Re: How to get GuacamoleConfiguration from url?
On Mon, Dec 18, 2017 at 5:59 AM, genesiswrote: > > I could not find some topics about the anonymous_identifier const, is there > any example on how to use that? > The manual has an overview of the general authentication process, structure of a Guacamole extension, and the nature of the key interfaces: http://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-auth-providers The ANONYMOUS_IDENTIFIER is the value you will want to use for the identifier of the AuthenticatedUser object returned by your AuthenticationProvider implementation's authenticateUser() function. Doing this tells Guacamole that the user is authenticated but that they have no specific identity, and the Guacamole interface will adjust itself accordingly. My suggestion for going forward here would be to start by implementing AuthenticationProvider and gradually filling in the gaps - implementing authenticateUser(), implementing UserContext, implementing any applicable Directory objects, etc., leveraging the Simple* versions of these where helpful and applicable. There will likely be some point at which you can go back to using the Simple* objects, but the Simple* objects which deal with the main authentication process partly simplify things with the assumptions that the user's session will not change while they're logged in and that each user has a definite identity, which are incompatible with your intended use. Once you've started going through that implementation process, just come back here if you encounter specific problems or need specific clarification, and we can nudge you back on track. - Mike
Re: How to get GuacamoleConfiguration from url?
I could not find some topics about the anonymous_identifier const, is there any example on how to use that? Thanks! -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: How to get GuacamoleConfiguration from url?
Hi Mike, thanks for your response! Actually I just need to simplify the process. I just want to show the client screen directly (without login, home page menu, etc), after the user clicks on a url containing a single GuacamoleConfiguration. The validation process i will do transparently for the user, under the hood using the jwt token wich i get from the URL. This anonymous_identifier const seems promising, but i could not find a way on how to use it properly, do you know where i can find some example of how to use it? Thanks. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: How to get GuacamoleConfiguration from url?
On Wed, Dec 13, 2017 at 9:59 AM, genesiswrote: > Hi Carl, I see. > And what do you do with this cookie on the getAuthorizedConfiguration > method? Do you decrypt it and map to a Map > object? > > My doubt is, how do you update the configs list when the user opens another > tab, with another GuacamoleConfiguration on cookie? You must insert this > new > configuration in the configs object. One for the first url and one for the > second url, to have multiple connections at the same time. > > If the data available for the user will be changing with updated credentials, you will need to avoid the SimpleAuthenticationProvider class and instead implement AuthenticationProvider directly. The AuthenticationProvider interface provides two functions for producing the object representing the data available to the user: 1) getUserContext() - invoked upon successful authentication at the beginning of the user's session 2) updateUserContext() - invoked for new requests within an existing session, to allow for updating the UserContext based on new credentials You can leverage these to continuously update the data available to the user. I would also recommend looking into using the ANONYMOUS_IDENTIFIER for the AuthenticatedUser: http://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticatedUser.html#ANONYMOUS_IDENTIFIER An anonymous user has different semantics and is given a slightly different interface. The menu which contains user-specific options in the upper-right of most Guacamole screens is no longer shown, and the user's session is not persisted. A successful authentication attempt for an anonymous user in one tab will have no influence on tabs opened later; outside that tab, it will be as if the user is not logged in at all, with each new tab getting its own session. In this case, you wouldn't need to worry about updating the UserContext at all, and would just need to be sure to provide the correct data given a particular set of credentials. - Mike
Re: How to get GuacamoleConfiguration from url?
Hi Carl, I see. And what do you do with this cookie on the getAuthorizedConfiguration method? Do you decrypt it and map to a Mapobject? My doubt is, how do you update the configs list when the user opens another tab, with another GuacamoleConfiguration on cookie? You must insert this new configuration in the configs object. One for the first url and one for the second url, to have multiple connections at the same time. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: How to get GuacamoleConfiguration from url?
> On Dec 13, 2017, at 6:44 AM, genesiswrote: > Did just substitute the GUAC_AUTH value with the encoded jwt? No, we did not replace the GUAC_AUTH cookie. That's private state for Guacamole itself, so we didn't want to muck with it. We simply added our own cookie to the browser using a REST service running in the same domain, and evaluated that cookie in our custom auth provider when called in the getAuthorizedConfigurations(Credentials) method. carl
Re: How to get GuacamoleConfiguration from url?
> On Dec 12, 2017, at 3:21 PM, genesiswrote: > But after that, if I click on other url: > http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different > GuacamoleConfiguration parameters, the browser will open another tab, but > with the same connection of the first url, the same > (/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because > the id of the second connection is different. In our application we tried doing something very similar -- put a base64 encoded JWT into the URL as either a parameter or additional URI path segment and using a simple extension to process the URL -- and we had the same result. Instead we put the JWT into the browser as a session cookie, and modified our extension to look for the cookie containing our token. This worked for us. I feel I'd be remiss if I didn't point out, for those reading along who might be interested in doing something similar, it is really imperative with either of these approaches that you carefully validate the authenticity of the token. JWTs used in this way must be signed and signatures must be properly validated, and depending on what sorts of details you're including in connection parameters, should probably be encrypted as well. Also, the signing and encryption is worth nothing unless you're extremely careful about key management -- as an attacker, if I can get your key(s), I can almost certainly make tokens for myself that will let me access your resources via Guacamole. carl
Re: How to get GuacamoleConfiguration from url?
Hi, thanks for the quick reply. Guacamole maps the GuacamoleConfiguration from the noauth-config.xml file. In my scenario i would like to pass a single GuacamoleConfiguration through the URL (and yes, all of the data - protocol, username, password, etc), then map it to the Maptype, and its working fine now for one connection. When I click on a URL, i.e: http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_1}, the browser opens a new tab with the guacamoleconfig_encrypted_1 connection (and redirect to /#/client/NzI0NwBjAG5vYXV0aA) But after that, if I click on other url: http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different GuacamoleConfiguration parameters, the browser will open another tab, but with the same connection of the first url, the same (/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because the id of the second connection is different. If I understood correctly, I need to update the configs property in the updateAuthenticatedUser method of the SimpleAuthenticationProvider. So when the user clicks on the second URL, this method will be called and I add the new GuacamoleConfiguration(from the URL) to the existing configs property. But I am missing something, even after clicking on a second url and adding the GuacamoleConfiguration object to the configs theres just one connection on the angularjs side, on this piece of code exactly: var generateHomePage = function generateHomePage(rootGroups) { //.. var connection = connections[0]; } I dont know if its the right path to do that. -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: How to get GuacamoleConfiguration from url?
On Tue, Dec 12, 2017 at 2:29 PM, genesiswrote: > Hi, first of all I would like to congratulate the team for this amazing > product. > > I would like to provide the GuacamoleConfiguration data from a encrypted > string in URL, without authentication, with multiple connections, for > example: > I'm having a little trouble understanding what you're trying to do. When you say you would like to provide the "GuacamoleConfiguration" data from an encrypted string in the URL, are you saying that you are providing all of the data - hostname, protocol, port, username, password, etc., - encoded in the URL? Or you're providing a connection identifier in the URL and then mapping that on the servlet side? The later is the way Guacamole currently works - I wouldn't call it in encrypted token, I'd called it encoded. > > http://guacamoleclient:8090/#/{ENCRYPTED_TOKEN_1} > > First thing I did is to replace the noauth extension method > getAuthorizedConfigurations to take the config from the encrypted token, > and > it worked fine. > Please bear in mind that the noauth extension is deprecated and likely to be removed from future versions. Building an application upon this module is not likely to be a good long-term move, unless you intend to maintain the noauth module yourself in a separate repository from the main Guacamole code. > > The problem im facing now is for multiple connections at the same time. If > I > click on another URL with a different GuacamoleConfiguration of the first > one, a tab will open but with the same connection of the first URL. > Again, if you can clarify what you mean by GuacamoleConfiguration in the token in the URL, that might help figure out where to go from here. Regards, Nick
How to get GuacamoleConfiguration from url?
Hi, first of all I would like to congratulate the team for this amazing product. I would like to provide the GuacamoleConfiguration data from a encrypted string in URL, without authentication, with multiple connections, for example: http://guacamoleclient:8090/#/{ENCRYPTED_TOKEN_1} First thing I did is to replace the noauth extension method getAuthorizedConfigurations to take the config from the encrypted token, and it worked fine. The problem im facing now is for multiple connections at the same time. If I click on another URL with a different GuacamoleConfiguration of the first one, a tab will open but with the same connection of the first URL. Do you have some recipes or tips to resolve this problem? Thanks! -- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/