GUACAMOLE-96: Merge allow extensions to decorate each other's objects.

guacamole/src/main/java/org/apache/guacamole/GuacamoleSession.java

@@ -28,6 +28,7 @@ import org.apache.guacamole.net.GuacamoleTunnel;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
 import org.apache.guacamole.net.auth.UserContext;
+import org.apache.guacamole.rest.auth.DecoratedUserContext;
 import org.apache.guacamole.tunnel.UserTunnel;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,7 +53,7 @@ public class GuacamoleSession {
      * All UserContexts associated with this session. Each
      * AuthenticationProvider may provide its own UserContext.
      */
-    private List<UserContext> userContexts;
+    private List<DecoratedUserContext> userContexts;
 
     /**
      * All currently-active tunnels, indexed by tunnel UUID.
@@ -84,7 +85,7 @@ public class GuacamoleSession {
      */
     public GuacamoleSession(Environment environment,
             AuthenticatedUser authenticatedUser,
-            List<UserContext> userContexts)
+            List<DecoratedUserContext> userContexts)
             throws GuacamoleException {
         this.lastAccessedTime = System.currentTimeMillis();
         this.authenticatedUser = authenticatedUser;
@@ -121,7 +122,7 @@ public class GuacamoleSession {
      *     An unmodifiable list of all UserContexts associated with this
      *     session.
      */
-    public List<UserContext> getUserContexts() {
+    public List<DecoratedUserContext> getUserContexts() {
         return Collections.unmodifiableList(userContexts);
     }
 
@@ -141,12 +142,12 @@ public class GuacamoleSession {
      * @throws GuacamoleException
      *     If no such UserContext exists.
      */
-    public UserContext getUserContext(String authProviderIdentifier)
+    public DecoratedUserContext getUserContext(String authProviderIdentifier)
             throws GuacamoleException {
 
         // Locate and return the UserContext associated with the
         // AuthenticationProvider having the given identifier, if any
-        for (UserContext userContext : getUserContexts()) {
+        for (DecoratedUserContext userContext : getUserContexts()) {
 
             // Get AuthenticationProvider associated with current UserContext
             AuthenticationProvider authProvider = userContext.getAuthenticationProvider();
@@ -170,7 +171,7 @@ public class GuacamoleSession {
      * @param userContexts
      *     The List of UserContexts to associate with this session.
      */
-    public void setUserContexts(List<UserContext> userContexts) {
+    public void setUserContexts(List<DecoratedUserContext> userContexts) {
         this.userContexts = userContexts;
     }
     

guacamole/src/main/java/org/apache/guacamole/extension/AuthenticationProviderFacade.java

@@ -158,6 +158,35 @@ public class AuthenticationProviderFacade implements AuthenticationProvider {
         
     }
 
+    @Override
+    public UserContext decorate(UserContext context,
+            AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Do nothing if underlying auth provider could not be loaded
+        if (authProvider == null)
+            return context;
+
+        // Delegate to underlying auth provider
+        return authProvider.decorate(context, authenticatedUser, credentials);
+
+    }
+
+    @Override
+    public UserContext redecorate(UserContext decorated, UserContext context,
+            AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Do nothing if underlying auth provider could not be loaded
+        if (authProvider == null)
+            return context;
+
+        // Delegate to underlying auth provider
+        return authProvider.redecorate(decorated, context,
+                authenticatedUser, credentials);
+
+    }
+
     @Override
     public void shutdown() {
         if (authProvider != null)

guacamole/src/main/java/org/apache/guacamole/rest/RESTServiceModule.java

@@ -33,6 +33,7 @@ import org.codehaus.jackson.jaxrs.JacksonJsonProvider;
 import org.apache.guacamole.rest.auth.TokenRESTService;
 import org.apache.guacamole.rest.auth.AuthTokenGenerator;
 import org.apache.guacamole.rest.auth.AuthenticationService;
+import org.apache.guacamole.rest.auth.DecorationService;
 import org.apache.guacamole.rest.auth.SecureRandomAuthTokenGenerator;
 import org.apache.guacamole.rest.auth.TokenSessionMap;
 import org.apache.guacamole.rest.connection.ConnectionModule;
@@ -80,6 +81,7 @@ public class RESTServiceModule extends ServletModule {
         bind(ListenerService.class);
         bind(AuthenticationService.class);
         bind(AuthTokenGenerator.class).to(SecureRandomAuthTokenGenerator.class);
+        bind(DecorationService.class);
 
         // Automatically translate GuacamoleExceptions for REST methods
         MethodInterceptor interceptor = new RESTExceptionWrapper();

guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java

@@ -78,6 +78,12 @@ public class AuthenticationService {
     @Inject
     private AuthTokenGenerator authTokenGenerator;
 
+    /**
+     * Service for applying or reapplying layers of decoration.
+     */
+    @Inject
+    private DecorationService decorationService;
+
     /**
      * The service to use to notify registered authentication listeners.
      */
@@ -343,26 +349,30 @@ public class AuthenticationService {
      * @throws GuacamoleException
      *     If an error occurs while creating or updating any UserContext.
      */
-    private List<UserContext> getUserContexts(GuacamoleSession existingSession,
+    private List<DecoratedUserContext> getUserContexts(GuacamoleSession existingSession,
             AuthenticatedUser authenticatedUser, Credentials credentials)
             throws GuacamoleException {
 
-        List<UserContext> userContexts = new ArrayList<UserContext>(authProviders.size());
+        List<DecoratedUserContext> userContexts =
+                new ArrayList<DecoratedUserContext>(authProviders.size());
 
         // If UserContexts already exist, update them and add to the list
         if (existingSession != null) {
 
             // Update all old user contexts
-            List<UserContext> oldUserContexts = existingSession.getUserContexts();
-            for (UserContext oldUserContext : oldUserContexts) {
+            List<DecoratedUserContext> oldUserContexts = existingSession.getUserContexts();
+            for (DecoratedUserContext userContext : oldUserContexts) {
+
+                UserContext oldUserContext = userContext.getUndecoratedUserContext();
 
                 // Update existing UserContext
                 AuthenticationProvider authProvider = oldUserContext.getAuthenticationProvider();
-                UserContext userContext = authProvider.updateUserContext(oldUserContext, authenticatedUser, credentials);
+                UserContext updatedUserContext = authProvider.updateUserContext(oldUserContext, authenticatedUser, credentials);
 
                 // Add to available data, if successful
-                if (userContext != null)
-                    userContexts.add(userContext);
+                if (updatedUserContext != null)
+                    userContexts.add(decorationService.redecorate(userContext,
+                            updatedUserContext, authenticatedUser, credentials));
 
                 // If unsuccessful, log that this happened, as it may be a bug
                 else
@@ -384,7 +394,8 @@ public class AuthenticationService {
 
                 // Add to available data, if successful
                 if (userContext != null)
-                    userContexts.add(userContext);
+                    userContexts.add(decorationService.decorate(userContext,
+                            authenticatedUser, credentials));
 
             }
 
@@ -428,7 +439,7 @@ public class AuthenticationService {
 
         // Get up-to-date AuthenticatedUser and associated UserContexts
         AuthenticatedUser authenticatedUser = getAuthenticatedUser(existingSession, credentials);
-        List<UserContext> userContexts = getUserContexts(existingSession, authenticatedUser, credentials);
+        List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, credentials);
 
         // Update existing session, if it exists
         String authToken;
@@ -513,7 +524,7 @@ public class AuthenticationService {
      * @throws GuacamoleException
      *     If the auth token does not correspond to any logged in user.
      */
-    public List<UserContext> getUserContexts(String authToken)
+    public List<DecoratedUserContext> getUserContexts(String authToken)
             throws GuacamoleException {
         return getGuacamoleSession(authToken).getUserContexts();
     }

guacamole/src/main/java/org/apache/guacamole/rest/auth/DecoratedUserContext.java

@@ -0,0 +1,361 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest.auth;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.DelegatingUserContext;
+import org.apache.guacamole.net.auth.UserContext;
+
+/**
+ * A UserContext which has been decorated by an AuthenticationProvider through
+ * invoking decorate() or redecorate().
+ */
+public class DecoratedUserContext extends DelegatingUserContext {
+
+    /**
+     * The original, undecorated UserContext.
+     */
+    private final UserContext undecoratedUserContext;
+
+    /**
+     * The AuthenticationProvider which applied this layer of decoration.
+     */
+    private final AuthenticationProvider decoratingAuthenticationProvider;
+
+    /**
+     * The DecoratedUserContext which applies the layer of decoration
+     * immediately beneath this DecoratedUserContext. If no further decoration
+     * has been applied, this will be null.
+     */
+    private final DecoratedUserContext decoratedUserContext;
+
+    /**
+     * Decorates a newly-created UserContext (as would be returned by
+     * getUserContext()), invoking the decorate() function of the given
+     * AuthenticationProvider to apply an additional layer of decoration. If the
+     * AuthenticationProvider originated the given UserContext, this function
+     * has no effect.
+     *
+     * @param authProvider
+     *     The AuthenticationProvider which should be used to decorate the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The UserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @return
+     *     A UserContext instance which has been decorated (wrapped) by the
+     *     given AuthenticationProvider, or the original UserContext if the
+     *     given AuthenticationProvider originated the UserContext.
+     *
+     * @throws GuacamoleException
+     *     If the given AuthenticationProvider fails while decorating the
+     *     UserContext.
+     */
+    private static UserContext decorate(AuthenticationProvider authProvider,
+            UserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Skip the AuthenticationProvider which produced the UserContext
+        // being decorated
+        if (authProvider != userContext.getAuthenticationProvider()) {
+
+            // Apply layer of wrapping around UserContext
+            UserContext decorated = authProvider.decorate(userContext,
+                    authenticatedUser, credentials);
+
+            // Do not allow misbehaving extensions to wipe out the
+            // UserContext entirely
+            if (decorated != null)
+                return decorated;
+
+        }
+
+        return userContext;
+
+    }
+
+    /**
+     * Redecorates an updated UserContext (as would be returned by
+     * updateUserContext()), invoking the redecorate() function of the given
+     * AuthenticationProvider to apply an additional layer of decoration. If the
+     * AuthenticationProvider originated the given UserContext, this function
+     * has no effect.
+     *
+     * @param decorated
+     *     The DecoratedUserContext associated with an older version of the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The new version of the UserContext which should be decorated.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @return
+     *     A UserContext instance which has been decorated (wrapped) by the
+     *     given AuthenticationProvider, or the original UserContext if the
+     *     given AuthenticationProvider originated the UserContext.
+     *
+     * @throws GuacamoleException
+     *     If the given AuthenticationProvider fails while decorating the
+     *     UserContext.
+     */
+    private static UserContext redecorate(DecoratedUserContext decorated,
+            UserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        AuthenticationProvider authProvider = decorated.getDecoratingAuthenticationProvider();
+
+        // Skip the AuthenticationProvider which produced the UserContext
+        // being decorated
+        if (authProvider != userContext.getAuthenticationProvider()) {
+
+            // Apply next layer of wrapping around UserContext
+            UserContext redecorated = authProvider.redecorate(decorated,
+                    userContext, authenticatedUser, credentials);
+
+            // Do not allow misbehaving extensions to wipe out the
+            // UserContext entirely
+            if (redecorated != null)
+                return redecorated;
+
+        }
+
+        return userContext;
+
+    }
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the decorate() function
+     * of the given AuthenticationProvider to decorate the provided, undecorated
+     * UserContext. If the AuthenticationProvider originated the given
+     * UserContext, then the given UserContext is wrapped without any
+     * decoration.
+     *
+     * @param authProvider
+     *     The AuthenticationProvider which should be used to decorate the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The undecorated UserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @throws GuacamoleException
+     *     If any of the given AuthenticationProviders fails while decorating
+     *     the UserContext.
+     */
+    public DecoratedUserContext(AuthenticationProvider authProvider,
+            UserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Wrap the result of invoking decorate() on the given AuthenticationProvider
+        super(decorate(authProvider, userContext, authenticatedUser, credentials));
+        this.decoratingAuthenticationProvider = authProvider;
+
+        // The wrapped UserContext is undecorated
+        this.undecoratedUserContext = userContext;
+        this.decoratedUserContext = null;
+
+    }
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the decorate() function
+     * of the given AuthenticationProvider to apply an additional layer of
+     * decoration to a DecoratedUserContext. If the AuthenticationProvider
+     * originated the given UserContext, then the given UserContext is wrapped
+     * without any decoration.
+     *
+     * @param authProvider
+     *     The AuthenticationProvider which should be used to decorate the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The DecoratedUserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @throws GuacamoleException
+     *     If any of the given AuthenticationProviders fails while decorating
+     *     the UserContext.
+     */
+    public DecoratedUserContext(AuthenticationProvider authProvider,
+            DecoratedUserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Wrap the result of invoking decorate() on the given AuthenticationProvider
+        super(decorate(authProvider, userContext, authenticatedUser, credentials));
+        this.decoratingAuthenticationProvider = authProvider;
+
+        // The wrapped UserContext has at least one layer of decoration
+        this.undecoratedUserContext = userContext.getUndecoratedUserContext();
+        this.decoratedUserContext = userContext;
+
+    }
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the redecorate()
+     * function of the given AuthenticationProvider to reapply decoration to the
+     * provided, undecorated UserContext, which has been updated relative to a
+     * past version which was decorated. If the AuthenticationProvider
+     * originated the given UserContext, then the given UserContext is wrapped
+     * without any decoration.
+     *
+     * @param decorated
+     *     The DecoratedUserContext associated with the older version of the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The undecorated UserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @throws GuacamoleException
+     *     If any of the given AuthenticationProviders fails while decorating
+     *     the UserContext.
+     */
+    public DecoratedUserContext(DecoratedUserContext decorated,
+            UserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Wrap the result of invoking redecorate() on the given AuthenticationProvider
+        super(redecorate(decorated, userContext, authenticatedUser, credentials));
+        this.decoratingAuthenticationProvider = decorated.getDecoratingAuthenticationProvider();
+
+        // The wrapped UserContext is undecorated
+        this.undecoratedUserContext = userContext;
+        this.decoratedUserContext = null;
+
+    }
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the redecorate()
+     * function of the given AuthenticationProvider to reapply decoration to a
+     * DecoratedUserContext which already has at least one layer of decoration
+     * applied, and which is associated with a UserContext which was updated
+     * relative to a past version which was decorated. If the
+     * AuthenticationProvider originated the given UserContext, then the given
+     * UserContext is wrapped without any decoration.
+     *
+     * @param decorated
+     *     The DecoratedUserContext associated with the older version of the
+     *     UserContext wrapped within one or more layers of decoration.
+     *
+     * @param userContext
+     *     The DecoratedUserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @throws GuacamoleException
+     *     If any of the given AuthenticationProviders fails while decorating
+     *     the UserContext.
+     */
+    public DecoratedUserContext(DecoratedUserContext decorated,
+            DecoratedUserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // Wrap the result of invoking redecorate() on the given AuthenticationProvider
+        super(redecorate(decorated, userContext, authenticatedUser, credentials));
+        this.decoratingAuthenticationProvider = decorated.getDecoratingAuthenticationProvider();
+
+        // The wrapped UserContext has at least one layer of decoration
+        this.undecoratedUserContext = userContext.getUndecoratedUserContext();
+        this.decoratedUserContext = userContext;
+
+    }
+
+    /**
+     * Returns the original UserContext with absolutely no layers of decoration
+     * applied.
+     *
+     * @return
+     *     The original, undecorated UserContext.
+     */
+    public UserContext getUndecoratedUserContext() {
+        return undecoratedUserContext;
+    }
+
+    /**
+     * Returns the AuthenticationProvider which applied the layer of decoration
+     * represented by this DecoratedUserContext.
+     *
+     * @return
+     *     The AuthenticationProvider which applied this layer of decoration.
+     */
+    public AuthenticationProvider getDecoratingAuthenticationProvider() {
+        return decoratingAuthenticationProvider;
+    }
+
+    /**
+     * Returns the DecoratedUserContext representing the next layer of
+     * decoration, itself decorated by this DecoratedUserContext. If no further
+     * layers of decoration exist, this will be null.
+     *
+     * @return
+     *     The DecoratedUserContext which applies the layer of decoration
+     *     immediately beneath this DecoratedUserContext, or null if no further
+     *     decoration has been applied.
+     */
+    public DecoratedUserContext getDecoratedUserContext() {
+        return decoratedUserContext;
+    }
+
+}

guacamole/src/main/java/org/apache/guacamole/rest/auth/DecorationService.java

@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.rest.auth;
+
+import com.google.inject.Inject;
+import java.util.Iterator;
+import java.util.List;
+
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.AuthenticationProvider;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.UserContext;
+
+/**
+ * A service for applying or reapplying layers of decoration to UserContexts.
+ * The semantics of UserContext decoration/redecoration is defined by the
+ * AuthenticationProvider interface.
+ */
+public class DecorationService {
+
+    /**
+     * All configured authentication providers which can be used to
+     * authenticate users or retrieve data associated with authenticated users.
+     */
+    @Inject
+    private List<AuthenticationProvider> authProviders;
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the decorate() function
+     * of all AuthenticationProviders to decorate the provided UserContext.
+     * Decoration by each AuthenticationProvider will occur in the order that
+     * the AuthenticationProviders were loaded. Only AuthenticationProviders
+     * which did not originate the given UserContext will be used.
+     *
+     * @param userContext
+     *     The UserContext to decorate.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @return
+     *     A new DecoratedUserContext which has been decorated by all
+     *     AuthenticationProviders.
+     *
+     * @throws GuacamoleException
+     *     If any AuthenticationProvider fails while decorating the UserContext.
+     */
+    public DecoratedUserContext decorate(UserContext userContext,
+            AuthenticatedUser authenticatedUser, Credentials credentials)
+            throws GuacamoleException {
+
+        // Get first AuthenticationProvider in list
+        Iterator<AuthenticationProvider> current = authProviders.iterator();
+        if (!current.hasNext())
+            return null;
+
+        // Use first AuthenticationProvider to produce the root-level
+        // decorated UserContext
+        DecoratedUserContext decorated = new DecoratedUserContext(current.next(),
+                userContext, authenticatedUser, credentials);
+
+        // Repeatedly wrap the decorated UserContext with additional layers of
+        // decoration for each remaining AuthenticationProvider
+        while (current.hasNext()) {
+            decorated = new DecoratedUserContext(current.next(), decorated,
+                    authenticatedUser, credentials);
+        }
+
+        return decorated;
+
+    }
+
+    /**
+     * Creates a new DecoratedUserContext, invoking the the redecorate()
+     * function of all AuthenticationProviders to reapply decoration. Decoration
+     * by each AuthenticationProvider will occur in the order that the
+     * AuthenticationProviders were loaded. Only AuthenticationProviders which
+     * did not originate the given UserContext will be used.
+     *
+     * @param decorated
+     *     The DecoratedUserContext associated with an older version of the
+     *     given UserContext.
+     *
+     * @param userContext
+     *     The new version of the UserContext which should be decorated.
+     *
+     * @param authenticatedUser
+     *     The AuthenticatedUser identifying the user associated with the given
+     *     UserContext.
+     *
+     * @param credentials
+     *     The credentials associated with the request which produced the given
+     *     UserContext.
+     *
+     * @return
+     *     A new DecoratedUserContext which has been decorated by all
+     *     AuthenticationProviders.
+     *
+     * @throws GuacamoleException
+     *     If any AuthenticationProvider fails while decorating the UserContext.
+     */
+    public DecoratedUserContext redecorate(DecoratedUserContext decorated,
+            UserContext userContext, AuthenticatedUser authenticatedUser,
+            Credentials credentials) throws GuacamoleException {
+
+        // If the given DecoratedUserContext contains further decorated layers,
+        // redecorate those first
+        DecoratedUserContext next = decorated.getDecoratedUserContext();
+        if (next != null) {
+            return new DecoratedUserContext(decorated,
+                    redecorate(next, userContext, authenticatedUser, credentials),
+                    authenticatedUser, credentials);
+        }
+
+        // If only one layer of decoration is present, simply redecorate that
+        // layer
+        return new DecoratedUserContext(decorated, userContext,
+                authenticatedUser, credentials);
+
+    }
+
+}

guacamole/src/main/java/org/apache/guacamole/rest/auth/TokenRESTService.java

@@ -186,7 +186,7 @@ public class TokenRESTService {
             throw new GuacamoleResourceNotFoundException("No such token.");
 
         // Build list of all available auth providers
-        List<UserContext> userContexts = session.getUserContexts();
+        List<DecoratedUserContext> userContexts = session.getUserContexts();
         List<String> authProviderIdentifiers = new ArrayList<String>(userContexts.size());
         for (UserContext userContext : userContexts)
             authProviderIdentifiers.add(userContext.getAuthenticationProvider().getIdentifier());