Posted to dev@guacamole.apache.org by necouchman <gi...@git.apache.org> on 2017/08/11 21:12:15 UTC

[GitHub] incubator-guacamole-client pull request #174: GUACAMOLE-341: Make SSO Authen...

GitHub user necouchman commented on a diff in the pull request:

    https://github.com/apache/incubator-guacamole-client/pull/174#discussion_r132784755
  
    --- Diff: extensions/guacamole-auth-header/src/main/java/org/apache/guacamole/auth/header/AuthenticationProviderService.java ---
    @@ -73,6 +73,8 @@ public AuthenticatedUser authenticateUser(Credentials credentials)
                 String username = request.getHeader(confService.getHttpAuthHeader());
     
                 if (username != null) {
    +                //  Write username to the credentials object to make tokenfilter work
    --- End diff --
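
Review bot: The comment added at the top of the `if (username != null)` block says what is done but not why it is needed, and it has a stray double space after `//` and a lowercase "tokenfilter". Suggest wording it so the reason is clear, for example that the Credentials object carries no username when the identity arrives in the header, so the username token would otherwise be empty. Note also that the value comes straight from `request.getHeader(confService.getHttpAuthHeader())` and is only checked against null, so an empty header value would be copied into the Credentials object as the username; an explicit empty-string check before the write would avoid that.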
    
    @mike-jumper Any thoughts here on whether it's preferable to set the username inside this module, or modify code elsewhere to use the AuthenticatedUser identifier?  Going the AuthenticatedUser route looks like it would require one of the following approaches:
    - Another method in StandardTokens to be able to pass in the username token, specifically, with its own identifier, and then changes to the various places that StandardTokens is used to add both the credentials and then, alternatively the AuthenticatedUser code.
    - Checks around the existing StandardTokens uses that make sure the Credentials object has a valid username, and then code to create a new object or modify the existing one around there using the AuthenticatedUser object.
    
    It seems to me that setting it up inside the authentication module is the right way to go - it results in the fewest places that have to be reworked, and makes it available across the various places where those Credentials objects are used.  This module (auth-header) needs the fix, as will the CAS module.  I think those are the only two at the moment - any additional SSO-type modules would also have to keep it in mind (SAML, OAuth).


