Posted to user@guacamole.apache.org by Brian Snyder <br...@beavercreek.k12.oh.us> on 2023/03/01 21:00:41 UTC

Guacamole 1.4.0 Error

Hello All,

I am running into an error. Can someone point me in the right direction?
I am getting the "An error has occurred and this action can't be completed" message.
The errors in Tomcat are:

23:13:23.599 [https-openssl-nio-10.10.18.30-443-exec-5] WARN
 o.a.g.e.AuthenticationProviderFacade - The "mysql-shared" authentication
provider has been skipped due to an internal error. If this is unexpected
or you are the developer of this authentication provider, you may wish to
enable debug-level logging: 'javax.servlet.http.HttpServletRequest
org.apache.guacamole.net.auth.Credentials.getRequest()'
23:13:31.144 [https-openssl-nio-10.10.18.30-443-exec-6] INFO
 o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully
authenticated from 10.10.170.134.
23:13:31.168 [https-openssl-nio-10.10.18.30-443-exec-8] ERROR
o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
'javax.servlet.http.HttpServletRequest
org.apache.guacamole.net.auth.Credentials.getRequest()'

Has anyone seen this? It works as expected if I use authentication other than
MySQL. As soon as I add the connector extension, it does not work.

Thanks,
Brian

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok Nick:

Thanks a lot for your valuable help. I appreciate it.

I will check it.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, March 15, 2023 08:49 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I found the class SharedAuthenticationProviderService, which has the method below (authenticateUser). It receives credentials of type Credentials. Below is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user = sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> From the above code, I think I have to make the Perl invocation before retrieving the authenticated user, and then compare with it. If their credentials are different, update the credentials with the Tacacs value using the updateUserContext function.
>
> How do you see my implementation proposal?

A couple of things:
* I would not look at the SharedAuthenticationProviderService as an example of this - it is fairly complex in creating temporary tokens and authenticating users temporarily. The simplest module out there is probably the guacamole-auth-header module, and it might be a better starting point for you to create a simple authentication extension that will call the Perl script.
* It would be better to avoid trying to change an existing authentication module; you should take the time to fully implement a new one. You can use the header extension as a starting point, but you should take the time to name the classes properly, set up any logging you feel is necessary, etc. Even if you copy the existing header extension and make changes, make sure you rename the classes, remove items that aren't required, etc. It'll help you out in the long run.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
The previous file I sent gives errors. With this one, I can enter the web application, but with the Tacacs password I do not see Active Sessions; I only see them with the user and DB password. (The user is the same for Tacacs and the DB.)

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 15, 2023 06:56 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 8:27 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Ok Nick
>
> Then what I need to do in order to see Active Sessions when I enter with Tacacs authentication?

There's nothing you need to do in your Java code to enable this. You only need to make sure that the user you're logging in as via TACACS is granted privileges in the JDBC module to see the active sessions.
The username in the JDBC module must match the TACACS username
*exactly* (including case sensitivity), but the password need not be synchronized.

You can also enable the JDBC user auto-creation feature, which will automatically create a JDBC user for any account that is successfully logged in via another module, and then grant those accounts the required privileges.

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok

The Tacacs user and the DB user are the same. I am going to check the JDBC user auto-creation feature.

Thanks Nick

-Gabriel


RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Thanks a lot, Nick.

It works. What is left pending is a way to do a mass update of the database accounts so that their password is the same as the Tacacs one.

I will take care of it.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Sunday, April 16, 2023 02:03 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I did a test and it does not work.
>
> I set mysql-auto-create-accounts (guacamole.properties) to true.
>
> In fact the Tacacs user is the same as the DB user, but why, when I enter with the DB user and its password as saved in this repository, can I see Active Sessions?

The likely explanation for why this works is that the database module gets evaluated first, and, if the password is the same, the authentication to Guacamole is done by the database module and *not* by the TACACS module. I'd bet that, once the passwords are the same between DB and TACACS, the Guacamole logins will stop showing up in your TACACS system.

-Nick



Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
There's a lot here you can probably get rid of, unless you truly need
dependency injection via Guice for some other purpose.

Why are you checking the username using indexOf()?

- Mike

On Wed, Apr 19, 2023, 9:29 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:

> This is the class which authenticates; there is just one method, just like you stipulated:
>
> public class TacacsAuthenticationProvider extends AbstractAuthenticationProvider {
>
>     private static final String MYSQLAuthenticationProviderString = "mysql";
>
>     /**
>      * Logger for this class.
>      */
>     private static final Logger logger = LoggerFactory.getLogger(TacacsAuthenticationProvider.class);
>
>     /**
>      * Injector which will manage the object graph of this authentication
>      * provider.
>      */
>     private final Injector injector;
>
>     /**
>      * Creates a new TacacsAuthenticationProvider that authenticates users
>      * using Tacacs.
>      *
>      * @throws GuacamoleException
>      *     If a required property is missing, or an error occurs while parsing
>      *     a property.
>      */
>     public TacacsAuthenticationProvider() throws GuacamoleException {
>
>         // Set up Guice injector.
>         injector = Guice.createInjector(
>             new TacacsAuthenticationProviderModule(this)
>         );
>
>     }
>
>     @Override
>     public String getIdentifier() {
>         return "tacacs";
>     }
>
>     @Override
>     public AuthenticatedUser authenticateUser(Credentials credentials)
>             throws GuacamoleException {
>
>         // Pass credentials to authentication service.
>         AuthenticationProviderService authProviderService =
>             injector.getInstance(AuthenticationProviderService.class);
>         return authProviderService.authenticateUser(credentials);
>
>     }
>
> }
>
> And below is the class showing how authentication is done in Tacacs:
>
> public class AuthenticationProviderService {
>
>     /**
>      * Logger for this class.
>      */
>     private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
>
>     /**
>      * Guacamole's administrator user.
>      */
>     private static final String GUACAMOLE_ADMINISTRATOR = "guacadmin";
>
>     /**
>      * Provider for AuthenticatedUser objects.
>      */
>     @Inject
>     private Provider<AuthenticatedUser> authenticatedUserProvider;
>
>     /**
>      * Returns an AuthenticatedUser representing the user authenticated by the
>      * given credentials.
>      *
>      * @param credentials
>      *     The credentials to use for authentication.
>      *
>      * @return
>      *     An AuthenticatedUser representing the user authenticated by the
>      *     given credentials.
>      *
>      * @throws GuacamoleException
>      *     If an error occurs while authenticating the user, or if access is
>      *     denied.
>      */
>     public AuthenticatedUser authenticateUser(Credentials credentials)
>             throws GuacamoleException {
>         if (credentials.getUsername() != null && credentials.getPassword() != null
>             && credentials.getUsername().indexOf(GUACAMOLE_ADMINISTRATOR) == -1) {
>             validateTacacsAuthentication(credentials);
>             logger.debug("User:" + credentials.getUsername() + " [" + credentials.getPassword() + "]");
>             AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
>             authenticatedUser.init(credentials.getUsername(), credentials);
>             return authenticatedUser;
>         }
>         // Authentication not provided via Tacacs, yet, so we request it.
>         throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
>     }
>
>     private void validateTacacsAuthentication(Credentials credentials) throws GuacamoleException {
>         if (credentials.getUsername() != null
>                 && credentials.getUsername().indexOf(GUACAMOLE_ADMINISTRATOR) == -1) {
>             if (!AuthenticationTacacs.authenticate(credentials.getUsername(),
>                     credentials.getPassword(),
>                     credentials.getRemoteAddress())) {
>                 logger.warn("Tacacs authentication attempt from {} for user \"{}\" failed.",
>                         credentials.getRemoteAddress(), credentials.getUsername());
>                 throw new GuacamoleInvalidCredentialsException(
>                         "Tacacs authentication attempt from " + credentials.getRemoteAddress()
>                         + " for user \"" + credentials.getUsername() + "\" failed.",
>                         CredentialsInfo.USERNAME_PASSWORD);
>             } else {
>                 if (logger.isInfoEnabled())
>                     logger.info("User \"{}\" successfully authenticated with Tacacs from {}.",
>                             credentials.getUsername(),
>                             Utils.getLoggableAddress(credentials.getRequest()));
>             }
>         }
>     }
>
> }
>
> And the problem is that Active Sessions are not shown.
>
> Any idea what is missing?
>
> -Gabriel
>

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok Michael.

I will take it into account for future releases.

Thanks a lot for your support.

-Gabriel



Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
On Wed, Apr 26, 2023, 6:30 PM Nick Couchman <vn...@apache.org> wrote:

> On Sat, Apr 22, 2023 at 8:09 PM Gabriel Huerta Araujo
> <hu...@globalhitss.com.invalid> wrote:
> >
> > Thanks a lot Michael and Nick for your valuable help.
> >
> >
> >
> > I found out that I was doing something wrong. The Tacacs authentication
> > provider jar was made with Guacamole version 0.9.14 and I was doing my
> > tests with Guacamole version 1.4.0. I got a new version of Guacamole
> > (1.4.0) and added the Tacacs jar and everything works fine. I think for
> > some reason the Guacamole version I had (1.4.0) had some errors.
> >
> >
>
> Thanks for posting your solution back, here. We do generally design
> the components to be as backward-compatible as possible, but that is
> quite a large difference in versions, and things have changed pretty
> drastically between those versions, so it isn't shocking that some
> things would not work.


With the version sanity checks built into the extension format, a copy of
1.4.0 will refuse to load extensions for 0.9.14, and will instead log an
error noting the incompatibility.

Gabriel, if your extension lists the target version as "*", you should
change it to the specific version your extension was built against. Future
versions of Guacamole will still load it as long as they are compatible,
and will safely refuse to load it if not. That (or reading the
compatibility notes in the release notes) is your signal to rebuild your
extension against the new version, making any changes necessary for it to
build.

- Mike

Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Apr 22, 2023 at 8:09 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Thanks a lot Michael and Nick for your valuable help.
>
>
>
> I found out that I was doing something wrong. The Tacacs authentication provider jar was made with Guacamole version 0.9.14 and I was doing my tests with Guacamole version 1.4.0. I got a new version of Guacamole (1.4.0) and added the Tacacs jar and everything works fine. I think for some reason the Guacamole version I had (1.4.0) had some errors.
>
>

Thanks for posting your solution back, here. We do generally design
the components to be as backward-compatible as possible, but that is
quite a large difference in versions, and things have changed pretty
drastically between those versions, so it isn't shocking that some
things would not work.

Glad you found the solution.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Thanks a lot Michael and Nick for your valuable help.

I found out that I was doing something wrong. The Tacacs authentication provider jar was made with Guacamole version 0.9.14 and I was doing my tests with Guacamole version 1.4.0. I got a new version of Guacamole (1.4.0) and added the Tacacs jar and everything works fine. I think for some reason the Guacamole version I had (1.4.0) had some errors.

-Gabriel


RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
This is the class which authenticates; there is just one method, just like you stipulated:

import com.google.inject.Guice;
import com.google.inject.Injector;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
// TacacsAuthenticationProviderModule is the extension's own Guice module (not shown).

public class TacacsAuthenticationProvider extends AbstractAuthenticationProvider {

    // Currently unused.
    private static final String MYSQLAuthenticationProviderString = "mysql";

    /**
     * Logger for this class.
     */
    private static final Logger logger = LoggerFactory.getLogger(TacacsAuthenticationProvider.class);

    /**
     * Injector which will manage the object graph of this authentication
     * provider.
     */
    private final Injector injector;

    /**
     * Creates a new TacacsAuthenticationProvider that authenticates users
     * using Tacacs.
     *
     * @throws GuacamoleException
     *     If a required property is missing, or an error occurs while parsing
     *     a property.
     */
    public TacacsAuthenticationProvider() throws GuacamoleException {

        // Set up Guice injector.
        injector = Guice.createInjector(
            new TacacsAuthenticationProviderModule(this)
        );

    }

    @Override
    public String getIdentifier() {
        return "tacacs";
    }

    @Override
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {

        // Pass credentials to authentication service.
        AuthenticationProviderService authProviderService =
            injector.getInstance(AuthenticationProviderService.class);
        return authProviderService.authenticateUser(credentials);

    }

}

And below is the class showing how authentication is done in Tacacs:

import com.google.inject.Inject;
import com.google.inject.Provider;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
// AuthenticatedUser here is the extension's own class (the one providing init()),
// and AuthenticationTacacs and Utils are the extension's own helpers; none are shown.

public class AuthenticationProviderService {

    /**
     * Logger for this class.
     */
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);

    /**
     * Guacamole's administrator user.
     */
    private static final String GUACAMOLE_ADMINISTRATOR = "guacadmin";

    /**
     * Provider for AuthenticatedUser objects.
     */
    @Inject
    private Provider<AuthenticatedUser> authenticatedUserProvider;

    /**
     * Returns an AuthenticatedUser representing the user authenticated by the
     * given credentials.
     *
     * @param credentials
     *     The credentials to use for authentication.
     *
     * @return
     *     An AuthenticatedUser representing the user authenticated by the
     *     given credentials.
     *
     * @throws GuacamoleException
     *     If an error occurs while authenticating the user, or if access is
     *     denied.
     */
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {
        // NOTE: indexOf() is a substring test, so any username that merely
        // contains "guacadmin" is treated as the administrator account here.
        if (credentials.getUsername() != null && credentials.getPassword() != null
            && credentials.getUsername().indexOf(GUACAMOLE_ADMINISTRATOR) == -1) {
            validateTacacsAuthentication(credentials);
            // Log only the username; the password must never be written to the log.
            logger.debug("User \"{}\" authenticated via Tacacs.", credentials.getUsername());
            AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
            authenticatedUser.init(credentials.getUsername(), credentials);
            return authenticatedUser;
        }
        // Authentication not provided via Tacacs, yet, so we request it.
        throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
    }

    private void validateTacacsAuthentication(Credentials credentials) throws GuacamoleException {
        if (credentials.getUsername() != null
                && credentials.getUsername().indexOf(GUACAMOLE_ADMINISTRATOR) == -1) {
            if (!AuthenticationTacacs.authenticate(credentials.getUsername(),
                    credentials.getPassword(),
                    credentials.getRemoteAddress())) {
                logger.warn("Tacacs authentication attempt from {} for user \"{}\" failed.",
                        credentials.getRemoteAddress(), credentials.getUsername());
                throw new GuacamoleInvalidCredentialsException(
                        "Tacacs authentication attempt from " + credentials.getRemoteAddress()
                        + " for user \"" + credentials.getUsername() + "\" failed.",
                        CredentialsInfo.USERNAME_PASSWORD);
            } else {
                if (logger.isInfoEnabled())
                    logger.info("User \"{}\" successfully authenticated with Tacacs from {}.",
                            credentials.getUsername(),
                            Utils.getLoggableAddress(credentials.getRequest()));
            }
        }
    }

}

And the problem is that Active Sessions are not shown.

Any idea what is missing?

-Gabriel

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
How can I get all the AuthenticationProviders installed in Guacamole, to be consulted from the Tacacs Authentication Provider code?

-Gabriel



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok Michael

With the incorrect change, Active Sessions are shown. With the correct implementation they are not shown.

How can I solve this issue?

-Gabriel

From: Michael Jumper <mj...@apache.org>
Sent: Tuesday, April 18, 2023 09:29 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Apr 18, 2023, 6:23 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
> ...
> It was like this
>     @Override
>     public UserContext getUserContext(AuthenticatedUser authenticatedUser)
>             throws GuacamoleException {
>         // No associated data whatsoever
>         return null;
>     }

This is correct for an extension that provides no data of its own.

> With the modification below, it works like a charm now.
>     @Override
>     public UserContext getUserContext(AuthenticatedUser authenticatedUser)
>             throws GuacamoleException {
>         // No associated data whatsoever
>         return authenticatedUser.getAuthenticationProvider().getUserContext(authenticatedUser);
>     }

Sorry, but the above is very incorrect. You are essentially performing the same call to getUserContext() that Guacamole itself would make, returning a second copy of a UserContext from a different AuthenticationProvider as if it came from this one. This may cause really odd behavior or break in unexpected ways.

What you had before was correct.

- Mike


Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
On Tue, Apr 18, 2023, 6:23 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:

> ...
>
> It was like this:
>
>     @Override
>     public UserContext getUserContext(AuthenticatedUser authenticatedUser)
>             throws GuacamoleException {
>         // No associated data whatsoever
>         return null;
>     }
>

This is correct for an extension that provides no data of its own.

> With the modification below, it works like a charm now.
>
>     @Override
>     public UserContext getUserContext(AuthenticatedUser authenticatedUser)
>             throws GuacamoleException {
>         // No associated data whatsoever
>         return authenticatedUser.getAuthenticationProvider().getUserContext(authenticatedUser);
>     }
>

Sorry, but the above is very incorrect. You are essentially performing the
same call to getUserContext() that Guacamole itself would make, returning a
second copy of a UserContext from a different AuthenticationProvider as if
it came from this one. This may cause really odd behavior or break in
unexpected ways.

What you had before was correct.

- Mike

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Thanks a lot Michael for your complete explanation.

This implementation of the getUserContext method was missing.

It was like this:

    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {

        // No associated data whatsoever
        return null;

    }

With the modification below, it works like a charm now.

    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {

        // No associated data whatsoever
        return authenticatedUser.getAuthenticationProvider().getUserContext(authenticatedUser);

    }

I am plenty grateful, Michael.

-Gabriel

From: Michael Jumper <mj...@apache.org>
Sent: Monday, April 17, 2023 04:02 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

Guacamole will poll every installed AuthenticationProvider. I can't speak to how your extension is written, but there are three phases that Guacamole goes through when you visit the application and attempt to authenticate:

1. Authentication: All installed extensions are asked to attempt to identify the user. Guacamole does this by calling authenticateUser() for each extension, one at a time, until one succeeds or all have failed: https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#authenticateUser(org.apache.guacamole.net.auth.Credentials)

2. Authorization: The AuthenticatedUser from whichever extension authenticated the user is passed to all installed extensions to allow those extensions to provide data for the user. Guacamole does this by calling getUserContext() for each extension, one at a time, providing each with the AuthenticatedUser received from the successful authentication attempt. Each extension then can (but does not need to) provide a UserContext describing what the user can access within that extension: https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext(org.apache.guacamole.net.auth.AuthenticatedUser)

3. Decoration: The UserContext from all extensions that provided one is passed to all installed extensions to allow those extensions to augment or decorate the data provided for the user. This allows extensions to enforce restrictions on top of objects that they do not otherwise maintain, to hook into function calls at a low level, etc. Guacamole does this by calling decorate(): https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#decorate(org.apache.guacamole.net.auth.UserContext,org.apache.guacamole.net.auth.AuthenticatedUser,org.apache.guacamole.net.auth.Credentials)

If you are writing an extension intended to authenticate users and _only_ authenticate users, with something like MySQL providing connection storage and tracking, then all you need to do is implement authenticateUser() however you see fit. Nothing needs to match except the username as all of the various database extensions for Guacamole will trust the authentication results of other extensions. You don't need to synchronize passwords (nor set an explicit password at all), you don't need to implement connection tracking, and you don't need to try to access the internals of the webapp or other extensions. You just need to implement authenticateUser() in your AuthenticationProvider and make sure your AuthenticationProvider is declared correctly in your extension's guac-manifest.json.

- Mike


On Mon, Apr 17, 2023 at 1:19 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
In fact the web application goes through every Authentication Provider, but it does not enter the Tacacs Authentication Provider when it arrives there (it comes before MySQL); it only enters the MySQL Authentication Provider (which is last in the Authentication Providers list).

Any idea how to force it to enter the Tacacs Authentication Provider?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Monday, April 17, 2023 09:00 AM
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Nick

How can I make Tacacs authentication be executed? Because, as the Tacacs and DB passwords are the same, the application goes for DB authentication.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Sunday, April 16, 2023 02:03 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I did a test and it does not work.
>
> I set mysql-auto-create-accounts (guacamole.properties) to true.
>
> In fact the Tacacs user is the same as the DB user, but why, when I log in with the DB user and its password as saved in that repository, can I see Active Sessions?

The likely explanation for why this works is because the database module gets evaluated, first, and, if the password is the same, the authentication to Guacamole is done by the database module and *not* by the TACACS module. I'd bet that, once the passwords are the same between DB and TACACS, the Guacamole logins will stop showing up in your TACACS system.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org



Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
Guacamole will poll every installed AuthenticationProvider. I can't speak
to how your extension is written, but there are three phases that Guacamole
goes through when you visit the application and attempt to authenticate:

1. Authentication: All installed extensions are asked to attempt to
identify the user. Guacamole does this by calling authenticateUser() for
each extension, one at a time, until one succeeds or all have failed:
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#authenticateUser(org.apache.guacamole.net.auth.Credentials)

2. Authorization: The AuthenticatedUser from whichever extension
authenticated the user is passed to all installed extensions to allow those
extensions to provide data for the user. Guacamole does this by calling
getUserContext() for each extension, one at a time, providing each with the
AuthenticatedUser received from the successful authentication attempt. Each
extension then can (but does not need to) provide a UserContext describing
what the user can access within that extension:
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext(org.apache.guacamole.net.auth.AuthenticatedUser)

3. Decoration: The UserContext from all extensions that provided one is
passed to all installed extensions to allow those extensions to augment or
decorate the data provided for the user. This allows extensions to enforce
restrictions on top of objects that they do not otherwise maintain, to hook
into function calls at a low level, etc. Guacamole does this by calling
decorate():
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#decorate(org.apache.guacamole.net.auth.UserContext,org.apache.guacamole.net.auth.AuthenticatedUser,org.apache.guacamole.net.auth.Credentials)

If you are writing an extension intended to authenticate users and _only_
authenticate users, with something like MySQL providing connection storage
and tracking, then all you need to do is implement authenticateUser()
however you see fit. Nothing needs to match except the username as all of
the various database extensions for Guacamole will trust the authentication
results of other extensions. You don't need to synchronize passwords (nor
set an explicit password at all), you don't need to implement connection
tracking, and you don't need to try to access the internals of the webapp
or other extensions. You just need to implement authenticateUser() in your
AuthenticationProvider and make sure your AuthenticationProvider is
declared correctly in your extension's guac-manifest.json.

- Mike



On Mon, Apr 17, 2023 at 1:19 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:

> In fact the web application goes through every Authentication Provider, but it
> does not enter the Tacacs Authentication Provider when it arrives there (it
> comes before MySQL); it only enters the MySQL Authentication Provider (which
> is last in the Authentication Providers list).
>
> Any idea how to force it to enter the Tacacs Authentication Provider?
>
> -Gabriel
>
> -----Original Message-----
> From: Gabriel Huerta Araujo
> Sent: Monday, April 17, 2023 09:00 AM
> To: user@guacamole.apache.org
> Subject: RE: Change to the way of authenticating provided by Guacamole
>
> Nick
>
> How can I make Tacacs authentication be executed? Because, as the Tacacs and DB
> passwords are the same, the application goes for DB authentication.
>
> -Gabriel
>
> -----Original Message-----
> From: Nick Couchman <vn...@apache.org>
> Sent: Sunday, April 16, 2023 02:03 PM
> To: user@guacamole.apache.org
> Subject: Re: Change to the way of authenticating provided by Guacamole
>
> On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo <
> huertaga@globalhitss.com.invalid> wrote:
> >
> > I did a test and it does not work.
> >
> > I set mysql-auto-create-accounts (guacamole.properties) to true.
> >
> > In fact the Tacacs user is the same as the DB user, but why, when I log in
> > with the DB user and its password as saved in that repository, can I see
> > Active Sessions?
>
> The likely explanation for why this works is because the database module
> gets evaluated, first, and, if the password is the same, the authentication
> to Guacamole is done by the database module and *not* by the TACACS module.
> I'd bet that, once the passwords are the same between DB and TACACS, the
> Guacamole logins will stop showing up in your TACACS system.
>
> -Nick
>

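The three phases Mike describes, in working form, as an added example: this is not code from the Guacamole project and not the extension posted in this thread. It is an authentication-only provider built on the guacamole-ext API. Only authenticateUser() does real work; getUserContext() deliberately returns null so that the JDBC extension remains the one that supplies connections and the Active Sessions list, which is also the point of Mike's later reply about not forwarding getUserContext() to another provider. The package and class names, the Verifier interface, the in-memory credential table (a constructed stand-in for a TACACS+ server, which this example does not contain) and the manifest's version string are assumptions.

```java
package org.example.guac;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

/*
 * guac-manifest.json at the root of the extension .jar; "authProviders" must
 * name this class (the version string is an assumption):
 * {
 *     "guacamoleVersion" : "1.5.0",
 *     "name"             : "Example authentication-only extension",
 *     "namespace"        : "example-auth",
 *     "authProviders"    : [ "org.example.guac.ExampleAuthenticationProvider" ]
 * }
 */
public class ExampleAuthenticationProvider extends AbstractAuthenticationProvider {

    /** Phase 1 back end: answers only "is this username/password valid?". */
    public interface Verifier {
        boolean verify(String username, String password);
    }

    /** Constructed stand-in for the TACACS+ server so the class runs offline. */
    static final Map<String, String> TABLE = Collections.singletonMap("alice", "correct-horse");

    static boolean tableVerify(String username, String password) {
        String expected = TABLE.get(username);
        if (expected == null || password == null)
            return false;
        // Constant-time comparison so a wrong guess does not leak timing
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    private final Verifier verifier;

    /** Guacamole instantiates extensions through their no-arg constructor. */
    public ExampleAuthenticationProvider() { this(ExampleAuthenticationProvider::tableVerify); }

    ExampleAuthenticationProvider(Verifier verifier) { this.verifier = verifier; }

    @Override public String getIdentifier() { return "example-auth"; }

    /** Phase 1: identify the user, or say which credentials are still missing. */
    @Override
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        // First visit, nothing submitted yet: request the username/password form
        if (username == null || password == null)
            throw new GuacamoleInvalidCredentialsException(
                    "Username and password required.", CredentialsInfo.USERNAME_PASSWORD);
        if (!verifier.verify(username, password))
            throw new GuacamoleInvalidCredentialsException(
                    "Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
        return new ExampleAuthenticatedUser(this, credentials);
    }

    /**
     * Phase 2: this extension stores no users, connections or sessions, so it
     * contributes no UserContext. Do not forward the call to another provider;
     * Guacamole already calls getUserContext() on every installed extension with
     * this same AuthenticatedUser, and the JDBC extension supplies connections
     * and Active Sessions for the database user with the matching identifier.
     */
    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {
        return null;
    }

    /** Result of phase 1; other extensions look the account up by identifier. */
    private static final class ExampleAuthenticatedUser extends AbstractAuthenticatedUser {
        private final AuthenticationProvider provider;
        private final Credentials credentials;

        ExampleAuthenticatedUser(AuthenticationProvider provider, Credentials credentials) {
            this.provider = provider;
            this.credentials = credentials;
            // Must equal the JDBC username exactly, including case; no password is synced
            setIdentifier(credentials.getUsername());
        }

        @Override public AuthenticationProvider getAuthenticationProvider() { return provider; }
        @Override public Credentials getCredentials() { return credentials; }
    }
}
```

Build it against guacamole-ext in provided scope, put the .jar with its guac-manifest.json in GUACAMOLE_HOME/extensions, and make sure a JDBC user named exactly alice exists (or enable mysql-auto-create-accounts, as Nick mentions above). Nothing about the TACACS password needs to exist in the database; the only value the two extensions share is the identifier.
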
RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
In fact the web application goes through every Authentication Provider, but it does not enter the Tacacs Authentication Provider when it arrives there (it comes before MySQL); it only enters the MySQL Authentication Provider (which is last in the Authentication Providers list).

Any idea how to force it to enter the Tacacs Authentication Provider?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Monday, April 17, 2023 09:00 AM
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Nick

How can I make Tacacs authentication be executed? Because, as the Tacacs and DB passwords are the same, the application goes for DB authentication.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Sunday, April 16, 2023 02:03 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I did a test and it does not work.
>
> I set mysql-auto-create-accounts (guacamole.properties) to true.
>
> In fact the Tacacs user is the same as the DB user, but why, when I log in with the DB user and its password as saved in that repository, can I see Active Sessions?

The likely explanation for why this works is because the database module gets evaluated, first, and, if the password is the same, the authentication to Guacamole is done by the database module and *not* by the TACACS module. I'd bet that, once the passwords are the same between DB and TACACS, the Guacamole logins will stop showing up in your TACACS system.

-Nick




RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Nick

How can I make Tacacs authentication be executed? Because, as the Tacacs and DB passwords are the same, the application goes for DB authentication.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Sunday, April 16, 2023 02:03 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I did a test and it does not work.
>
> I set mysql-auto-create-accounts (guacamole.properties) to true.
>
> In fact the Tacacs user is the same as the DB user, but why, when I log in with the DB user and its password as saved in that repository, can I see Active Sessions?

The likely explanation for why this works is because the database module gets evaluated, first, and, if the password is the same, the authentication to Guacamole is done by the database module and *not* by the TACACS module. I'd bet that, once the passwords are the same between DB and TACACS, the Guacamole logins will stop showing up in your TACACS system.

-Nick




Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> I did a test and it does not work.
>
> I set mysql-auto-create-accounts (guacamole.properties) to true.
>
> In fact the Tacacs user is the same as the DB user, but why, when I log in with the DB user and its password as saved in that repository, can I see Active Sessions?

The likely explanation for why this works is because the database
module gets evaluated, first, and, if the password is the same, the
authentication to Guacamole is done by the database module and *not*
by the TACACS module. I'd bet that, once the passwords are the same
between DB and TACACS, the Guacamole logins will stop showing up in
your TACACS system.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I did a test and it does not work.

I set mysql-auto-create-accounts (guacamole.properties) to true.

In fact the Tacacs user is the same as the DB user, but why, when I log in with the DB user and its password as saved in that repository, can I see Active Sessions?


-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 15, 2023 06:56 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 15, 2023 at 8:27 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Ok Nick
>
> Then what do I need to do in order to see Active Sessions when I log in with Tacacs authentication?

There's nothing you need to do in your Java code to enable this. You only need to make sure that the user you're logging in as via TACACS is granted privileges in the JDBC module to see the active sessions.
The username in the JDBC module must match the TACACS username
*exactly* (including case sensitivity), but the password need not be synchronized.

You can also enable the JDBC user auto-creation feature, which will automatically create a JDBC user for any account that is successfully logged in via another module, and then grant those accounts the required privileges.

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

-Nick




Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Apr 15, 2023 at 8:27 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Ok Nick
>
> Then what do I need to do in order to see Active Sessions when I log in with Tacacs authentication?

There's nothing you need to do in your Java code to enable this. You
only need to make sure that the user you're logging in as via TACACS
is granted privileges in the JDBC module to see the active sessions.
The username in the JDBC module must match the TACACS username
*exactly* (including case sensitivity), but the password need not be
synchronized.

You can also enable the JDBC user auto-creation feature, which will
automatically create a JDBC user for any account that is successfully
logged in via another module, and then grant those accounts the
required privileges.

https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok Nick

Then what do I need to do in order to see Active Sessions when I log in with Tacacs authentication?


I have attached all the Java files I have included in a new jar file.

Just to mention, I do not add the tacacs-auth-header parameter to guacamole.properties, because I do not think it is needed.


-Gabriel


-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Friday, April 14, 2023 07:58 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Fri, Apr 14, 2023 at 9:38 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I hope to make myself understood.
>
> I want to validate the Tacacs password in the Guacamole application, just to satisfy this authentication; once this is done, the AuthenticatedUser variable would be replaced with the original password to be able to see Active Sessions, because they are not shown with Tacacs credentials but with DB credentials.

You can have TACACS do authentication, and still have the connections stored in the JDBC module, and use Active Sessions, authentication tokens, etc., and there's no need to sync the TACACS password with the DB module. It works fine without this. I don't use TACACS, but I use LDAP for authentication (against Active Directory), I do not synchronize passwords, I store connections in the JDBC module, and active session tracking works fine.

-Nick



Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 14, 2023 at 9:38 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> I hope to make myself understood.
>
> I want to validate the Tacacs password in the Guacamole application, just to satisfy this authentication; once this is done, the AuthenticatedUser variable would be replaced with the original password to be able to see Active Sessions, because they are not shown with Tacacs credentials but with DB credentials.

You can have TACACS do authentication, and still have the connections
stored in the JDBC module, and use Active Sessions, authentication
tokens, etc., and there's no need to sync the TACACS password with the
DB module. It works fine without this. I don't use TACACS, but I use
LDAP for authentication (against Active Directory), I do not
synchronize passwords, I store connections in the JDBC module, and
active session tracking works fine.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I hope to make myself understood.

I want to validate the Tacacs password in the Guacamole application, just to satisfy this authentication; once this is done, the AuthenticatedUser variable would be replaced with the original password to be able to see Active Sessions, because they are not shown with Tacacs credentials but with DB credentials.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Friday, April 14, 2023 06:51 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Fri, Apr 14, 2023 at 8:44 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> As an option, but I would prefer the second option: read the original DB password and, when the Tacacs password validation passes, update the DB password into UserAuthenticated.
>

Yes, but I don't understand why you want the password stored in the database to validate against the TACACS system? I don't know of any reason why the password stored in the SQL database would need to match the TACACS one, when you're authenticating against TACACS, anyway?

-Nick



Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 14, 2023 at 8:44 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> As an option, but I would prefer the second option: read the original DB password and, when the Tacacs password validation passes, update the DB password into UserAuthenticated.
>

Yes, but I don't understand why you want the password stored in the
database to validate against the TACACS system? I don't know of any
reason why the password stored in the SQL database would need to match
the TACACS one, when you're authenticating against TACACS, anyway?

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
As an option, but I would prefer the second option: read the original DB password and, when the Tacacs password validation passes, update the DB password into UserAuthenticated.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Friday, April 14, 2023 06:39 PM
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Wed, Apr 12, 2023 at 6:14 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Nick:
>
> I think you have misunderstood me. I intended to update the Tacacs
> password once this is validated and after that have it replaced in the
> MySQL database, first validating that the Tacacs password has not
> been saved in the MySQL database. Or another possibility is getting the
> user name, getting its original password and, once the Tacacs password is
> validated, replacing it with the password saved in MySQL in the
> AuthenticatedUser variable used by the Java program.
>

Why do you want to store the user's password in the database?

-Nick




Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 12, 2023 at 6:14 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Nick:
>
> I think you have misunderstood me. I intended to update the Tacacs password once this is validated and after that have it replaced in the MySQL database, first validating that the Tacacs password has not been saved in the MySQL database. Or another possibility is getting the user name, getting its original password and, once the Tacacs password is validated, replacing it with the password saved in MySQL in the AuthenticatedUser variable used by the Java program.
>

Why do you want to store the user's password in the database?

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Or how can I get access to the get method of the MySQLInjectorProvider instance?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Friday, April 14, 2023 05:52 PM
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Hi all, I hope I am not disturbing.

I created some methods. I am showing you part of the AuthenticationProviderService class, in order to get some guidance.

    @Inject
    private UserMapper userMapper;

    @Inject
    private Provider<ModeledUser> userProvider;

    // Used by getOriginalPassword() below; not declared in the originally posted snippet
    @Inject
    private PasswordEncryptionService encryptionService;

    private ModeledUser getObjectInstance(ModeledAuthenticatedUser currentUser,
            UserModel model) throws GuacamoleException {

        boolean exposeRestrictedAttributes;

        // Expose restricted attributes if the user does not yet exist
        if (model.getObjectID() == null)
            exposeRestrictedAttributes = true;

        // Otherwise, if the user permissions are available, expose restricted
        // attributes only if the user has ADMINISTER permission
        // (hasObjectPermission() must be provided by the enclosing class)
        else if (currentUser != null)
            exposeRestrictedAttributes = hasObjectPermission(currentUser,
                    model.getIdentifier(), ObjectPermission.Type.ADMINISTER);

        // If user permissions are not available, do not expose anything
        else
            exposeRestrictedAttributes = false;

        // Produce ModeledUser exposing only those attributes for which the
        // current user has permission
        ModeledUser user = userProvider.get();
        user.init(currentUser, model, exposeRestrictedAttributes);
        return user;
    }

    private String getOriginalPassword(Credentials credentials) throws GuacamoleException {

        // Get username and password
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Retrieve corresponding user model, if such a user exists
        UserModel userModel = userMapper.selectOne(username);
        if (userModel != null) {

            // Create corresponding user object, set up cyclic reference
            ModeledUser user = getObjectInstance(null, userModel);
            byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());

            // If the username does not contain GUACAMOLE_ADMINISTRATOR and the
            // provided password does not match the stored hash, return the
            // password held by the user object
            if (username.indexOf(GUACAMOLE_ADMINISTRATOR) == -1
                    && !Arrays.equals(hash, userModel.getPasswordHash())) {
                return user.getPassword();
            }
        }

        return null;
    }

To retrieve the password saved in MySQL, once the Tacacs password is validated, so that it is replaced with the first one:

            String originalPassword = getOriginalPassword(credentials);
            if (originalPassword != null) {
                credentials.setPassword(originalPassword);
                authenticatedUser.init(credentials.getUsername(), credentials);
                return authenticatedUser;
            }

Everything compiles fine, but when I run the web application I get the error below:


[2023-04-14 14:10:03] [info] 14:10:03.358 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error: Guice configuration errors:
[2023-04-14 14:10:03] [info] 1) [Guice/MissingImplementation]: No implementation for GuacamoleTunnelService was bound.
[2023-04-14 14:10:03] [info] Requested by:
[2023-04-14 14:10:03] [info] 1  : ActiveConnectionPermissionService.tunnelService(ActiveConnectionPermissionService.java:44)
[2023-04-14 14:10:03] [info]       \_ for field tunnelService
[2023-04-14 14:10:03] [info]      at ModeledPermissions.activeConnectionPermissionService(ModeledPermissions.java:46)
[2023-04-14 14:10:03] [info]       \_ for field activeConnectionPermissionService
[2023-04-14 14:10:03] [info]      at AuthenticationProviderService.userProvider(AuthenticationProviderService.java:48)
[2023-04-14 14:10:03] [info]       \_ for field userProvider
[2023-04-14 14:10:03] [info]      while locating AuthenticationProviderService
[2023-04-14 14:10:03] [info] Learn more:
[2023-04-14 14:10:03] [info]   https://github.com/google/guice/wiki/MISSING_IMPLEMENTATION
[2023-04-14 14:10:03] [info] 2) [Guice/MissingImplementation]: No implementation for EntityMapper was bound.
[2023-04-14 14:10:03] [info] Requested by:
[2023-04-14 14:10:03] [info] 1  : EntityService.entityMapper(EntityService.java:33)
[2023-04-14 14:10:03] [info]       \_ for field entityMapper
[2023-04-14 14:10:03] [info]      at ModeledPermissions.entityService(ModeledPermissions.java:46)
[2023-04-14 14:10:03] [info]       \_ for field entityService
[2023-04-14 14:10:03] [info]      at AuthenticationProviderService.userProvider(AuthenticationProviderService.java:48)
[2023-04-14 14:10:03] [info]       \_ for field userProvider
[2023-04-14 14:10:03] [info]      while locating AuthenticationProviderService
[2023-04-14 14:10:03] [info] 2  : UserService.entityMapper(UserService.java:66)
[2023-04-14 14:10:03] [info]       \_ for field entityMapper
[2023-04-14 14:10:03] [info]      at UserRecordSet.userService(UserRecordSet.java:39) 

Any excellent guide for Guice? Or an example where I can use a SQL SELECT using MyBatis?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Wednesday, April 12, 2023 04:14 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Nick:

I think you have misunderstood me. I intended to update the Tacacs password once it is validated and after that replace it in the MySQL database, first validating that the Tacacs password has not been saved in the MySQL database. Another possibility is getting the user name, getting its original password and, once the Tacacs password is validated, replacing it with the password saved in MySQL in the AuthenticatedUser variable used by the Java program.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, April 12, 2023 02:11 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Wed, Apr 12, 2023 at 4:08 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Hi all
>
> If I update MySQL password saved, replacing it by Tacacs password, is automatically application updated to see Active Sessions?

No - in fact, if you do this, you will likely be authenticated by the MySQL module and not the TACACS module at all, since Guacamole will succeed using the first module it comes to, and skip the rest.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Hi all, I hope I am not disturbing.

I created some methods. I am showing you part of the AuthenticationProviderService class in order to get some guidance.

    @Inject
    private UserMapper userMapper;

    @Inject
    private Provider<ModeledUser> userProvider;

    private ModeledUser getObjectInstance(ModeledAuthenticatedUser currentUser,
            UserModel model) throws GuacamoleException {

        boolean exposeRestrictedAttributes;

        // Expose restricted attributes if the user does not yet exist
        if (model.getObjectID() == null)
            exposeRestrictedAttributes = true;

        // Otherwise, if the user permissions are available, expose restricted
        // attributes only if the user has ADMINISTER permission
        else if (currentUser != null)
            exposeRestrictedAttributes = hasObjectPermission(currentUser,
                    model.getIdentifier(), ObjectPermission.Type.ADMINISTER);

        // If user permissions are not available, do not expose anything
        else
            exposeRestrictedAttributes = false;

        // Produce ModeledUser exposing only those attributes for which the
        // current user has permission
        ModeledUser user = userProvider.get();
        user.init(currentUser, model, exposeRestrictedAttributes);
        return user;
    }

    private String getOriginalPassword(Credentials credentials) throws GuacamoleException {
        // Get username and password
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Retrieve corresponding user model, if such a user exists
        UserModel userModel = userMapper.selectOne(username);
        if (userModel != null) {
            // Create corresponding user object, set up cyclic reference
            ModeledUser user = getObjectInstance(null, userModel);
            byte[] hash = encryptionService.createPasswordHash(password, userModel.getPasswordSalt());

            // If this is not the administrator and the provided password does
            // not match the stored hash, return the password saved in MySQL
            if (username.indexOf(GUACAMOLE_ADMINISTRATOR) == -1
                    && !Arrays.equals(hash, userModel.getPasswordHash())) {
                return user.getPassword();
            }
        }
        return null;
    }

To retrieve the password saved in MySQL, so that once the Tacacs password is validated it is replaced with the saved one:

            String originalPassword = getOriginalPassword(credentials);
            if (originalPassword != null) {
                credentials.setPassword(originalPassword);
                authenticatedUser.init(credentials.getUsername(), credentials);
                return authenticatedUser;
            }

All compiles fine, but when I run the web application I get the error below:


[2023-04-14 14:10:03] [info] 14:10:03.358 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error: Guice configuration errors:
[2023-04-14 14:10:03] [info] 1) [Guice/MissingImplementation]: No implementation for GuacamoleTunnelService was bound.
[2023-04-14 14:10:03] [info] Requested by:
[2023-04-14 14:10:03] [info] 1  : ActiveConnectionPermissionService.tunnelService(ActiveConnectionPermissionService.java:44)
[2023-04-14 14:10:03] [info]       \_ for field tunnelService
[2023-04-14 14:10:03] [info]      at ModeledPermissions.activeConnectionPermissionService(ModeledPermissions.java:46)
[2023-04-14 14:10:03] [info]       \_ for field activeConnectionPermissionService
[2023-04-14 14:10:03] [info]      at AuthenticationProviderService.userProvider(AuthenticationProviderService.java:48)
[2023-04-14 14:10:03] [info]       \_ for field userProvider
[2023-04-14 14:10:03] [info]      while locating AuthenticationProviderService
[2023-04-14 14:10:03] [info] Learn more:
[2023-04-14 14:10:03] [info]   https://github.com/google/guice/wiki/MISSING_IMPLEMENTATION
[2023-04-14 14:10:03] [info] 2) [Guice/MissingImplementation]: No implementation for EntityMapper was bound.
[2023-04-14 14:10:03] [info] Requested by:
[2023-04-14 14:10:03] [info] 1  : EntityService.entityMapper(EntityService.java:33)
[2023-04-14 14:10:03] [info]       \_ for field entityMapper
[2023-04-14 14:10:03] [info]      at ModeledPermissions.entityService(ModeledPermissions.java:46)
[2023-04-14 14:10:03] [info]       \_ for field entityService
[2023-04-14 14:10:03] [info]      at AuthenticationProviderService.userProvider(AuthenticationProviderService.java:48)
[2023-04-14 14:10:03] [info]       \_ for field userProvider
[2023-04-14 14:10:03] [info]      while locating AuthenticationProviderService
[2023-04-14 14:10:03] [info] 2  : UserService.entityMapper(UserService.java:66)
[2023-04-14 14:10:03] [info]       \_ for field entityMapper
[2023-04-14 14:10:03] [info]      at UserRecordSet.userService(UserRecordSet.java:39) 

Any excellent guide for Guice? Or an example where I can use a SQL SELECT using MyBatis?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Wednesday, April 12, 2023 04:14 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Nick:

I think you have misunderstood me. I intended to update the Tacacs password once it is validated and after that replace it in the MySQL database, first validating that the Tacacs password has not been saved in the MySQL database. Another possibility is getting the user name, getting its original password and, once the Tacacs password is validated, replacing it with the password saved in MySQL in the AuthenticatedUser variable used by the Java program.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, April 12, 2023 02:11 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Wed, Apr 12, 2023 at 4:08 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Hi all
>
> If I update MySQL password saved, replacing it by Tacacs password, is automatically application updated to see Active Sessions?

No - in fact, if you do this, you will likely be authenticated by the MySQL module and not the TACACS module at all, since Guacamole will succeed using the first module it comes to, and skip the rest.

-Nick


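An added example, not code from this thread or from Guacamole itself: a Python model of the check getOriginalPassword makes against the row userMapper.selectOne() returns, showing that the row holds only a salt and a hash, so a candidate password can be verified against it but the saved password cannot be read back from it. It assumes createPasswordHash is SHA-256 over the password followed by the uppercase hex of the salt (the construction used for the initial guacadmin row in the Guacamole JDBC schema); the user rows and account names are constructed here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Name of Guacamole's built-in administrator account; repeated here as an
# assumption so the example stands alone (the Java code uses a constant).
GUACAMOLE_ADMINISTRATOR = "guacadmin"


def create_password_hash(password: str, salt: bytes) -> bytes:
    """SHA-256 over the UTF-8 bytes of password || uppercase hex(salt).

    Assumed to mirror encryptionService.createPasswordHash(); it is the same
    construction as UNHEX(SHA2(CONCAT(password, HEX(salt)), 256)) used for
    the initial guacadmin row in the Guacamole JDBC schema.
    """
    salted = password + salt.hex().upper()
    return hashlib.sha256(salted.encode("utf-8")).digest()


def new_user_row(username: str, password: str) -> dict:
    """Constructed stand-in for the row userMapper.selectOne() returns.

    Only the salt and the hash are kept; the plaintext is never stored,
    which is the point of the design.
    """
    salt = secrets.token_bytes(32)
    return {
        "identifier": username,
        "password_salt": salt,
        "password_hash": create_password_hash(password, salt),
    }


def verify_password(row: dict, candidate: str) -> bool:
    """True when the candidate hashes to the stored hash.

    hmac.compare_digest keeps the comparison constant-time, unlike a plain
    equality test that stops at the first differing byte.
    """
    computed = create_password_hash(candidate, row["password_salt"])
    return hmac.compare_digest(computed, row["password_hash"])


def original_password(row: Optional[dict], username: str,
                      candidate: str) -> Optional[str]:
    """Python rendering of getOriginalPassword's decision.

    The Java method returns user.getPassword() when the account is not the
    administrator and the candidate does NOT match the stored hash. The row
    contains no plaintext, so there is nothing to hand back: a salted hash
    can be verified against, never read back.
    """
    if row is None:
        return None
    # Exact comparison on the account name. The Java code's
    # indexOf(GUACAMOLE_ADMINISTRATOR) == -1 is a substring test and would
    # also treat a name such as "guacadmin2" as the administrator.
    is_admin = username == GUACAMOLE_ADMINISTRATOR
    if not is_admin and not verify_password(row, candidate):
        return row.get("password")  # no such column: always None
    return None


def demo() -> dict:
    """Run the cases discussed in the thread and return the outcomes."""
    row = new_user_row("gabriel", "db-password-1")
    other = new_user_row("other", "db-password-1")  # same password, new salt
    return {
        # Same password as stored in MySQL: verification succeeds.
        "same_password": verify_password(row, "db-password-1"),
        # A different (TACACS) password: verification fails, as intended.
        "tacacs_password_differs": verify_password(row, "tacacs-pw"),
        # What getOriginalPassword can actually obtain from the row.
        "recovered_from_row": original_password(row, "gabriel", "tacacs-pw"),
        # Per-user salts: equal passwords do not produce equal hashes.
        "salted_hashes_differ": row["password_hash"] != other["password_hash"],
        # SHA-256 digest length in bytes.
        "hash_len": len(row["password_hash"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```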

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Nick:

I think you have misunderstood me. I intended to update the Tacacs password once it is validated and after that replace it in the MySQL database, first validating that the Tacacs password has not been saved in the MySQL database. Another possibility is getting the user name, getting its original password and, once the Tacacs password is validated, replacing it with the password saved in MySQL in the AuthenticatedUser variable used by the Java program.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, April 12, 2023 02:11 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Wed, Apr 12, 2023 at 4:08 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Hi all
>
> If I update MySQL password saved, replacing it by Tacacs password, is automatically application updated to see Active Sessions?

No - in fact, if you do this, you will likely be authenticated by the MySQL module and not the TACACS module at all, since Guacamole will succeed using the first module it comes to, and skip the rest.

-Nick


Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 12, 2023 at 4:08 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Hi all
>
> If I update MySQL password saved, replacing it by Tacacs password, is automatically application updated to see Active Sessions?

No - in fact, if you do this, you will likely be authenticated by the
MySQL module and not the TACACS module at all, since Guacamole will
succeed using the first module it comes to, and skip the rest.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Hi all

If I update MySQL password saved, replacing it by Tacacs password, is automatically application updated to see Active Sessions?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Tuesday, April 11, 2023 06:49 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

I didn't realize there was a problem with the new Tacacs authentication.

When I log in with a user registered in Tacacs, the Active Sessions tab does not show its active sessions (just a spinning gear appears).
When I log in with a user registered in the MySQL DB, the Active Sessions tab shows its sessions.

What do I need to do in order to see Active Sessions for a user logged in through Tacacs authentication?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Tuesday, April 11, 2023 05:36 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Finally I found the error related to the Tacacs authentication provider. Thanks a lot for your valuable support, Nick. I appreciate it.

This is the solution to this matter (it is the condition that is commented):

    /**
     * Returns an AuthenticatedUser representing the user authenticated by the
     * given credentials.
     *
     * @param credentials
     *     The credentials to use for authentication.
     *
     * @return
     *     An AuthenticatedUser representing the user authenticated by the
     *     given credentials.
     *
     * @throws GuacamoleException
     *     If an error occurs while authenticating the user, or if access is
     *     denied.
     */
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {

        validateTacacsAuthentication(credentials);
        AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
        if (authenticatedUser != null && credentials.getUsername() != null) {   // This line is solution to memory leak error.
            // Log only the username; the password must never be written to the log.
            logger.debug("User: {}", credentials.getUsername());
            authenticatedUser.init(credentials.getUsername(), credentials);
            return authenticatedUser;
        }
        // Authentication not provided via Tacacs, yet, so we request it.
        throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
    }

-
-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Thursday, April 6, 2023 08:34 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Thanks a lot Nick, I was not available. I will follow your suggestions.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 1, 2023 01:14 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023 at 3:01 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?
>

There's no reason to switch to Windows - there are plenty of good IDEs with debuggers for Linux. Like NetBeans:

https://netbeans.apache.org/

>
> But how can I enable debug-level logging?
>

This is covered in the manual:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

If you do this you'll also want to make sure that you've put some debug logging into your custom extension, using org.slf4j.Logger and the "debug()" method. This is used extensively throughout the Guacamole Client code, so you should be able to find plenty of examples.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I didn't realize there was a problem with the new Tacacs authentication.

When I log in with a user registered in Tacacs, the Active Sessions tab does not show its active sessions (just a spinning gear appears).
When I log in with a user registered in the MySQL DB, the Active Sessions tab shows its sessions.

What do I need to do in order to see Active Sessions for a user logged in through Tacacs authentication?

-Gabriel

-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Tuesday, April 11, 2023 05:36 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Finally I found the error related to the Tacacs authentication provider. Thanks a lot for your valuable support, Nick. I appreciate it.

This is the solution to this matter (it is the condition that is commented):

    /**
     * Returns an AuthenticatedUser representing the user authenticated by the
     * given credentials.
     *
     * @param credentials
     *     The credentials to use for authentication.
     *
     * @return
     *     An AuthenticatedUser representing the user authenticated by the
     *     given credentials.
     *
     * @throws GuacamoleException
     *     If an error occurs while authenticating the user, or if access is
     *     denied.
     */
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {

        validateTacacsAuthentication(credentials);
        AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
        if (authenticatedUser != null && credentials.getUsername() != null) {   // This line is solution to memory leak error.
            // Log only the username; the password must never be written to the log.
            logger.debug("User: {}", credentials.getUsername());
            authenticatedUser.init(credentials.getUsername(), credentials);
            return authenticatedUser;
        }
        // Authentication not provided via Tacacs, yet, so we request it.
        throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
    }

-
-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Thursday, April 6, 2023 08:34 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Thanks a lot Nick, I was not available. I will follow your suggestions.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 1, 2023 01:14 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023 at 3:01 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?
>

There's no reason to switch to Windows - there are plenty of good IDEs with debuggers for Linux. Like NetBeans:

https://netbeans.apache.org/

>
> But how can I enable debug-level logging?
>

This is covered in the manual:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

If you do this you'll also want to make sure that you've put some debug logging into your custom extension, using org.slf4j.Logger and the "debug()" method. This is used extensively throughout the Guacamole Client code, so you should be able to find plenty of examples.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Finally I found the error related to the Tacacs authentication provider. Thanks a lot for your valuable support, Nick. I appreciate it.

This is the solution to this matter (it is the condition that is commented):

    /**
     * Returns an AuthenticatedUser representing the user authenticated by the
     * given credentials.
     *
     * @param credentials
     *     The credentials to use for authentication.
     *
     * @return
     *     An AuthenticatedUser representing the user authenticated by the
     *     given credentials.
     *
     * @throws GuacamoleException
     *     If an error occurs while authenticating the user, or if access is
     *     denied.
     */
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {

        validateTacacsAuthentication(credentials);
        AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
        if (authenticatedUser != null && credentials.getUsername() != null) {   // This line is solution to memory leak error.
            // Log only the username; the password must never be written to the log.
            logger.debug("User: {}", credentials.getUsername());
            authenticatedUser.init(credentials.getUsername(), credentials);
            return authenticatedUser;
        }
        // Authentication not provided via Tacacs, yet, so we request it.
        throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
    }

-
-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Thursday, April 6, 2023 08:34 p.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Thanks a lot Nick, I was not available. I will follow your suggestions.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 1, 2023 01:14 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023 at 3:01 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?
>

There's no reason to switch to Windows - there are plenty of good IDEs with debuggers for Linux. Like NetBeans:

https://netbeans.apache.org/

>
> But how can I enable debug-level logging?
>

This is covered in the manual:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

If you do this you'll also want to make sure that you've put some debug logging into your custom extension, using org.slf4j.Logger and the "debug()" method. This is used extensively throughout the Guacamole Client code, so you should be able to find plenty of examples.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Thanks a lot Nick, I was not available. I will follow your suggestions.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, April 1, 2023 01:14 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023 at 3:01 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?
>

There's no reason to switch to Windows - there are plenty of good IDEs with debuggers for Linux. Like NetBeans:

https://netbeans.apache.org/

>
> But how can I enable debug-level logging?
>

This is covered in the manual:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

If you do this you'll also want to make sure that you've put some debug logging into your custom extension, using org.slf4j.Logger and the "debug()" method. This is used extensively throughout the Guacamole Client code, so you should be able to find plenty of examples.

-Nick


Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Apr 1, 2023 at 3:01 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?
>

There's no reason to switch to Windows - there are plenty of good IDEs
with debuggers for Linux. Like NetBeans:

https://netbeans.apache.org/

>
> But how can I enable debug-level logging?
>

This is covered in the manual:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application

If you do this you'll also want to make sure that you've put some
debug logging into your custom extension, using org.slf4j.Logger and
the "debug()" method. This is used extensively throughout the
Guacamole Client code, so you should be able to find plenty of
examples.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I am running Guacamole on a Linux box. By an IDE with a debugger: is there a reference to configure Guacamole on Windows?

-Gabriel

From: Gabriel Huerta Araujo
Sent: Saturday, April 1, 2023 11:45 a.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole

Ok, Michael:

But how can I enable debug-level logging?

I made the changes below to the logging properties (I uncommented all the FINE lines that were commented out) and I do not see any error that guides me to a solution.


# cat /etc/tomcat9/logging.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler

.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90

2localhost.org.apache.juli.AsyncFileHandler.level = FINE
2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90

java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter


############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler

# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
org.apache.catalina.util.LifecycleBase.level = FINE

# To see debug messages in TldLocationsCache, uncomment the following line:
org.apache.jasper.compiler.TldLocationsCache.level = FINE

# To see debug messages for HTTP/2 handling, uncomment the following line:
org.apache.coyote.http2.level = FINE

# To see debug messages for WebSocket handling, uncomment the following line:
org.apache.tomcat.websocket.level = FINE

-Gabriel

From: Michael Jumper <mj...@apache.org>
Sent: Saturday, April 1, 2023 09:58 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023, 12:21 AM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
I did what the log told me to do: “set "skip-if-unavailable: tacacs" within your guacamole.properties”

And now when I enter my credentials, it works. But how can I eliminate the “The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null” message?

[2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null

You should not set "skip-if-unavailable" unless you know the cause of an underlying error and are expecting it to occasionally occur. Setting that property tells Guacamole to ignore the error in the extension; it does not solve the error.

You should instead enable debug-level logging and investigate what is failing inside your extension. Debug-level logging will give you additional error details and stack traces that may help you figure out how to fix your extension. Using an IDE with a debugger may help, as well.

- Mike


RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Ok, Michael:

But how can I enable debug-level logging?

I made the changes below to the logging properties (I uncommented all the FINE lines that were commented out) and I do not see any error that guides me to a solution.


# cat /etc/tomcat9/logging.properties
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler

.handlers = 1catalina.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

1catalina.org.apache.juli.AsyncFileHandler.level = FINE
1catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
1catalina.org.apache.juli.AsyncFileHandler.maxDays = 90

2localhost.org.apache.juli.AsyncFileHandler.level = FINE
2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90

java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = org.apache.juli.SystemdFormatter


############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler

# For example, set the org.apache.catalina.util.LifecycleBase logger to log
# each component that extends LifecycleBase changing state:
org.apache.catalina.util.LifecycleBase.level = FINE

# To see debug messages in TldLocationsCache, uncomment the following line:
org.apache.jasper.compiler.TldLocationsCache.level = FINE

# To see debug messages for HTTP/2 handling, uncomment the following line:
org.apache.coyote.http2.level = FINE

# To see debug messages for WebSocket handling, uncomment the following line:
org.apache.tomcat.websocket.level = FINE

-Gabriel

From: Michael Jumper <mj...@apache.org>
Sent: Saturday, April 1, 2023 09:58 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Sat, Apr 1, 2023, 12:21 AM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
I did what the log told me to do: “set "skip-if-unavailable: tacacs" within your guacamole.properties”

And now when I go in to enter my credentials, it works. But how can I eliminate the “The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null” message?

[2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null

You should not set "skip-if-unavailable" unless you know the cause of an underlying error and are expecting it to occasionally occur. Setting that property tells Guacamole to ignore the error in the extension; it does not solve the error.

You should instead enable debug-level logging and investigate what is failing inside your extension. Debug-level logging will give you additional error details and stack traces that may help you figure out how to fix your extension. Using an IDE with a debugger may help, as well.

- Mike


Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
On Sat, Apr 1, 2023, 12:21 AM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:

> I did what the log told me to do: “set "skip-if-unavailable: tacacs" within
> your guacamole.properties”
>
> And now when I go in to enter my credentials, it works. But how can I
> eliminate the “The "tacacs" authentication provider has been skipped due to
> an internal error. If this is unexpected or you are the developer of this
> authentication provider, you may wish to enable debug-level logging: null”
> message?
>
>
>
> [2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN
> o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider
> has been skipped due to an internal error. If this is unexpected or you are
> the developer of this authentication provider, you may wish to enable
> debug-level logging: null
>

You should not set "skip-if-unavailable" unless you know the cause of an
underlying error and are expecting it to occasionally occur. Setting that
property tells Guacamole to ignore the error in the extension; it does not
solve the error.

You should instead enable debug-level logging and investigate what is
failing inside your extension. Debug-level logging will give you additional
error details and stack traces that may help you figure out how to fix your
extension. Using an IDE with a debugger may help, as well.

- Mike

RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I did what the log told me to do: “set "skip-if-unavailable: tacacs" within your guacamole.properties”

And now when I go in to enter my credentials, it works. But how can I eliminate the “The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null” message?

[2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has been skipped due to an internal error. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging: null
[2023-04-01 01:14:20] [info] 01:14:20.392 [http-nio-8080-exec-3] INFO  o.a.g.a.t.AuthenticationProviderService - User "gabriel" successfully authenticated with Tacacs from XX.XXX.XX.XX.
[2023-04-01 01:14:20] [info] 01:14:20.395 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "gabriel" successfully authenticated from XX.XXX.XX.XX.

-Gabriel

From: Gabriel Huerta Araujo
Sent: Saturday, April 1, 2023 01:13 a.m.
To: user@guacamole.apache.org
Subject: RE: Change to the way of authenticating provided by Guacamole


Hi Nick, sorry for not showing up here... I was busy with other projects.

I have included the jar to validate Tacacs authentication:

[2023-04-01 01:05:59] [info] 01:05:59.560 [main] INFO  o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" (mysql) loaded.
[2023-04-01 01:05:59] [info] 01:05:59.730 [main] INFO  o.a.g.extension.ExtensionModule - Extension "Tacacs Authentication Extension" (guac-tacacs) loaded.

But when I restarted Tomcat and this new authentication provider was loaded, an error appeared.

This is the error:

[2023-04-01 01:09:33] [info] 01:09:33.810 [http-nio-8080-exec-6] WARN  o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: tacacs" within your guacamole.properties.
[2023-04-01 01:09:33] [info] 01:09:33.821 [http-nio-8080-exec-6] ERROR o.a.g.rest.RESTExceptionMapper - An internal error occurred, but did not contain an error message. Enable debug-level logging for details.

In the extensions directory there are two jars: one required for Tacacs authentication and the other for retrieving connection group information (MySQL).

ls -ltr /etc/guacamole/extensions
total 6704
-rw-rw-r-- 1 1001 1001 6102374 dic 29  2021 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r-- 1 root root  758237 abr  1 00:43 guacamole-auth-tacacs-1.4.0.jar

What seems to be the trouble?

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, March 15, 2023 08:49 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I found class SharedAuthenticationProviderService, which has the method below (authenticateUser). It receives credentials of Credentials type. Below is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user = sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> From the code above, I think I have to make the call to the Perl invocation before retrieving the authenticated user, and then compare with it. If their credentials are different, update the credentials with the Tacacs value using the updateUserContext function.
>
> How do you see my implementation proposal?

A couple of things:

* I would not look at the SharedAuthenticationProviderService as an example of this - it is fairly complex in creating temporary tokens and authenticating users temporarily. The simplest module out there is probably the guacamole-auth-header module, and it might be a better starting point for you to create a simple authentication extension that will call the Perl script.

* It would be better to avoid trying to change an existing authentication module; you should take the time to fully implement a new one. You can use the header extension as a starting point, but you should take the time to name the classes properly, set up any logging you feel is necessary, etc. Even if you copy the existing header extension and make changes, make sure you rename the classes, remove items that aren't required, etc. It'll help you out in the long run.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Hi Nick, sorry for not showing up here... I was busy with other projects.

I have included the jar to validate Tacacs authentication:

[2023-04-01 01:05:59] [info] 01:05:59.560 [main] INFO  o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" (mysql) loaded.
[2023-04-01 01:05:59] [info] 01:05:59.730 [main] INFO  o.a.g.extension.ExtensionModule - Extension "Tacacs Authentication Extension" (guac-tacacs) loaded.

But when I restarted Tomcat and this new authentication provider was loaded, an error appeared.

This is the error:

[2023-04-01 01:09:33] [info] 01:09:33.810 [http-nio-8080-exec-6] WARN  o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: tacacs" within your guacamole.properties.
[2023-04-01 01:09:33] [info] 01:09:33.821 [http-nio-8080-exec-6] ERROR o.a.g.rest.RESTExceptionMapper - An internal error occurred, but did not contain an error message. Enable debug-level logging for details.

In the extensions directory there are two jars: one required for Tacacs authentication and the other for retrieving connection group information (MySQL).

ls -ltr /etc/guacamole/extensions
total 6704
-rw-rw-r-- 1 1001 1001 6102374 dic 29  2021 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r-- 1 root root  758237 abr  1 00:43 guacamole-auth-tacacs-1.4.0.jar

What seems to be the trouble?

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, March 15, 2023 08:49 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> I found class SharedAuthenticationProviderService, which has the method below (authenticateUser). It receives credentials of Credentials type. Below is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user = sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> From the code above, I think I have to make the call to the Perl invocation before retrieving the authenticated user, and then compare with it. If their credentials are different, update the credentials with the Tacacs value using the updateUserContext function.
>
> How do you see my implementation proposal?

A couple of things:

* I would not look at the SharedAuthenticationProviderService as an example of this - it is fairly complex in creating temporary tokens and authenticating users temporarily. The simplest module out there is probably the guacamole-auth-header module, and it might be a better starting point for you to create a simple authentication extension that will call the Perl script.

* It would be better to avoid trying to change an existing authentication module; you should take the time to fully implement a new one. You can use the header extension as a starting point, but you should take the time to name the classes properly, set up any logging you feel is necessary, etc. Even if you copy the existing header extension and make changes, make sure you rename the classes, remove items that aren't required, etc. It'll help you out in the long run.

-Nick



Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> I found class SharedAuthenticationProviderService, which has the method below (authenticateUser). It receives credentials of Credentials type. Below is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user = sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> From the code above, I think I have to make the call to the Perl invocation before retrieving the authenticated user, and then compare with it. If their credentials are different, update the credentials with the Tacacs value using the updateUserContext function.
>
> How do you see my implementation proposal?

A couple of things:
* I would not look at the SharedAuthenticationProviderService as an
example of this - it is fairly complex in creating temporary tokens
and authenticating users temporarily. The simplest module out there is
probably the guacamole-auth-header module, and it might be a better
starting point for you to create a simple authentication extension
that will call the Perl script.
* It would be better to avoid trying to change an existing
authentication module; you should take the time to fully implement a
new one. You can use the header extension as a starting point, but you
should take the time to name the classes properly, set up any logging
you feel is necessary, etc. Even if you copy the existing header
extension and make changes, make sure you rename the classes, remove
items that aren't required, etc. It'll help you out in the long run.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
I found class SharedAuthenticationProviderService, which has the method below (authenticateUser). It receives credentials of Credentials type. Below is its definition:

    @Override
    public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
            Credentials credentials) throws GuacamoleException {

        // Check whether user is authenticating with a valid sharing key
        AuthenticatedUser user = sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
        if (user != null)
            return user;

        // Otherwise, unauthorized
        throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);

    }

From the code above, I think I have to make the call to the Perl invocation before retrieving the authenticated user, and then compare with it. If their credentials are different, update the credentials with the Tacacs value using the updateUserContext function.

How do you see my implementation proposal?


-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, March 14, 2023 02:21 p.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 4:04 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Here I am again.
>
> One question:
>
> How can I have a fully functional authentication provider that, instead of parsing the guacamole.properties configuration file, takes that information from a database (MySQL), where only the authentication is done by invoking the Tacacs script through Perl?

You can use both the database and your custom authentication module together. Guacamole "stacks" the authentication modules, relying on the equivalence of the username to map users between the modules. The most common scenario for this is using LDAP + JDBC (MySQL, PostgreSQL, etc.), so that you can log in users via LDAP but store connection information and permissions in a database. However, this should work between any set of modules - so, if you write a custom module that calls the Perl script, you can still store connections, permissions, group membership, etc., in the JDBC module using one of the three supported databases.

If you have more specific questions, feel free to post those.

-Nick



Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Mar 14, 2023 at 4:04 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Here I am again.
>
> One question:
>
> How can I have a fully functional authentication provider that, instead of parsing the guacamole.properties configuration file, takes that information from a database (MySQL), where only the authentication is done by invoking the Tacacs script through Perl?

You can use both the database and your custom authentication module
together. Guacamole "stacks" the authentication modules, relying on
the equivalence of the username to map users between the modules. The
most common scenario for this is using LDAP + JDBC (MySQL,
PostgreSQL, etc.), so that you can log in users via LDAP but store
connection information and permissions in a database. However, this
should work between any set of modules - so, if you write a custom
module that calls the Perl script, you can still store connections,
permissions, group membership, etc., in the JDBC module using one of
the three supported databases.

If you have more specific questions, feel free to post those.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Here I am again.

One question:

How can I have a fully functional authentication provider that, instead of parsing the guacamole.properties configuration file, takes that information from a database (MySQL), where only the authentication is done by invoking the Tacacs script through Perl?

Thanks in advance for your valuable help.

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, March 14, 2023 11:18 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Mon, Mar 13, 2023 at 1:26 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Hi Michael
>
>
>
> The organization uses a Perl script that uses Tacacs as the way to be authenticated. This tool is used to measure user productivity each time they attend to a problem by accessing a server through Guacamole. And the way Guacamole authenticates is different.
>

You probably want to start with this page in the user guide:

https://guacamole.apache.org/doc/gug/custom-auth.html

It describes the process of creating a custom authentication module and provides detailed examples. You'll just have to adapt your implementation to call the Perl script, passing the required information to the script, and then handling the response and exit code of the Perl script to process the login.

-Nick



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Nick, thanks a lot for your valuable answer. I appreciate it. I will check it.

-Gabriel

-----Original Message-----
From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, March 14, 2023 11:18 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

On Mon, Mar 13, 2023 at 1:26 PM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
>
> Hi Michael
>
>
>
> The organization uses a Perl script that uses Tacacs as the way to be authenticated. This tool is used to measure user productivity each time they attend to a problem by accessing a server through Guacamole. And the way Guacamole authenticates is different.
>

You probably want to start with this page in the user guide:

https://guacamole.apache.org/doc/gug/custom-auth.html

It describes the process of creating a custom authentication module and provides detailed examples. You'll just have to adapt your implementation to call the Perl script, passing the required information to the script, and then handling the response and exit code of the Perl script to process the login.

-Nick


Re: Change to the way of authenticating provided by Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Mar 13, 2023 at 1:26 PM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:
>
> Hi Michael
>
>
>
> The organization uses a Perl script that uses Tacacs as the way to be authenticated. This tool is used to measure user productivity each time they attend to a problem by accessing a server through Guacamole. And the way Guacamole authenticates is different.
>

You probably want to start with this page in the user guide:

https://guacamole.apache.org/doc/gug/custom-auth.html

It describes the process of creating a custom authentication module
and provides detailed examples. You'll just have to adapt your
implementation to call the Perl script, passing the required
information to the script, and then handling the response and exit
code of the Perl script to process the login.

-Nick
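As an added example, not code from this thread or from the Guacamole project, this is the shape of provider the custom-auth guide describes, built on SimpleAuthenticationProvider: it runs the organization's Perl script and, on success, returns an empty configuration map so that, as Nick's later reply on stacking explains, the JDBC module supplies connections for the same username. The script path, its two-line stdin and exit-code contract, and the package name are assumptions; the rest is Guacamole's extension API.

```java
package org.example.guacamole.auth.script;   // hypothetical package name

import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

/**
 * Example provider (not part of Guacamole or of the thread): verifies the
 * username/password by running the organization's Perl/TACACS script and
 * trusting only its exit code. It owns no connections of its own, so the
 * stacked JDBC module supplies connections, permissions and groups for
 * the same username. Register this class under "authProviders" in the
 * extension's guac-manifest.json.
 */
public class ScriptAuthenticationProvider extends SimpleAuthenticationProvider {

    /* Hypothetical path and contract: the script reads two lines from
     * stdin (username, then password) and exits 0 only on success. */
    private static final String SCRIPT = "/usr/local/bin/tacacs-auth.pl";
    private static final long TIMEOUT_SECONDS = 10;

    @Override
    public String getIdentifier() {
        // Identifier shown in the AuthenticationProviderFacade log lines and
        // used by any "skip-if-unavailable: <identifier>" entry.
        return "tacacs";
    }

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(
            Credentials credentials) throws GuacamoleException {

        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // No credentials yet (first page load), or values that would break
        // the line-oriented stdin protocol: not authorized by this provider.
        if (username == null || password == null
                || username.indexOf('\n') >= 0 || username.indexOf('\r') >= 0
                || password.indexOf('\n') >= 0 || password.indexOf('\r') >= 0)
            return null;

        Process proc;
        try {
            // Argument list, not a shell command line, so nothing the user
            // typed is parsed by a shell; credentials travel over stdin so
            // they never appear in the process table. Script output is not
            // needed and is discarded (Java 9+).
            proc = new ProcessBuilder(SCRIPT)
                    .redirectOutput(ProcessBuilder.Redirect.DISCARD)
                    .redirectError(ProcessBuilder.Redirect.DISCARD)
                    .start();
            try (OutputStream stdin = proc.getOutputStream()) {
                stdin.write((username + "\n" + password + "\n")
                        .getBytes(StandardCharsets.UTF_8));
            }
            if (!proc.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                proc.destroyForcibly();
                throw new GuacamoleServerException(
                        "Authentication script did not finish in time");
            }
        }
        catch (IOException e) {
            // A missing or non-executable script is an internal error, not a
            // bad password: the facade logs it and halts login (unless the
            // admin set skip-if-unavailable), which is the behaviour wanted.
            throw new GuacamoleServerException(
                    "Could not run authentication script", e);
        }
        catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new GuacamoleServerException(
                    "Interrupted while waiting for authentication script", e);
        }

        // Any non-zero exit is treated as a rejected login.
        if (proc.exitValue() != 0)
            return null;

        // Empty (non-null) map: authenticated here, with no connections of
        // its own; the JDBC module contributes connections for this user.
        return Collections.emptyMap();
    }

}
```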



RE: Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Hi Michael

The organization uses a Perl script that uses Tacacs as the way to be authenticated. This tool is used to measure user productivity each time they attend to a problem by accessing a server through Guacamole. And the way Guacamole authenticates is different.

I hope I have made myself understood.

From: Michael Jumper <mj...@apache.org>
Sent: Monday, March 13, 2023 11:20 a.m.
To: user@guacamole.apache.org
Subject: Re: Change to the way of authenticating provided by Guacamole

What do you mean by "the [authentication] proposed by the Guacamole solution" and "the authentication process ... used by the organization"?

- Mike
On Mon, Mar 13, 2023, 10:17 AM Gabriel Huerta Araujo <hu...@globalhitss.com.invalid> wrote:
Hi all

I have a request

Which components (java, js, html files) should I check to implement authentication by means other than the one proposed by the Guacamole solution? Just to know what the impact is of adapting the authentication process to the means used by the organization.



Thanks,

Gabriel

Re: Change to the way of authenticating provided by Guacamole

Posted by Michael Jumper <mj...@apache.org>.
What do you mean by "the [authentication] proposed by the Guacamole
solution" and "the authentication process ... used by the organization"?

- Mike

On Mon, Mar 13, 2023, 10:17 AM Gabriel Huerta Araujo
<hu...@globalhitss.com.invalid> wrote:

> Hi all
>
>
>
> I have a request
>
> Which components (java, js, html files) should I check to implement
> authentication by means other than the one proposed by the Guacamole
> solution? Just to know what the impact is of adapting the authentication
> process to the means used by the organization.
>
>
>
> Thanks,
>
> Gabriel
>

Change to the way of authenticating provided by Guacamole

Posted by Gabriel Huerta Araujo <hu...@globalhitss.com.INVALID>.
Hi all

I have a request

Which components (java, js, html files) should I check to implement authentication by means other than the one proposed by the Guacamole solution? Just to know what the impact is of adapting the authentication process to the means used by the organization.



Thanks,

Gabriel

Re: Guacamole 1.4.0 Error

Posted by Michael Jumper <mj...@apache.org>.
The error you're seeing is occurring because Tomcat 10 switched from the
"javax.*" package to "jakarta.*" for Java EE classes, which is incompatible
with applications using the original package names. From
https://tomcat.apache.org/download-10.cgi:

"Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require code
changes to enable applications to migrate from Tomcat 9 and earlier to
Tomcat 10 and later."

See: https://issues.apache.org/jira/browse/GUACAMOLE-1325

If you use Tomcat 9.x or 8.5.x instead, things should be fine.

- Mike


On Wed, Mar 1, 2023 at 1:23 PM Brian Snyder <
brian.snyder@beavercreek.k12.oh.us> wrote:

>
> Server version: Apache Tomcat/10.0.27
> Server number:  10.0.27.0
> OS Name:        Linux
> OS Version:     4.18.0-425.10.1.el8_7.x86_64
> Architecture:   amd64
> JVM Version:    11.0.18+10-LTS
> JVM Vendor:     Red Hat, Inc.
>
> Thanks,
> Brian
>

Re: Guacamole 1.4.0 Error

Posted by Brian Snyder <br...@beavercreek.k12.oh.us>.
Server version: Apache Tomcat/10.0.27
Server number:  10.0.27.0
OS Name:        Linux
OS Version:     4.18.0-425.10.1.el8_7.x86_64
Architecture:   amd64
JVM Version:    11.0.18+10-LTS
JVM Vendor:     Red Hat, Inc.

Thanks,
Brian

Re: Guacamole 1.4.0 Error

Posted by Michael Jumper <mj...@apache.org>.
What version of Tomcat are you using?

- Mike

On Wed, Mar 1, 2023, 1:01 PM Brian Snyder <
brian.snyder@beavercreek.k12.oh.us> wrote:

> Hello All,
>
> I am running into an error. Can someone point me in the right direction?
> I am getting the "An error has occurred and this action can't be completed"
> Errors in Tomcat are:
>
> 23:13:23.599 [https-openssl-nio-10.10.18.30-443-exec-5] WARN
>  o.a.g.e.AuthenticationProviderFacade - The "mysql-shared" authentication
> provider has been skipped due to an internal error. If this is unexpected
> or you are the developer of this authentication provider, you may wish to
> enable debug-level logging: 'javax.servlet.http.HttpServletRequest
> org.apache.guacamole.net.auth.Credentials.getRequest()'
> 23:13:31.144 [https-openssl-nio-10.10.18.30-443-exec-6] INFO
>  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully
> authenticated from 10.10.170.134.
> 23:13:31.168 [https-openssl-nio-10.10.18.30-443-exec-8] ERROR
> o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
> 'javax.servlet.http.HttpServletRequest
> org.apache.guacamole.net.auth.Credentials.getRequest()'
>
> Has anyone seen this? Works as expected if I use authentication other than
> mysql. As soon as I add the connector extension it does not work.
>
> Thanks,
> Brian
>
>