guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Connection errors on no-auth unless logout first.
Date Mon, 20 Mar 2017 18:26:25 GMT
On Mon, Mar 20, 2017 at 10:59 AM, tek0011 <thecptsparrow@gmail.com> wrote:

> Still working on this.  Another person is trying to fork our own no-auth
> extension, that will be a true no-auth.


I strongly recommend against any approach centered around the idea of
disabling authentication.

The idea when integrating Guacamole with an external authentication system
should be to (1) verify the authentication result with that system and (2)
pull/generate the connection data required for each user based on that
result. If the connection data is generated dynamically, you will need to
look into both getUserContext() (which is called to generate the data
available for the user upon login) and updateUserContext() (which is called
for every request for users who are already logged in) for the
AuthenticationProvider interface:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext-org.apache.guacamole.net.auth.AuthenticatedUser-

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#updateUserContext-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

> In the meantime, we may have found
> another possible way, but I also don't understand why this isn't working.
>
> We moved from no-auth to user-mapping but we run into the exact same issue.
> PHP script runs, checks for the existence of <hostname> in
> user-mapping.xml.
> If it doesn't exist, it adds it, then redirects the user to it.
>
>
Both NoAuth and the default XML-driver authentication (user-mapping.xml)
will cache the data available to a user upon login. In the case of NoAuth,
users are logged in to a placeholder account without checking credentials
of any kind, but they are still logged in. Because the data is cached until
the user logs out, external changes to configuration will not take effect
as you expect.

It is possible to write an extension which does not cache configuration
(see updateUserContext() mentioned above), but there is still a client-side
cache of REST responses, including the response which contains all
connections available to a particular user. This will not affect the
ability to connect to a particular connection if you happen to know its
URL, but it will affect the contents the home screen renders.

Ultimately, relying on a script to update XML configuration will always be
a hack. The proper approach is to write an authentication extension which
directly integrates things the way you need. If that still doesn't fit the
way you're intending to embed Guacamole, then it sounds like you should be
looking toward using the Guacamole API itself:

http://guacamole.incubator.apache.org/doc/gug/writing-you-own-guacamole-app.html

The web application is kept separate from the APIs which drive it for
exactly this sort of scenario. The expectation is that either Guacamole
will work as needed out-of-the-box, an authentication extension can be
written to integrate Guacamole with an external auth system (and then
otherwise function normally), or a different web application can be written
based on the same core (the Guacamole API).

- Mike
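
An added example, not part of the original message and not code from the Guacamole project: a sketch of the approach described above, built on the guacamole-ext base class SimpleAuthenticationProvider, that verifies the login with the external system, generates the connections from its answer, and rebuilds them in updateUserContext() instead of keeping the data cached at login. The class name, the portal URL and its one-host-per-line response, the ticket being submitted as the password, and the use of RDP are all assumptions.

```java
import java.io.*;
import java.net.*;
import java.util.*;
import org.apache.guacamole.*;
import org.apache.guacamole.net.auth.*;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

public class PortalAuthenticationProvider extends SimpleAuthenticationProvider {
    // Assumption: the external system returns the user's hosts here, one per line
    private static final String HOSTS_URL = "https://portal.example.internal/guac-hosts?user=";
    @Override public String getIdentifier() { return "portal-auth"; }

    // (1) verify the ticket (assumption: sent as the password), (2) build connection data
    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(Credentials creds)
            throws GuacamoleException {
        if (creds.getUsername() == null || creds.getPassword() == null) return null;
        try {
            URL url = new URL(HOSTS_URL + URLEncoder.encode(creds.getUsername(), "UTF-8"));
            HttpURLConnection http = (HttpURLConnection) url.openConnection();
            http.setRequestProperty("Authorization", "Bearer " + creds.getPassword());
            http.setConnectTimeout(2000);
            http.setReadTimeout(2000);
            if (http.getResponseCode() != 200) return null; // ticket rejected: no login
            Map<String, GuacamoleConfiguration> configs = new LinkedHashMap<>();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(http.getInputStream(), "UTF-8"))) {
                for (String host; (host = in.readLine()) != null; ) {
                    if (!host.matches("[A-Za-z0-9.-]{1,253}")) continue; // skip malformed names
                    GuacamoleConfiguration config = new GuacamoleConfiguration();
                    config.setProtocol("rdp"); // assumption: every host is reached over RDP
                    config.setParameter("hostname", host);
                    configs.put(host, config);
                }
            }
            return configs;
        } catch (IOException | IllegalArgumentException e) {
            throw new GuacamoleServerException("Portal lookup failed", e);
        }
    }

    // Called for every request of a logged-in user: re-query, do not reuse login-time data
    @Override
    public UserContext updateUserContext(UserContext context, AuthenticatedUser user,
            Credentials credentials) throws GuacamoleException {
        UserContext fresh = getUserContext(user);
        if (fresh == null) throw new GuacamoleUnauthorizedException("Portal revoked access");
        return fresh;
    }
}
```

Because updateUserContext() is called for every request, a deployment would normally put a short-lived cache in front of the portal call. The client-side cache of REST responses described in the message still applies to the home screen.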
