Posted to user@guacamole.apache.org by Will Payne <wi...@mugwump.net> on 2019/04/03 12:44:53 UTC

HTTP header auth with groups

I'm assuming groups should work with users authenticated via HTTP 
headers?

If I put a user in a group and allow that group access to a connection, 
the user cannot see the connection.

Is this a bug?


I also noticed that if a user is granted access to a connection both in 
their user settings and via a group, attempting to use the connection 
throws a connection error and the following appears in the log:

03-Apr-2019 12:37:02.215 SEVERE [http-nio-8080-exec-5] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored
  org.apache.ibatis.exceptions.TooManyResultsException: Expected one result (or null) to be returned by selectOne(), but found: 2
     at org.apache.ibatis.session.defaults.DefaultSqlSession.selectOne(DefaultSqlSession.java:81)
     at sun.reflect.GeneratedMethodAccessor69.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at org.apache.ibatis.session.SqlSessionManager$SqlSessionInterceptor.invoke(SqlSessionManager.java:357)
     at com.sun.proxy.$Proxy33.selectOne(Unknown Source)
     at org.apache.ibatis.session.SqlSessionManager.selectOne(SqlSessionManager.java:166)
     at org.apache.ibatis.binding.MapperMethod.execute(MapperMethod.java:83)
     at org.apache.ibatis.binding.MapperProxy.invoke(MapperProxy.java:59)
     at com.sun.proxy.$Proxy114.selectOne(Unknown Source)
     at org.apache.guacamole.auth.jdbc.permission.ModeledObjectPermissionService.hasPermission(ModeledObjectPermissionService.java:171)
     at org.apache.guacamole.auth.jdbc.permission.ObjectPermissionSet.hasPermission(ObjectPermissionSet.java:103)
     at org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectService.hasObjectPermission(ModeledDirectoryObjectService.java:175)
     at org.apache.guacamole.auth.jdbc.connection.ConnectionService.connect(ConnectionService.java:514)
     at org.apache.guacamole.auth.jdbc.connection.ModeledConnection.connect(ModeledConnection.java:263)
     at org.apache.guacamole.tunnel.TunnelRequestService.createConnectedTunnel(TunnelRequestService.java:219)
     at org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:393)
     at org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
     at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
     at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:133)
     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:852)
     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:748)

(This is the 1.0.0 docker image)

W



Re: HTTP header auth with groups

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 3, 2019 at 8:45 AM Will Payne <wi...@mugwump.net> wrote:

>
> I'm assuming groups should work with users authenticated via HTTP
> headers?
>
> If I put a user in a group and allow that group access to a connection,
> the user cannot see the connection.
>
> Is this a bug?
>

Not really a bug, no, but it is something we are looking at changing.  The
issue is described here:

https://issues.apache.org/jira/browse/GUACAMOLE-696

Basically, the way it was (intentionally) implemented in 1.0.0, group
membership is *only* factored in from the module which logs the user in.
Since the header module does not actually process or support groups, users
logged in with the header module will not inherit any group membership or
permissions based on the groups.

This is slated to be addressed in 1.1.0 - I have a pull request out for it,
and hopefully the behavior will get a tweak to work a little more as people
seem to expect it to.

-Nick