Posted to user@guacamole.apache.org by Toine <gu...@placi.de> on 2023/02/13 14:08:24 UTC

guacamole-auth-json & simultaneous independent connections

Dear Guacamole ML,

I'm regularly using the guacamole-auth-json extension to temporarily allow 
a user to access remote hosts.
When the user requests the access to <connection_A> at <TIMESTAMP_A>, my 
API creates the connection using the above extension, and generates an 
HTTPS link pointing directly to the newly created connection object, on 
Guacamole UI.
=> This works.

The user sometimes requests an access to another host <connection_B> 
later on, at <TIMESTAMP_B>, my API generates the link the same way.
=> This also works... except that it also disconnects user from 
connection_A, if the user still had a tab open in their browser.

In other words, with this scenario, my user can only access one host at 
a time, and that is a problem.

The cause of this disconnection is that the Guacamole JS client sets the 
GUAC_AUTH key into the LocalStorage of the browser. So that it can only 
make use of one auth key for the whole browser.
As a workaround, I can of course use another browser profile/private 
mode or disable LocalStorage globally, use one domain per connection(!), 
etc...,  but all of this is quite overkill.

Shouldn't this very scenario make use of SessionStorage instead of 
LocalStorage?
Or did I misunderstand something else?

(didn't find a GUACAMOLE issue referencing it)

Have a good day,
Toine

#######

{
      "username" : "arbitraryUsername",
      "expires" : TIMESTAMP_A,
      "connections" : {
          "connection_A" : {
              "protocol" : "rdp",
              "parameters" : {...}
          }
      }
}

{
      "username" : "arbitraryUsername",
      "expires" : TIMESTAMP_B,
      "connections" : {
          "connection_B" : {
              "protocol" : "rdp",
              "parameters" : {...}
          }
      }
}

######

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: guacamole-auth-json & simultaneous independent connections

Posted by Michael Jumper <mj...@apache.org>.
On Wed, Feb 22, 2023 at 2:17 PM Antoine G. <gu...@placi.de> wrote:
>
> On 22/02/2023 at 20:37, Michael Jumper - mjumper@apache.org wrote:
> > No, you understood correctly. The error you're seeing is from the
> > database auth extension refusing to create/update a user with an empty
> > username. Do you have "postgresql-auto-create-accounts" set?
>
> Good catch, Mike!
> I have this option set indeed (in the failing environment).
>
> Is there some extension ordering to be done or are these two scenarios
> technically incompatible?
>

They are technically incompatible. We'd need to provide some option
for the database auth to ignore "*-auto-create-accounts" when a user
successfully authenticates anonymously.

- Mike



Re: guacamole-auth-json & simultaneous independent connections

Posted by "Antoine G." <gu...@placi.de>.
On 22/02/2023 at 20:37, Michael Jumper - mjumper@apache.org wrote:
> No, you understood correctly. The error you're seeing is from the
> database auth extension refusing to create/update a user with an empty
> username. Do you have "postgresql-auto-create-accounts" set?

Good catch, Mike!
I have this option set indeed (in the failing environment).

Is there some extension ordering to be done or are these two scenarios 
technically incompatible?

Toine



Re: guacamole-auth-json & simultaneous independent connections

Posted by Michael Jumper <mj...@apache.org>.
On Wed, Feb 22, 2023 at 8:07 AM Antoine G. <gu...@placi.de> wrote:
>
> On 22/02/2023 17:02, Nick Couchman - vnick@apache.org wrote:
> > Yes, I think you need to provide a non-blank username. That's what the
> > error indicates, anyway.
>
> Well I'm now confused :)
> You suggested earlier to 'set the username to "" (empty string)' and now
> you suggest 'to provide a non-blank username'.
> Did I understand your first suggestion the wrong way?
>

No, you understood correctly. The error you're seeing is from the
database auth extension refusing to create/update a user with an empty
username. Do you have "postgresql-auto-create-accounts" set?

- Mike



Re: guacamole-auth-json & simultaneous independent connections

Posted by "Antoine G." <gu...@placi.de>.
On 22/02/2023 17:02, Nick Couchman - vnick@apache.org wrote:
> Yes, I think you need to provide a non-blank username. That's what the
> error indicates, anyway.

Well I'm now confused :)
You suggested earlier to 'set the username to "" (empty string)' and now 
you suggest 'to provide a non-blank username'.
Did I understand your first suggestion the wrong way?

Antoine



Re: guacamole-auth-json & simultaneous independent connections

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Feb 22, 2023 at 8:42 AM Antoine G. <gu...@placi.de> wrote:
>
> Thanks Mike, I think you are heading me to the right way.
>
> It actually works in one of my environments but in another one, I get
> the following HTTP 400 error message when POSTing to /guacamole/api/tokens.
>
> Client side: {"message":"The username must not be
> blank.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"The
> username must not be
> blank."}},"statusCode":null,"expected":null,"type":"BAD_REQUEST" }
> Server side: DEBUG o.a.g.rest.RESTExceptionMapper - Client request
> rejected: The username must not be blank.
>
> Config: guacamole-client 1.4.0 with:
> - guacamole-auth-header-1.4.0.jar
> - guacamole-auth-jdbc-postgresql-1.4.0.jar
> - guacamole-auth-json-1.4.0.jar
>
> Any idea where that could come from?
>
> (of course, in that latter environment, guacamole-auth-json works as
> planned, with a non-blank username)

Yes, I think you need to provide a non-blank username. That's what the
error indicates, anyway.

-Nick



Re: guacamole-auth-json & simultaneous independent connections

Posted by "Antoine G." <gu...@placi.de>.
Thanks Mike, I think you are heading me to the right way.

It actually works in one of my environments but in another one, I get 
the following HTTP 400 error message when POSTing to /guacamole/api/tokens.

Client side: {"message":"The username must not be 
blank.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"The 
username must not be 
blank."}},"statusCode":null,"expected":null,"type":"BAD_REQUEST" }
Server side: DEBUG o.a.g.rest.RESTExceptionMapper - Client request 
rejected: The username must not be blank.

Config: guacamole-client 1.4.0 with:
- guacamole-auth-header-1.4.0.jar
- guacamole-auth-jdbc-postgresql-1.4.0.jar
- guacamole-auth-json-1.4.0.jar

Any idea where that could come from?

(of course, in that latter environment, guacamole-auth-json works as 
planned, with a non-blank username)

Using your tip, I now submit this kind of JSON:
#######

{
       "username" : "",
       "expires" : TIMESTAMP_A,
       "connections" : {
           "connection_A" : {
               "protocol" : "rdp",
               "parameters" : {...}
           }
       }
}

{
       "username" : "",
       "expires" : TIMESTAMP_B,
       "connections" : {
           "connection_B" : {
               "protocol" : "rdp",
               "parameters" : {...}
           }
       }
}

######

On 13/02/2023 at 22:11, Michael Jumper - mjumper@apache.org wrote:
> No, but if you want that behaviour, you should set the username to "" 
> (empty string), which represents an anonymous user. The tokens for 
> anonymous users are stored only in memory, not in LocalStorage.



Re: guacamole-auth-json & simultaneous independent connections

Posted by Michael Jumper <mj...@apache.org>.
No, but if you want that behaviour, you should set the username to ""
(empty string), which represents an anonymous user. The tokens for
anonymous users are stored only in memory, not in LocalStorage.

- Mike

On Mon, Feb 13, 2023, 6:08 AM Toine <gu...@placi.de> wrote:

> Dear Guacamole ML,
>
> I'm regularly using the guacamole-auth-json extension to temporarily allow
> a user to access remote hosts.
> When the user requests the access to <connection_A> at <TIMESTAMP_A>, my
> API creates the connection using the above extension, and generates an
> HTTPS link pointing directly to the newly created connection object, on
> Guacamole UI.
> => This works.
>
> The user sometimes requests an access to another host <connection_B>
> later on, at <TIMESTAMP_B>, my API generates the link the same way.
> => This also works... except that it also disconnects user from
> connection_A, if the user still had a tab open in their browser.
>
> In other words, with this scenario, my user can only access one host at
> a time, and that is a problem.
>
> The cause of this disconnection is that the Guacamole JS client sets the
> GUAC_AUTH key into the LocalStorage of the browser. So that it can only
> make use of one auth key for the whole browser.
> As a workaround, I can of course use another browser profile/private
> mode or disable LocalStorage globally, use one domain per connection(!),
> etc...,  but all of this is quite overkill.
>
> Shouldn't this very scenario make use of SessionStorage instead of
> LocalStorage?
> Or did I misunderstand something else?
>
> (didn't find a GUACAMOLE issue referencing it)
>
> Have a good day,
> Toine
>
> #######
>
> {
>       "username" : "arbitraryUsername",
>       "expires" : TIMESTAMP_A,
>       "connections" : {
>           "connection_A" : {
>               "protocol" : "rdp",
>               "parameters" : {...}
>           }
>       }
> }
>
> {
>       "username" : "arbitraryUsername",
>       "expires" : TIMESTAMP_B,
>       "connections" : {
>           "connection_B" : {
>               "protocol" : "rdp",
>               "parameters" : {...}
>           }
>       }
> }
>
> ######
>
>
>
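
Added example (not part of any message in this thread, and not Guacamole project code): a Node.js version of the API side discussed above, building one anonymous payload (username "") per connection and packaging it for the POST to /guacamole/api/tokens. It assumes the guacamole-auth-json packaging of an HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with an all-zero IV, and base64 output sent as a "data" parameter; the key value and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed 128-bit key for illustration; in a deployment it is the value
// configured as json-secret-key on the Guacamole side.
const SECRET_KEY_HEX = '000102030405060708090a0b0c0d0e0f';
const ZERO_IV = Buffer.alloc(16); // all-zero IV (assumed extension format)

// One payload per requested connection, each for the anonymous user ("")
// and each with its own expiry in milliseconds since the UNIX epoch.
function anonymousPayload(name, protocol, parameters, ttlMs, now = Date.now()) {
  return {
    username: '',
    expires: now + ttlMs,
    connections: { [name]: { protocol, parameters } },
  };
}

function loadKey(keyHex) {
  const key = Buffer.from(keyHex, 'hex');
  if (key.length !== 16) throw new Error('secret key must be 128 bits');
  return key;
}

// Sign, prepend the signature, encrypt, base64: the string sent as the
// "data" form parameter in the POST to /guacamole/api/tokens (assumed name).
function encodeAuthData(payload, keyHex = SECRET_KEY_HEX) {
  const key = loadKey(keyHex);
  const json = Buffer.from(JSON.stringify(payload), 'utf8');
  const sig = crypto.createHmac('sha256', key).update(json).digest();
  const cipher = crypto.createCipheriv('aes-128-cbc', key, ZERO_IV);
  const body = Buffer.concat([sig, json]);
  return Buffer.concat([cipher.update(body), cipher.final()]).toString('base64');
}

// Inverse of encodeAuthData, for checking what the API is about to issue.
function decodeAuthData(data, keyHex = SECRET_KEY_HEX) {
  const key = loadKey(keyHex);
  const decipher = crypto.createDecipheriv('aes-128-cbc', key, ZERO_IV);
  const raw = Buffer.from(data, 'base64');
  const plain = Buffer.concat([decipher.update(raw), decipher.final()]);
  const sig = plain.subarray(0, 32);
  const json = plain.subarray(32);
  const expected = crypto.createHmac('sha256', key).update(json).digest();
  if (sig.length !== 32 || !crypto.timingSafeEqual(sig, expected)) {
    throw new Error('signature mismatch');
  }
  return JSON.parse(json.toString('utf8'));
}
```

As noted in the thread, the anonymous (empty username) mode is incompatible with a database auth extension that has "*-auto-create-accounts" set, so this only applies where that option is off.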