On Tue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano <[email protected]> wrote:
> Hi,
>
> I have an Apache HTTP Server with SSL authentication (Client
> certificate Authentication). This Apache HTTP Server reverse proxies from
> port 443 to Guacamole ajp port 8009
>
> The Guacamole setup uses the mysql jdbc authentication extension
> (guacamole-auth-jdbc-mysql-0.9.9.jar).
>
> I wrote an extension that performs authentication based on the "Common
> Name" of the user's Client Digital Certificate. The extension retrieves the
> "Common Name" from the certificate and the "Common Name" is then used by
> MYSQL authenticator (MYSQL authenticator trusts the extension
> authentication).
>
> Now, when I browse to Guacamole web portal (https://MYIP/guacamole/), a
> client certificate is required by Apache; after I select the client
> certificate, the "default Guacamole login page" is displayed (index.html)
> and when clicking on the Login button (without entering any
> username/password) I can access with success to the "Guacamole Home Screen"
>
> My questions are:
> - Can I customize the "default Guacamole login page" to remove the
> username and password field and leave only the "Login" button?
>

There is no login "page" per se - the username and password fields are generated dynamically, based on a machine-readable description of the credentials required when an authentication attempt fails:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html
http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo.html

If you do not wish the username/password fields to appear, then simply do not ask for them when you throw your GuacamoleInvalidCredentialsException.

The part of the code that actually does this within the JDBC auth is here:

https://github.com/apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.java#L80-L81

Some older code may not throw these exceptions at all, relying instead on behavior providing backwards compatibility with older versions of Guacamole that did not have these exceptions. In such a case, Guacamole would throw this exception for you, and would include the username/password fields.

> - Can I insert the "common name" of the certificate in the login page (e.g.
> Welcome "<Common Name> " User;
> or
> - Can I bypass the "default login page" and connect directly to the
> "Guacamole Home Screen"?
>

There is no need to bypass it, as it doesn't truly exist. The authentication system is flexible enough that if you don't wish to prompt the user for credentials, then all you need to do is not ask for them.

Visiting any page within Guacamole results in an authentication / reauthentication attempt, so your AuthenticationProvider will be queried and requeried regarding whether the user is authorized. The login form appears only in response to an error thrown by the extension indicating that additional credentials are required, or that the provided credentials are invalid. If your AuthenticationProvider's authenticateUser() implementation returns an AuthenticatedUser and does not throw a GuacamoleInvalidCredentialsException (or GuacamoleInsufficientCredentialsException), then they will not be prompted for anything.

Thanks,

- Mike
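
The following is an added example, not part of the original message and not code from the Guacamole project: a helper that an extension's authenticateUser() could delegate to, returning an AuthenticatedUser when a client certificate is present and otherwise failing with a GuacamoleInvalidCredentialsException that requests no fields. It assumes the 0.9.9-era org.glyptodon.guacamole package names and that the servlet container exposes the certificate forwarded by Apache under the standard javax.servlet.request.X509Certificate request attribute; the class name ClientCertLogin is hypothetical.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.net.auth.AbstractAuthenticatedUser;
import org.glyptodon.guacamole.net.auth.AuthenticatedUser;
import org.glyptodon.guacamole.net.auth.AuthenticationProvider;
import org.glyptodon.guacamole.net.auth.Credentials;
import org.glyptodon.guacamole.net.auth.credentials.CredentialsInfo;
import org.glyptodon.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
/** Hypothetical helper: call it from your AuthenticationProvider's authenticateUser(). */
public class ClientCertLogin {
    // Standard servlet attribute; ASSUMES the AJP connector fills it from Apache's TLS session.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public static AuthenticatedUser authenticate(final AuthenticationProvider provider,
            final Credentials credentials) throws GuacamoleException {
        HttpServletRequest request = credentials.getRequest();
        Object attr = (request == null) ? null : request.getAttribute(CERT_ATTR);
        String cn = null;
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0)
            cn = commonName(((X509Certificate[]) attr)[0]); // [0] is the client's own certificate

        // No usable certificate: fail, but request NO fields, so no username/password inputs.
        if (cn == null || cn.isEmpty())
            throw new GuacamoleInvalidCredentialsException(
                    "A client certificate is required.", CredentialsInfo.EMPTY);

        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override public AuthenticationProvider getAuthenticationProvider() { return provider; }
            @Override public Credentials getCredentials() { return credentials; }
        };
        user.setIdentifier(cn);
        return user;
    }

    // Parse the subject DN structurally instead of searching for "CN=" in the string,
    // so a "CN=" embedded in another attribute's value is never taken as the identity.
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String)
                    return (String) rdn.getValue();
        } catch (InvalidNameException e) { /* unparseable DN: treat as no common name */ }
        return null;
    }
}
```

This code trusts whatever certificate the AJP connector reports, so port 8009 should accept connections only from the Apache proxy that performs the client certificate check.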
