Repository: incubator-guacamole-client Updated Branches: refs/heads/master 32e5c3e68 -> 18565d171
GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to password reset. Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/4a1ffbfd Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/4a1ffbfd Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/4a1ffbfd Branch: refs/heads/master Commit: 4a1ffbfdccd0d42e44a164bdbd89176fe1a098ef Parents: 32e5c3e Author: Michael Jumper <[email protected]> Authored: Sat Dec 3 13:39:42 2016 -0800 Committer: Michael Jumper <[email protected]> Committed: Mon Dec 5 20:13:59 2016 -0800 ---------------------------------------------------------------------- .../jdbc/JDBCAuthenticationProviderService.java | 6 ++ .../guacamole/auth/jdbc/user/UserService.java | 90 ++++++++++++-------- 2 files changed, 62 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 8f98c74..a0d422a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -25,6 +25,7 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
+import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -98,6 +99,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 }
+ // Update password if password is expired
+ UserModel userModel = user.getModel();
+ if (userModel.isExpired())
+ userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
 // Link to user context
 ModeledUserContext context = userContextProvider.get();
 context.init(user.getCurrentUser());
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 16f25b5..c83d6cb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
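Review bot: The GuacamoleInsufficientCredentialsException raised by `userService.resetExpiredPassword(user, authenticatedUser.getCredentials())` now leaves getUserContext() instead of authenticateUser(), so whatever drives getUserContext() must surface that exception type to the client as a request for the new-password fields; if the login front-end only maps it to a credential prompt when it comes out of authenticateUser(), users with an expired password would see a plain login failure instead of the reset form. That caller is not visible here and getUserContext() itself starts before the hunk, so this is worth confirming rather than assuming. The comment `// Update password if password is expired` would also benefit from recording the ordering the commit depends on, e.g. `// Deferred to getUserContext() so other authentication providers can still reject the attempt before any password is changed`.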
@@ -319,40 +319,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 if (!user.isAccountAccessible())
 throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
- // Update password if password is expired
- if (userModel.isExpired()) {
-
- // Pull new password from HTTP request
- HttpServletRequest request = credentials.getRequest();
- String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
- String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
-
- // Require new password if account is expired
- if (newPassword == null || confirmNewPassword == null) {
- logger.info("The password of user \"{}\" has expired and must be reset.", username);
- throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
- }
-
- // New password must be different from old password
- if (newPassword.equals(credentials.getPassword()))
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
-
- // New password must not be blank
- if (newPassword.isEmpty())
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
-
- // Confirm that the password was entered correctly twice
- if (!newPassword.equals(confirmNewPassword))
- throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
-
- // Change password and reset expiration flag
- userModel.setExpired(false);
- user.setPassword(newPassword);
- userMapper.update(userModel);
- logger.info("Expired password of user \"{}\" has been reset.", username);
-
- }
-
 // Return now-authenticated user
 return user.getCurrentUser();
@@ -398,4 +364,60 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 }
+ /**
+ * Resets the password of the given user to the new password specified via
+ * the "new-password" and "confirm-new-password" parameters from the
+ * provided credentials. If these parameters are missing or invalid,
+ * additional credentials will be requested.
+ *
+ * @param user
+ * The user whose password should be reset.
+ *
+ * @param credentials
+ * The credentials from which the parameters required for password
+ * reset should be retrieved.
+ *
+ * @throws GuacamoleException
+ * If the password reset parameters within the given credentials are
+ * invalid or missing.
+ */
+ public void resetExpiredPassword(ModeledUser user, Credentials credentials)
+ throws GuacamoleException {
+
+ UserModel userModel = user.getModel();
+
+ // Get username
+ String username = user.getIdentifier();
+
+ // Pull new password from HTTP request
+ HttpServletRequest request = credentials.getRequest();
+ String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
+ String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
+
+ // Require new password if account is expired
+ if (newPassword == null || confirmNewPassword == null) {
+ logger.info("The password of user \"{}\" has expired and must be reset.", username);
+ throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
+ }
+
+ // New password must be different from old password
+ if (newPassword.equals(credentials.getPassword()))
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
+
+ // New password must not be blank
+ if (newPassword.isEmpty())
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
+
+ // Confirm that the password was entered correctly twice
+ if (!newPassword.equals(confirmNewPassword))
+ throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
+
+ // Change password and reset expiration flag
+ userModel.setExpired(false);
+ user.setPassword(newPassword);
+ userMapper.update(userModel);
+ logger.info("Expired password of user \"{}\" has been reset.", username);
+
+ }
+
 }
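Review bot: `credentials.getRequest()` is dereferenced at `request.getParameter(NEW_PASSWORD_PARAMETER)` without a null check; if a Credentials object can exist without an attached HTTP request (the Credentials class is not visible here), a user whose password is expired would hit a NullPointerException instead of the intended LOGIN.INFO_PASSWORD_EXPIRED prompt. Treating a missing request the same as missing parameters preserves the existing flow: `String newPassword = (request != null) ? request.getParameter(NEW_PASSWORD_PARAMETER) : null;` and `String confirmNewPassword = (request != null) ? request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER) : null;`. The method is also public and clears the expired flag and stores the new password unconditionally, relying on the caller to have checked `userModel.isExpired()` first; either state that precondition in the Javadoc or guard it locally with `if (!userModel.isExpired()) return;` so the method cannot change a password that was not actually expired.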
