[ https://issues.apache.org/jira/browse/GUACAMOLE-2219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-2219:
-------------------------------------
    Priority: Minor  (was: Major)

> Vault tokens not resolved for child connections in BALANCING connection groups
> ------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2219
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2219
>             Project: Guacamole
>          Issue Type: Improvement
>            Reporter: Subba Reddy Alamuru
>            Priority: Minor
>
> When connecting through a BALANCING connection group, vault-managed tokens 
> (e.g. KEEPER_USER_PASSWORD, KEEPER_USER_USERNAME) are not resolved for the 
> child connection selected by the load balancer. This causes authentication 
> failures (e.g. "invalid credentials" for RDP) on connections that work 
> correctly when connected to directly.
> h3. Root Cause
> {{TokenInjectingConnectionGroup.connect()}} calls 
> {{addTokens(ConnectionGroup)}} and then delegates to the underlying JDBC 
> connection group. For BALANCING groups, {{AbstractGuacamoleTunnelService}} 
> acquires the child connection internally and connects it directly — the child 
> is a raw {{ModeledConnection}}, not wrapped by {{TokenInjectingConnection}}. 
> Therefore {{addTokens(Connection)}} is never invoked for the selected child, 
> and vault tokens that depend on connection parameters (hostname, username) 
> are never resolved.
> Additionally, {{KsmSecretService.getTokens()}} does not guard against a null 
> {{GuacamoleConfiguration}}, which is always null for connection groups (they 
> have no protocol configuration). This causes a {{NullPointerException}} 
> before the BALANCING group token resolution issue is even reached.
> h3. Fix
> # {{VaultUserContext.addTokens(ConnectionGroup)}} now detects BALANCING 
> groups and pre-resolves vault tokens for all child connections using 
> privileged access to connection configuration.
> # {{KsmSecretService.getTokens()}} now returns early when {{config}} is null.
> h3. Affected Versions
> All versions with vault extension support (tested on 1.5.5 and 1.6.0).
> PR: https://github.com/apache/guacamole-client/pull/1163



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
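
The root cause and fix quoted above, as an added example that is not Guacamole's code and is not taken from the PR: a simplified Java model in which every class and method name is a hypothetical stand-in. It contrasts a wrapper that resolves tokens only for the group with one that pre-resolves them for each child and guards against a null configuration.

```java
import java.util.*;

// Simplified model. All names are hypothetical stand-ins, not Guacamole's API.
public class BalancingTokenDemo {

    // Stand-in for a raw child connection: substitutes ${TOKEN} in one parameter.
    record RawConnection(String name, String passwordParam) {
        String connect(Map<String, String> tokens) {
            String value = passwordParam;
            for (Map.Entry<String, String> e : tokens.entrySet())
                value = value.replace("${" + e.getKey() + "}", e.getValue());
            return name + " password=" + value;
        }
    }

    // Stand-in for a BALANCING group: selects a child and connects it directly,
    // so no per-connection wrapper ever sees the selected child.
    record BalancingGroup(List<RawConnection> children) {
        String connect(Map<String, String> tokens) {
            return children.get(0).connect(tokens);
        }
    }

    // Hypothetical vault lookup. Groups have no configuration (null), so the
    // guard returns no tokens instead of dereferencing null.
    static Map<String, String> vaultTokens(RawConnection config) {
        if (config == null) return Map.of();
        return Map.of("KEEPER_USER_PASSWORD", "constructed-secret-" + config.name());
    }

    // Before: tokens are resolved for the group only; the child gets none.
    static String connectBefore(BalancingGroup group) {
        return group.connect(vaultTokens(null));
    }

    // After: tokens are pre-resolved for every child before delegating.
    static String connectAfter(BalancingGroup group) {
        Map<String, String> tokens = new HashMap<>(vaultTokens(null));
        for (RawConnection child : group.children()) tokens.putAll(vaultTokens(child));
        return group.connect(tokens);
    }

    public static void main(String[] args) {
        BalancingGroup group = new BalancingGroup(
            List.of(new RawConnection("rdp-1", "${KEEPER_USER_PASSWORD}")));
        System.out.println("before: " + connectBefore(group));
        System.out.println("after:  " + connectAfter(group));
    }
}
```

With several children, the flat map in this model keeps one value per token name, so the last child resolved wins; the page does not say how the PR handles children with different vault records.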