subbareddyalamur opened a new pull request, #1163: URL: https://github.com/apache/guacamole-client/pull/1163
## Summary When connecting through a BALANCING connection group, the JDBC layer internally selects and connects a child connection, bypassing the vault extension's `TokenInjectingConnection` wrapper. This means `addTokens(Connection)` is never called for the selected child, and vault-managed tokens (e.g. `KEEPER_USER_PASSWORD`) are not resolved — causing authentication failures on the child connection. This PR fixes two related issues: - **`VaultUserContext.addTokens(ConnectionGroup)`** now detects BALANCING groups and pre-resolves vault tokens for all child connections, ensuring tokens are available when the JDBC layer applies them to the selected child's configuration - **`KsmSecretService.getTokens()`** now guards against `null` `GuacamoleConfiguration`, which is always null for connection groups (they have no protocol configuration). Previously this caused a `NullPointerException` ## Root Cause `TokenInjectingConnectionGroup.connect()` calls `addTokens(ConnectionGroup)` and then delegates to the underlying JDBC connection group. For BALANCING groups, `AbstractGuacamoleTunnelService` acquires the child connection internally and connects it directly — the child is a raw `ModeledConnection`, NOT wrapped by `TokenInjectingConnection`. Therefore `addTokens(Connection)` is never invoked for the child, and vault tokens that depend on connection parameters (hostname, username) are never resolved. ## Changes | File | Change | |------|--------| | `VaultUserContext.java` | Iterate child connections of BALANCING groups in `addTokens(ConnectionGroup)` and resolve vault tokens for each child using privileged access to connection configuration | | `KsmSecretService.java` | Return early from `getTokens()` when `config` is null (connection groups have no `GuacamoleConfiguration`) | ## Test Plan - [ ] Connect to a **direct connection** with KSM vault tokens configured — tokens should resolve as before (no regression) - [ ] Connect through a **BALANCING connection group** containing connections with KSM vault tokens — tokens should now resolve correctly for the selected child connection - [ ] Connect through an **ORGANIZATIONAL connection group** — should behave as before (no BALANCING logic triggered) - [ ] Verify no `NullPointerException` in logs when connecting through any connection group type -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
