guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Iker Ibarguren Berasaluze <>
Subject Re: External link to a connection
Date Fri, 27 May 2016 06:39:38 GMT

It works perfect! 

Igorlea: "Mike Jumper" <> 
Hartzailea: "user" <> 
Bidalita: 2016(e)ko Maiatzak 25, Asteazkena 21:05:41 
Gaia: Re: External link to a connection 

On Tue, May 24, 2016 at 11:51 PM, Iker Ibarguren Berasaluze < >

We have an intranet where I want to print the direct url to a connection for a user. I mean,
if in my intranet I´m reading user1 profile, I want to append a button witch can be clicked
in order to control this machine directly. I tried accessing guacamole mysql data but there
is no the necesary info to get the url. 

Is there any way to do this? 

The necessary information is indeed there - you just need to know how to generate the URL.
The base64 bit after ".../guacamole/client/" in the URL of a connection is built from the
following information: 

1. The connection identifier (in MySQL / PostgreSQL, this will be the connection ID) 
2. The type ("c" for connections and "g" for balancing groups) 
3. The identifier of the auth provider storing the connection data (usually "postgresql",
"mysql", or "ldap" - in your case the correct value would be "mysql") 

Each of these components separated from the other by a single NULL character (U+0000), with
the resulting string encoded with base64. 

For example, "NQBjAHBvc3RncmVzcWw=", a valid base64 string taken from an actual Guacamole
deployment, decodes to: 

$ echo 'NQBjAHBvc3RncmVzcWw=' | base64 -d | xxd 
0000000: 3500 6300 706f 7374 6772 6573 716c 5.c.postgresql 

"5" being the connection identifier, "c" indicating that this is a connection and not a group,
and "postgresql" representing the auth provider (PostgreSQL). Within the Guacamole web application,
this string is generated within JavaScript by the "ClientIdentifier" class using "ClientIdentifier.toString()"

The base64 identifier actually only has meaning to the JavaScript code - it is decoded and
parsed out into its individual components prior to making the request to open the tunnel,
at which point these values are included as normal HTTP parameters:

The easiest way to obtain this string would be to simply copy it from the URL of the connection
from within the Guacamole interface, but you can also use the above algorithm to generate
it yourself. 

Note that this does not bypass authentication - the users will still need to authenticate
with Guacamole to gain access to any connection, even if they know the URL ahead of time.

If you would rather that users login to your existing application only, the proper way to
achieve this is to integrate Guacamole into that application using an extension (such that
Guacamole can validate the user's authenticated status and pull their data, without prompting
them again for credentials). Avoid the temptation to disable Guacamole's authentication entirely;
it may seem simpler, but it is an EXTREMELY bad idea. 

Hope this helps, 

- Mike 

View raw message