GUACAMOLE-684: Merge changes giving tentative acceptance of credentials priority over complete refusal.
As described in the discussion surrounding the original pull request:
* An extension throws `GuacamoleInsufficientCredentialsException`
specifically to indicate tentative acceptance of the credentials
passed thus far.
* Just as such an extension that fully accepts credentials takes
priority over an extension that refuses to accept the same, it makes
sense to allow an extension that *tentatively* accepts those credentials
to also take priority.
With the above perspective, authentication result priorities are as
follows, with ties broken by the inherent order of the auth providers:
1. Acceptance (returning an `AuthenticedUser` instance).
2. Tentative acceptance (throwing
`GuacamoleInvalidCredentialsException`).
3. Complete refusal (any other subclass of
`GuacamoleCredentialsException`).
4. Neither refusal nor acceptance (returning `null`).
See: https://github.com/apache/guacamole-client/pull/352
diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
index 7f38857..b168514 100644
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
@@ -36,6 +36,7 @@
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleCredentialsException;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.apache.guacamole.net.event.AuthenticationFailureEvent;
import org.apache.guacamole.net.event.AuthenticationSuccessEvent;
@@ -170,7 +171,13 @@
return authenticatedUser;
}
- // First failure takes priority for now
+ // Insufficient credentials should take precedence
+ catch (GuacamoleInsufficientCredentialsException e) {
+ if (authFailure == null || authFailure instanceof GuacamoleInvalidCredentialsException)
+ authFailure = e;
+ }
+
+ // Catch other credentials exceptions and assign the first one
catch (GuacamoleCredentialsException e) {
if (authFailure == null)
authFailure = e;