mike-jumper commented on PR #758: URL: https://github.com/apache/guacamole-client/pull/758#issuecomment-1222970355
**NOTE:** This extension works by aborting authentication early by throwing a `GuacamoleClientTooManyException`, which immediately aborts via the following code path:

https://github.com/apache/guacamole-client/blob/fe56df73fbbe640ed276bac823bcfb2f296ac493/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L208-L211

This is naturally dependent on the order that extensions are loaded, hence naming things such that it's loaded first within the Docker image:

https://github.com/apache/guacamole-client/blob/fe56df73fbbe640ed276bac823bcfb2f296ac493/guacamole-docker/bin/start.sh#L1168-L1173

**Loading the extension before all other auth extensions is necessary for correct behavior with respect to timing**, and we'll have to document this in the manual.

If the extension is installed but _not_ loaded first, then extensions that load earlier will be given a chance to authenticate the user before guacamole-auth-ban can abort the auth process. Even though repeated auth attempts will still be blocked, the amount of time taken until that block occurs might vary by whether the credentials provided were valid according to those other extensions, and that variance in timing might allow an attacker to determine whether their guess is correct even though full auth is temporarily blocked.
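The load-order point in the comment above, as an added, simplified model that is not Guacamole code or part of the PR: a chain of authentication providers runs in load order, a "too many attempts" exception aborts the chain at once, and each provider charges deterministic work units in place of wall-clock time. The provider classes, the chain semantics (later providers still run after a non-`None` result so that a late ban can still block) and the sample account are all assumptions made for the illustration.

```python
# Simplified model of an ordered auth-provider chain (constructed example, not
# Guacamole code). Work units stand in for elapsed time so the run is deterministic.


class TooManyAttemptsError(Exception):
    """Stands in for GuacamoleClientTooManyException: aborts the whole chain."""


class Meter:
    """Deterministic stand-in for a clock: providers charge work units to it."""

    def __init__(self):
        self.elapsed = 0


class BanProvider:
    """Assumed stand-in for guacamole-auth-ban: rejects banned users immediately."""

    def __init__(self, banned):
        self.banned = set(banned)

    def authenticate(self, username, password, meter):
        meter.elapsed += 1  # in-memory ban-table lookup is cheap and constant
        if username in self.banned:
            raise TooManyAttemptsError(username)
        return None  # never authenticates anyone itself


class PasswordProvider:
    """Assumed stand-in for an ordinary auth extension (e.g. a database backend)."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password, meter):
        meter.elapsed += 5  # credential check costs the same for good and bad guesses
        if self.users.get(username) != password:
            return None
        meter.elapsed += 20  # building the user context only happens on success
        return username


def run_chain(providers, username, password):
    """Run providers in load order; return (result, work units spent before abort)."""
    meter, result = Meter(), None
    try:
        for provider in providers:
            user = provider.authenticate(username, password, meter)
            result = result if result is not None else user
    except TooManyAttemptsError:
        result = "blocked"  # the early abort the linked code path performs
    return result, meter.elapsed


def timing_spread(providers, username, guesses):
    """Work spent per guess: equal values mean the order leaks nothing."""
    return [run_chain(providers, username, g)[1] for g in guesses]


USERS = {"alice": "s3cret"}  # constructed sample account
ban, db = BanProvider(banned={"alice"}), PasswordProvider(USERS)

if __name__ == "__main__":
    guesses = ["wrong-guess", "s3cret"]
    print("ban first:", timing_spread([ban, db], "alice", guesses))  # [1, 1]
    print("ban last: ", timing_spread([db, ban], "alice", guesses))  # [6, 26]
```

With the ban provider first, a banned user's right and wrong guesses cost the same; with it loaded later, the attempt is still blocked but the cost differs by guess, which is the variance the comment warns about.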
