Handle invalid tokens

Eg. after deletion of user signing keys for JWT tokens, resolving tokens throws an Authentication Exception. This must be caught.
2025-11-17 10:41:06 +01:00 · 2018-12-06 08:13:55 +01:00
parent 7bcf7a4774
commit c328a94147
2 changed files with 11 additions and 2 deletions
--- a/scm-webapp/src/main/java/sonia/scm/web/security/TokenRefreshFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/TokenRefreshFilter.java
@@ -1,5 +1,6 @@
 package sonia.scm.web.security;

+import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -64,7 +65,13 @@ public class TokenRefreshFilter extends HttpFilter {
  }

  private void examineToken(HttpServletRequest request, HttpServletResponse response, BearerToken token) {
-    AccessToken accessToken = resolver.resolve(token);
+    AccessToken accessToken;
+    try {
+      accessToken = resolver.resolve(token);
+    } catch (AuthenticationException e) {
+      LOG.trace("could not resolve token", e);
+      return;
+    }
    if (accessToken instanceof JwtAccessToken) {
      refresher.refresh((JwtAccessToken) accessToken)
        .ifPresent(jwtAccessToken -> refreshToken(request, response, jwtAccessToken));