Posted to user@guacamole.apache.org by genesis <gg...@live.com> on 2017/12/12 19:29:34 UTC

How to get GuacamoleConfiguration from url?

Hi, first of all I would like to congratulate the team for this amazing
product.

I would like to provide the GuacamoleConfiguration data from an encrypted
string in URL, without authentication, with multiple connections, for
example:

http://guacamoleclient:8090/#/{ENCRYPTED_TOKEN_1}

First thing I did is to replace the noauth extension method
getAuthorizedConfigurations to take the config from the encrypted token, and
it worked fine.

The problem I'm facing now is for multiple connections at the same time. If I
click on another URL with a different GuacamoleConfiguration of the first
one, a tab will open but with the same connection of the first URL.

Do you have some recipes or tips to resolve this problem? 
Thanks!



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: How to get GuacamoleConfiguration from url?

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Dec 18, 2017 at 5:59 AM, genesis <gg...@live.com> wrote:

>
> I could not find some topics about the anonymous_identifier const, is there
> any example on how to use that?
>

The manual has an overview of the general authentication process, structure
of a Guacamole extension, and the nature of the key interfaces:

http://guacamole.apache.org/doc/gug/guacamole-ext.html#ext-auth-providers

The ANONYMOUS_IDENTIFIER is the value you will want to use for the
identifier of the AuthenticatedUser object returned by your
AuthenticationProvider implementation's authenticateUser() function. Doing
this tells Guacamole that the user is authenticated but that they have no
specific identity, and the Guacamole interface will adjust itself
accordingly.

My suggestion for going forward here would be to start by implementing
AuthenticationProvider and gradually filling in the gaps - implementing
authenticateUser(), implementing UserContext, implementing any applicable
Directory objects, etc., leveraging the Simple* versions of these where
helpful and applicable. There will likely be some point at which you can go
back to using the Simple* objects, but the Simple* objects which deal with
the main authentication process partly simplify things with the assumptions
that the user's session will not change while they're logged in and that
each user has a definite identity, which are incompatible with your
intended use.

Once you've started going through that implementation process, just come
back here if you encounter specific problems or need specific
clarification, and we can nudge you back on track.

- Mike

Re: How to get GuacamoleConfiguration from url?

Posted by genesis <gg...@live.com>.
I could not find some topics about the anonymous_identifier const, is there
any example on how to use that? 

Thanks!




Re: How to get GuacamoleConfiguration from url?

Posted by genesis <gg...@live.com>.
Hi Mike, thanks for your response!

Actually I just need to simplify the process. 
I just want to show the client screen directly (without login, home page
menu, etc), after the user clicks on a url containing a single
GuacamoleConfiguration. The validation process I will do transparently for
the user, under the hood using the JWT token which I get from the URL.


This anonymous_identifier const seems promising, but I could not find a way
on how to use it properly, do you know where I can find some example of how
to use it?

Thanks.




Re: How to get GuacamoleConfiguration from url?

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Dec 13, 2017 at 9:59 AM, genesis <gg...@live.com> wrote:

> Hi Carl, I see.
> And what do you do with this cookie on the getAuthorizedConfiguration
> method? Do you decrypt it and map to a Map<String, GuacamoleConfiguration>
> object?
>
> My doubt is, how do you update the configs list when the user opens another
> tab, with another GuacamoleConfiguration on cookie? You must insert this new
> configuration in the configs object. One for the first url and one for the
> second url, to have multiple connections at the same time.
>
>
If the data available for the user will be changing with updated
credentials, you will need to avoid the SimpleAuthenticationProvider class
and instead implement AuthenticationProvider directly. The
AuthenticationProvider interface provides two functions for producing the
object representing the data available to the user:

1) getUserContext() - invoked upon successful authentication at the
beginning of the user's session
2) updateUserContext() - invoked for new requests within an existing
session, to allow for updating the UserContext based on new credentials

You can leverage these to continuously update the data available to the
user.

I would also recommend looking into using the ANONYMOUS_IDENTIFIER for the
AuthenticatedUser:

http://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticatedUser.html#ANONYMOUS_IDENTIFIER

An anonymous user has different semantics and is given a slightly different
interface. The menu which contains user-specific options in the upper-right
of most Guacamole screens is no longer shown, and the user's session is not
persisted. A successful authentication attempt for an anonymous user in one
tab will have no influence on tabs opened later; outside that tab, it will
be as if the user is not logged in at all, with each new tab getting its
own session. In this case, you wouldn't need to worry about updating the
UserContext at all, and would just need to be sure to provide the correct
data given a particular set of credentials.

- Mike
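
A sketch of the anonymous-user approach described above, added here as an example; it is not code from the thread or from the Guacamole project. It assumes guacamole-ext 1.0.0 or later (for AbstractAuthenticationProvider); the "token" request parameter, the "url-token" and "token-connection" names and the decode() hook are hypothetical, and decode() must verify the token before returning a configuration.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.simple.SimpleUserContext;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

public abstract class UrlTokenAuthenticationProvider extends AbstractAuthenticationProvider {

    /** Hypothetical hook: verify the token and build its configuration; null if invalid. */
    protected abstract GuacamoleConfiguration decode(String token);

    @Override
    public String getIdentifier() { return "url-token"; } // hypothetical extension name

    // Reads the (hypothetical) "token" parameter from the request behind these credentials
    private GuacamoleConfiguration configFor(Credentials credentials) {
        HttpServletRequest request = credentials.getRequest();
        String token = (request == null) ? null : request.getParameter("token");
        return (token == null) ? null : decode(token);
    }

    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials)
            throws GuacamoleException {
        if (configFor(credentials) == null)
            return null; // no valid token: this provider does not authenticate the request
        final AuthenticationProvider self = this;
        // Authenticated, but with no specific identity
        return new AbstractAuthenticatedUser() {
            { setIdentifier(AuthenticatedUser.ANONYMOUS_IDENTIFIER); }
            @Override public AuthenticationProvider getAuthenticationProvider() { return self; }
            @Override public Credentials getCredentials() { return credentials; }
        };
    }

    @Override
    public UserContext getUserContext(AuthenticatedUser user) throws GuacamoleException {
        // Each session sees only the single connection carried by its own token
        GuacamoleConfiguration config = configFor(user.getCredentials());
        if (config == null) return null;
        return new SimpleUserContext(this, user.getIdentifier(),
                Collections.singletonMap("token-connection", config));
    }
}
```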

Re: How to get GuacamoleConfiguration from url?

Posted by genesis <gg...@live.com>.
Hi Carl, I see. 
And what do you do with this cookie on the getAuthorizedConfiguration
method? Do you decrypt it and map to a Map<String, GuacamoleConfiguration>
object?

My doubt is, how do you update the configs list when the user opens another
tab, with another GuacamoleConfiguration on cookie? You must insert this new
configuration in the configs object. One for the first url and one for the
second url, to have multiple connections at the same time.




Re: How to get GuacamoleConfiguration from url?

Posted by carl harris <ce...@gmail.com>.
> On Dec 13, 2017, at 6:44 AM, genesis <gg...@live.com> wrote:
> Did you just substitute the GUAC_AUTH value with the encoded jwt?

No, we did not replace the GUAC_AUTH cookie. That's private state for Guacamole itself, so we didn't want to muck with it. We simply added our own cookie to the browser using a REST service running in the same domain, and evaluated that cookie in our custom auth provider when called in the getAuthorizedConfigurations(Credentials) method.

carl


Re: How to get GuacamoleConfiguration from url?

Posted by genesis <gg...@live.com>.
Hi Carl, thanks for your reply.


> put a base64 encoded JWT into the URL as either a parameter or additional
> URI path segment and using a simple extension to process the URL -- and we
> had the same result

So multiple connections didn't work for you with the GuacamoleConfiguration
on the URL either.


> Instead we put the JWT into the browser as a session cookie

Did you just substitute the GUAC_AUTH value with the encoded JWT?

Thanks.






Re: How to get GuacamoleConfiguration from url?

Posted by carl harris <ce...@gmail.com>.
> On Dec 12, 2017, at 3:21 PM, genesis <gg...@live.com> wrote:
> But after that, if I click on other url: 
> http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different
> GuacamoleConfiguration parameters, the browser will open another tab, but
> with the same connection of the first url, the same
> (/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because
> the id of the second connection is different.


In our application we tried doing something very similar -- put a base64 encoded JWT into the URL as either a parameter or additional URI path segment and using a simple extension to process the URL -- and we had the same result. Instead we put the JWT into the browser as a session cookie, and modified our extension to look for the cookie containing our token. This worked for us.

I feel I'd be remiss if I didn't point out, for those reading along who might be interested in doing something similar, it is really imperative with either of these approaches that you carefully validate the authenticity of the token. JWTs used in this way must be signed and signatures must be properly validated, and depending on what sorts of details you're including in connection parameters, should probably be encrypted as well. Also, the signing and encryption is worth nothing unless you're extremely careful about key management -- as an attacker, if I can get your key(s), I can almost certainly make tokens for myself that will let me access your resources via Guacamole.

carl
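
The signature validation urged above, as an added example using only the Java standard library; it is not code from the thread. It covers signing only (not encryption), and assumes HS256 tokens from your own issuer with a fixed header and an "exp" claim; the class name and the regex-based "exp" lookup are illustrative simplifications.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class ConnectionTokenVerifier {

    // Assumption: our own issuer always emits exactly this header. Matching it
    // verbatim means the token's "alg" field is never trusted to pick the algorithm.
    private static final String HEADER = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d{1,18})");

    /** Returns the payload JSON if the token is authentic and unexpired, otherwise null. */
    public static String verify(String token, byte[] key) throws Exception {
        String[] parts = (token == null) ? new String[0] : token.split("\\.", -1);
        if (parts.length != 3) return null;

        byte[] header, payload, signature;
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder();
            header = b64.decode(parts[0]);
            payload = b64.decode(parts[1]);
            signature = b64.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url
        }

        // Reject "none", asymmetric algorithms, or anything else unexpected
        if (!HEADER.equals(new String(header, StandardCharsets.UTF_8))) return null;

        // Recompute the MAC over "header.payload" and compare in constant time
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!MessageDigest.isEqual(expected, signature)) return null;

        // Only an authenticated payload is read; a token without "exp" is refused
        String json = new String(payload, StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(json);
        if (!m.find() || Long.parseLong(m.group(1)) <= Instant.now().getEpochSecond()) return null;
        return json;
    }
}
```

The key passed to verify() should come from a secret store readable only by the Guacamole service, not from the extension's source or the URL.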




Re: How to get GuacamoleConfiguration from url?

Posted by genesis <gg...@live.com>.
Hi, thanks for the quick reply.


Guacamole maps the GuacamoleConfiguration from the noauth-config.xml file.
In my scenario I would like to pass a single GuacamoleConfiguration through
the URL (and yes, all of the data - protocol, username, password, etc), then
map it to the Map<String, GuacamoleConfiguration> type, and it's working fine
now for one connection.

When I click on a URL, i.e: 
http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_1}, the browser
opens a new tab with the guacamoleconfig_encrypted_1 connection (and
redirects to /#/client/NzI0NwBjAG5vYXV0aA)

But after that, if I click on another URL:
http://guacamoleclient:8090/#/{guacamoleconfig_encrypted_2} with different
GuacamoleConfiguration parameters, the browser will open another tab, but
with the same connection of the first url, the same
(/#/client/NzI0NwBjAG5vYXV0aA), this identifier should be different, because
the id of the second connection is different.


If I understood correctly, I need to update the configs property in the 
updateAuthenticatedUser method of the SimpleAuthenticationProvider. So when
the user clicks on the second URL, this method will be called and I add the
new GuacamoleConfiguration(from the URL) to the existing configs property. 

But I am missing something, even after clicking on a second URL and adding
the GuacamoleConfiguration object to the configs there's just one connection
on the AngularJS side, on this piece of code exactly:

      var generateHomePage = function generateHomePage(rootGroups) {
          //..
          var connection = connections[0];
      };

I don't know if it's the right path to do that.







Re: How to get GuacamoleConfiguration from url?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Dec 12, 2017 at 2:29 PM, genesis <gg...@live.com> wrote:

> Hi, first of all I would like to congratulate the team for this amazing
> product.
>
> I would like to provide the GuacamoleConfiguration data from an encrypted
> string in URL, without authentication, with multiple connections, for
> example:
>

I'm having a little trouble understanding what you're trying to do.  When
you say you would like to provide the "GuacamoleConfiguration" data from an
encrypted string in the URL, are you saying that you are providing all of
the data - hostname, protocol, port, username, password, etc., - encoded in
the URL?  Or you're providing a connection identifier in the URL and then
mapping that on the servlet side?  The latter is the way Guacamole currently
works - I wouldn't call it an encrypted token, I'd call it encoded.


>
> http://guacamoleclient:8090/#/{ENCRYPTED_TOKEN_1}
>
> First thing I did is to replace the noauth extension method
> getAuthorizedConfigurations to take the config from the encrypted token,
> and
> it worked fine.
>

Please bear in mind that the noauth extension is deprecated and likely to
be removed from future versions.  Building an application upon this module
is not likely to be a good long-term move, unless you intend to maintain
the noauth module yourself in a separate repository from the main Guacamole
code.


>
> The problem I'm facing now is for multiple connections at the same time. If
> I
> click on another URL with a different GuacamoleConfiguration of the first
> one, a tab will open but with the same connection of the first URL.
>

Again, if you can clarify what you mean by GuacamoleConfiguration in the
token in the URL, that might help figure out where to go from here.

Regards,
Nick