Posted to commits@guacamole.apache.org by vn...@apache.org on 2018/04/02 13:47:05 UTC
[1/2] guacamole-client git commit: GUACAMOLE-529: Apply
database-specific account restrictions depending on context.
Repository: guacamole-client
Updated Branches:
refs/heads/master 4f27a03ad -> d35d67fee
GUACAMOLE-529: Apply database-specific account restrictions depending on context.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/6dde0e77
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/6dde0e77
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/6dde0e77
Branch: refs/heads/master
Commit: 6dde0e778a9ef70f405b88584d7e4c10431cbad5
Parents: 4f27a03
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Apr 1 23:19:40 2018 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Apr 1 23:29:19 2018 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 49 +++++++++++---------
1 file changed, 28 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/6dde0e77/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 284a5aa..68e2a47 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -85,15 +85,21 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
public ModeledUserContext getUserContext(AuthenticationProvider authenticationProvider,
AuthenticatedUser authenticatedUser) throws GuacamoleException {
+ // Always allow but provide no data for users authenticated via our own
+ // connection sharing links
+ if (authenticatedUser instanceof SharedAuthenticatedUser)
+ return null;
+
+ // Set semantic flags based on context
+ boolean databaseCredentialsUsed = (authenticatedUser instanceof ModeledAuthenticatedUser);
+ boolean databaseRestrictionsApplicable = (databaseCredentialsUsed || environment.isUserRequired());
+
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
if (user != null && !user.isDisabled()) {
- // Account restrictions specific to this extension apply if this
- // extension authenticated the user OR if an account from this
- // extension is explicitly required
- if (authenticatedUser instanceof ModeledAuthenticatedUser
- || environment.isUserRequired()) {
+ // Enforce applicable account restrictions
+ if (databaseRestrictionsApplicable) {
// Verify user account is still valid as of today
if (!user.isAccountValid())
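Review bot: The guard `if (databaseRestrictionsApplicable)` leaves `isDisabled()` as the only database restriction on an externally authenticated user when `environment.isUserRequired()` is false. In that case the validity check here and the accessibility check in the following hunk are skipped, yet the branch still builds and returns the `ModeledUserContext`. If that is the intended policy, the comment should state it instead of the generic "Enforce applicable account restrictions", for example `// Validity and accessibility checks apply only when this extension authenticated the user or a database account is required; a disabled account is denied data in every case`. If an account that fails those checks should also withhold its data from externally authenticated users, the context creation needs its own check. The block continues past the end of this hunk.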
@@ -103,32 +109,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
- // Update password if password is expired
+ }
+
+ // Update password if password is expired AND the password was
+ // actually involved in the authentication process
+ if (databaseCredentialsUsed) {
if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
-
}
- // Link to user context
+ // Return all data associated with the authenticated user
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
return context;
}
- // Do not invalidate the authentication result of users who were
- // authenticated via our own connection sharing links
- if (authenticatedUser instanceof SharedAuthenticatedUser)
- return null;
-
- // Simply return no data if a database user account is not required
- if (!environment.isUserRequired())
- return null;
-
- // Otherwise, invalidate the authentication result, as database user
- // accounts are absolutely required
- throw new GuacamoleInvalidCredentialsException("Invalid login",
- CredentialsInfo.USERNAME_PASSWORD);
+ // Veto authentication result only if database-specific account
+ // restrictions apply in this situation
+ if (databaseRestrictionsApplicable)
+ throw new GuacamoleInvalidCredentialsException("Invalid login",
+ CredentialsInfo.USERNAME_PASSWORD);
+
+ // There is no data to be returned for the user, either because they do
+ // not exist or because restrictions prevent their data from being
+ // retrieved, but no restrictions apply which should prevent the user
+ // from authenticating entirely
+ return null;
}
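Review bot: The veto at `if (databaseRestrictionsApplicable)` now also fires for a `ModeledAuthenticatedUser` whose account is missing or disabled when `environment.isUserRequired()` is false, where the removed lines returned null, and the comment above it does not say so. This looks like a deliberate tightening, but it changes a login outcome and should be stated, e.g. `// Database-authenticated users are always vetoed here if their account is missing or disabled, even when a database account is not otherwise required`. The closing comment is also looser than the code: this point is reached only when `user` is null or `isDisabled()` is true, so "restrictions prevent their data from being retrieved" would read better as `// ... either because they do not exist or because their account is disabled`. A test covering the disabled-account case for both combinations of the two flags would pin the behaviour.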
[2/2] guacamole-client git commit: GUACAMOLE-529: Merge apply
database-specific account restrictions depending on context
Posted by vn...@apache.org.
GUACAMOLE-529: Merge apply database-specific account restrictions depending on context
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/d35d67fe
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/d35d67fe
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/d35d67fe
Branch: refs/heads/master
Commit: d35d67fee750f92aea4ff922014c70f55d555720
Parents: 4f27a03 6dde0e7
Author: Nick Couchman <vn...@apache.org>
Authored: Mon Apr 2 09:46:07 2018 -0400
Committer: Nick Couchman <vn...@apache.org>
Committed: Mon Apr 2 09:46:07 2018 -0400
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 49 +++++++++++---------
1 file changed, 28 insertions(+), 21 deletions(-)
----------------------------------------------------------------------