Posted to user@guacamole.apache.org by Mike Jumper <mi...@guac-dev.org> on 2016/07/01 19:07:12 UTC

Re: Custom Authentication with DIGITAL Certificate from an Apache HTTP Reverse Proxy

On Tue, Jun 21, 2016 at 7:38 AM, Massimo Cusumano <ma...@gmail.com>
wrote:

> Hi,
>
> I have an Apache HTTP Server with SSL authentication (client
> certificate authentication). This Apache HTTP Server reverse proxies from
> port 443 to the Guacamole AJP port 8009.
>
> The Guacamole setup uses the MySQL JDBC authentication extension
> (guacamole-auth-jdbc-mysql-0.9.9.jar).
>
> I wrote an extension that performs authentication based on the "Common
> Name" of the user's client digital certificate. The extension retrieves the
> "Common Name" from the certificate, and the "Common Name" is then used by the
> MYSQL authenticator (the MYSQL authenticator trusts the extension's
> authentication).
>
> Now, when I browse to the Guacamole web portal (https://MYIP/guacamole/), a
> client certificate is required by Apache; after I select the client
> certificate, the "default Guacamole login page" is displayed (index.html),
> and when clicking on the Login button (without entering any
> username/password) I can successfully access the "Guacamole Home Screen".
>
> My questions are:
> - Can I customize the "default Guacamole login page" to remove the
> username and password fields and leave only the "Login" button?
>

There is no login "page" per se - the username and password fields are
generated dynamically, based on a machine-readable description of the
credentials required when an authentication attempt fails:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/glyptodon/guacamole/net/auth/credentials/CredentialsInfo.html

If you do not wish the username/password fields to appear, then simply do
not ask for them when you throw your GuacamoleInvalidCredentialsException.

The part of the code that actually does this within the JDBC auth is here:

https://github.com/apache/incubator-guacamole-client/blob/3c2dbbe4f9577ed7da97acec7412c2e43ee48122/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/AuthenticationProviderService.java#L80-L81

Some older code may not throw these exceptions at all, relying instead on
behavior providing backwards compatibility with older versions of Guacamole
that did not have these exceptions. In such a case, Guacamole would throw
this exception for you, and would include the username/password fields.

> - Can I insert the "common name" of the certificate in the login page (e.g.
> Welcome "<Common Name>" User);
> or
> - Can I bypass the "default login page" and connect directly to the
> "Guacamole Home Screen"?
>

There is no need to bypass it, as it doesn't truly exist. The authentication
system is flexible enough that if you don't wish to prompt the user for
credentials, then all you need to do is not ask for them.

Visiting any page within Guacamole results in an authentication /
reauthentication attempt, so your AuthenticationProvider will be queried
and requeried regarding whether the user is authorized. The login form
appears only in response to an error thrown by the extension indicating
that additional credentials are required, or that the provided credentials
are invalid.

If your AuthenticationProvider's authenticateUser() implementation returns
an AuthenticatedUser and does not throw a
GuacamoleInvalidCredentialsException (or
GuacamoleInsufficientCredentialsException), then they will not be prompted
for anything.

Thanks,

- Mike
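Added example (not code from this thread or from the Guacamole project) of an AuthenticationProvider written the way the reply describes: it returns an AuthenticatedUser when a verified client certificate is present and otherwise throws GuacamoleInvalidCredentialsException with CredentialsInfo.EMPTY, so the generated login form carries no username/password fields. It assumes the org.glyptodon package names of the guacamole-ext version linked above, that AbstractAuthenticatedUser exists there, and that Tomcat's AJP connector populates the standard javax.servlet.request.X509Certificate attribute from the certificate Apache verified; the class name and identifier "client-cert" are hypothetical.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import org.glyptodon.guacamole.GuacamoleException;
import org.glyptodon.guacamole.net.auth.*;
import org.glyptodon.guacamole.net.auth.credentials.CredentialsInfo;
import org.glyptodon.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

// Hypothetical extension: identity comes only from the client certificate the container verified.
public class ClientCertAuthenticationProvider implements AuthenticationProvider {
    // Standard servlet attribute; assumed populated via AJP from Apache's verified client cert
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    @Override public String getIdentifier() { return "client-cert"; }

    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials) throws GuacamoleException {
        // Never derive identity from a request header, which the browser could set itself
        HttpServletRequest request = credentials.getRequest();
        X509Certificate[] chain = (request == null) ? null
                : (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String cn = (chain != null && chain.length > 0) ? extractCN(chain[0]) : null;
        // No verified certificate: reject without requesting any fields, so the
        // generated login page carries no username/password inputs
        if (cn == null)
            throw new GuacamoleInvalidCredentialsException("Client certificate required.", CredentialsInfo.EMPTY);
        // Certificate present: return an AuthenticatedUser and throw nothing, so no prompt appears
        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override public AuthenticationProvider getAuthenticationProvider() {
                return ClientCertAuthenticationProvider.this;
            }
            @Override public Credentials getCredentials() { return credentials; }
        };
        user.setIdentifier(cn); // the username a trusting JDBC extension will look up
        return user;
    }

    // Pull the CN RDN out of the subject DN with the JDK's LDAP name parser
    static String extractCN(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        } catch (InvalidNameException e) { /* malformed DN: treat as absent */ }
        return null;
    }

    // Identity only: connections and permissions come from the JDBC extension
    @Override public AuthenticatedUser updateAuthenticatedUser(AuthenticatedUser u, Credentials c) { return u; }
    @Override public UserContext getUserContext(AuthenticatedUser u) { return null; }
    @Override public UserContext updateUserContext(UserContext ctx, AuthenticatedUser u) { return ctx; }
}
```

The class still has to be packaged as a Guacamole extension (with its manifest) and loaded alongside the JDBC extension for the returned identifier to be looked up there.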