Posted to commits@guacamole.apache.org by jm...@apache.org on 2017/06/07 03:08:55 UTC
[1/6] incubator-guacamole-client git commit: GUACAMOLE-284: Veto
authentication result if a database account is required but unavailable.
Repository: incubator-guacamole-client
Updated Branches:
refs/heads/master eb087ae29 -> 728d9b937
GUACAMOLE-284: Veto authentication result if a database account is required but unavailable.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/45ee8950
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/45ee8950
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/45ee8950
Branch: refs/heads/master
Commit: 45ee895044cd7a4e5489ed0d4bd818368522a8ca
Parents: bedd09f
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jun 4 13:32:52 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jun 4 22:21:18 2017 -0700
----------------------------------------------------------------------
.../auth/jdbc/JDBCAuthenticationProviderService.java | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/45ee8950/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index dd39f24..2e85e78 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -104,8 +104,16 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
}
- // Update password if password is expired
+ // Veto authentication result if account is required but unavailable
+ // due to account restrictions
UserModel userModel = user.getModel();
+ if (environment.isUserRequired()
+ && (userModel.isDisabled() || !user.isAccountValid() || !user.isAccountAccessible())) {
+ throw new GuacamoleInvalidCredentialsException("Invalid login",
+ CredentialsInfo.USERNAME_PASSWORD);
+ }
+
+ // Update password if password is expired
if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
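Review bot: The veto path added here leaves no server-side trace of why a login was refused, as far as this hunk shows. All three conditions (disabled, not valid, not accessible) collapse into the same `GuacamoleInvalidCredentialsException("Invalid login", ...)`, which is a sensible answer to the client, but an operator investigating a user who authenticated successfully elsewhere and was then rejected cannot tell which restriction applied. If the class has a logger available (none is visible in this hunk), a line before the throw such as `logger.info("Vetoing authentication of \"{}\": database account is disabled or outside its validity/access window.", authenticatedUser.getIdentifier());` would cover it. The enclosing method begins and ends outside the hunk.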
[6/6] incubator-guacamole-client git commit: GUACAMOLE-284: Merge
database account restrictions when users required.
Posted by jm...@apache.org.
GUACAMOLE-284: Merge database account restrictions when users required.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/728d9b93
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/728d9b93
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/728d9b93
Branch: refs/heads/master
Commit: 728d9b937c80bbf61ac79dd563dc1775203b34e6
Parents: eb087ae 862e2c3
Author: James Muehlner <ja...@guac-dev.org>
Authored: Tue Jun 6 20:06:28 2017 -0700
Committer: James Muehlner <ja...@guac-dev.org>
Committed: Tue Jun 6 20:06:28 2017 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 58 +++++++++++++-------
.../guacamole/auth/jdbc/user/ModeledUser.java | 26 +++++++++
.../guacamole/auth/jdbc/user/UserModel.java | 31 ++++++-----
.../guacamole/auth/jdbc/user/UserService.java | 19 ++-----
4 files changed, 84 insertions(+), 50 deletions(-)
----------------------------------------------------------------------
[3/6] incubator-guacamole-client git commit: GUACAMOLE-284: Add
convenience methods for determining whether a user account is
disabled/expired.
Posted by jm...@apache.org.
GUACAMOLE-284: Add convenience methods for determining whether a user account is disabled/expired.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/f4fce6a0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/f4fce6a0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/f4fce6a0
Branch: refs/heads/master
Commit: f4fce6a07a94a6a4f8919df5bffe171e82aa3081
Parents: c87ec1b
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jun 4 14:08:49 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jun 4 22:21:19 2017 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 48 ++++++++------------
.../guacamole/auth/jdbc/user/ModeledUser.java | 24 ++++++++++
2 files changed, 44 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f4fce6a0/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 37ff3bc..b753ff8 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -28,7 +28,6 @@ import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
-import org.apache.guacamole.auth.jdbc.user.UserModel;
import org.apache.guacamole.auth.jdbc.user.UserService;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -88,40 +87,33 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
- if (user != null) {
+ if (user != null && !user.isDisabled()) {
- // User data only exists for purposes of retrieval if the account
- // is not disabled
- UserModel userModel = user.getModel();
- if (!userModel.isDisabled()) {
+ // Apply account restrictions if this extension authenticated
+ // the user OR if an account from this extension is explicitly
+ // required
+ if (authenticatedUser instanceof ModeledAuthenticatedUser
+ || environment.isUserRequired()) {
- // Apply account restrictions if this extension authenticated
- // the user OR if an account from this extension is explicitly
- // required
- if (authenticatedUser instanceof ModeledAuthenticatedUser
- || environment.isUserRequired()) {
+ // Verify user account is still valid as of today
+ if (!user.isAccountValid())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
- // Verify user account is still valid as of today
- if (!user.isAccountValid())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+ // Verify user account is allowed to be used at the current time
+ if (!user.isAccountAccessible())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
- // Verify user account is allowed to be used at the current time
- if (!user.isAccountAccessible())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-
- // Update password if password is expired
- if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
- userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
-
- }
-
- // Link to user context
- ModeledUserContext context = userContextProvider.get();
- context.init(user.getCurrentUser());
- return context;
+ // Update password if password is expired
+ if (user.isExpired() || passwordPolicyService.isPasswordExpired(user))
+ userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
}
+ // Link to user context
+ ModeledUserContext context = userContextProvider.get();
+ context.init(user.getCurrentUser());
+ return context;
+
}
// Do not invalidate the authentication result of users who were
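Review bot: A disabled account is not rejected explicitly by `if (user != null && !user.isDisabled())`; it skips the block and falls through to the fallback, which begins at the `SharedAuthenticatedUser` comment and continues outside this hunk. As the c87ec1bf hunk for this file shows, that fallback returns null whenever `!environment.isUserRequired()`, so a disabled database user authenticated by this extension is refused a user context but not vetoed; c87ec1bf introduces the same structure. Because 0eef629a also removed the disabled check from the credential-verifying method in UserService, whether such a login is still rejected anywhere depends on code not visible here. Consider rejecting it before the fallback, e.g. `if (user != null && user.isDisabled() && authenticatedUser instanceof ModeledAuthenticatedUser) throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);`.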
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/f4fce6a0/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
index 418ffad..745fe5f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -766,4 +766,28 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
return isActive(getAccessWindowStart(), getAccessWindowEnd());
}
+ /**
+ * Returns whether the user has been disabled. Disabled users are not
+ * allowed to login. Although their account data exists, all login attempts
+ * will fail as if the account does not exist.
+ *
+ * @return
+ * true if the account is disabled, false otherwise.
+ */
+ public boolean isDisabled() {
+ return getModel().isDisabled();
+ }
+
+ /**
+ * Returns whether the user's password has expired. If a user's password is
+ * expired, it must be immediately changed upon login. A user account with
+ * an expired password cannot be used until the password has been changed.
+ *
+ * @return
+ * true if the user's password has expired, false otherwise.
+ */
+ public boolean isExpired() {
+ return getModel().isExpired();
+ }
+
}
[4/6] incubator-guacamole-client git commit: GUACAMOLE-284: Move
enforcement of account restrictions into AuthenticationProviderService.
Posted by jm...@apache.org.
GUACAMOLE-284: Move enforcement of account restrictions into AuthenticationProviderService.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/0eef629a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/0eef629a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/0eef629a
Branch: refs/heads/master
Commit: 0eef629a9dad12ad6d60a0d045e845236761be88
Parents: 45ee895
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jun 4 13:42:28 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jun 4 22:21:19 2017 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 21 ++++++++++++++++----
.../guacamole/auth/jdbc/user/UserService.java | 19 ++++--------------
2 files changed, 21 insertions(+), 19 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/0eef629a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 2e85e78..a5cc164 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -21,9 +21,11 @@ package org.apache.guacamole.auth.jdbc;
import com.google.inject.Inject;
import com.google.inject.Provider;
+import org.apache.guacamole.GuacamoleClientException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.jdbc.security.PasswordPolicyService;
import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
+import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
import org.apache.guacamole.auth.jdbc.user.UserModel;
@@ -104,13 +106,24 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
}
- // Veto authentication result if account is required but unavailable
- // due to account restrictions
+ // Apply account restrictions if this extension authenticated the user
+ // OR if an account from this extension is explicitly required
UserModel userModel = user.getModel();
- if (environment.isUserRequired()
- && (userModel.isDisabled() || !user.isAccountValid() || !user.isAccountAccessible())) {
+ if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
+
+ // If user is disabled, pretend user does not exist
+ if (userModel.isDisabled())
throw new GuacamoleInvalidCredentialsException("Invalid login",
CredentialsInfo.USERNAME_PASSWORD);
+
+ // Verify user account is still valid as of today
+ if (!user.isAccountValid())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+
+ // Verify user account is allowed to be used at the current time
+ if (!user.isAccountAccessible())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
+
}
// Update password if password is expired
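Review bot: The new `if (userModel.isDisabled())` is unbraced although its body is a `throw` statement spanning two lines. Those two lines are carried over as unchanged context, so their indentation presumably still matches the old enclosing `if` rather than the new one, which makes it easy to misread which statement the condition guards in an access-control path. Wrapping it as `if (userModel.isDisabled()) {` … `}` removes the ambiguity, and bracing the two single-line checks below it would keep the three restrictions uniform. The enclosing method begins and ends outside the hunk.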
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/0eef629a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 7935f86..3dc025f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -312,9 +312,10 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
/**
* Retrieves the user corresponding to the given credentials from the
- * database. If the user account is expired, and the credentials contain
- * the necessary additional parameters to reset the user's password, the
- * password is reset.
+ * database. Note that this function will not enforce any additional
+ * account restrictions, including explicitly disabled accounts,
+ * scheduling, and password expiration. It is the responsibility of the
+ * caller to enforce such restrictions, if desired.
*
* @param authenticationProvider
* The AuthenticationProvider on behalf of which the user is being
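Review bot: The rewritten Javadoc hands enforcement to the caller but does not say which checks the caller must run, and the method's last comment (visible in the final hunk of this file) still reads "Return now-authenticated user". With the disabled, validity and access-window checks deleted in the two hunks below, a non-null result now only means the password matched, so any other caller will accept a disabled account unless it repeats those checks. I would add a sentence such as `Callers are expected to check {@link UserModel#isDisabled()}, {@link ModeledUser#isAccountValid()} and {@link ModeledUser#isAccountAccessible()} before granting access.` and say the same in the `@return` text. The Javadoc block continues past the end of this hunk.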
@@ -342,10 +343,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
if (userModel == null)
return null;
- // If user is disabled, pretend user does not exist
- if (userModel.isDisabled())
- return null;
-
// Verify provided password is correct
byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());
if (!Arrays.equals(hash, userModel.getPasswordHash()))
@@ -355,14 +352,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
ModeledUser user = getObjectInstance(null, userModel);
user.setCurrentUser(new ModeledAuthenticatedUser(authenticationProvider, user, credentials));
- // Verify user account is still valid as of today
- if (!user.isAccountValid())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
-
- // Verify user account is allowed to be used at the current time
- if (!user.isAccountAccessible())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
-
// Return now-authenticated user
return user.getCurrentUser();
[2/6] incubator-guacamole-client git commit: GUACAMOLE-284: Clarify
semantics of disabled user accounts.
Posted by jm...@apache.org.
GUACAMOLE-284: Clarify semantics of disabled user accounts.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/862e2c39
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/862e2c39
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/862e2c39
Branch: refs/heads/master
Commit: 862e2c398aaa346d59766f7cc3bec61c2e4a4639
Parents: f4fce6a
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jun 4 14:15:47 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jun 4 22:21:19 2017 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 6 ++--
.../guacamole/auth/jdbc/user/ModeledUser.java | 18 +++++++-----
.../guacamole/auth/jdbc/user/UserModel.java | 31 +++++++++++---------
3 files changed, 30 insertions(+), 25 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/862e2c39/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index b753ff8..284a5aa 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -89,9 +89,9 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
if (user != null && !user.isDisabled()) {
- // Apply account restrictions if this extension authenticated
- // the user OR if an account from this extension is explicitly
- // required
+ // Account restrictions specific to this extension apply if this
+ // extension authenticated the user OR if an account from this
+ // extension is explicitly required
if (authenticatedUser instanceof ModeledAuthenticatedUser
|| environment.isUserRequired()) {
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/862e2c39/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
index 745fe5f..0ed115f 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -767,24 +767,26 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
}
/**
- * Returns whether the user has been disabled. Disabled users are not
- * allowed to login. Although their account data exists, all login attempts
- * will fail as if the account does not exist.
+ * Returns whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
*
* @return
- * true if the account is disabled, false otherwise.
+ * true if this user account has been disabled, false otherwise.
*/
public boolean isDisabled() {
return getModel().isDisabled();
}
/**
- * Returns whether the user's password has expired. If a user's password is
- * expired, it must be immediately changed upon login. A user account with
- * an expired password cannot be used until the password has been changed.
+ * Returns whether this user's password has expired. If a user's password
+ * is expired, it must be immediately changed upon login. A user account
+ * with an expired password cannot be used until the password has been
+ * changed.
*
* @return
- * true if the user's password has expired, false otherwise.
+ * true if this user's password has expired, false otherwise.
*/
public boolean isExpired() {
return getModel().isExpired();
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/862e2c39/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
index 2376cae..afaeb55 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserModel.java
@@ -194,48 +194,51 @@ public class UserModel extends ObjectModel {
}
/**
- * Returns whether the user has been disabled. Disabled users are not
- * allowed to login. Although their account data exists, all login attempts
- * will fail as if the account does not exist.
+ * Returns whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
*
* @return
- * true if the account is disabled, false otherwise.
+ * true if this user account is disabled, false otherwise.
*/
public boolean isDisabled() {
return disabled;
}
/**
- * Sets whether the user is disabled. Disabled users are not allowed to
- * login. Although their account data exists, all login attempts will fail
- * as if the account does not exist.
+ * Sets whether this user account has been disabled. The credentials of
+ * disabled user accounts are treated as invalid, effectively disabling
+ * that user's access to data for which they would otherwise have
+ * permission.
*
* @param disabled
- * true if the account should be disabled, false otherwise.
+ * true if this user account should be disabled, false otherwise.
*/
public void setDisabled(boolean disabled) {
this.disabled = disabled;
}
/**
- * Returns whether the user's password has expired. If a user's password is
- * expired, it must be immediately changed upon login. A user account with
- * an expired password cannot be used until the password has been changed.
+ * Returns whether this user's password has expired. If a user's password
+ * is expired, it must be immediately changed upon login. A user account
+ * with an expired password cannot be used until the password has been
+ * changed.
*
* @return
- * true if the user's password has expired, false otherwise.
+ * true if this user's password has expired, false otherwise.
*/
public boolean isExpired() {
return expired;
}
/**
- * Sets whether the user's password is expired. If a user's password is
+ * Sets whether this user's password is expired. If a user's password is
* expired, it must be immediately changed upon login. A user account with
* an expired password cannot be used until the password has been changed.
*
* @param expired
- * true to expire the user's password, false otherwise.
+ * true if this user's password has expired, false otherwise.
*/
public void setExpired(boolean expired) {
this.expired = expired;
[5/6] incubator-guacamole-client git commit: GUACAMOLE-284: Reverse
structure of restriction enforcement such that the default action is to deny
access.
Posted by jm...@apache.org.
GUACAMOLE-284: Reverse structure of restriction enforcement such that the default action is to deny access.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/c87ec1bf
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/c87ec1bf
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/c87ec1bf
Branch: refs/heads/master
Commit: c87ec1bf5d6545cb8f4ed631257f4ba9667bdceb
Parents: 0eef629
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Jun 4 14:04:56 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Sun Jun 4 22:21:19 2017 -0700
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 71 ++++++++++----------
1 file changed, 37 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/c87ec1bf/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index a5cc164..37ff3bc 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -88,52 +88,55 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
// Retrieve user account for already-authenticated user
ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
- if (user == null) {
+ if (user != null) {
- // Do not invalidate the authentication result of users who were
- // authenticated via our own connection sharing links
- if (authenticatedUser instanceof SharedAuthenticatedUser)
- return null;
+ // User data only exists for purposes of retrieval if the account
+ // is not disabled
+ UserModel userModel = user.getModel();
+ if (!userModel.isDisabled()) {
- // Simply return no data if a database user account is not required
- if (!environment.isUserRequired())
- return null;
+ // Apply account restrictions if this extension authenticated
+ // the user OR if an account from this extension is explicitly
+ // required
+ if (authenticatedUser instanceof ModeledAuthenticatedUser
+ || environment.isUserRequired()) {
- // Otherwise, invalidate the authentication result, as database user
- // accounts are absolutely required
- throw new GuacamoleInvalidCredentialsException("Invalid login",
- CredentialsInfo.USERNAME_PASSWORD);
+ // Verify user account is still valid as of today
+ if (!user.isAccountValid())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
- }
+ // Verify user account is allowed to be used at the current time
+ if (!user.isAccountAccessible())
+ throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
- // Apply account restrictions if this extension authenticated the user
- // OR if an account from this extension is explicitly required
- UserModel userModel = user.getModel();
- if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
+ // Update password if password is expired
+ if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
+ userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
- // If user is disabled, pretend user does not exist
- if (userModel.isDisabled())
- throw new GuacamoleInvalidCredentialsException("Invalid login",
- CredentialsInfo.USERNAME_PASSWORD);
+ }
- // Verify user account is still valid as of today
- if (!user.isAccountValid())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+ // Link to user context
+ ModeledUserContext context = userContextProvider.get();
+ context.init(user.getCurrentUser());
+ return context;
- // Verify user account is allowed to be used at the current time
- if (!user.isAccountAccessible())
- throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
+ }
}
- // Update password if password is expired
- if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
- userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+ // Do not invalidate the authentication result of users who were
+ // authenticated via our own connection sharing links
+ if (authenticatedUser instanceof SharedAuthenticatedUser)
+ return null;
- // Link to user context
- ModeledUserContext context = userContextProvider.get();
- context.init(user.getCurrentUser());
- return context;
+ // Simply return no data if a database user account is not required
+ if (!environment.isUserRequired())
+ return null;
+
+ // Otherwise, invalidate the authentication result, as database user
+ // accounts are absolutely required
+ throw new GuacamoleInvalidCredentialsException("Invalid login",
+ CredentialsInfo.USERNAME_PASSWORD);
}