Fail gracefully on invalid token strings (#51014) (#51097)

When we receive a request with an Authorization header that contains a Bearer token that is not generated by us or that is malformed in some way, attempting to decode it as one of our own might cause a number of exceptions that are not IOExceptions. This commit ensures that we catch and log these too and call onResponse with `null, so that we can return 401 instead of 500. Resolves: #50497
elastic · Jan 16, 2020 · 5b28816 · 5b28816
1 parent 1433b84
commit 5b28816
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...ck/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/...ck/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -527,7 +527,7 @@ void decodeToken(String token, ActionListener<UserToken> listener) {
                     listener.onResponse(null);
                 }
             }
-        } catch (IOException e) {
+        } catch (Exception e) {
             // could happen with a token that is not ours
             if (logger.isDebugEnabled()) {
                logger.debug("built in token service unable to decode token", e);