So precisely, instead of getting connection details from the user-mapping.xml, how can we embed the same into the URL at run time?

Regards,
Abdul Qadir

From: Abdul Qadir (aqadir)
Sent: Thursday, June 18, 2020 7:34 PM
To: [email protected]
Subject: RE: Query for beginner user how to use Guacamole

Hi Mike,

Thanks for the heads-up. We have successfully installed the application and now it’s working fine.

> You should definitely not use the approach you describe above. Embedding credentials or connection details within the URL would expose sensitive information and allow users to manipulate their connection details beyond what the administrator dictates. A key design aspect of Guacamole is that users of the system should not be able to connect to any machine that the administrator has not explicitly granted them access. If you are integrating Guacamole within another application, then it should be the application which grants this access, but users should still not be able to manipulate this.

I understand your concern, but these URLs are not going to be exposed to the customer or anyone else. URL will be formed in the application and internal to our application and anyhow once the URL is hit it will change in the encrypted form, as we can see in the guacamole as well.

Earlier we were using stoneware’s HTML5 web RDP gateway for the same purpose but as it is End Of Life, we are evaluating other options and guacamole seems to be one of the best options for us.

We just wanted to know if Guacamole provides that capability to use HTTP URL and if yes then how to form the URL? We don’t want any input from the user, just click and user landed in the machine!

Regards,
Abdul Qadir

From: Mike Jumper [mailto:[email protected]]
Sent: Thursday, June 18, 2020 2:22 PM
To: [email protected]
Subject: Re: Query for beginner user how to use Guacamole

On Thu, Jun 18, 2020 at 1:00 AM Abdul Qadir (aqadir) <[email protected]> wrote:

> ...
> From browser above given link was opened but facing issue in login. From where I can collect the log and information for review?

The Guacamole logs will be the Tomcat logs. Where these logs are specifically will depend on how Tomcat was installed. On CentOS / RHEL, for example, the provided "tomcat" package logs things to the systemd journal. On other distributions, the log may be /var/log/tomcat/catalina.out or /var/log/tomcat8/catalina.out or similar. If Tomcat was installed manually, there should be some sort of log directory that was created as part of that installation process, and the Tomcat logs will be in there.

> Also, we want to integrate Guacamole capabilities in our solution for RDP of windows servers. We want to know how can we form the http url so that it will automatically login into the Guacamole server and the machine for which we want to RDP with credential and other parameters. Any example or documentation?

You should definitely not use the approach you describe above. Embedding credentials or connection details within the URL would expose sensitive information and allow users to manipulate their connection details beyond what the administrator dictates. A key design aspect of Guacamole is that users of the system should not be able to connect to any machine that the administrator has not explicitly granted them access. If you are integrating Guacamole within another application, then it should be the application which grants this access, but users should still not be able to manipulate this.

Your main options here are:

1) Use features of Guacamole provided out-of-the-box, like Active Directory integration (via LDAP) and credential passthrough. Depending on what you're trying to achieve, this may already be what you're looking for.

2) Leverage an extension which allows an external application to provide authentication and authorization details via the URL, but does so in such a way that user manipulation is not possible. I wrote such an extension some time ago for my day job, and there may be other similar extensions elsewhere: https://github.com/glyptodon/guacamole-auth-json

3) Write your own extension which directly integrates whichever authentication and authorization system your application provides. The Guacamole extension API (http://guacamole.apache.org/doc/gug/guacamole-ext.html) is quite flexible, and allows you to derive connection information however you see fit. There are basic examples on writing an extension within the manual and within the guacamole-client source.

- Mike
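
Option 2 above relies on the application, not the user, vouching for the connection details that travel in the URL. The following is an added sketch of that idea, not code from this thread or from guacamole-auth-json (whose real format is defined in its own documentation): the application signs a short-lived grant and the gateway rejects anything edited or expired. The token layout, key and function names are assumptions; HMAC signs but does not hide the payload, so the constructed sample carries no password.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment would load a random secret shared
# only between the issuing application and the verifying gateway.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, connection, ttl_seconds, now=None, key=SHARED_KEY):
    """Application side: sign the connection grant so it can ride in a URL."""
    now = time.time() if now is None else now
    body = json.dumps({"username": username, "expires": int(now + ttl_seconds),
                       "connection": connection}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(tag) + "." + _b64(body)

def verify_token(token, now=None, key=SHARED_KEY):
    """Gateway side: return the grant only if it is untampered and unexpired."""
    now = time.time() if now is None else now
    try:
        tag_part, body_part = token.split(".")
        tag, body = _unb64(tag_part), _unb64(body_part)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    grant = json.loads(body)
    if grant["expires"] <= now:
        return None
    return grant

def retarget(token, new_hostname):
    """Test helper: a user edits the hostname in the URL without the key."""
    tag_part, body_part = token.split(".")
    grant = json.loads(_unb64(body_part))
    grant["connection"]["hostname"] = new_hostname
    return tag_part + "." + _b64(json.dumps(grant, sort_keys=True).encode())
```
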
