Google Git
Sign in
apache / guacamole-client / 339c920a89ba6d2363bd442d77490b00237ce650^1..339c920a89ba6d2363bd442d77490b00237ce650 / .
commit339c920a89ba6d2363bd442d77490b00237ce650[log] [tgz]
authorMike Jumper <mjumper@apache.org>Mon Aug 19 00:11:19 2019 -0700
committerGitHub <noreply@github.com>Mon Aug 19 00:11:19 2019 -0700
tree4c33dcba8978c8362bcc5a3e5ef5b60b74de951f
parentdf8b8ab0e60d3ae446a902af9762aaad89678db7 [diff]
parenta710558854092a162161d8e66d1634b5831e1824 [diff]
GUACAMOLE-684: Merge changes giving tentative acceptance of credentials priority over complete refusal.

As described in the discussion surrounding the original pull request:

 * An extension throws `GuacamoleInsufficientCredentialsException`
   specifically to indicate tentative acceptance of the credentials
   passed thus far.
 * Just as such an extension that fully accepts credentials takes
   priority over an extension that refuses to accept the same, it makes
   sense to allow an extension that *tentatively* accepts those credentials
   to also take priority.

With the above perspective, authentication result priorities are as
follows, with ties broken by the inherent order of the auth providers:

 1. Acceptance (returning an `AuthenticedUser` instance).
 2. Tentative acceptance (throwing
    `GuacamoleInvalidCredentialsException`).
 3. Complete refusal (any other subclass of
    `GuacamoleCredentialsException`).
 4. Neither refusal nor acceptance (returning `null`).

See: https://github.com/apache/guacamole-client/pull/352
diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
index 7f38857..b168514 100644
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java

@@ -36,6 +36,7 @@
 import org.apache.guacamole.net.auth.UserContext;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.apache.guacamole.net.auth.credentials.GuacamoleCredentialsException;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
 import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
 import org.apache.guacamole.net.event.AuthenticationFailureEvent;
 import org.apache.guacamole.net.event.AuthenticationSuccessEvent;
@@ -170,7 +171,13 @@
                     return authenticatedUser;
             }
 
-            // First failure takes priority for now
+            // Insufficient credentials should take precedence
+            catch (GuacamoleInsufficientCredentialsException e) {
+                if (authFailure == null || authFailure instanceof GuacamoleInvalidCredentialsException)
+                    authFailure = e;
+            }
+            
+            // Catch other credentials exceptions and assign the first one
             catch (GuacamoleCredentialsException e) {
                 if (authFailure == null)
                     authFailure = e;