passwordfix: This removes the password clearing from the authentication service

This fixes a bug when the UsernamePasswordToken is cached in the userContext and reused after it's cleared.

Original commit: elastic/x-pack-elasticsearch@9aab1d8530
This commit is contained in:
c-a-m 2014-09-27 11:23:38 -06:00
parent da3aacf107
commit 402749e12b
1 changed files with 16 additions and 21 deletions

View File

@ -97,7 +97,6 @@ public class InternalAuthenticationService extends AbstractComponent implements
@SuppressWarnings("unchecked")
public User authenticate(String action, TransportMessage<?> message, AuthenticationToken token) throws AuthenticationException {
assert token != null : "cannot authenticate null tokens";
try {
User user = (User) message.getContext().get(USER_CTX_KEY);
if (user != null) {
return user;
@ -117,9 +116,5 @@ public class InternalAuthenticationService extends AbstractComponent implements
auditTrail.authenticationFailed(token, action, message);
}
throw new AuthenticationException("Unable to authenticate user for request");
} finally {
token.clearCredentials();
}
}
}