Posted to commits@guacamole.apache.org by jm...@apache.org on 2016/12/06 04:44:23 UTC
[1/2] incubator-guacamole-client git commit: GUACAMOLE-136: Move
password reset flow into own function. Invoke from getUserContext(),
not authenticateUser(),
such that secondary authentication factors have a chance to invalidate the
auth attempt prior to
Repository: incubator-guacamole-client
Updated Branches:
refs/heads/master 32e5c3e68 -> 18565d171
GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to password reset.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/4a1ffbfd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/4a1ffbfd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/4a1ffbfd
Branch: refs/heads/master
Commit: 4a1ffbfdccd0d42e44a164bdbd89176fe1a098ef
Parents: 32e5c3e
Author: Michael Jumper <mj...@apache.org>
Authored: Sat Dec 3 13:39:42 2016 -0800
Committer: Michael Jumper <mj...@apache.org>
Committed: Mon Dec 5 20:13:59 2016 -0800
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 6 ++
.../guacamole/auth/jdbc/user/UserService.java | 90 ++++++++++++--------
2 files changed, 62 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 8f98c74..a0d422a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -25,6 +25,7 @@ import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUser;
import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
+import org.apache.guacamole.auth.jdbc.user.UserModel;
import org.apache.guacamole.auth.jdbc.user.UserService;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -98,6 +99,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
}
+ // Update password if password is expired
+ UserModel userModel = user.getModel();
+ if (userModel.isExpired())
+ userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
// Link to user context
ModeledUserContext context = userContextProvider.get();
context.init(user.getCurrentUser());
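Review bot: The reset is gated only on `userModel.isExpired()`, so it runs for any database account flagged as expired, regardless of which provider verified the password held in `authenticatedUser.getCredentials()`. If another extension performed the authentication (not visible in this hunk, so this needs confirming), the "old password" compared inside resetExpiredPassword() would not be the database password. The stored password would then be overwritten on the strength of a credential this provider never checked. I would restrict the call to users this provider itself authenticated and record the assumption in a comment such as `// Reset only for credentials verified by this provider, after all other login checks have passed`. getUserContext() starts and ends outside the hunk.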
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 16f25b5..c83d6cb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -319,40 +319,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
if (!user.isAccountAccessible())
throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
- // Update password if password is expired
- if (userModel.isExpired()) {
-
- // Pull new password from HTTP request
- HttpServletRequest request = credentials.getRequest();
- String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
- String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
-
- // Require new password if account is expired
- if (newPassword == null || confirmNewPassword == null) {
- logger.info("The password of user \"{}\" has expired and must be reset.", username);
- throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
- }
-
- // New password must be different from old password
- if (newPassword.equals(credentials.getPassword()))
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
-
- // New password must not be blank
- if (newPassword.isEmpty())
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
-
- // Confirm that the password was entered correctly twice
- if (!newPassword.equals(confirmNewPassword))
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
-
- // Change password and reset expiration flag
- userModel.setExpired(false);
- user.setPassword(newPassword);
- userMapper.update(userModel);
- logger.info("Expired password of user \"{}\" has been reset.", username);
-
- }
-
// Return now-authenticated user
return user.getCurrentUser();
@@ -398,4 +364,60 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
}
+ /**
+ * Resets the password of the given user to the new password specified via
+ * the "new-password" and "confirm-new-password" parameters from the
+ * provided credentials. If these parameters are missing or invalid,
+ * additional credentials will be requested.
+ *
+ * @param user
+ * The user whose password should be reset.
+ *
+ * @param credentials
+ * The credentials from which the parameters required for password
+ * reset should be retrieved.
+ *
+ * @throws GuacamoleException
+ * If the password reset parameters within the given credentials are
+ * invalid or missing.
+ */
+ public void resetExpiredPassword(ModeledUser user, Credentials credentials)
+ throws GuacamoleException {
+
+ UserModel userModel = user.getModel();
+
+ // Get username
+ String username = user.getIdentifier();
+
+ // Pull new password from HTTP request
+ HttpServletRequest request = credentials.getRequest();
+ String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
+ String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
+
+ // Require new password if account is expired
+ if (newPassword == null || confirmNewPassword == null) {
+ logger.info("The password of user \"{}\" has expired and must be reset.", username);
+ throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
+ }
+
+ // New password must be different from old password
+ if (newPassword.equals(credentials.getPassword()))
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
+
+ // New password must not be blank
+ if (newPassword.isEmpty())
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
+
+ // Confirm that the password was entered correctly twice
+ if (!newPassword.equals(confirmNewPassword))
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
+
+ // Change password and reset expiration flag
+ userModel.setExpired(false);
+ user.setPassword(newPassword);
+ userMapper.update(userModel);
+ logger.info("Expired password of user \"{}\" has been reset.", username);
+
+ }
+
}
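Review bot: resetExpiredPassword() is public but checks neither `userModel.isExpired()` nor that `credentials` were actually verified for `user`; both preconditions are enforced only by the caller in getUserContext(). A future caller that skips either one would let the password be replaced from request parameters alone. I would add `if (!userModel.isExpired()) return;` right after `user.getModel()` and state in the Javadoc that the credentials must already be authenticated. Separately, `credentials.getRequest()` is dereferenced without a null check; if credentials can exist without an HTTP request (to be confirmed against Credentials), this fails with a NullPointerException rather than a GuacamoleException.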
[2/2] incubator-guacamole-client git commit: GUACAMOLE-136: Merge
password reset flow fix for 2FA.
Posted by jm...@apache.org.
GUACAMOLE-136: Merge password reset flow fix for 2FA.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/18565d17
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/18565d17
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/18565d17
Branch: refs/heads/master
Commit: 18565d171e26d700b126f56bbf73950c57638096
Parents: 32e5c3e 4a1ffbf
Author: James Muehlner <ja...@guac-dev.org>
Authored: Mon Dec 5 20:43:39 2016 -0800
Committer: James Muehlner <ja...@guac-dev.org>
Committed: Mon Dec 5 20:43:39 2016 -0800
----------------------------------------------------------------------
.../jdbc/JDBCAuthenticationProviderService.java | 6 ++
.../guacamole/auth/jdbc/user/UserService.java | 90 ++++++++++++--------
2 files changed, 62 insertions(+), 34 deletions(-)
----------------------------------------------------------------------