getClientSecret() != null && providedClientSecret != null && MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8), providedClientSecret.getBytes(StandardCharsets.UTF_8));
 }
 protected boolean isValidPublicClient(Client client, String clientId) {
 return canSupportPublicClients
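Review bot: The new `MessageDigest.isEqual` call in the second hunk still leaves comparison time dependent on the byte lengths of the two secrets, because as far as I recall the constant-time guarantee only covers arrays of equal length (older JDKs return early on a length mismatch; newer ones size the loop by the first argument), so the change removes the byte-by-byte leak of `String.equals` but not the length signal. Hashing both values to a fixed-length SHA-256 digest before calling `isEqual` removes that dependence, and it also lets `client.getClientSecret()` be read once instead of twice, which keeps the null check and the compared value consistent if the getter is ever not a plain field read. The rewrite below needs `java.security.NoSuchAlgorithmException` in addition to the imports the first hunk adds; the `clientSecretVerifier` delegation above it is untouched. The enclosing method's signature lies above the hunk, so its name and Javadoc are not visible here.
```java
// … unchanged: clientSecretVerifier delegation …
String expectedSecret = client.getClientSecret();
if (expectedSecret == null || providedClientSecret == null) {
    return false;
}
// Compare fixed-length digests so that neither the comparison loop nor a length
// mismatch short-circuit lets response timing reveal anything about the stored secret.
MessageDigest digest;
try {
    digest = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
    throw new IllegalStateException("SHA-256 is a mandatory JCA algorithm", e);
}
return MessageDigest.isEqual(digest.digest(expectedSecret.getBytes(StandardCharsets.UTF_8)),
                             digest.digest(providedClientSecret.getBytes(StandardCharsets.UTF_8)));
```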
