Posted to dev@guacamole.apache.org by Nick Couchman <vn...@apache.org> on 2019/01/17 20:54:22 UTC

[DISCUSS] GUACAMOLE-684: Insufficient vs. Invalid Credentials

We decided not to shoe-horn this change into version 1.0.0, but in
GUACAMOLE-684 I propose making a change such that the
GuacamoleInsufficientCredentialsException takes precedence over
GuacamoleInvalidCredentialsException.  You can see the proposed changes in
this PR:

https://github.com/apache/guacamole-client/pull/352

My driver for making this change is that, currently, if you have, for
example, the JDBC module and the RADIUS module (in that order), and the
RADIUS module issues a GuacamoleInsufficientCredentialsException because it
is doing Challenge/Response authentication, authentication will fail
because the JDBC module generates the first Credential Exception, which is
a GuacamoleInvalidCredentialsException, and the second CredentialException,
the GuacamoleInsufficientCredentialsException thrown by the RADIUS module,
is ignored.  The current work-around is to load the RADIUS module first,
so that it is evaluated first, the Insufficient exception occurs first, and
it is kept over the Invalid exception.

My rationale is that it is very likely that, if an Insufficient Credentials
Exception is issued, authentication has at least part-way succeeded and the
user needs to enter additional information, versus the Invalid Credentials
Exception, which indicates a failure.

Mike suggested further discussion on this as it does represent a
significant change in behavior, so...any other thoughts?  Any scenarios
that anyone can foresee where this behavior would not be desirable, or
where a vulnerability may be introduced by doing so?  We can stick with the
current work-around, if there are objections, but if no one objects I
propose changing the code to avoid the need for the work-around.

-Nick
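The provider-ordering problem described in the message above, reduced to a runnable model. This is an added example written for this archive page; it is not code from the thread, from PR 352, or from guacamole-client. The exception classes, the AuthProvider interface, the two provider stubs and the sample users are stand-ins invented here (their names only mirror the guacamole-ext naming), and the loop in authenticate() models the two precedence policies the message contrasts rather than reproducing the project's real AuthenticationService.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

public class CredentialPrecedenceDemo {

    // Stand-in exception hierarchy for this demo (not guacamole-ext's classes).
    static class CredentialsException extends Exception {
        CredentialsException(String msg) { super(msg); }
    }
    static class InvalidCredentialsException extends CredentialsException {
        InvalidCredentialsException(String msg) { super(msg); }
    }
    static class InsufficientCredentialsException extends CredentialsException {
        final String prompt; // the additional field the user must supply
        InsufficientCredentialsException(String msg, String prompt) { super(msg); this.prompt = prompt; }
    }

    interface AuthProvider {
        // Returns the authenticated username or throws a CredentialsException.
        String authenticate(Map<String, String> creds) throws CredentialsException;
    }

    // Stand-in for a database-backed provider: single factor, exact password match.
    static AuthProvider jdbcLike(Map<String, String> users) {
        return c -> {
            String u = c.get("username"), p = c.get("password");
            if (u != null && p != null && p.equals(users.get(u))) return u;
            throw new InvalidCredentialsException("jdbc: bad username or password");
        };
    }

    // Stand-in for a challenge/response provider: the password is the first
    // factor; the second round trip must carry the challenge answer.
    static AuthProvider radiusLike(Map<String, String> users, Map<String, String> answers) {
        return c -> {
            String u = c.get("username"), p = c.get("password");
            if (u == null || p == null || !p.equals(users.get(u)))
                throw new InvalidCredentialsException("radius: bad username or password");
            String answer = c.get("challenge");
            if (answer == null)
                throw new InsufficientCredentialsException("radius: challenge required", "challenge");
            if (!answer.equals(answers.get(u)))
                throw new InvalidCredentialsException("radius: wrong challenge answer");
            return u;
        };
    }

    // Walk the providers in order. preferInsufficient == false keeps the first
    // credential exception raised (the behaviour the message calls current);
    // preferInsufficient == true lets an InsufficientCredentialsException from a
    // later provider replace an earlier InvalidCredentialsException (the proposal).
    static String authenticate(List<AuthProvider> providers, Map<String, String> creds,
                               boolean preferInsufficient) throws CredentialsException {
        CredentialsException kept = null;
        for (AuthProvider provider : providers) {
            try {
                return provider.authenticate(creds);
            } catch (CredentialsException e) {
                if (kept == null) {
                    kept = e;
                } else if (preferInsufficient
                        && e instanceof InsufficientCredentialsException
                        && !(kept instanceof InsufficientCredentialsException)) {
                    kept = e;
                }
            }
        }
        if (kept == null) throw new InvalidCredentialsException("no providers configured");
        throw kept;
    }

    static String outcome(List<AuthProvider> providers, Map<String, String> creds, boolean prefer) {
        try {
            return "authenticated as " + authenticate(providers, creds, prefer);
        } catch (InsufficientCredentialsException e) {
            return "prompt for '" + e.prompt + "' (" + e.getMessage() + ")";
        } catch (CredentialsException e) {
            return "login failed (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample users and credentials, not from any real deployment.
        AuthProvider jdbc   = jdbcLike(Map.of("dbuser", "dbpass"));
        AuthProvider radius = radiusLike(Map.of("raduser", "radpass"), Map.of("raduser", "123456"));
        List<AuthProvider> jdbcFirst   = Arrays.asList(jdbc, radius);
        List<AuthProvider> radiusFirst = Arrays.asList(radius, jdbc);

        Map<String, String> firstRound  = Map.of("username", "raduser", "password", "radpass");
        Map<String, String> secondRound = Map.of("username", "raduser", "password", "radpass", "challenge", "123456");
        Map<String, String> wrongPw     = Map.of("username", "raduser", "password", "nope");

        System.out.println("jdbc,radius current  : " + outcome(jdbcFirst, firstRound, false));  // login failed
        System.out.println("jdbc,radius proposed : " + outcome(jdbcFirst, firstRound, true));   // prompt for 'challenge'
        System.out.println("radius,jdbc current  : " + outcome(radiusFirst, firstRound, false)); // prompt for 'challenge'
        System.out.println("second round proposed: " + outcome(jdbcFirst, secondRound, true));  // authenticated as raduser
        System.out.println("wrong pw proposed    : " + outcome(jdbcFirst, wrongPw, true));      // login failed
    }
}
```

The first three lines of output reproduce the message's point: with JDBC listed before RADIUS, the current first-exception-wins rule surfaces the JDBC Invalid exception and the challenge round never happens, while the proposed rule (or the work-around of listing RADIUS first) surfaces the Insufficient exception so the user is prompted. The last line shows that the precedence change is inert when no provider reports Insufficient: a wrong password still fails with the first Invalid exception, so the only behaviour that moves is the partially-authenticated case.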