From 08e5938493e50abdfa54bbbe1c6a944d96db6cf8 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Tue, 28 Mar 2023 13:09:05 -0700
Subject: [PATCH] GUACAMOLE-839: Redirect user to proper URI for SSL/TLS client auth (rather than just refuse).
---
 .../src/main/resources/translations/en.json | 1 +
 .../ssl/AuthenticationProviderService.java | 21 +++++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/resources/translations/en.json b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/resources/translations/en.json
index 902b7aff1..085414b94 100644
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/resources/translations/en.json
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/resources/translations/en.json
@@ -21,6 +21,7 @@
 "FIELD_HEADER_STATE" : "",
 "FIELD_HEADER_TICKET" : "",
 "INFO_IDP_REDIRECT_PENDING" : "Please wait, redirecting to identity provider...",
+ "INFO_REDIRECT_PENDING" : "Please wait while you are redirected...",
 "NAME_IDP_CAS" : "CAS",
 "NAME_IDP_OPENID" : "OpenID",
 "NAME_IDP_SAML" : "SAML",
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/AuthenticationProviderService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/AuthenticationProviderService.java
index bc311de47..807df0cae 100644
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/AuthenticationProviderService.java
@@ -23,15 +23,20 @@ import com.google.inject.Inject;
 import com.google.inject.Provider;
 import com.google.inject.Singleton;
 import java.net.URI;
+import java.util.Arrays;
 import java.util.Collections;
 import javax.servlet.http.HttpServletRequest;
-import org.apache.guacamole.GuacamoleClientException;
 import org.apache.guacamole.auth.ssl.conf.ConfigurationService;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleResourceNotFoundException;
 import org.apache.guacamole.auth.sso.SSOAuthenticationProviderService;
 import org.apache.guacamole.auth.sso.user.SSOAuthenticatedUser;
+import org.apache.guacamole.form.Field;
+import org.apache.guacamole.form.RedirectField;
+import org.apache.guacamole.language.TranslatableMessage;
 import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
 /**
 * Service that authenticates Guacamole users using SSL/TLS authentication
@@ -150,11 +155,15 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
 if (confService.isPrimaryHostname(host))
 return processIdentity(credentials, request);
- // All other requests are not allowed - refuse to authenticate
- throw new GuacamoleClientException("Direct authentication against " + "this endpoint is not valid without first requesting to " + "authenticate at the primary URL of this Guacamole " + "instance.");
+ // All other requests are not allowed - redirect to proper hostname
+ throw new GuacamoleInvalidCredentialsException("Authentication is "
+ + "only allowed against the primary URL of this Guacamole "
+ + "instance.",
+ new CredentialsInfo(Arrays.asList(new Field[] {
+ new RedirectField("primaryURI", confService.getPrimaryURI(),
+ new TranslatableMessage("LOGIN.INFO_REDIRECT_PENDING"))
+ }))
+ );
 }
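Review bot: The redirect target `confService.getPrimaryURI()` is passed to `RedirectField` in the new throw without a null check; if that getter can return null when no primary URI is configured (its contract is outside this hunk), the client would be handed a redirect with no destination, so either an explicit guard or a comment stating that the configuration layer guarantees a value would make the intent clear. Because the destination comes from configuration rather than from anything in the request, the redirect is not steerable by the caller, which is worth recording on the new comment line, e.g. `// Redirect target comes from configuration, never from the request, so this is not an open redirect`. As a style point, `Arrays.asList(new Field[] { ... })` wrapping a single element can be `Collections.singletonList(new RedirectField(...))`, which uses the already-imported Collections and makes the new java.util.Arrays import unnecessary. The key `LOGIN.INFO_REDIRECT_PENDING` presumably resolves to the `INFO_REDIRECT_PENDING` entry added to en.json, assuming that entry sits under a `LOGIN` section as its siblings appear to; the enclosing object is not visible here. The enclosing method starts outside this hunk.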