Mailing-List: contact user-help@guacamole.incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@guacamole.incubator.apache.org
MIME-Version: 1.0
In-Reply-To: <CAG8Nh4sYXPdbM2aHujioEyhBsgVQrryMmcGQC84oPd2FmZvdig@mail.gmail.com>
References: <CAG8Nh4sYXPdbM2aHujioEyhBsgVQrryMmcGQC84oPd2FmZvdig@mail.gmail.com>
From: Mike Jumper <mike.jumper@guac-dev.org>
Date: Fri, 1 Jul 2016 12:07:12 -0700
Message-ID: <CALKeL-Nerm9Y2PZnRFXnWv7+Xc9w5D4yMD9ggoVzDqpuKEr7oQ@mail.gmail.com>
Subject: Re: Custom Authentication with DIGITAL Certificate from a Apache HTTP
 Reverse Proxy
To: user@guacamole.incubator.apache.org
Content-Type: multipart/alternative; boundary=001a11426a68bcca03053697b159
archived-at: Fri, 01 Jul 2016 19:07:20 -0000

--001a11426a68bcca03053697b159
Content-Type: text/plain; charset=UTF-8

On Tue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano <maxcus.w@gmail.com>
wrote:

> Hi,
>
> I have an Apache HTTP Server with  SSL authentication  (Client
> certificate  Authentication). This Apache HTTP Server reverse proxies from
> port 443 to Guacamole ajp port  8009
>
> The  Guacamole setup uses the mysql jdbc authentication extension
> (guacamole-auth-jdbc-mysql-0.9.9.jar).
>
> I wrote an extension that perform authentication based on  the "Common
> Name" of the user's Client Digital Certificate. The extension retrieves the
> "Common Name" from the certificate and the "Common Name" is then used by
> MYSQL authenticator (MYSQL authenticator trusts the extension
> authentication).
>
> Now, when I browse to  Guacamole web portal (https://MYIP/guacamole/), a
> client certificate is required by Apache; after I select the  client
> certificate, the   "default Guacamole login page" is displayed (index.html)
> and when clicking  on the Login button (without entering any
> username/password) I can access with success to the "Guacamole Home Screen"
>
> My questions are:
> - Can I customize the "default Guacamole login page"  to remove the
> username and password field and leave only the "Login" button?
>

There is no login "page" per se - the username and password fields are
generated dynamically, based on a machine-readable description of the
credentials required when an authentication attempt fails:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo.html

If you do not wish the username/password fields to appear, then simply do
not ask for them when you throw your GuacamoleInvalidCredentialsException.

The part of the code that actually does this within the JDBC auth is here:

https://github.com/apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.java#L80-L81

Some older code may not throw these exceptions at all, relying instead on
behavior providing backwards compatibility with older versions of Guacamole
that did not have these exceptions. In such a case, Guacamole would throw
this exception for you, and would include the username/password fields.

- Can I insert the "common name" of the certificate in the login page (e.g.
> Welcome "<Common Name> " User;
> or
> - Can I bypass the "default login page" and connect directly to the
> "Guacamole Home Screen"?
>

There no need to bypass it, as it doesn't truly exist. The authentication
system is flexible enough that if you don't wish to prompt the user for
credentials, then all you need to do is not ask for them.

Visiting any page within Guacamole results in an authentication /
reauthentication attempt, so your AuthenticationProvider will be queried
and requeried regarding whether the user is authorized. The login form
appears only in response to an error thrown by the extension indicating
that additional credentials are required, or that the provided credentials
are invalid.

If your AuthenticationProvider's authenticateUser() implementation returns
an AuthenticatedUser and does not throw a
GuacamoleInvalidCredentialsException (or
GuacamoleInsufficientCredentialsException), then they will not be prompted
for anything.

Thanks,

- Mike

--001a11426a68bcca03053697b159
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On T=
ue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano <span dir=3D"ltr">&lt;<a href=
=3D"mailto:maxcus.w@gmail.com" target=3D"_blank">maxcus.w@gmail.com</a>&gt;=
</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div di=
r=3D"ltr">Hi,<br><br>I have an Apache HTTP Server with=C2=A0 SSL authentica=
tion=C2=A0=20
(Client certificate=C2=A0 Authentication). This Apache HTTP Server reverse=
=20
proxies from port 443 to Guacamole ajp port=C2=A0 8009<br><br>The=C2=A0 Gua=
camole setup uses the mysql jdbc authentication extension (guacamole-auth-j=
dbc-mysql-0.9.9.jar).<br><br>I
 wrote an extension that perform authentication based on=C2=A0 the &quot;Co=
mmon=20
Name&quot; of the user&#39;s Client Digital Certificate. The extension retr=
ieves=20
the &quot;Common Name&quot; from the certificate and the &quot;Common Name&=
quot; is then=20
used by MYSQL authenticator (MYSQL authenticator trusts the extension=20
authentication).<br><br>Now, when I browse to=C2=A0 Guacamole web portal (<=
a href=3D"https://MYIP/guacamole/" target=3D"_blank">https://MYIP/guacamole=
/</a>),
 a client certificate is required by Apache; after I select the=C2=A0 clien=
t=20
certificate, the=C2=A0=C2=A0 &quot;default Guacamole login page&quot; is di=
splayed=20
(index.html) and when clicking=C2=A0 on the Login button (without entering=
=20
any username/password) I can access with success to the &quot;Guacamole Hom=
e=20
Screen&quot;<br><br>My questions are:<br>- Can I customize the &quot;defaul=
t=20
Guacamole login page&quot;=C2=A0 to remove the username and password field =
and=20
leave only the &quot;Login&quot; button? <br></div></blockquote><div><br></=
div><div>There is no login &quot;page&quot; per se - the username and passw=
ord fields are generated dynamically, based on a machine-readable descripti=
on of the credentials required when an authentication attempt fails:</div><=
div><br></div><div><a href=3D"http://guacamole.incubator.apache.org/doc/gua=
camole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCre=
dentialsException.html">http://guacamole.incubator.apache.org/doc/guacamole=
-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentia=
lsException.html</a><br></div><div><br></div><div><a href=3D"http://guacamo=
le.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/=
credentials/CredentialsInfo.html">http://guacamole.incubator.apache.org/doc=
/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo=
.html</a><br></div><div><br></div><div>If you do not wish the username/pass=
word fields to appear, then simply do not ask for them when you throw your =
GuacamoleInvalidCredentialsException.</div><div><br></div><div>The part of =
the code that actually does this within the JDBC auth is here:</div><div><b=
r></div><div><a href=3D"https://github.com/apache/incubator-guacamole-clien=
t/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-j=
dbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/aut=
h/jdbc/user/AuthenticationProviderService.java#L80-L81">https://github.com/=
apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee4=
8122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/ma=
in/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.j=
ava#L80-L81</a><br></div><div><br></div><div>Some older code may not throw =
these exceptions at all, relying instead on behavior providing backwards co=
mpatibility with older versions of Guacamole that did not have these except=
ions. In such a case, Guacamole would throw this exception for you, and wou=
ld include the username/password fields.</div><div><br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">- Can I insert the &qu=
ot;common name&quot; of the certificate in the login page (e.g. Welcome &qu=
ot;&lt;Common Name&gt; &quot; User;<br>or<br>- Can I bypass the &quot;defau=
lt login page&quot; and connect directly to the &quot;Guacamole Home Screen=
&quot;?</div></blockquote><div><br></div><div>There no need to bypass it, a=
s it doesn&#39;t truly exist. The authentication system is flexible enough =
that if you don&#39;t wish to prompt the user for credentials, then all you=
 need to do is not ask for them.</div><div><br></div><div>Visiting any page=
 within Guacamole results in an authentication / reauthentication attempt, =
so your AuthenticationProvider will be queried and requeried regarding whet=
her the user is authorized. The login form appears only in response to an e=
rror thrown by the extension indicating that additional credentials are req=
uired, or that the provided credentials are invalid.</div><div><br></div><d=
iv>If your AuthenticationProvider&#39;s authenticateUser() implementation r=
eturns an AuthenticatedUser and does not throw a GuacamoleInvalidCredential=
sException (or GuacamoleInsufficientCredentialsException), then they will n=
ot be prompted for anything.</div></div><br></div><div class=3D"gmail_extra=
">Thanks,</div><div class=3D"gmail_extra"><br></div><div class=3D"gmail_ext=
ra">- Mike</div><div class=3D"gmail_extra"><br></div></div>

--001a11426a68bcca03053697b159--