From 2a79c468f8624c3ccb452884dfd99e639d2d47da Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Wed, 9 Jan 2019 07:19:34 +0200
Subject: [PATCH] Ensure that ActionListener is called exactly once

This bug was introduced in #36893 and had the effect that execution would continue after calling onFailure on the the listener in checkIfTokenIsValid in the case that the token is expired. In a case of many consecutive requests this could lead to the unwelcome side effect of an expired access token producing a successful authentication response.
---
 .../org/elasticsearch/xpack/security/authc/TokenService.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
index b7bf96119a2..52c10813674 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -1017,8 +1017,7 @@ public final class TokenService {
 Instant currentTime = clock.instant();
 if (currentTime.isAfter(userToken.getExpirationTime())) {
 listener.onFailure(traceLog("validate token", userToken.getId(), expiredTokenException()));
- }
- if (securityIndex.indexExists() == false) {
+ } else if (securityIndex.indexExists() == false) {
 // index doesn't exist so the token is considered invalid as we cannot verify its validity
 logger.warn("failed to validate token [{}] since the security index doesn't exist", userToken.getId());
 listener.onResponse(null);
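Review bot: Nothing in this patch pins the expired-token path: the diffstat lists only TokenService.java, so the exactly-once guarantee rests on the single `else` added before `if (securityIndex.indexExists() == false)`. A regression test that validates an already-expired token and asserts one `onFailure` call and no `onResponse` call would keep a later refactor from reintroducing the successful authentication of an expired token that the commit message describes. I would also add a comment above the chain, e.g. `// every branch must complete the listener exactly once; an expired token must never reach the index checks`. The method starts and ends outside this hunk, so whether the remaining branches are chained the same way cannot be confirmed from here.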