guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Custom Authentication with DIGITAL Certificate from a Apache HTTP Reverse Proxy
Date Fri, 01 Jul 2016 19:07:12 GMT
On Tue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano <maxcus.w@gmail.com>
wrote:

> Hi,
>
> I have an Apache HTTP Server with  SSL authentication  (Client
> certificate  Authentication). This Apache HTTP Server reverse proxies from
> port 443 to Guacamole ajp port  8009
>
> The  Guacamole setup uses the mysql jdbc authentication extension
> (guacamole-auth-jdbc-mysql-0.9.9.jar).
>
> I wrote an extension that perform authentication based on  the "Common
> Name" of the user's Client Digital Certificate. The extension retrieves the
> "Common Name" from the certificate and the "Common Name" is then used by
> MYSQL authenticator (MYSQL authenticator trusts the extension
> authentication).
>
> Now, when I browse to  Guacamole web portal (https://MYIP/guacamole/), a
> client certificate is required by Apache; after I select the  client
> certificate, the   "default Guacamole login page" is displayed (index.html)
> and when clicking  on the Login button (without entering any
> username/password) I can access with success to the "Guacamole Home Screen"
>
> My questions are:
> - Can I customize the "default Guacamole login page"  to remove the
> username and password field and leave only the "Login" button?
>

There is no login "page" per se - the username and password fields are
generated dynamically, based on a machine-readable description of the
credentials required when an authentication attempt fails:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo.html

If you do not wish the username/password fields to appear, then simply do
not ask for them when you throw your GuacamoleInvalidCredentialsException.

The part of the code that actually does this within the JDBC auth is here:

https://github.com/apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.java#L80-L81

Some older code may not throw these exceptions at all, relying instead on
behavior providing backwards compatibility with older versions of Guacamole
that did not have these exceptions. In such a case, Guacamole would throw
this exception for you, and would include the username/password fields.

- Can I insert the "common name" of the certificate in the login page (e.g.
> Welcome "<Common Name> " User;
> or
> - Can I bypass the "default login page" and connect directly to the
> "Guacamole Home Screen"?
>

There no need to bypass it, as it doesn't truly exist. The authentication
system is flexible enough that if you don't wish to prompt the user for
credentials, then all you need to do is not ask for them.

Visiting any page within Guacamole results in an authentication /
reauthentication attempt, so your AuthenticationProvider will be queried
and requeried regarding whether the user is authorized. The login form
appears only in response to an error thrown by the extension indicating
that additional credentials are required, or that the provided credentials
are invalid.

If your AuthenticationProvider's authenticateUser() implementation returns
an AuthenticatedUser and does not throw a
GuacamoleInvalidCredentialsException (or
GuacamoleInsufficientCredentialsException), then they will not be prompted
for anything.

Thanks,

- Mike

Mime
View raw message