Trying to keep up with some of the security jiras. You're producing a lot of code, thereby making it tricky
I think, in general, it's not that useful to write arbitrary writables to base64-encoded strings. Most browsers limit how long URL strings can be, so you've got to be pretty careful about what you're up to. Would you consider instead making this more specific, by moving this code into Token.getAsUrlSafeString() and (static) Token.fromUrlSafeString()? Or, equivalently, leave the code here, but in redirectToRandomDataNode() (patch in
HDFS-991), use a method on the Token instead of WritableUtils. (This has the additional property that one could serialize tokens however; they just have to have a URL-safe string serialization.)
Looked at the code and tests. Those look clear and good.