On Sun, Jun 18, 2017 at 11:49 PM, Suncatcher16 <[email protected]> wrote:
> I wanna restrict certain users of Guacamole by IP-address. In particular, I > want *guacadmin* (user with admin privileges) can access Guacamole > (settings) only from LAN, whilst other users (with standard privileges) can > access from Internet too. > I didn't find appropriate setting in config. Is this possible on > Guacamole-level? Or should I set up this in Tomcat? > > There is no setting for this, but you can write an extension which provides such behavior. If you implement an AuthenticationProvider which does not attempt to authenticate users (returns null for authenticateUser()), you can leverage getUserContext() to veto the authentication result of other extensions. Any exception thrown within getUserContext() will result in the entire authentication process being canceled and the user auth attempt rejected. >From within getUserContext(), you can check the IP address of the request using the Credentials object associated with the AuthenticatedUser. - Mike
