Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-15 09:46:16 +01:00
Code Issues Packages Projects Releases Activity

Handle invalid tokens

Browse Source 
Eg. after deletion of user signing keys for JWT tokens, resolving
tokens throws an Authentication Exception. This must be caught.
This commit is contained in:
René Pfeuffer
2018-12-06 08:13:55 +01:00
parent 7bcf7a4774
commit c328a94147
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
scm-webapp/src/main/java/sonia/scm/security/SecureKeyResolver.java
View File

@@ -112,7 +112,9 @@ public class SecureKeyResolver extends SigningKeyResolverAdapter
SecureKey key = store.get(subject); SecureKey key = store.get(subject);
checkState(key != null, "could not resolve key for subject %s", subject); if (key == null) {
return getSecureKey(subject).getBytes();
}
return key.getBytes(); return key.getBytes();
} }

9
scm-webapp/src/main/java/sonia/scm/web/security/TokenRefreshFilter.java
View File

@@ -1,5 +1,6 @@
package sonia.scm.web.security; package sonia.scm.web.security;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.AuthenticationToken;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -64,7 +65,13 @@ public class TokenRefreshFilter extends HttpFilter {
} }
private void examineToken(HttpServletRequest request, HttpServletResponse response, BearerToken token) { private void examineToken(HttpServletRequest request, HttpServletResponse response, BearerToken token) {
AccessToken accessToken = resolver.resolve(token); AccessToken accessToken;
try {
accessToken = resolver.resolve(token);
} catch (AuthenticationException e) {
LOG.trace("could not resolve token", e);
return;
}
if (accessToken instanceof JwtAccessToken) { if (accessToken instanceof JwtAccessToken) {
refresher.refresh((JwtAccessToken) accessToken) refresher.refresh((JwtAccessToken) accessToken)
.ifPresent(jwtAccessToken -> refreshToken(request, response, jwtAccessToken)); .ifPresent(jwtAccessToken -> refreshToken(request, response, jwtAccessToken));