This implementation simply returns the provided {@code credentials}
+ * without performing any updates. Implementations that wish to perform
+ * credential updates for in-progress authentication requests should
+ * override this function.
+ */
+ @Override
+ public Credentials updateCredentials(Credentials credentials)
+ throws GuacamoleException {
+ return credentials;
+ }
+
/**
* {@inheritDoc}
*
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationProvider.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationProvider.java
index fd7d844780..680c7c3820 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationProvider.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationProvider.java
@@ -62,6 +62,33 @@ public interface AuthenticationProvider {
*/
Object getResource() throws GuacamoleException;
+ /**
+ * Given the set of credentials that a user has submitted during
+ * authentication but has not yet been provided to the
+ * {@link #authenticateUser(org.apache.guacamole.net.auth.Credentials)} or
+ * {@link #updateAuthenticatedUser(org.apache.guacamole.net.auth.AuthenticatedUser, org.apache.guacamole.net.auth.Credentials)}
+ * functions of installed AuthenticationProviders, returns the set of
+ * credentials that should be used instead. The returned credentials may
+ * be the original credentials, with or without modifications, or may be an
+ * entirely new {@link Credentials} object.
+ *
+ * @param credentials
+ * The credentials provided by a user during authentication.
+ *
+ * @return
+ * The set of credentials that should be provided to all
+ * AuthenticationProviders, including this AuthenticationProvider. This
+ * set of credentials may optionally be entirely new or may have been
+ * modified.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while updating the provided credentials.
+ */
+ default Credentials updateCredentials(Credentials credentials)
+ throws GuacamoleException {
+ return credentials;
+ }
+
/**
* Returns an AuthenticatedUser representing the user authenticated by the
* given credentials, if any.
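Review bot: The Javadoc on the new `updateCredentials` default method leaves the null contract unstated, although its `@return` says the result is what every installed AuthenticationProvider receives, "including this AuthenticationProvider". Because one extension's override therefore decides which username and password every other extension authenticates against, the `@return` text should say so explicitly and add something like `Must not be null; return the given credentials unchanged if no update applies.` It would also help to document how the results are combined when several providers override the method, since that is decided by the caller and is not visible in this hunk. A short remark that implementations should not log or persist the submitted credentials while rewriting them would fit here too.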
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java
index 45eebe80df..6ad0e240b3 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java
@@ -34,16 +34,6 @@
*/
public class Credentials implements Serializable {
- /**
- * The RESUME_QUERY is a query parameter key used to determine which
- * authentication provider's process should be resumed during multi-step
- * authentication. The auth provider will set this parameter before
- * redirecting to an external service, and it is checked upon return to
- * Guacamole to ensure the correct authentication state is continued
- * without starting over.
- */
- public static final String RESUME_QUERY = "provider_id";
-
/**
* Unique identifier associated with this specific version of Credentials.
*/
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java
index fcc365a9b7..2a2dd340f9 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java
@@ -36,6 +36,12 @@ public class IdentifierGenerator {
*/
private static final SecureRandom secureRandom = new SecureRandom();
+ /**
+ * IdentifierGenerator is a utility class that is not intended to be
+ * separately instantiated.
+ */
+ private IdentifierGenerator() {}
+
/**
* Generates a unique and unpredictable identifier. Each identifier is at
* least 256-bit and produced using a cryptographically-secure random
diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java
index 8c76694743..06ae3ea5c6 100644
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java
@@ -28,95 +28,6 @@
*/
public class GuacamoleInsufficientCredentialsException extends GuacamoleCredentialsException {
- /**
- * The default state token to use when no specific state information is provided.
- */
- private static final String DEFAULT_STATE = "";
-
- /**
- * The default provider identifier to use when no specific provider is identified.
- * This serves as a placeholder indicating that either no specific provider is
- * responsible for the exception or the responsible provider has not been identified.
- */
- private static final String DEFAULT_PROVIDER_IDENTIFIER = "";
-
- /**
- * The default query identifier to use when no specific query is identified.
- * This serves as a placeholder and indicates that the specific query related to
- * the provider's state resume operation has not been provided.
- */
- private static final String DEFAULT_QUERY_IDENTIFIER = "";
-
- /**
- * The default expiration timestamp to use when no specific expiration is provided,
- * effectively indicating that the state token does not expire.
- */
- private static final long DEFAULT_EXPIRES = -1L;
-
- /**
- * An opaque value that may be used by a client to maintain state across requests
- * which are part of the same authentication transaction.
- */
- protected final String state;
-
- /**
- * The identifier for the authentication provider that threw this exception.
- * This is used to link the exception back to the originating source of the
- * authentication attempt, allowing clients to determine which provider's
- * authentication process should be resumed.
- */
- protected final String providerIdentifier;
-
- /**
- * An identifier for the specific query within the URL for this provider that can
- * be checked to resume the authentication state.
- */
- protected final String queryIdentifier;
-
- /**
- * The timestamp after which the state token associated with the authentication process
- * should no longer be considered valid, expressed as the number of milliseconds since
- * UNIX epoch.
- */
- protected final long expires;
-
- /**
- * Creates a new GuacamoleInsufficientCredentialsException with the specified
- * message, the credential information required for authentication, the state
- * token associated with the authentication process, and an expiration timestamp.
- *
- * @param message
- * A human-readable description of the exception that occurred.
- *
- * @param credentialsInfo
- * Information describing the form of valid credentials.
- *
- * @param state
- * An opaque value that may be used by a client to maintain state
- * across requests which are part of the same authentication transaction.
- *
- * @param providerIdentifier
- * The identifier of the authentication provider that this exception pertains to.
- *
- * @param queryIdentifier
- * The identifier of the specific query parameter within the
- * authentication process that this exception pertains to.
- *
- * @param expires
- * The timestamp after which the state token associated with the
- * authentication process should no longer be considered valid, expressed
- * as the number of milliseconds since UNIX epoch.
- */
- public GuacamoleInsufficientCredentialsException(String message,
- CredentialsInfo credentialsInfo, String state,
- String providerIdentifier, String queryIdentifier, long expires) {
- super(message, credentialsInfo);
- this.state = state;
- this.providerIdentifier = providerIdentifier;
- this.queryIdentifier = queryIdentifier;
- this.expires = expires;
- }
-
/**
* Creates a new GuacamoleInsufficientCredentialsException with the given
* message, cause, and associated credential information.
@@ -133,10 +44,6 @@ public GuacamoleInsufficientCredentialsException(String message,
public GuacamoleInsufficientCredentialsException(String message, Throwable cause,
CredentialsInfo credentialsInfo) {
super(message, cause, credentialsInfo);
- this.state = DEFAULT_STATE;
- this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER;
- this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER;
- this.expires = DEFAULT_EXPIRES;
}
/**
@@ -151,10 +58,6 @@ public GuacamoleInsufficientCredentialsException(String message, Throwable cause
*/
public GuacamoleInsufficientCredentialsException(String message, CredentialsInfo credentialsInfo) {
super(message, credentialsInfo);
- this.state = DEFAULT_STATE;
- this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER;
- this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER;
- this.expires = DEFAULT_EXPIRES;
}
/**
@@ -169,52 +72,6 @@ public GuacamoleInsufficientCredentialsException(String message, CredentialsInfo
*/
public GuacamoleInsufficientCredentialsException(Throwable cause, CredentialsInfo credentialsInfo) {
super(cause, credentialsInfo);
- this.state = DEFAULT_STATE;
- this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER;
- this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER;
- this.expires = DEFAULT_EXPIRES;
- }
-
- /**
- * Retrieves the state token associated with the authentication process.
- *
- * @return The opaque state token used to maintain consistency across multiple
- * requests in the same authentication transaction.
- */
- public String getState() {
- return state;
- }
-
- /**
- * Retrieves the identifier of the authentication provider responsible for this exception.
- *
- * @return The identifier of the authentication provider, allowing clients to know
- * which provider's process should be resumed in response to this exception.
- */
- public String getProviderIdentifier() {
- return providerIdentifier;
- }
-
- /**
- * Retrieves the specific query identifier associated with the URL for the provider
- * that can be checked to resume the authentication state.
- *
- * @return The query identifier that serves as a reference to a specific point or
- * transaction within the provider's authentication process.
- */
- public String getQueryIdentifier() {
- return queryIdentifier;
- }
-
- /**
- * Retrieves the expiration timestamp of the state token, specified as the
- * number of milliseconds since the UNIX epoch.
- *
- * @return The expiration timestamp of the state token, or a negative value if
- * the token does not expire.
- */
- public long getExpires() {
- return expires;
}
}
diff --git a/guacamole/src/main/java/org/apache/guacamole/extension/AuthenticationProviderFacade.java b/guacamole/src/main/java/org/apache/guacamole/extension/AuthenticationProviderFacade.java
index 9855cd6fdd..b89b2ada64 100644
--- a/guacamole/src/main/java/org/apache/guacamole/extension/AuthenticationProviderFacade.java
+++ b/guacamole/src/main/java/org/apache/guacamole/extension/AuthenticationProviderFacade.java
@@ -119,6 +119,18 @@ public Object getResource() throws GuacamoleException {
}
+ @Override
+ public Credentials updateCredentials(Credentials credentials) throws GuacamoleException {
+
+ // Do nothing if underlying auth provider could not be loaded
+ if (authProvider == null)
+ return credentials;
+
+ // Delegate to underlying auth provider
+ return authProvider.updateCredentials(credentials);
+
+ }
+
/**
* Returns whether this authentication provider should tolerate internal
* failures during the authentication process, allowing other
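Review bot: The result of `authProvider.updateCredentials(credentials)` is returned unchecked, so a `null` from a misbehaving extension would be passed on as the credentials for the rest of the authentication flow. I would capture it first, `Credentials updated = authProvider.updateCredentials(credentials);`, and fail the request explicitly when `updated == null`, rather than let a later provider dereference it. The Javadoc just below the hunk refers to tolerating internal failures during authentication. Whether that tolerance is meant to apply to exceptions thrown from this delegate call is not visible here, so a one-line comment stating the intended behaviour would help.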
diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
index dc8d3bb7da..5a0e4c5fe7 100644
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
@@ -21,11 +21,8 @@
import java.util.ArrayList;
import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
@@ -47,7 +44,6 @@
import org.slf4j.LoggerFactory;
import com.google.inject.Singleton;
-import java.util.Iterator;
/**
* A service for performing authentication checks in REST endpoints.
@@ -103,11 +99,6 @@ public class AuthenticationService {
*/
public static final String TOKEN_PARAMETER_NAME = "token";
- /**
- * Map to store resumable authentication states with an expiration time.
- */
- private Map