Fail gracefully on invalid token strings (elastic#51014)

When we receive a request with an Authorization header that contains a Bearer token that is not generated by us or that is malformed in some way, attempting to decode it as one of our own might cause a number of exceptions that are not IOExceptions. This commit ensures that we catch and log these too and call onResponse with `null, so that we can return 401 instead of 500. Resolves: elastic#50497
jkakavas · Jan 16, 2020 · 295ca50 · 295ca50
1 parent 67d8fdb
commit 295ca50
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...ck/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/...ck/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -527,7 +527,7 @@ void decodeToken(String token, ActionListener<UserToken> listener) {
                     listener.onResponse(null);
                 }
             }
-        } catch (IOException e) {
+        } catch (Exception e) {
             // could happen with a token that is not ours
             if (logger.isDebugEnabled()) {
                logger.debug("built in token service unable to decode token", e);