[
https://issues.apache.org/jira/browse/GUACAMOLE-362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16131988#comment-16131988
]
Nicklas Björk commented on GUACAMOLE-362:
-----------------------------------------
I cloned and built GUACAMOLE-362 from your repo and as far as I can tell, it
works very well as long as the CAS server is releasing the password. The tokens
are populated with the username and password from CAS.
I tested with both of the following in the CAS service definition:
{code:javascript}
authorizedToReleaseCredentialPassword: true
{code}
and
{code:javascript}
authorizedToReleaseCredentialPassword: false
{code}
It seems like we are missing some error handling if the CAS server doesn't
release the password (when set to false above). I think we need to accept that
and I suppose the fallback should be to populate GUAC_PASSWORD with an empty
string?
{noformat}
11:42:14.412 [http-nio-8443-exec-6] ERROR o.a.g.rest.RESTExceptionWrapper - An
internal error occurred, but did not contain an error message. Enable
debug-level logging for details.
11:42:14.415 [http-nio-8443-exec-6] DEBUG o.a.g.rest.RESTExceptionWrapper -
Unexpected error in REST endpoint.
java.lang.NullPointerException: null
at
org.apache.guacamole.auth.cas.AuthenticationProviderService.authenticateUser(AuthenticationProviderService.java:114)
~[na:na]
at
org.apache.guacamole.auth.cas.CASAuthenticationProvider.authenticateUser(CASAuthenticationProvider.java:77)
~[na:na]
at
org.apache.guacamole.extension.AuthenticationProviderFacade.authenticateUser(AuthenticationProviderFacade.java:162)
~[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticateUser(AuthenticationService.java:152)
~[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.getAuthenticatedUser(AuthenticationService.java:239)
~[classes/:na]
at
org.apache.guacamole.rest.auth.AuthenticationService.authenticate(AuthenticationService.java:383)
~[classes/:na]
at
org.apache.guacamole.rest.auth.TokenRESTService.createToken(TokenRESTService.java:181)
~[classes/:na]
at
org.apache.guacamole.rest.RESTExceptionWrapper.invoke(RESTExceptionWrapper.java:153)
~[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[na:1.8.0_131]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[na:1.8.0_131]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[na:1.8.0_131]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_131]
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
[jersey-server-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
[jersey-servlet-1.17.1.jar:1.17.1]
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
[jersey-servlet-1.17.1.jar:1.17.1]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
[servlet-api-3.1.jar:na]
at
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
[guice-servlet-3.0.jar:na]
at
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
[guice-servlet-3.0.jar:na]
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
[guice-servlet-3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
[tomcat8-catalina-8.0.32.jar:8.0.32]
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
[tomcat8-coyote-8.0.32.jar:8.0.32]
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
[tomcat8-coyote-8.0.32.jar:8.0.32]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1504)
[tomcat8-coyote-8.0.32.jar:8.0.32]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1460)
[tomcat8-coyote-8.0.32.jar:8.0.32]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[na:1.8.0_131]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[na:1.8.0_131]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat8-util-8.0.32.jar:8.0.32]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Aug 18, 2017 11:42:14 AM com.sun.jersey.spi.container.ContainerResponse
logException
SEVERE: Mapped exception to response: 500 (Internal Server Error)
org.apache.guacamole.rest.APIException
at
org.apache.guacamole.rest.RESTExceptionWrapper.invoke(RESTExceptionWrapper.java:202)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
at
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
at
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
at
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
at
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
at
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
at
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
at
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
at
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1504)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1460)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
{noformat}
> CAS authentication and ClearPass
> --------------------------------
>
> Key: GUACAMOLE-362
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-362
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-cas
> Affects Versions: 0.9.13-incubating
> Reporter: Nicklas Björk
> Assignee: Nick Couchman
> Priority: Minor
>
> Because of the nature of logging in with CAS, Guacamole does not know the
> user password. That means that automatic login using the ${GUAC_USERNAME} and
> ${GUAC_PASSWORD} tokens cannot be used. It actually seems like the tokens
> are not available at all when using CAS as the authentication method.
> For the brave, CAS offers a functionality called ClearPass to deliver the
> password in an encrypted message to the requesting service
> (https://apereo.github.io/cas/5.1.x/integration/ClearPass.html). That could
> be a way to populate ${GUAC_PASSWORD}, as long as username and password are
> being used to authenticate the user in CAS. If the tokens are being used in a
> connection profile, but aren't populated, I guess it would make sense to fall
> back to manual login.
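
The fallback raised in the comment above, as an added example (not Guacamole's code and not from the commenter): the ClearPass attribute is treated as optional, so a service definition with `authorizedToReleaseCredentialPassword: false` yields an empty token instead of a `NullPointerException`. It assumes the password arrives as a base64-encoded RSA ciphertext in an attribute named `credential`; the class and method names are hypothetical and the key pair and password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

public class ClearPassFallback {

    // Assumption: attribute under which CAS releases the encrypted password.
    static final String CREDENTIAL_ATTR = "credential";

    /** Returns the decrypted password, or null when CAS released none. */
    static String extractPassword(Map<String, Object> attrs, PrivateKey key)
            throws GeneralSecurityException {
        Object raw = (attrs == null) ? null : attrs.get(CREDENTIAL_ATTR);
        if (raw == null || raw.toString().isEmpty())
            return null; // not released: report absence instead of dereferencing
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(raw.toString()));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Value for the GUAC_PASSWORD token: empty string when nothing was released. */
    static String passwordToken(String password) {
        return password == null ? "" : password;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // constructed test key, not a real service key

        // Simulate what the CAS server would do with the service's public key.
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        String blob = Base64.getEncoder().encodeToString(
                enc.doFinal("s3cret-sample".getBytes(StandardCharsets.UTF_8)));

        Map<String, Object> released = new HashMap<>(); // password released
        released.put(CREDENTIAL_ATTR, blob);
        Map<String, Object> withheld = new HashMap<>(); // password not released

        PrivateKey key = pair.getPrivate();
        System.out.println("released: " + passwordToken(extractPassword(released, key)));
        System.out.println("withheld: [" + passwordToken(extractPassword(withheld, key)) + "]");
    }
}
```

Keeping `null` distinct from `""` inside `extractPassword` leaves the caller free to choose between the empty-string token proposed in the comment and the manual-login fallback mentioned in the issue description.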