passwordfix: This removes the password clearing from the authentication service

This fixes a bug when the UsernamePasswordToken is cached in the userContext and reused after it's cleared. Original commit: elastic/x-pack-elasticsearch@9aab1d8530
2014-09-27 11:23:38 -06:00 · 2014-09-27 11:23:38 -06:00 · 402749e12b
parent da3aacf107
commit 402749e12b
1 changed files with 16 additions and 21 deletions
--- a/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@ -97,29 +97,24 @@ public class InternalAuthenticationService extends AbstractComponent implements
    @SuppressWarnings("unchecked")
    public User authenticate(String action, TransportMessage<?> message, AuthenticationToken token) throws AuthenticationException {
        assert token != null : "cannot authenticate null tokens";
-        try {
-            User user = (User) message.getContext().get(USER_CTX_KEY);
-            if (user != null) {
-                return user;
-            }
-            for (Realm realm : realms) {
-                if (realm.supports(token)) {
-                    user = realm.authenticate(token);
-                    if (user != null) {
-                        message.putInContext(USER_CTX_KEY, user);
-                        return user;
-                    } else if (auditTrail != null) {
-                        auditTrail.authenticationFailed(realm.type(), token, action, message);
-                    }
+        User user = (User) message.getContext().get(USER_CTX_KEY);
+        if (user != null) {
+            return user;
+        }
+        for (Realm realm : realms) {
+            if (realm.supports(token)) {
+                user = realm.authenticate(token);
+                if (user != null) {
+                    message.putInContext(USER_CTX_KEY, user);
+                    return user;
+                } else if (auditTrail != null) {
+                    auditTrail.authenticationFailed(realm.type(), token, action, message);
                }
            }
-            if (auditTrail != null) {
-                auditTrail.authenticationFailed(token, action, message);
-            }
-            throw new AuthenticationException("Unable to authenticate user for request");
-        } finally {
-            token.clearCredentials();
        }
-
+        if (auditTrail != null) {
+            auditTrail.authenticationFailed(token, action, message);
+        }
+        throw new AuthenticationException("Unable to authenticate user for request");
    }
 }