Fail gracefully on invalid token strings (#51014)

jkakavas · web-flow · commit b02119c42377 · 2020-01-16T14:11:56.000+02:00
When we receive a request with an Authorization header that contains a Bearer token that is not generated by us or that is malformed in some way, attempting to decode it as one of our own might cause a number of exceptions that are not IOExceptions. This commit ensures that we catch and log these too and call onResponse with `null, so that we can return 401 instead of 500. Resolves: #50497
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/TokenService.java
@@ -526,7 +526,7 @@ void decodeToken(String token, ActionListener<UserToken> listener) {
                     listener.onResponse(null);
                 }
             }
-        } catch (IOException e) {
+        } catch (Exception e) {
             // could happen with a token that is not ours
             if (logger.isDebugEnabled()) {
                logger.debug("built in token service unable to decode token", e);

Original file line number	Diff line number	Diff line change
`@@ -526,7 +526,7 @@ void decodeToken(String token, ActionListener<UserToken> listener) {`
`526`	`526`	`listener.onResponse(null);`
`527`	`527`	`}`
`528`	`528`	`}`
`529`		`- } catch (IOException e) {`
	`529`	`+ } catch (Exception e) {`
`530`	`530`	`// could happen with a token that is not ours`
`531`	`531`	`if (logger.isDebugEnabled()) {`
`532`	`532`	`logger.debug("built in token service unable to decode token", e);`