GUAC-1364: Finally remove the @AuthProviderRESTExposure annotation.

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/AuthProviderRESTExposure.java

@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2014 Glyptodon LLC
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-
-package org.glyptodon.guacamole.net.basic.rest;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-/**
- * Marks that a method exposes functionality from the Guacamole AuthenticationProvider
- * using a REST interface.
- * 
- * @author James Muehlner
- */
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.METHOD})
-public @interface AuthProviderRESTExposure {}

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTExceptionWrapper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Glyptodon LLC
+ * Copyright (C) 2015 Glyptodon LLC
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -34,13 +34,16 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * A method interceptor to wrap some custom exception handling around methods
+ * A method interceptor which wraps custom exception handling around methods
- * that expose AuthenticationProvider functionality through the REST interface.
+ * which can throw GuacamoleExceptions and which are exposed through the REST
- * Translates various types of GuacamoleExceptions into appropriate HTTP responses.
+ * interface. The various types of GuacamoleExceptions are automatically
- * 
+ * translated into appropriate HTTP responses, including JSON describing the
+ * error that occurred.
+ *
  * @author James Muehlner
+ * @author Michael Jumper
  */
-public class AuthProviderRESTExceptionWrapper implements MethodInterceptor {
+public class RESTExceptionWrapper implements MethodInterceptor {
 
     @Override
     public Object invoke(MethodInvocation invocation) throws Throwable {

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTMethodMatcher.java

@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2015 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.glyptodon.guacamole.net.basic.rest;
+
+import com.google.inject.matcher.AbstractMatcher;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+import javax.ws.rs.HttpMethod;
+import org.glyptodon.guacamole.GuacamoleException;
+
+/**
+ * A Guice Matcher which matches only methods which throw GuacamoleException
+ * (or a subclass thereof) and are explicitly annotated as with an HTTP method
+ * annotation like <code>@GET</code> or <code>@POST</code>. Any method which
+ * throws GuacamoleException and is annotated with an annotation that is
+ * annotated with <code>@HttpMethod</code> will match.
+ *
+ * @author Michael Jumper
+ */
+public class RESTMethodMatcher extends AbstractMatcher<Method> {
+
+    /**
+     * Returns whether the given method throws the specified exception type,
+     * including any subclasses of that type.
+     *
+     * @param method
+     *     The method to test.
+     *
+     * @param exceptionType
+     *     The exception type to test for.
+     *
+     * @return
+     *     true if the given method throws an exception of the specified type,
+     *     false otherwise.
+     */
+    private boolean methodThrowsException(Method method,
+            Class<? extends Exception> exceptionType) {
+
+        // Check whether the method throws an exception of the specified type
+        for (Class<?> thrownType : method.getExceptionTypes()) {
+            if (exceptionType.isAssignableFrom(thrownType))
+                return true;
+        }
+
+        // No such exception is declared to be thrown
+        return false;
+        
+    }
+
+    /**
+     * Returns whether the given method is annotated as a REST method. A REST
+     * method is annotated with an annotation which is annotated with
+     * <code>@HttpMethod</code>.
+     *
+     * @param method
+     *     The method to test.
+     *
+     * @return
+     *     true if the given method is annotated as a REST method, false
+     *     otherwise.
+     */
+    private boolean isRESTMethod(Method method) {
+
+        // Check whether the required REST annotations are present
+        for (Annotation annotation : method.getAnnotations()) {
+
+            // A method is a REST method if it is annotated with @HttpMethod
+            Class<? extends Annotation> annotationType = annotation.annotationType();
+            if (annotationType.isAnnotationPresent(HttpMethod.class))
+                return true;
+
+        }
+
+        // The method is not an HTTP method
+        return false;
+
+    }
+
+    @Override
+    public boolean matches(Method method) {
+
+        // Guacamole REST methods are REST methods which throw
+        // GuacamoleExceptions
+        return isRESTMethod(method)
+            && methodThrowsException(method, GuacamoleException.class);
+
+    }
+
+}

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/RESTServletModule.java

@@ -45,11 +45,11 @@ public class RESTServletModule extends ServletModule {
     @Override
     protected void configureServlets() {
 
-        // Bind @AuthProviderRESTExposure annotation
+        // Automatically translate GuacamoleExceptions for REST methods
         bindInterceptor(
             Matchers.any(),
-            Matchers.annotatedWith(AuthProviderRESTExposure.class),
+            new RESTMethodMatcher(),
-            new AuthProviderRESTExceptionWrapper()
+            new RESTExceptionWrapper()
         );
 
         // Bind convenience services used by the REST API

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/activeconnection/ActiveConnectionRESTService.java

@@ -47,7 +47,6 @@ import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
 import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
 import org.glyptodon.guacamole.net.basic.rest.APIPatch;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
 import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
 import org.glyptodon.guacamole.net.basic.rest.PATCH;
 import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
@@ -107,7 +106,6 @@ public class ActiveConnectionRESTService {
      *     If an error is encountered while retrieving active connections.
      */
     @GET
-    @AuthProviderRESTExposure
     public Map<String, APIActiveConnection> getActiveConnections(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @QueryParam("permission") List<ObjectPermission.Type> permissions)
@@ -166,7 +164,6 @@ public class ActiveConnectionRESTService {
      *     If an error occurs while deleting the active connections.
      */
     @PATCH
-    @AuthProviderRESTExposure
     public void patchTunnels(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             List<APIPatch<String>> patches) throws GuacamoleException {

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/auth/TokenRESTService.java

@@ -39,6 +39,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.DatatypeConverter;
 import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleResourceNotFoundException;
 import org.glyptodon.guacamole.GuacamoleSecurityException;
 import org.glyptodon.guacamole.environment.Environment;
 import org.glyptodon.guacamole.net.auth.AuthenticatedUser;
@@ -49,10 +50,7 @@ import org.glyptodon.guacamole.net.auth.credentials.CredentialsInfo;
 import org.glyptodon.guacamole.net.auth.credentials.GuacamoleCredentialsException;
 import org.glyptodon.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
-import org.glyptodon.guacamole.net.basic.rest.APIError;
 import org.glyptodon.guacamole.net.basic.rest.APIRequest;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
-import org.glyptodon.guacamole.net.basic.rest.APIException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -464,7 +462,6 @@ public class TokenRESTService {
      *     If an error prevents successful authentication.
      */
     @POST
-    @AuthProviderRESTExposure
     public APIAuthenticationResult createToken(@FormParam("username") String username,
             @FormParam("password") String password,
             @FormParam("token") String token,
@@ -523,16 +520,20 @@ public class TokenRESTService {
      * Invalidates a specific auth token, effectively logging out the associated
      * user.
      * 
-     * @param authToken The token being invalidated.
+     * @param authToken
+     *     The token being invalidated.
+     *
+     * @throws GuacamoleException
+     *     If the specified token does not exist.
      */
     @DELETE
     @Path("/{token}")
-    @AuthProviderRESTExposure
+    public void invalidateToken(@PathParam("token") String authToken)
-    public void invalidateToken(@PathParam("token") String authToken) {
+            throws GuacamoleException {
         
         GuacamoleSession session = tokenSessionMap.remove(authToken);
         if (session == null)
-            throw new APIException(APIError.Type.NOT_FOUND, "No such token.");
+            throw new GuacamoleResourceNotFoundException("No such token.");
 
         session.invalidate();
 

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/connection/ConnectionRESTService.java

@@ -49,7 +49,6 @@ import org.glyptodon.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
 import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
 import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
 import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
 import org.glyptodon.guacamole.protocol.GuacamoleConfiguration;
@@ -105,7 +104,6 @@ public class ConnectionRESTService {
      */
     @GET
     @Path("/{connectionID}")
-    @AuthProviderRESTExposure
     public APIConnection getConnection(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionID") String connectionID)
@@ -141,7 +139,6 @@ public class ConnectionRESTService {
      */
     @GET
     @Path("/{connectionID}/parameters")
-    @AuthProviderRESTExposure
     public Map<String, String> getConnectionParameters(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionID") String connectionID)
@@ -195,7 +192,6 @@ public class ConnectionRESTService {
      */
     @GET
     @Path("/{connectionID}/history")
-    @AuthProviderRESTExposure
     public List<APIConnectionRecord> getConnectionHistory(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionID") String connectionID)
@@ -235,7 +231,6 @@ public class ConnectionRESTService {
      */
     @DELETE
     @Path("/{connectionID}")
-    @AuthProviderRESTExposure
     public void deleteConnection(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionID") String connectionID)
@@ -275,7 +270,6 @@ public class ConnectionRESTService {
      */
     @POST
     @Produces(MediaType.TEXT_PLAIN)
-    @AuthProviderRESTExposure
     public String createConnection(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             APIConnection connection) throws GuacamoleException {
@@ -320,7 +314,6 @@ public class ConnectionRESTService {
      */
     @PUT
     @Path("/{connectionID}")
-    @AuthProviderRESTExposure
     public void updateConnection(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionID") String connectionID,

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/connectiongroup/ConnectionGroupRESTService.java

@@ -41,7 +41,6 @@ import org.glyptodon.guacamole.net.auth.Directory;
 import org.glyptodon.guacamole.net.auth.UserContext;
 import org.glyptodon.guacamole.net.auth.permission.ObjectPermission;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
 import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
 import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
 import org.slf4j.Logger;
@@ -96,7 +95,6 @@ public class ConnectionGroupRESTService {
      */
     @GET
     @Path("/{connectionGroupID}")
-    @AuthProviderRESTExposure
     public APIConnectionGroup getConnectionGroup(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionGroupID") String connectionGroupID)
@@ -138,7 +136,6 @@ public class ConnectionGroupRESTService {
      */
     @GET
     @Path("/{connectionGroupID}/tree")
-    @AuthProviderRESTExposure
     public APIConnectionGroup getConnectionGroupTree(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionGroupID") String connectionGroupID,
@@ -176,7 +173,6 @@ public class ConnectionGroupRESTService {
      */
     @DELETE
     @Path("/{connectionGroupID}")
-    @AuthProviderRESTExposure
     public void deleteConnectionGroup(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionGroupID") String connectionGroupID)
@@ -218,7 +214,6 @@ public class ConnectionGroupRESTService {
      */
     @POST
     @Produces(MediaType.TEXT_PLAIN)
-    @AuthProviderRESTExposure
     public String createConnectionGroup(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             APIConnectionGroup connectionGroup) throws GuacamoleException {
@@ -263,7 +258,6 @@ public class ConnectionGroupRESTService {
      */
     @PUT
     @Path("/{connectionGroupID}")
-    @AuthProviderRESTExposure
     public void updateConnectionGroup(@QueryParam("token") String authToken, 
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("connectionGroupID") String connectionGroupID,

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/schema/SchemaRESTService.java

@@ -38,7 +38,6 @@ import org.glyptodon.guacamole.environment.LocalEnvironment;
 import org.glyptodon.guacamole.form.Form;
 import org.glyptodon.guacamole.net.auth.UserContext;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
 import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
 import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
 import org.glyptodon.guacamole.protocols.ProtocolInfo;
@@ -86,7 +85,6 @@ public class SchemaRESTService {
      */
     @GET
     @Path("/users/attributes")
-    @AuthProviderRESTExposure
     public Collection<Form> getUserAttributes(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier)
             throws GuacamoleException {
@@ -118,7 +116,6 @@ public class SchemaRESTService {
      */
     @GET
     @Path("/connections/attributes")
-    @AuthProviderRESTExposure
     public Collection<Form> getConnectionAttributes(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier)
             throws GuacamoleException {
@@ -151,7 +148,6 @@ public class SchemaRESTService {
      */
     @GET
     @Path("/connectionGroups/attributes")
-    @AuthProviderRESTExposure
     public Collection<Form> getConnectionGroupAttributes(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier)
             throws GuacamoleException {
@@ -186,7 +182,6 @@ public class SchemaRESTService {
      */
     @GET
     @Path("/protocols")
-    @AuthProviderRESTExposure
     public Map<String, ProtocolInfo> getProtocols(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier)
             throws GuacamoleException {

guacamole/src/main/java/org/glyptodon/guacamole/net/basic/rest/user/UserRESTService.java

@@ -39,8 +39,10 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
+import org.glyptodon.guacamole.GuacamoleClientException;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.GuacamoleResourceNotFoundException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
 import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
 import org.glyptodon.guacamole.net.auth.Credentials;
 import org.glyptodon.guacamole.net.auth.Directory;
@@ -53,12 +55,9 @@ import org.glyptodon.guacamole.net.auth.permission.Permission;
 import org.glyptodon.guacamole.net.auth.permission.SystemPermission;
 import org.glyptodon.guacamole.net.auth.permission.SystemPermissionSet;
 import org.glyptodon.guacamole.net.basic.GuacamoleSession;
-import org.glyptodon.guacamole.net.basic.rest.APIError;
 import org.glyptodon.guacamole.net.basic.rest.APIPatch;
 import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.add;
 import static org.glyptodon.guacamole.net.basic.rest.APIPatch.Operation.remove;
-import org.glyptodon.guacamole.net.basic.rest.AuthProviderRESTExposure;
-import org.glyptodon.guacamole.net.basic.rest.APIException;
 import org.glyptodon.guacamole.net.basic.rest.ObjectRetrievalService;
 import org.glyptodon.guacamole.net.basic.rest.PATCH;
 import org.glyptodon.guacamole.net.basic.rest.auth.AuthenticationService;
@@ -150,7 +149,6 @@ public class UserRESTService {
      *     If an error is encountered while retrieving users.
      */
     @GET
-    @AuthProviderRESTExposure
     public List<APIUser> getUsers(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @QueryParam("permission") List<ObjectPermission.Type> permissions)
@@ -205,7 +203,6 @@ public class UserRESTService {
      */
     @GET
     @Path("/{username}")
-    @AuthProviderRESTExposure
     public APIUser getUser(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username)
@@ -241,7 +238,6 @@ public class UserRESTService {
      */
     @POST
     @Produces(MediaType.TEXT_PLAIN)
-    @AuthProviderRESTExposure
     public String createUser(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier, APIUser user)
             throws GuacamoleException {
@@ -285,7 +281,6 @@ public class UserRESTService {
      */
     @PUT
     @Path("/{username}")
-    @AuthProviderRESTExposure
     public void updateUser(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username, APIUser user) 
@@ -299,14 +294,11 @@ public class UserRESTService {
 
         // Validate data and path are sane
         if (!user.getUsername().equals(username))
-            throw new APIException(APIError.Type.BAD_REQUEST,
+            throw new GuacamoleClientException("Username in path does not match username provided JSON data.");
-                    "Username in path does not match username provided JSON data.");
         
         // A user may not use this endpoint to modify himself
-        if (userContext.self().getIdentifier().equals(user.getUsername())) {
+        if (userContext.self().getIdentifier().equals(user.getUsername()))
-            throw new APIException(APIError.Type.PERMISSION_DENIED,
+            throw new GuacamoleSecurityException("Permission denied.");
-                    "Permission denied.");
-        }
 
         // Get the user
         User existingUser = retrievalService.retrieveUser(userContext, username);
@@ -349,7 +341,6 @@ public class UserRESTService {
      */
     @PUT
     @Path("/{username}/password")
-    @AuthProviderRESTExposure
     public void updatePassword(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username,
@@ -369,18 +360,15 @@ public class UserRESTService {
         // Verify that the old password was correct
         try {
             AuthenticationProvider authProvider = userContext.getAuthenticationProvider();
-            if (authProvider.authenticateUser(credentials) == null) {
+            if (authProvider.authenticateUser(credentials) == null)
-                throw new APIException(APIError.Type.PERMISSION_DENIED,
+                throw new GuacamoleSecurityException("Permission denied.");
-                        "Permission denied.");
-            }
         }
 
         // Pass through any credentials exceptions as simple permission denied
         catch (GuacamoleCredentialsException e) {
-            throw new APIException(APIError.Type.PERMISSION_DENIED,
+            throw new GuacamoleSecurityException("Permission denied.");
-                    "Permission denied.");
         }
-        
+
         // Get the user directory
         Directory<User> userDirectory = userContext.getUserDirectory();
         
@@ -414,7 +402,6 @@ public class UserRESTService {
      */
     @DELETE
     @Path("/{username}")
-    @AuthProviderRESTExposure
     public void deleteUser(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username) 
@@ -458,7 +445,6 @@ public class UserRESTService {
      */
     @GET
     @Path("/{username}/permissions")
-    @AuthProviderRESTExposure
     public APIPermissionSet getPermissions(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username) 
@@ -499,11 +485,14 @@ public class UserRESTService {
      *
      * @param permission
      *     The permission being added or removed from the set.
+     *
+     * @throws GuacamoleException
+     *     If the requested patch operation is not supported.
      */
     private <PermissionType extends Permission> void updatePermissionSet(
             APIPatch.Operation operation,
             PermissionSetPatch<PermissionType> permissionSetPatch,
-            PermissionType permission) {
+            PermissionType permission) throws GuacamoleException {
 
         // Add or remove permission based on operation
         switch (operation) {
@@ -520,8 +509,7 @@ public class UserRESTService {
 
             // Unsupported patch operation
             default:
-                throw new APIException(APIError.Type.BAD_REQUEST,
+                throw new GuacamoleClientException("Unsupported patch operation: \"" + operation + "\"");
-                        "Unsupported patch operation: \"" + operation + "\"");
 
         }
 
@@ -553,7 +541,6 @@ public class UserRESTService {
      */
     @PATCH
     @Path("/{username}/permissions")
-    @AuthProviderRESTExposure
     public void patchPermissions(@QueryParam("token") String authToken,
             @PathParam("dataSource") String authProviderIdentifier,
             @PathParam("username") String username,
@@ -645,7 +632,7 @@ public class UserRESTService {
 
             // Otherwise, the path is not supported
             else
-                throw new APIException(APIError.Type.BAD_REQUEST, "Unsupported patch path: \"" + path + "\"");
+                throw new GuacamoleClientException("Unsupported patch path: \"" + path + "\"");
 
         } // end for each patch operation