GUAC-1364: Implicitly invalidate user session if unauthorized upon connect.

2025-09-06 13:17:41 +00:00 · 2015-10-16 14:07:08 -07:00
parent 1f316e5e68
commit 2a155cdbac
1 changed files with 24 additions and 6 deletions
--- a/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/TunnelRequestService.java
+++ b/guacamole/src/main/java/org/glyptodon/guacamole/net/basic/TunnelRequestService.java
@@ -27,6 +27,7 @@ import com.google.inject.Singleton;
 import java.util.List;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.GuacamoleUnauthorizedException;
 import org.glyptodon.guacamole.net.DelegatingGuacamoleTunnel;
 import org.glyptodon.guacamole.net.GuacamoleTunnel;
 import org.glyptodon.guacamole.net.auth.Connection;
@@ -228,8 +229,8 @@ public class TunnelRequestService {
     * @throws GuacamoleException
     *     If an error occurs while obtaining the tunnel.
     */
-    protected GuacamoleTunnel createAssociatedTunnel(final GuacamoleSession session,
-            GuacamoleTunnel tunnel, final TunnelRequest.Type type,
+    protected GuacamoleTunnel createAssociatedTunnel(GuacamoleTunnel tunnel,
+            final GuacamoleSession session, final TunnelRequest.Type type,
            final String id) throws GuacamoleException {

        // Monitor tunnel closure and data
@@ -305,13 +306,30 @@ public class TunnelRequestService {
        String authProviderIdentifier   = request.getAuthenticationProviderIdentifier();
        GuacamoleClientInformation info = getClientInformation(request);

-        // Create connected tunnel using provided connection ID and client information
        GuacamoleSession session = authenticationService.getGuacamoleSession(authToken);
        UserContext userContext = retrievalService.retrieveUserContext(session, authProviderIdentifier);
-        GuacamoleTunnel tunnel = createConnectedTunnel(userContext, type, id, info);

-        // Associate tunnel with session
-        return createAssociatedTunnel(session, tunnel, type, id);
+        try {
+
+            // Create connected tunnel using provided connection ID and client information
+            GuacamoleTunnel tunnel = createConnectedTunnel(userContext, type, id, info);
+
+            // Associate tunnel with session
+            return createAssociatedTunnel(tunnel, session, type, id);
+
+        }
+
+        // Ensure any associated session is invalidated if unauthorized
+        catch (GuacamoleUnauthorizedException e) {
+
+            // If there is an associated auth token, invalidate it
+            if (authenticationService.destroyGuacamoleSession(authToken))
+                logger.debug("Implicitly invalidated session for token \"{}\".", authToken);
+
+            // Continue with exception processing
+            throw e;
+
+        }

    }