Hi, We have been unable to get HTTP header authentication to work with our Guacamole server and need some help.
Our Guacamole server 0.9.12 from source using MySQL Auth has been working well for us, but we now want to use our single sign-on HTTP header to authenticate. To enable this we have installed nginx as a proxy in front of our Guacamole server with an authentication plugin. The SSO authentication nginx module is working and we have been able to confirm the HTTP headers are being added.

* HTTP_X_USER_UID = keith
* HTTP_X_USER_NAME = Keith
* HTTP_X_USER_EMAIL = [email protected]

When we visit our Guacamole we are just getting the login web form appearing. I am able to log in using my MySQL user/pass (my MySQL user is also keith).

Our Guacamole build is using the prebuilt binary files from the Apache Guacamole website.

May 9 13:07:11 guacamole server: 13:07:11.909 [http-bio-8080-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [xxx.xxx.xxx.xxx, 127.0.0.1] for user "" failed.

Our guacamole.properties file looks as follows...
----------------------------------------------------------------------------------------
api-session-timeout: 20
available-languages: en
guacd-hostname: localhost
guacd-port: 4822
http-auth-header: X_USER_UID
mysql-hostname: db_host
mysql-port: 3306
mysql-database: db_name
mysql-username: db_user
mysql-password: db_pass

Our /var/log/messages log as tomcat starts up....
----------------------------------------------------------------------------------------
May 9 13:27:35 guacamole systemd: Started Apache Tomcat Web Application Container.
May 9 13:27:35 guacamole systemd: Starting Apache Tomcat Web Application Container...
May 9 13:27:35 guacamole server: Java virtual machine used: /usr/lib/jvm/jre/bin/java
May 9 13:27:35 guacamole server: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
May 9 13:27:35 guacamole server: main class used: org.apache.catalina.startup.Bootstrap
May 9 13:27:35 guacamole server: flags used: -Xmx1524M -XX:MaxPermSize=256M
May 9 13:27:35 guacamole server: options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
May 9 13:27:35 guacamole server: arguments used: start
May 9 13:27:35 guacamole server: OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256M; support was removed in 8.0
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
May 9 13:27:36 guacamole server: INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.coyote.AbstractProtocol init
May 9 13:27:36 guacamole server: INFO: Initializing ProtocolHandler ["http-bio-8080"]
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.coyote.AbstractProtocol init
May 9 13:27:36 guacamole server: INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.catalina.startup.Catalina load
May 9 13:27:36 guacamole server: INFO: Initialization processed in 744 ms
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.catalina.core.StandardService startInternal
May 9 13:27:36 guacamole server: INFO: Starting service Catalina
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.catalina.core.StandardEngine startInternal
May 9 13:27:36 guacamole server: INFO: Starting Servlet Engine: Apache Tomcat/7.0.69
May 9 13:27:36 guacamole server: May 09, 2017 1:27:36 PM org.apache.catalina.startup.HostConfig deployWAR
May 9 13:27:36 guacamole server: INFO: Deploying web application archive /var/lib/tomcat/webapps/remote.war
May 9 13:27:38 guacamole server: May 09, 2017 1:27:38 PM org.apache.catalina.startup.TldConfig execute
May 9 13:27:38 guacamole server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
May 9 13:27:38 guacamole server: 13:27:38.621 [localhost-startStop-1] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 20 minutes of inactivity.
May 9 13:27:39 guacamole server: 13:27:39.045 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "HTTP Header Authentication Extension" loaded.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory.add(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.connection.ConnectionDirectory.update(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupDirectory.add(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.connectiongroup.ConnectionGroupDirectory.update(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileDirectory.add(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileDirectory.update(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.user.UserDirectory.add(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:39 guacamole server: May 09, 2017 1:27:39 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:39 guacamole server: WARNING: Method [public void org.apache.guacamole.auth.jdbc.user.UserDirectory.update(org.apache.guacamole.net.auth.Identifiable) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.mybatis.guice.transactional.TransactionalMethodInterceptor@32780ad6]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:40 guacamole server: 13:27:40.402 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" loaded.
May 9 13:27:40 guacamole server: 13:27:40.540 [localhost-startStop-1] INFO o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
May 9 13:27:40 guacamole server: May 09, 2017 1:27:40 PM com.google.inject.internal.ProxyFactory <init>
May 9 13:27:40 guacamole server: WARNING: Method [public void org.apache.guacamole.rest.user.UserResource.updateObject(java.lang.Object) throws org.apache.guacamole.GuacamoleException] is synthetic and is being intercepted by [org.apache.guacamole.rest.RESTExceptionWrapper@539e8d9c]. This could indicate a bug. The method may be intercepted twice, or may not be intercepted at all.
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
May 9 13:27:41 guacamole server: INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [877] milliseconds.
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
May 9 13:27:41 guacamole server: INFO: Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource class
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
May 9 13:27:41 guacamole server: INFO: Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
May 9 13:27:41 guacamole server: INFO: Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
May 9 13:27:41 guacamole server: INFO: Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource class
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
May 9 13:27:41 guacamole server: INFO: Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
May 9 13:27:41 guacamole server: May 09, 2017 1:27:41 PM com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
May 9 13:27:41 guacamole server: INFO: Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
May 9 13:27:42 guacamole server: INFO: Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider with the scope "Singleton"
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
May 9 13:27:42 guacamole server: INFO: Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
May 9 13:27:42 guacamole server: INFO: Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
May 9 13:27:42 guacamole server: INFO: Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
May 9 13:27:42 guacamole server: INFO: Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM org.webjars.servlet.WebjarsServlet init
May 9 13:27:42 guacamole server: INFO: WebjarsServlet initialization completed
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM org.apache.catalina.startup.HostConfig deployWAR
May 9 13:27:42 guacamole server: INFO: Deployment of web application archive /var/lib/tomcat/webapps/remote.war has finished in 6,494 ms
May 9 13:27:42 guacamole server: May 09, 2017 1:27:42 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:42 guacamole server: INFO: Deploying web application directory /var/lib/tomcat/webapps/host-manager
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TldConfig execute
May 9 13:27:43 guacamole server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deployment of web application directory /var/lib/tomcat/webapps/host-manager has finished in 222 ms
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deploying web application directory /var/lib/tomcat/webapps/manager
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TldConfig execute
May 9 13:27:43 guacamole server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deployment of web application directory /var/lib/tomcat/webapps/manager has finished in 209 ms
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deploying web application directory /var/lib/tomcat/webapps/examples
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/core_rt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/core is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/core is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/fmt_rt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/fmt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/fmt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/functions is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://jakarta.apache.org/taglibs/standard/permittedTaglibs is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://jakarta.apache.org/taglibs/standard/scriptfree is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/sql_rt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/sql is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/sql is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/xml_rt is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jstl/xml is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TaglibUriRule body
May 9 13:27:43 guacamole server: INFO: TLD skipped. URI: http://java.sun.com/jsp/jstl/xml is already defined
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.TldConfig execute
May 9 13:27:43 guacamole server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deployment of web application directory /var/lib/tomcat/webapps/examples has finished in 496 ms
May 9 13:27:43 guacamole server: May 09, 2017 1:27:43 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:43 guacamole server: INFO: Deploying web application directory /var/lib/tomcat/webapps/sample
May 9 13:27:44 guacamole server: May 09, 2017 1:27:44 PM org.apache.catalina.startup.TldConfig execute
May 9 13:27:44 guacamole server: INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
May 9 13:27:44 guacamole server: May 09, 2017 1:27:44 PM org.apache.catalina.startup.HostConfig deployDirectory
May 9 13:27:44 guacamole server: INFO: Deployment of web application directory /var/lib/tomcat/webapps/sample has finished in 247 ms
May 9 13:27:44 guacamole server: May 09, 2017 1:27:44 PM org.apache.coyote.AbstractProtocol start
May 9 13:27:44 guacamole server: INFO: Starting ProtocolHandler ["http-bio-8080"]
May 9 13:27:44 guacamole server: May 09, 2017 1:27:44 PM org.apache.coyote.AbstractProtocol start
May 9 13:27:44 guacamole server: INFO: Starting ProtocolHandler ["ajp-bio-8009"]
May 9 13:27:44 guacamole server: May 09, 2017 1:27:44 PM org.apache.catalina.startup.Catalina start
May 9 13:27:44 guacamole server: INFO: Server startup in 7759 ms

Please help.
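A check that fits the setup described in the message above, as an added example that is not part of the original post or of Guacamole: assuming the HTTP_X_USER_* names listed there are CGI-style variable names, they do not show whether the header on the wire uses hyphens or underscores, while `http-auth-header` has to name the wire header. The function names and the two wire-header samples are constructed for illustration.

```python
import re

# Relevant lines of guacamole.properties as quoted in the post.
PROPS = "guacd-hostname: localhost\nhttp-auth-header: X_USER_UID\n"
# Constructed samples of what the backend might receive from the proxy.
WIRE_HYPHEN = {"Host": "guac.example", "X-User-Uid": "keith"}
WIRE_UNDERSCORE = {"Host": "guac.example", "X_USER_UID": "keith"}

def cgi_name(header):
    """CGI (RFC 3875) form of a header name: upper-case, '-' -> '_', 'HTTP_' prefix."""
    return "HTTP_" + header.upper().replace("-", "_")

def wire_candidates(cgi_var):
    """Every header name that could have produced cgi_var (the mapping is lossy)."""
    if not cgi_var.startswith("HTTP_"):
        raise ValueError("not an HTTP_* variable: %r" % cgi_var)
    parts = cgi_var[len("HTTP_"):].split("_")
    names = [parts[0]]
    for part in parts[1:]:
        names = [n + sep + part for n in names for sep in ("-", "_")]
    return names

def parse_properties(text):
    """Minimal reader for 'key: value' / 'key = value' property lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def header_lookup(headers, name):
    """Case-insensitive lookup, as for HTTP header names; '-' and '_' stay distinct."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def diagnose(properties_text, wire_headers):
    """Compare the configured auth header with the headers actually received."""
    props = parse_properties(properties_text)
    # REMOTE_USER is the documented default when http-auth-header is unset.
    configured = props.get("http-auth-header", "REMOTE_USER")
    value = header_lookup(wire_headers, configured)
    if value:
        return ("match", configured, value)
    # Headers that differ from the configured name only in '-' versus '_'.
    near = [h for h in wire_headers if cgi_name(h) == cgi_name(configured)]
    return ("near-miss" if near else "absent", configured, near)

if __name__ == "__main__":
    print(wire_candidates("HTTP_X_USER_UID"))
    print(diagnose(PROPS, WIRE_HYPHEN))
    print(diagnose(PROPS, WIRE_UNDERSCORE))
```

The real header set to feed into `diagnose` has to come from a capture or request dump taken on the Tomcat side of the proxy.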
