GUACAMOLE-284: Reverse structure of restriction enforcement such that the default action is to deny access.

2025-09-08 06:01:22 +00:00 · 2017-06-04 14:04:56 -07:00
parent 0eef629a9d
commit c87ec1bf5d
1 changed files with 41 additions and 38 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -88,52 +88,55 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
        // Retrieve user account for already-authenticated user
        ModeledUser user = userService.retrieveUser(authenticationProvider, authenticatedUser);
-        if (user == null) {
+        if (user != null) {
-            // Do not invalidate the authentication result of users who were
+            // User data only exists for purposes of retrieval if the account
-            // authenticated via our own connection sharing links
+            // is not disabled
-            if (authenticatedUser instanceof SharedAuthenticatedUser)
+            UserModel userModel = user.getModel();
-                return null;
+            if (!userModel.isDisabled()) {
-            // Simply return no data if a database user account is not required
+                // Apply account restrictions if this extension authenticated
-            if (!environment.isUserRequired())
+                // the user OR if an account from this extension is explicitly
-                return null;
+                // required
                if (authenticatedUser instanceof ModeledAuthenticatedUser
                        || environment.isUserRequired()) {
-            // Otherwise, invalidate the authentication result, as database user
+                    // Verify user account is still valid as of today
-            // accounts are absolutely required
+                    if (!user.isAccountValid())
-            throw new GuacamoleInvalidCredentialsException("Invalid login",
+                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
-                    CredentialsInfo.USERNAME_PASSWORD);
+
                    // Verify user account is allowed to be used at the current time
                    if (!user.isAccountAccessible())
                        throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
                    // Update password if password is expired
                    if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
                        userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
                }
                // Link to user context
                ModeledUserContext context = userContextProvider.get();
                context.init(user.getCurrentUser());
                return context;
            }
        }
-        // Apply account restrictions if this extension authenticated the user
+        // Do not invalidate the authentication result of users who were
-        // OR if an account from this extension is explicitly required
+        // authenticated via our own connection sharing links
-        UserModel userModel = user.getModel();
+        if (authenticatedUser instanceof SharedAuthenticatedUser)
-        if (authenticatedUser instanceof ModeledAuthenticatedUser || environment.isUserRequired()) {
+            return null;
-            // If user is disabled, pretend user does not exist
+        // Simply return no data if a database user account is not required
-            if (userModel.isDisabled())
+        if (!environment.isUserRequired())
-                throw new GuacamoleInvalidCredentialsException("Invalid login",
+            return null;
                        CredentialsInfo.USERNAME_PASSWORD);
-            // Verify user account is still valid as of today
+        // Otherwise, invalidate the authentication result, as database user
-            if (!user.isAccountValid())
+        // accounts are absolutely required
-                throw new GuacamoleClientException("LOGIN.ERROR_NOT_VALID");
+        throw new GuacamoleInvalidCredentialsException("Invalid login",
-
+                CredentialsInfo.USERNAME_PASSWORD);
            // Verify user account is allowed to be used at the current time
            if (!user.isAccountAccessible())
                throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
        }
        // Update password if password is expired
        if (userModel.isExpired() || passwordPolicyService.isPasswordExpired(user))
            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
        // Link to user context
        ModeledUserContext context = userContextProvider.get();
        context.init(user.getCurrentUser());
        return context;
    }