This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.6.x-fixes by this push:
new 3cad19f086e Backporting constant time comparison check
3cad19f086e is described below
commit 3cad19f086ed9629aaf59bbe984aa2409567212c
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 12 11:34:58 2026 +0100
Backporting constant time comparison check
---
.../cxf/rs/security/oauth2/services/AbstractTokenService.java | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 4931de1ab53..fb05cabbbc8 100644
---
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -19,6 +19,8 @@
package org.apache.cxf.rs.security.oauth2.services;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
@@ -139,7 +141,9 @@ public class AbstractTokenService extends
AbstractOAuthService {
if (clientSecretVerifier != null) {
return clientSecretVerifier.validateClientSecret(client,
providedClientSecret);
}
- return client.getClientSecret() != null &&
client.getClientSecret().equals(providedClientSecret);
+ return client.getClientSecret() != null && providedClientSecret != null
+ &&
MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8),
+
providedClientSecret.getBytes(StandardCharsets.UTF_8));
}
protected boolean isValidPublicClient(Client client, String clientId) {
return canSupportPublicClients
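Review bot: The new return on the `+` lines calls `client.getClientSecret()` twice, so the null check and the byte comparison could observe different values if that getter is not a plain field read; hoist it once, e.g. `String storedSecret = client.getClientSecret();` followed by `return storedSecret != null && providedClientSecret != null && MessageDigest.isEqual(storedSecret.getBytes(StandardCharsets.UTF_8), providedClientSecret.getBytes(StandardCharsets.UTF_8));`. A why-comment above that line would tell the next maintainer why `equals` was dropped, e.g. `// Constant-time comparison so verification time does not depend on how many leading bytes of the secret match`. Comparing UTF-8 encodings is equivalent to `String.equals` for well-formed strings; `getBytes` replaces unpaired surrogates, which is presumably irrelevant for client secrets but worth knowing. The enclosing method starts before the hunk, so its signature and any Javadoc are not visible here.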