From 45ee895044cd7a4e5489ed0d4bd818368522a8ca Mon Sep 17 00:00:00 2001
From: Michael Jumper <mjumper@apache.org>
Date: Sun, 4 Jun 2017 13:32:52 -0700
Subject: [PATCH] GUACAMOLE-284: Veto authentication result if a database
 account is required but unavailable.

---
 .../auth/jdbc/JDBCAuthenticationProviderService.java   | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index dd39f245b..2e85e788c 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -104,8 +104,16 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         }
 
-        // Update password if password is expired
+        // Veto authentication result if account is required but unavailable
+        // due to account restrictions
         UserModel userModel = user.getModel();
+        if (environment.isUserRequired()
+                && (userModel.isDisabled() || !user.isAccountValid() || !user.isAccountAccessible())) {
+                throw new GuacamoleInvalidCredentialsException("Invalid login",
+                        CredentialsInfo.USERNAME_PASSWORD);
+        }
+
+        // Update password if password is expired
         if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
             userService.resetExpiredPassword(user, authenticatedUser.getCredentials());