guacamole-user mailing list archives

From Dmitry Katsubo <>
Subject Setting up HTTP header authentication
Date Tue, 19 Mar 2019 23:56:13 GMT
Dear Guacamole community,

I am having difficulty setting up the HTTP header authenticator. I have read the manual ([1])
but I still cannot make it work.

First of all, I am not sure if I should set the "auth-provider" property in /etc/guacamole/,
e.g. do I need to add:

auth-provider: org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider


If I leave it unset, I get the following log:

20:38:21.077 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension:
20:38:21.708 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "HTTP Header Authentication Extension" loaded.
20:38:21.914 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Binding AuthenticationProvider
20:38:35.919 [http-nio-] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [,].
20:38:35.922 [http-nio-] DEBUG o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file: "/etc/guacamole/user-mapping.xml"
20:38:35.949 [http-nio-] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".

and after I open Guacamole I see the "admin" user name in the top right corner (hence the HTTP header
authenticator worked OK), but I am not automatically connected to the server. I suppose I
need to add an entry to /etc/guacamole/user-mapping.xml, so I did:

    <authorize username="admin">
        <connection name="vnc">
            <param name="hostname">vncserver</param>
            <param name="port">5901</param>
            <param name="password">secret</param>
            <param name="clipboard-encoding">UTF-8</param>
        </connection>
    </authorize>

but that does not help (same result after restarting Tomcat). What I want to achieve is that
the authenticated user is automatically connected to the VNC server.

Another note concerning the structure of user-mapping.xml. [2] reads the following:

  Each user is specified with a corresponding <authorize> tag. This tag contains all
authorized connections for that user, each denoted with a <connection> tag.

However, one page before, it provides an example where the <authorize> tag does not necessarily
contain <connection>:

<authorize username="USERNAME" password="PASSWORD">
    <param name="hostname">localhost</param>
    <param name="port">5900</param>
    <param name="password">VNCPASS</param>
</authorize>

So what is the rule: should <authorize> contain <connection> tags, or can it also
describe one connection?


The connection prerequisites are certainly correct, as before I was using the NoAuth provider
without any complications:

11:40:29.188 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension:
11:40:29.319 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "Disabled Authentication" loaded.
12:16:52.343 [http-nio-] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [,].
12:16:52.356 [http-nio-] DEBUG o.a.g.a.n.NoAuthenticationProvider - Configuration file "/etc/guacamole/noauth-config.xml" has been modified.
12:16:52.356 [http-nio-] DEBUG o.a.g.a.n.NoAuthenticationProvider - Reading configuration file: "/etc/guacamole/noauth-config.xml"
12:16:52.441 [http-nio-] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
12:16:53.708 [http-nio-] DEBUG - Connecting to guacd at localhost:4822.
12:16:53.884 [http-nio-] INFO  o.a.g.tunnel.TunnelRequestService - User "admin" connected to connection "localhost".


Thanks for any help in advance.

With best regards,
