safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-2052: Maintain independent copy of request details in Credentials.

Browse Source
This commit is contained in:
Michael Jumper
2025-04-12 11:50:48 -07:00
parent 7d4009f91b
commit 4670ad0b90
17 changed files with 697 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java
View File

@@ -21,7 +21,6 @@ package org.apache.guacamole.auth.duo;
import com.google.inject.Guice;
import com.google.inject.Injector;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
@@ -86,8 +85,7 @@ public class DuoAuthenticationProvider extends AbstractAuthenticationProvider {
// Ignore requests with no corresponding authentication session ID, as
// there are no credentials to reconstitute if the user has not yet
// attempted to authenticate
HttpServletRequest request = credentials.getRequest();
String duoState = request.getParameter(UserVerificationService.DUO_STATE_PARAMETER_NAME);
String duoState = credentials.getParameter(UserVerificationService.DUO_STATE_PARAMETER_NAME);
if (duoState == null)
return credentials;
@@ -99,7 +97,7 @@ public class DuoAuthenticationProvider extends AbstractAuthenticationProvider {
// Reconstitute the originally-provided credentials from the users
// authentication attempt prior to being redirected to Duo
Credentials previousCredentials = session.getCredentials();
previousCredentials.setRequest(request);
previousCredentials.setRequestDetails(credentials.getRequestDetails());
return previousCredentials;
}

8
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
View File

@@ -30,7 +30,6 @@ import java.net.URISyntaxException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.auth.duo.conf.ConfigurationService;
@@ -113,8 +112,7 @@ public class UserVerificationService {
// Pull the original HTTP request used to authenticate
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress();
IPAddress clientAddr = new IPAddressString(credentials.getRemoteAddress()).getAddress();
// Ignore anonymous users
String username = authenticatedUser.getIdentifier();
@@ -176,8 +174,8 @@ public class UserVerificationService {
// Retrieve signed Duo authentication code and session state from the
// request (these will be absent if this is an initial authentication
// attempt and not a redirect back from Duo)
String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME);
String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME);
String duoCode = credentials.getParameter(DUO_CODE_PARAMETER_NAME);
String duoState = credentials.getParameter(DUO_STATE_PARAMETER_NAME);
// Redirect to Duo to obtain an authentication code if that redirect
// has not yet occurred

21
extensions/guacamole-auth-header/src/main/java/org/apache/guacamole/auth/header/AuthenticationProviderService.java
View File

@@ -21,13 +21,11 @@ package org.apache.guacamole.auth.header;
import com.google.inject.Inject;
import com.google.inject.Provider;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
import org.apache.guacamole.auth.header.user.AuthenticatedUser;
import java.security.Principal;
/**
* Service providing convenience functions for the HTTP Header
@@ -65,19 +63,12 @@ public class AuthenticationProviderService {
public AuthenticatedUser authenticateUser(Credentials credentials)
throws GuacamoleException {
// Pull HTTP header from request if present
HttpServletRequest request = credentials.getRequest();
if (request != null) {
// Get the username from the header configured in guacamole.properties
String username = request.getHeader(confService.getHttpAuthHeader());
if (username != null) {
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(username, credentials);
return authenticatedUser;
}
// Get the username from the header configured in guacamole.properties
String username = credentials.getHeader(confService.getHttpAuthHeader());
if (username != null) {
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(username, credentials);
return authenticatedUser;
}
// Authentication not provided via header, yet, so we request it.

8
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/sharing/ConnectionSharingService.java
View File

@@ -22,7 +22,6 @@ package org.apache.guacamole.auth.jdbc.sharing;
import com.google.inject.Inject;
import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
@@ -175,13 +174,8 @@ public class ConnectionSharingService {
*/
public String getShareKey(Credentials credentials) {
// Pull associated HTTP request
HttpServletRequest request = credentials.getRequest();
if (request == null)
return null;
// Retrieve the share key from the request
return request.getParameter(SHARE_KEY_NAME);
return credentials.getParameter(SHARE_KEY_NAME);
}

6
extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
View File

@@ -26,7 +26,6 @@ import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleClientException;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleUnsupportedException;
@@ -522,9 +521,8 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
String username = user.getIdentifier();
// Pull new password from HTTP request
HttpServletRequest request = credentials.getRequest();
String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
String newPassword = credentials.getParameter(NEW_PASSWORD_PARAMETER);
String confirmNewPassword = credentials.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
// Require new password if account is expired
if (newPassword == null || confirmNewPassword == null) {

25
extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/RequestValidationService.java
View File

@@ -21,10 +21,9 @@ package org.apache.guacamole.auth.json;
import com.google.inject.Inject;
import inet.ipaddr.IPAddressString;
import java.util.ArrayList;
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -59,17 +58,17 @@ public class RequestValidationService {
}
/**
* Returns whether the given request can be used for authentication, taking
* into account restrictions specified within guacamole.properties.
* Returns whether the given credentials can be used for authentication,
* taking into account restrictions specified within guacamole.properties.
*
* @param request
* The HTTP request to test.
* @param credentials
* The credentials of the authentication request to test.
*
* @return
* true if the given request comes from a trusted source and can be
* true if the given credentials come from a trusted source and can be
* used for authentication, false otherwise.
*/
public boolean isAuthenticationAllowed(HttpServletRequest request) {
public boolean isAuthenticationAllowed(Credentials credentials) {
// Pull list of all trusted networks
Collection<String> trustedNetworks;
@@ -79,14 +78,14 @@ public class RequestValidationService {
// Deny all requests if restrictions cannot be parsed
catch (GuacamoleException e) {
logger.warn("Authentication request from \"{}\" is DENIED due to parse error: {}", request.getRemoteAddr(), e.getMessage());
logger.warn("Authentication request from \"{}\" is DENIED due to parse error: {}", credentials.getRemoteAddress(), e.getMessage());
logger.debug("Error parsing authentication request restrictions from guacamole.properties.", e);
return false;
}
// All requests are allowed if no restrictions are defined
if (trustedNetworks.isEmpty()) {
logger.debug("Authentication request from \"{}\" is ALLOWED (no restrictions).", request.getRemoteAddr());
logger.debug("Authentication request from \"{}\" is ALLOWED (no restrictions).", credentials.getRemoteAddress());
return true;
}
@@ -94,15 +93,15 @@ public class RequestValidationService {
for (String network : trustedNetworks) {
// Request is allowed if any subnet matches
if (new IPAddressString(network).contains(new IPAddressString(request.getRemoteAddr()))) {
logger.debug("Authentication request from \"{}\" is ALLOWED (matched subnet).", request.getRemoteAddr());
if (new IPAddressString(network).contains(new IPAddressString(credentials.getRemoteAddress()))) {
logger.debug("Authentication request from \"{}\" is ALLOWED (matched subnet).", credentials.getRemoteAddress());
return true;
}
}
// Otherwise request is denied - no subnets matched
logger.debug("Authentication request from \"{}\" is DENIED (did not match subnet).", request.getRemoteAddr());
logger.debug("Authentication request from \"{}\" is DENIED (did not match subnet).", credentials.getRemoteAddress());
return false;
}

10
extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataService.java
View File

@@ -31,7 +31,6 @@ import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.json.ConfigurationService;
import org.apache.guacamole.auth.json.CryptoService;
@@ -121,18 +120,13 @@ public class UserDataService {
String json;
byte[] correctSignature;
// Pull HTTP request, if available
HttpServletRequest request = credentials.getRequest();
if (request == null)
return null;
// Abort if the request itself is not allowed
if (!requestService.isAuthenticationAllowed(request))
if (!requestService.isAuthenticationAllowed(credentials))
return null;
// Pull base64-encoded, encrypted JSON data from HTTP request, if any
// such data is present
String base64 = request.getParameter(ENCRYPTED_DATA_PARAMETER);
String base64 = credentials.getParameter(ENCRYPTED_DATA_PARAMETER);
if (base64 == null)
return null;

67
extensions/guacamole-auth-json/src/test/java/org/apache/guacamole/auth/json/RequestValidationServiceTest.java
View File

@@ -33,6 +33,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.ServletInputStream;
import javax.servlet.RequestDispatcher;
import org.apache.guacamole.net.auth.Credentials;
import org.junit.Test;
import static org.junit.Assert.*;
@@ -375,13 +376,13 @@ public class RequestValidationServiceTest {
requestService = new RequestValidationService(new MockConfigurationService(null));
try {
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("1.1.1.1")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("10.10.10.10")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("100.100.100.100")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("1:1:1:1:1:1:1:1")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("10:10:10:10:10:10:10:10")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("100:100:100:100:100:100:100:100")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("1000:1000:1000:1000:1000:1000:1000:1000")));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1.1.1.1"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("10.10.10.10"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("100.100.100.100"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1:1:1:1:1:1:1:1"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("10:10:10:10:10:10:10:10"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("100:100:100:100:100:100:100:100"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1000:1000:1000:1000:1000:1000:1000:1000"))));
}
catch (AssertionError e) {
fail("A network was denied to authenticate even though no trusted networks were specified.");
@@ -399,18 +400,18 @@ public class RequestValidationServiceTest {
requestService = new RequestValidationService(new MockConfigurationService("10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0.0/16,1.2.3.4/32,::1/128,fc00::/7"));
try {
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("10.0.0.0")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("10.255.255.255")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("127.0.0.0")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("127.255.255.255")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("172.16.0.0")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("172.31.255.255")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("192.168.0.0")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("192.168.255.255")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("1.2.3.4")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("::1")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("fc00::")));
assertTrue(requestService.isAuthenticationAllowed(mockHttpServletRequest("fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("10.0.0.0"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("10.255.255.255"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("127.0.0.0"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("127.255.255.255"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("172.16.0.0"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("172.31.255.255"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("192.168.0.0"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("192.168.255.255"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1.2.3.4"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("::1"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("fc00::"))));
assertTrue(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))));
}
catch (AssertionError e) {
fail("A trusted network was denied to authenticate.");
@@ -428,20 +429,20 @@ public class RequestValidationServiceTest {
requestService = new RequestValidationService(new MockConfigurationService("10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0.0/16,1.2.3.4/32,::1/128,fc00::/7"));
try {
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("9.255.255.255")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("11.0.0.0")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("126.255.255.255")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("128.0.0.0")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("172.15.255.255")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("172.32.0.0")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("192.167.255.255")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("192.169.0.0")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("1.2.3.3")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("1.2.3.5")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("::0")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("::2")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")));
assertFalse(requestService.isAuthenticationAllowed(mockHttpServletRequest("fe00::")));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("9.255.255.255"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("11.0.0.0"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("126.255.255.255"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("128.0.0.0"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("172.15.255.255"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("172.32.0.0"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("192.167.255.255"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("192.169.0.0"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1.2.3.3"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("1.2.3.5"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("::0"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("::2"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))));
assertFalse(requestService.isAuthenticationAllowed(new Credentials(null, null, mockHttpServletRequest("fe00::"))));
}
catch (AssertionError e) {
fail("An untrusted network was allowed to authenticate.");

6
extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
View File

@@ -23,7 +23,6 @@ import com.google.common.io.BaseEncoding;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.auth.radius.user.AuthenticatedUser;
import org.apache.guacamole.auth.radius.form.GuacamoleRadiusChallenge;
import org.apache.guacamole.auth.radius.form.RadiusStateField;
@@ -148,8 +147,7 @@ public class AuthenticationProviderService {
return null;
// Grab HTTP request object and a response to a challenge.
HttpServletRequest request = credentials.getRequest();
String challengeResponse = request.getParameter(CHALLENGE_RESPONSE_PARAM);
String challengeResponse = credentials.getParameter(CHALLENGE_RESPONSE_PARAM);
// RadiusPacket object to store response from server.
RadiusPacket radPack;
@@ -173,7 +171,7 @@ public class AuthenticationProviderService {
// This is a response to a previous challenge, authenticate with that.
else {
try {
String stateString = request.getParameter(RadiusStateField.PARAMETER_NAME);
String stateString = credentials.getParameter(RadiusStateField.PARAMETER_NAME);
if (stateString == null) {
logger.warn("Expected state parameter was not present in challenge/response.");
throw new GuacamoleInvalidCredentialsException("Authentication error.", CredentialsInfo.USERNAME_PASSWORD);

10
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-cas/src/main/java/org/apache/guacamole/auth/cas/AuthenticationProviderService.java
View File

@@ -23,7 +23,6 @@ import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.net.URI;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.UriBuilder;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.GuacamoleException;
@@ -70,12 +69,9 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
throws GuacamoleException {
// Pull CAS ticket from request if present
HttpServletRequest request = credentials.getRequest();
if (request != null) {
String ticket = request.getParameter(TICKET_PARAMETER_NAME);
if (ticket != null) {
return ticketService.validateTicket(ticket, credentials);
}
String ticket = credentials.getParameter(TICKET_PARAMETER_NAME);
if (ticket != null) {
return ticketService.validateTicket(ticket, credentials);
}
// Request CAS ticket (will automatically redirect the user to the

18
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
View File

@@ -27,7 +27,6 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.UriBuilder;
import org.apache.guacamole.auth.openid.conf.ConfigurationService;
import org.apache.guacamole.auth.openid.token.TokenValidationService;
@@ -88,16 +87,13 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
Map<String,String> tokens = Collections.emptyMap();
// Validate OpenID token in request, if present, and derive username
HttpServletRequest request = credentials.getRequest();
if (request != null) {
String token = request.getParameter(TOKEN_PARAMETER_NAME);
if (token != null) {
JwtClaims claims = tokenService.validateToken(token);
if (claims != null) {
username = tokenService.processUsername(claims);
groups = tokenService.processGroups(claims);
tokens = tokenService.processAttributes(claims);
}
String token = credentials.getParameter(TOKEN_PARAMETER_NAME);
if (token != null) {
JwtClaims claims = tokenService.validateToken(token);
if (claims != null) {
username = tokenService.processUsername(claims);
groups = tokenService.processGroups(claims);
tokens = tokenService.processAttributes(claims);
}
}

11
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java
View File

@@ -24,7 +24,6 @@ import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.net.URI;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.auth.saml.user.SAMLAuthenticatedUser;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.auth.saml.acs.AssertedIdentity;
@@ -85,21 +84,13 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
// Return the session identifier from the request params, if set, or
// null otherwise
return credentials != null && credentials.getRequest() != null
? credentials.getRequest().getParameter(AUTH_SESSION_QUERY_PARAM)
: null;
return credentials != null ? credentials.getParameter(AUTH_SESSION_QUERY_PARAM) : null;
}
@Override
public SAMLAuthenticatedUser authenticateUser(Credentials credentials)
throws GuacamoleException {
// No authentication can be attempted without a corresponding HTTP
// request
HttpServletRequest request = credentials.getRequest();
if (request == null)
return null;
// Use established SAML identity if already provided by the SAML IdP
AssertedIdentity identity = sessionManager.getIdentity(
getSessionIdentifier(credentials));

13
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/AuthenticationProviderService.java
View File

@@ -25,7 +25,6 @@ import com.google.inject.Singleton;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.auth.ssl.conf.ConfigurationService;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleResourceNotFoundException;
@@ -89,9 +88,7 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
// Return the session identifier from the request params, if set, or
// null otherwise
return credentials != null && credentials.getRequest() != null
? credentials.getRequest().getParameter(AUTH_SESSION_PARAMETER_NAME)
: null;
return credentials != null ? credentials.getParameter(AUTH_SESSION_PARAMETER_NAME) : null;
}
/**
@@ -154,15 +151,9 @@ public class AuthenticationProviderService implements SSOAuthenticationProviderS
// was signed by the expected CA.
//
// We can't authenticate using SSL/TLS client auth unless there's an
// associated HTTP request
HttpServletRequest request = credentials.getRequest();
if (request == null)
return null;
// We MUST have the domain associated with the request to ensure we
// always get fresh SSL sessions when validating client certificates
String host = request.getHeader("Host");
String host = credentials.getHeader("Host");
if (host == null)
return null;

6
extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
View File

@@ -30,7 +30,6 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleUnsupportedException;
@@ -317,10 +316,9 @@ public class UserVerificationService {
// Pull the original HTTP request used to authenticate
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
// Get the current client address
IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress();
IPAddress clientAddr = new IPAddressString(credentials.getRemoteAddress()).getAddress();
// Ignore anonymous users
if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
@@ -369,7 +367,7 @@ public class UserVerificationService {
return;
// Retrieve TOTP from request
String code = request.getParameter(AuthenticationCodeField.PARAMETER_NAME);
String code = credentials.getParameter(AuthenticationCodeField.PARAMETER_NAME);
// If no TOTP provided, request one
if (code == null) {