Fail gracefully on invalid token strings (#51014) (#51096)

When we receive a request with an Authorization header that contains
a Bearer token that is not generated by us or that is malformed in
some way, attempting to decode it as one of our own might cause a
number of exceptions that are not IOExceptions. This commit ensures
that we catch and log these too and call onResponse with `null`, so
that we can return 401 instead of 500.

Resolves: #50497
Ioannis Kakavas 2020-01-16 17:00:17 +02:00 committed by GitHub
parent 584cb0d926
commit d0554fd317
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions

@ -527,7 +527,7 @@ public final class TokenService {
listener.onResponse(null);
}
}
} catch (IOException e) {
} catch (Exception e) {
// could happen with a token that is not ours
if (logger.isDebugEnabled()) {
logger.debug("built in token service unable to decode token", e);
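Review bot: The widened `catch (Exception e)` also swallows any unexpected runtime failure in the decode path, and the only trace left is `logger.debug(...)` behind `isDebugEnabled()`, so a genuine bug in token decoding would be indistinguishable from an ordinary rejected token on a cluster running at default log levels. Consider catching only the exception types that a foreign or malformed Bearer string actually raises, or keep the broad catch but log exception types you did not anticipate at a higher level than debug. The existing comment "could happen with a token that is not ours" would also benefit from naming the non-IOException cases it now covers. The commit changes a single file, so no test accompanies it; a unit test that passes a malformed Bearer string and asserts the listener receives `null` would pin the behaviour described in the commit message.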