We decided not to shoe-horn this change into version 1.0.0, but in GUACAMOLE-684 I propose making a change such that the GuacamoleInsufficientCredentialsException takes precedence over GuacamoleInvalidCredentialsException. You can see the proposed changes in this PR:

https://github.com/apache/guacamole-client/pull/352

My driver for making this change is that, currently, if you have, for example, the JDBC module and the RADIUS module (in that order), and the RADIUS module issues a GuacamoleInsufficientCredentialsException because it is doing Challenge/Response authentication, authentication will fail because the JDBC module generates the first Credential Exception, which is a GuacamoleInvalidCredentialsException, and the second CredentialException, the GuacamoleInsufficientCredentialsException thrown by the RADIUS module, is ignored. The current work-around is to load the RADIUS module, first, so that it is evaluated, first, and the Insufficient exception occurs, first, and is kept over the Invalid exception.

My rationale is that it is very likely that, if an Insufficient Credentials Exception is issued, that authentication has at least part-way succeeded, and the user is needing to enter additional information, versus the Invalid Credentials Exception, which indicates a failure.

Mike suggested further discussion on this as it does represent a significant change in behavior, so...any other thoughts? Any scenarios that anyone can foresee where this behavior would not be desirable, or where a vulnerability may be introduced by doing so? We can stick with the current work-around, if there are objections, but if no one objects I propose changing the code to avoid the need for the work-around.

-Nick
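
The ordering problem described in the message above, as an added example that is not part of the original message and is not code from Guacamole or the linked PR: a minimal provider chain that compares the "first credentials exception is kept" rule with the proposed "insufficient takes precedence" rule for both load orders. The exception classes, the `Provider` interface and the `authenticate` loop are hypothetical stand-ins, and the assumption that the first successful provider ends the loop belongs to this sketch.

```java
import java.util.List;

public class CredentialPrecedenceDemo {

    // Stand-ins for the two exception types named in the message (not Guacamole's classes).
    static class CredentialsException extends Exception {
        CredentialsException(String message) { super(message); }
    }
    static class InvalidCredentials extends CredentialsException {
        InvalidCredentials(String message) { super(message); }
    }
    static class InsufficientCredentials extends CredentialsException {
        InsufficientCredentials(String message) { super(message); }
    }

    // Hypothetical provider: returns a user name or throws a credentials exception.
    interface Provider { String authenticate() throws CredentialsException; }

    static String authenticate(List<Provider> chain, boolean insufficientWins)
            throws CredentialsException {
        CredentialsException kept = null;
        for (Provider provider : chain) {
            try {
                return provider.authenticate();   // assumption: first success ends the loop
            } catch (CredentialsException e) {
                // Proposed rule: a later "insufficient" replaces an earlier "invalid".
                boolean upgrade = insufficientWins
                        && e instanceof InsufficientCredentials
                        && !(kept instanceof InsufficientCredentials);
                if (kept == null || upgrade) kept = e;   // otherwise the first one is kept
            }
        }
        if (kept != null) throw kept;
        throw new InvalidCredentials("no provider configured");
    }

    static String outcome(List<Provider> chain, boolean insufficientWins) {
        try { return "authenticated as " + authenticate(chain, insufficientWins); }
        catch (CredentialsException e) { return e.getClass().getSimpleName() + ": " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Constructed providers mirroring the JDBC and RADIUS behaviour in the message.
        Provider jdbc = () -> { throw new InvalidCredentials("jdbc: no matching user"); };
        Provider radius = () -> { throw new InsufficientCredentials("radius: challenge response required"); };
        System.out.println("first kept, JDBC then RADIUS:   " + outcome(List.of(jdbc, radius), false));
        System.out.println("first kept, RADIUS then JDBC:   " + outcome(List.of(radius, jdbc), false));
        System.out.println("insufficient wins, JDBC first:  " + outcome(List.of(jdbc, radius), true));
        System.out.println("insufficient wins, RADIUS first: " + outcome(List.of(radius, jdbc), true));
    }
}
```

Only the first case surfaces the invalid-credentials failure and hides the RADIUS challenge; under the proposed rule the result no longer depends on module load order.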
