mike-jumper commented on PR #1028:
URL: https://github.com/apache/guacamole-client/pull/1028#issuecomment-2417700558

   The current approach with the various `*-case-sensitive-usernames` 
properties is that the property dictates how the relevant extension handles 
username comparisons, regardless of how the authenticating extension may handle 
username comparisons. I think the only way to be consistent with that logic 
would be for `HistoryTrackingConnection` to honor only the value from the 
`*-case-sensitive-usernames` property of the extension that defines that 
instance of `HistoryTrackingConnection`.
   
   I also think it would make sense to allow the authenticating extension to 
dictate how the identifiers it presents should be compared 
(`isCaseSensitive()`), but that would be different semantics from what we 
currently have here.
   
   To switch over to that approach, the other cases where case sensitivity is 
handled would need to be updated to honor `isCaseSensitive()` instead of 
relying purely on the configuration property, and care would need to be taken 
to make sure a case-insensitive authentication provider can't be used to 
escalate privileges (for example: by creating an unprivileged `GuAcAdMiN` user 
in some case-insensitive auth system, logging in as that user, and inheriting 
the permissions of `guacadmin`).
   
   The current approach is less automatic, but I think that's a Good Thing, 
since any change from the default, strict behavior must be explicitly requested 
by the admin.
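The escalation scenario above, as an added example in Java (not Guacamole's code; the `AuthenticatedUser` record, the `PERMISSIONS` map, the lookup methods and the "guarded" combination are assumptions made for illustration, and the input is constructed):

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Toy model, not Guacamole code, of the scenario in the comment: a permission
 * store that owns "guacadmin" is queried with an identifier produced by a
 * different, case-insensitive authentication provider.
 */
public class CaseSensitivityDemo {

    /** Minimal stand-in for a user presented by some authentication provider. */
    public record AuthenticatedUser(String identifier, boolean providerIsCaseSensitive) {}

    /** Permissions keyed by the exact identifier the store was configured with. */
    private static final Map<String, Set<String>> PERMISSIONS = new HashMap<>();
    static {
        PERMISSIONS.put("guacadmin", Set.of("ADMINISTER", "CREATE_USER", "CREATE_CONNECTION"));
        PERMISSIONS.put("alice", Set.of("READ"));
    }

    /** Canonical form, used only when a comparison is allowed to be case-insensitive. */
    private static String fold(String s) {
        // Locale.ROOT so locale rules (e.g. Turkish dotless i) cannot change
        // which usernames collide.
        return s.toLowerCase(Locale.ROOT);
    }

    /**
     * Current approach: this store's own *-case-sensitive-usernames property
     * (storeCaseSensitive, strict by default) dictates the comparison; what the
     * authenticating provider thinks about case is ignored.
     */
    public static Set<String> lookupByStoreProperty(AuthenticatedUser user, boolean storeCaseSensitive) {
        if (storeCaseSensitive) {
            return PERMISSIONS.getOrDefault(user.identifier(), Set.of());
        }
        String wanted = fold(user.identifier());
        for (Map.Entry<String, Set<String>> e : PERMISSIONS.entrySet()) {
            if (fold(e.getKey()).equals(wanted)) {
                return e.getValue();
            }
        }
        return Set.of();
    }

    /**
     * Alternative approach: honor the provider's isCaseSensitive() verdict.
     * Left unguarded, any case-insensitive provider widens the match on its own.
     */
    public static Set<String> lookupByProviderFlag(AuthenticatedUser user) {
        return lookupByStoreProperty(user, user.providerIsCaseSensitive());
    }

    /**
     * One possible guard (an assumption for illustration, not a design the
     * project has adopted): relax the comparison only when the store's admin has
     * explicitly opted in AND the provider is case-insensitive. The provider's
     * flag alone can never loosen matching against a strict store.
     */
    public static Set<String> lookupGuarded(AuthenticatedUser user, boolean storeCaseSensitive) {
        boolean effectiveCaseSensitive = storeCaseSensitive || user.providerIsCaseSensitive();
        return lookupByStoreProperty(user, effectiveCaseSensitive);
    }

    public static void main(String[] args) {
        // Constructed input: an unprivileged "GuAcAdMiN" account created in a
        // hypothetical case-insensitive auth system, then used to log in.
        AuthenticatedUser impostor = new AuthenticatedUser("GuAcAdMiN", false);

        // Strict default: no match, nothing inherited.
        System.out.println("store strict:    " + lookupByStoreProperty(impostor, true));
        // Admin explicitly relaxed this store: guacadmin's permissions are inherited.
        System.out.println("store relaxed:   " + lookupByStoreProperty(impostor, false));
        // Provider flag honored with no admin involvement: the same escalation, automatically.
        System.out.println("provider flag:   " + lookupByProviderFlag(impostor));
        // Guarded: the provider's flag cannot relax a store that is still strict.
        System.out.println("guarded, strict: " + lookupGuarded(impostor, true));
    }
}
```

Compile and run with a Java 16 or newer JDK (the example uses a record). The two middle lines of output are the escalation in the comment: once any path folds case without the store's admin having asked for it, `GuAcAdMiN` resolves to `guacadmin`'s permission set.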


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
