GUACAMOLE-189: Merge per-connection guacd functionality.

2025-09-06 13:17:41 +00:00 · 2017-05-10 20:38:05 -07:00
parent ea5c8c546a 31b1b42ba6
commit d9b888e99a
12 changed files with 616 additions and 81 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionModel.java
@@ -22,6 +22,7 @@ package org.apache.guacamole.auth.jdbc.connection;
 import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.base.ChildObjectModel;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration.EncryptionMethod;

 /**
 * Object representation of a Guacamole connection, as represented in the
@@ -59,6 +60,24 @@ public class ConnectionModel extends ChildObjectModel {
     */
    private Set<String> sharingProfileIdentifiers = new HashSet<String>();

+    /**
+     * The hostname of the guacd instance to use, or null if the hostname of the
+     * default guacd instance should be used.
+     */
+    private String proxyHostname;
+
+    /**
+     * The port of the guacd instance to use, or null if the port of the default
+     * guacd instance should be used.
+     */
+    private Integer proxyPort;
+
+    /**
+     * The encryption method required by the desired guacd instance, or null if
+     * the encryption method of the default guacd instance should be used.
+     */
+    private EncryptionMethod proxyEncryptionMethod;
+
    /**
     * Creates a new, empty connection.
     */
@@ -158,6 +177,79 @@ public class ConnectionModel extends ChildObjectModel {
        this.maxConnectionsPerUser = maxConnectionsPerUser;
    }

+    /**
+     * Returns the hostname of the guacd instance to use. If the hostname of the
+     * default guacd instance should be used instead, null is returned.
+     *
+     * @return
+     *     The hostname of the guacd instance to use, or null if the hostname
+     *     of the default guacd instance should be used.
+     */
+    public String getProxyHostname() {
+        return proxyHostname;
+    }
+
+    /**
+     * Sets the hostname of the guacd instance to use.
+     *
+     * @param proxyHostname
+     *     The hostname of the guacd instance to use, or null if the hostname
+     *     of the default guacd instance should be used.
+     */
+    public void setProxyHostname(String proxyHostname) {
+        this.proxyHostname = proxyHostname;
+    }
+
+    /**
+     * Returns the port of the guacd instance to use. If the port of the default
+     * guacd instance should be used instead, null is returned.
+     *
+     * @return
+     *     The port of the guacd instance to use, or null if the port of the
+     *     default guacd instance should be used.
+     */
+    public Integer getProxyPort() {
+        return proxyPort;
+    }
+
+    /**
+     * Sets the port of the guacd instance to use.
+     *
+     * @param proxyPort
+     *     The port of the guacd instance to use, or null if the port of the
+     *     default guacd instance should be used.
+     */
+    public void setProxyPort(Integer proxyPort) {
+        this.proxyPort = proxyPort;
+    }
+
+    /**
+     * Returns the type of encryption required by the desired guacd instance.
+     * If the encryption method of the default guacd instance should be used
+     * instead, null is returned.
+     *
+     * @return
+     *     The type of encryption required by the desired guacd instance, or
+     *     null if the encryption method of the default guacd instance should
+     *     be used.
+     */
+    public EncryptionMethod getProxyEncryptionMethod() {
+        return proxyEncryptionMethod;
+    }
+
+    /**
+     * Sets the type of encryption which should be used when connecting to
+     * guacd, if any.
+     *
+     * @param proxyEncryptionMethod
+     *     The type of encryption required by the desired guacd instance, or
+     *     null if the encryption method of the default guacd instance should
+     *     be used.
+     */
+    public void setProxyEncryptionMethod(EncryptionMethod proxyEncryptionMethod) {
+        this.proxyEncryptionMethod = proxyEncryptionMethod;
+    }
+
    /**
     * Returns the identifiers of all readable sharing profiles associated with
     * this connection. This is set only when the connection is queried, and has
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java
@@ -32,12 +32,16 @@ import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.apache.guacamole.auth.jdbc.base.ModeledChildDirectoryObject;
+import org.apache.guacamole.form.EnumField;
 import org.apache.guacamole.form.Field;
 import org.apache.guacamole.form.Form;
 import org.apache.guacamole.form.NumericField;
+import org.apache.guacamole.form.TextField;
 import org.apache.guacamole.net.GuacamoleTunnel;
 import org.apache.guacamole.net.auth.Connection;
 import org.apache.guacamole.net.auth.ConnectionRecord;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration.EncryptionMethod;
 import org.apache.guacamole.protocol.GuacamoleClientInformation;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
 import org.slf4j.Logger;
@@ -55,6 +59,51 @@ public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionMod
     */
    private static final Logger logger = LoggerFactory.getLogger(ModeledConnection.class);

+    /**
+     * The name of the attribute which overrides the hostname used to connect
+     * to guacd for this connection.
+     */
+    public static final String GUACD_HOSTNAME_NAME = "guacd-hostname";
+
+    /**
+     * The name of the attribute which overrides the port used to connect to
+     * guacd for this connection.
+     */
+    public static final String GUACD_PORT_NAME = "guacd-port";
+
+    /**
+     * The name of the attribute which overrides the encryption method used to
+     * connect to guacd for this connection.
+     */
+    public static final String GUACD_ENCRYPTION_NAME = "guacd-encryption";
+
+    /**
+     * The value specified for the "guacd-encryption" attribute if encryption
+     * should not be used to connect to guacd.
+     */
+    public static final String GUACD_ENCRYPTION_VALUE_NONE = "none";
+
+    /**
+     * The value specified for the "guacd-encryption" attribute if SSL/TLS
+     * encryption should be used to connect to guacd.
+     */
+    public static final String GUACD_ENCRYPTION_VALUE_SSL = "ssl";
+
+    /**
+     * All attributes which describe the configuration of the guacd instance
+     * which will be used to connect to the remote desktop described by this
+     * connection.
+     */
+    public static final Form GUACD_PARAMETERS = new Form("guacd", Arrays.<Field>asList(
+        new TextField(GUACD_HOSTNAME_NAME),
+        new NumericField(GUACD_PORT_NAME),
+        new EnumField(GUACD_ENCRYPTION_NAME, Arrays.asList(
+            "",
+            GUACD_ENCRYPTION_VALUE_NONE,
+            GUACD_ENCRYPTION_VALUE_SSL
+        ))
+    ));
+
    /**
     * The name of the attribute which controls the maximum number of
     * concurrent connections.
@@ -81,7 +130,8 @@ public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionMod
     * logical forms.
     */
    public static final Collection<Form> ATTRIBUTES = Collections.unmodifiableCollection(Arrays.asList(
-        CONCURRENCY_LIMITS
+        CONCURRENCY_LIMITS,
+        GUACD_PARAMETERS
    ));

    /**
@@ -186,6 +236,35 @@ public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionMod
        // Set per-user connection limit attribute
        attributes.put(MAX_CONNECTIONS_PER_USER_NAME, NumericField.format(getModel().getMaxConnectionsPerUser()));

+        // Set guacd (proxy) hostname and port
+        attributes.put(GUACD_HOSTNAME_NAME, getModel().getProxyHostname());
+        attributes.put(GUACD_PORT_NAME, NumericField.format(getModel().getProxyPort()));
+
+        // Set guacd (proxy) encryption method
+        EncryptionMethod encryptionMethod = getModel().getProxyEncryptionMethod();
+        if (encryptionMethod == null)
+            attributes.put(GUACD_ENCRYPTION_NAME, null);
+
+        else {
+            switch (encryptionMethod) {
+
+                // Unencrypted
+                case NONE:
+                    attributes.put(GUACD_ENCRYPTION_NAME, GUACD_ENCRYPTION_VALUE_NONE);
+                    break;
+
+                // SSL / TLS encryption
+                case SSL:
+                    attributes.put(GUACD_ENCRYPTION_NAME, GUACD_ENCRYPTION_VALUE_SSL);
+                    break;
+
+                // Unimplemented / unspecified
+                default:
+                    attributes.put(GUACD_ENCRYPTION_NAME, null);
+
+            }
+        }
+
        return attributes;
    }

@@ -206,6 +285,31 @@ public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionMod
            logger.debug("Unable to parse numeric attribute.", e);
        }

+        // Set guacd hostname (no translation necessary)
+        getModel().setProxyHostname(attributes.get(GUACD_HOSTNAME_NAME));
+
+        // Translate guacd port
+        try { getModel().setProxyPort(NumericField.parse(attributes.get(GUACD_PORT_NAME))); }
+        catch (NumberFormatException e) {
+            logger.warn("Not setting guacd port: {}", e.getMessage());
+            logger.debug("Unable to parse numeric attribute.", e);
+        }
+
+        // Translate guacd encryption method
+        String encryptionMethod = attributes.get(GUACD_ENCRYPTION_NAME);
+
+        // Unencrypted
+        if (GUACD_ENCRYPTION_VALUE_NONE.equals(encryptionMethod))
+            getModel().setProxyEncryptionMethod(EncryptionMethod.NONE);
+
+        // SSL / TLS
+        else if (GUACD_ENCRYPTION_VALUE_SSL.equals(encryptionMethod))
+            getModel().setProxyEncryptionMethod(EncryptionMethod.SSL);
+
+        // Unimplemented / unspecified
+        else
+            getModel().setProxyEncryptionMethod(null);
+
    }

    /**
@@ -257,4 +361,39 @@ public class ModeledConnection extends ModeledChildDirectoryObject<ConnectionMod

    }

+    /**
+     * Returns the connection information which should be used to connect to
+     * guacd when establishing a connection to the remote desktop described by
+     * this connection. If no such information is defined for this specific
+     * remote desktop connection, the default guacd connection information will
+     * be used instead, as defined by JDBCEnvironment.
+     *
+     * @return
+     *     The connection information which should be used to connect to guacd
+     *     when establishing a connection to the remote desktop described by
+     *     this connection.
+     *
+     * @throws GuacamoleException
+     *     If the connection information for guacd cannot be parsed.
+     */
+    public GuacamoleProxyConfiguration getGuacamoleProxyConfiguration()
+            throws GuacamoleException {
+
+        // Retrieve default proxy configuration from environment
+        GuacamoleProxyConfiguration defaultConfig = environment.getDefaultGuacamoleProxyConfiguration();
+
+        // Retrieve proxy configuration overrides from model
+        String hostname = getModel().getProxyHostname();
+        Integer port = getModel().getProxyPort();
+        EncryptionMethod encryptionMethod = getModel().getProxyEncryptionMethod();
+
+        // Produce new proxy configuration from model, using defaults where unspecified
+        return new GuacamoleProxyConfiguration(
+            hostname         != null ? hostname         : defaultConfig.getHostname(),
+            port             != null ? port             : defaultConfig.getPort(),
+            encryptionMethod != null ? encryptionMethod : defaultConfig.getEncryptionMethod()
+        );
+
+    }
+
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
@@ -42,10 +42,10 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleResourceConflictException;
 import org.apache.guacamole.GuacamoleResourceNotFoundException;
 import org.apache.guacamole.GuacamoleSecurityException;
+import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.GuacamoleUpstreamException;
 import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.apache.guacamole.auth.jdbc.connection.ConnectionMapper;
-import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.net.GuacamoleSocket;
 import org.apache.guacamole.net.GuacamoleTunnel;
 import org.apache.guacamole.net.auth.Connection;
@@ -62,6 +62,7 @@ import org.apache.guacamole.auth.jdbc.sharingprofile.ModeledSharingProfile;
 import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterMapper;
 import org.apache.guacamole.auth.jdbc.sharingprofile.SharingProfileParameterModel;
 import org.apache.guacamole.auth.jdbc.user.RemoteAuthenticatedUser;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
 import org.apache.guacamole.protocol.FailoverGuacamoleSocket;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -79,12 +80,6 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
     */
    private final Logger logger = LoggerFactory.getLogger(AbstractGuacamoleTunnelService.class);

-    /**
-     * The environment of the Guacamole server.
-     */
-    @Inject
-    private JDBCEnvironment environment;
- 
    /**
     * Mapper for accessing connections.
     */
@@ -121,18 +116,6 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
    @Inject
    private Provider<ActiveConnectionRecord> activeConnectionRecordProvider;

-    /**
-     * The hostname to use when connecting to guacd if no hostname is provided
-     * within guacamole.properties.
-     */
-    private static final String DEFAULT_GUACD_HOSTNAME = "localhost";
-
-    /**
-     * The port to use when connecting to guacd if no port is provided within
-     * guacamole.properties.
-     */
-    private static final int DEFAULT_GUACD_PORT = 4822;
-
    /**
     * All active connections through the tunnel having a given UUID.
     */
@@ -333,6 +316,13 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
     * Returns an unconfigured GuacamoleSocket that is already connected to
     * guacd as specified in guacamole.properties, using SSL if necessary.
     *
+     * @param proxyConfig
+     *     The configuration information to use when connecting to guacd.
+     *
+     * @param socketClosedCallback
+     *     The callback which should be invoked whenever the returned socket
+     *     closes.
+     *
     * @return
     *     An unconfigured GuacamoleSocket, already connected to guacd.
     *
@@ -340,23 +330,33 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
     *     If an error occurs while connecting to guacd, or while parsing
     *     guacd-related properties.
     */
-    private GuacamoleSocket getUnconfiguredGuacamoleSocket(Runnable socketClosedCallback)
-        throws GuacamoleException {
+    private GuacamoleSocket getUnconfiguredGuacamoleSocket(
+            GuacamoleProxyConfiguration proxyConfig,
+            Runnable socketClosedCallback) throws GuacamoleException {

-        // Use SSL if requested
-        if (environment.getProperty(Environment.GUACD_SSL, false))
-            return new ManagedSSLGuacamoleSocket(
-                environment.getProperty(Environment.GUACD_HOSTNAME, DEFAULT_GUACD_HOSTNAME),
-                environment.getProperty(Environment.GUACD_PORT,     DEFAULT_GUACD_PORT),
-                socketClosedCallback
-            );
+        // Select socket type depending on desired encryption
+        switch (proxyConfig.getEncryptionMethod()) {

-        // Otherwise, just use straight TCP
-        return new ManagedInetGuacamoleSocket(
-            environment.getProperty(Environment.GUACD_HOSTNAME, DEFAULT_GUACD_HOSTNAME),
-            environment.getProperty(Environment.GUACD_PORT,     DEFAULT_GUACD_PORT),
-            socketClosedCallback
-        );
+            // Use SSL if requested
+            case SSL:
+                return new ManagedSSLGuacamoleSocket(
+                    proxyConfig.getHostname(),
+                    proxyConfig.getPort(),
+                    socketClosedCallback
+                );
+
+            // Use straight TCP if unencrypted
+            case NONE:
+                return new ManagedInetGuacamoleSocket(
+                    proxyConfig.getHostname(),
+                    proxyConfig.getPort(),
+                    socketClosedCallback
+                );
+
+        }
+
+        // Bail out if encryption method is unknown
+        throw new GuacamoleServerException("Unimplemented encryption method.");

    }

@@ -472,10 +472,12 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS

            GuacamoleConfiguration config;

+            // Retrieve connection information associated with given connection record
+            ModeledConnection connection = activeConnection.getConnection();
+
            // Pull configuration directly from the connection if we are not
            // joining an active connection
            if (activeConnection.isPrimaryConnection()) {
-                ModeledConnection connection = activeConnection.getConnection();
                activeConnections.put(connection.getIdentifier(), activeConnection);
                activeConnectionGroups.put(connection.getParentIdentifier(), activeConnection);
                config = getGuacamoleConfiguration(activeConnection.getUser(), connection);
@@ -499,7 +501,8 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS

            // Obtain socket which will automatically run the cleanup task
            ConfiguredGuacamoleSocket socket = new ConfiguredGuacamoleSocket(
-                getUnconfiguredGuacamoleSocket(cleanupTask), config, info);
+                getUnconfiguredGuacamoleSocket(connection.getGuacamoleProxyConfiguration(),
+                        cleanupTask), config, info);

            // Assign and return new tunnel
            if (interceptErrors)
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/resources/translations/en.json
@@ -20,7 +20,16 @@
        "FIELD_HEADER_MAX_CONNECTIONS"          : "Maximum number of connections:",
        "FIELD_HEADER_MAX_CONNECTIONS_PER_USER" : "Maximum number of connections per user:",

-        "SECTION_HEADER_CONCURRENCY" : "Concurrency Limits"
+        "FIELD_HEADER_GUACD_HOSTNAME"   : "Hostname:",
+        "FIELD_HEADER_GUACD_ENCRYPTION" : "Encryption:",
+        "FIELD_HEADER_GUACD_PORT"       : "Port:",
+
+        "FIELD_OPTION_GUACD_ENCRYPTION_EMPTY" : "",
+        "FIELD_OPTION_GUACD_ENCRYPTION_NONE"  : "None (unencrypted)",
+        "FIELD_OPTION_GUACD_ENCRYPTION_SSL"   : "SSL / TLS",
+
+        "SECTION_HEADER_CONCURRENCY" : "Concurrency Limits",
+        "SECTION_HEADER_GUACD"       : "Guacamole Proxy Parameters (guacd)"

    },

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.13.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/upgrade/upgrade-pre-0.9.13.sql
@@ -0,0 +1,30 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+--
+
+--
+-- Add guacd per-connection override columns
+--
+
+ALTER TABLE guacamole_connection ADD COLUMN proxy_port INT(11);
+ALTER TABLE guacamole_connection ADD COLUMN proxy_hostname VARCHAR(512);
+
+ALTER TABLE guacamole_connection ADD COLUMN proxy_encryption_method ENUM(
+    'NONE',
+    'SSL'
+);
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
@@ -33,6 +33,10 @@
        <result column="protocol"                 property="protocol"              jdbcType="VARCHAR"/>
        <result column="max_connections"          property="maxConnections"        jdbcType="INTEGER"/>
        <result column="max_connections_per_user" property="maxConnectionsPerUser" jdbcType="INTEGER"/>
+        <result column="proxy_hostname"           property="proxyHostname"         jdbcType="VARCHAR"/>
+        <result column="proxy_port"               property="proxyPort"             jdbcType="INTEGER"/>
+        <result column="proxy_encryption_method"  property="proxyEncryptionMethod" jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.GuacamoleProxyConfiguration$EncryptionMethod"/>

        <!-- Associated sharing profiles -->
        <collection property="sharingProfileIdentifiers" resultSet="sharingProfiles" ofType="java.lang.String"
@@ -88,7 +92,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        WHERE connection_id IN
            <foreach collection="identifiers" item="identifier"
@@ -116,7 +123,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        JOIN guacamole_connection_permission ON guacamole_connection_permission.connection_id = guacamole_connection.connection_id
        WHERE guacamole_connection.connection_id IN
@@ -149,7 +159,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        WHERE 
            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=VARCHAR}</if>
@@ -173,14 +186,20 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        )
        VALUES (
            #{object.name,jdbcType=VARCHAR},
            #{object.parentIdentifier,jdbcType=VARCHAR},
            #{object.protocol,jdbcType=VARCHAR},
            #{object.maxConnections,jdbcType=INTEGER},
-            #{object.maxConnectionsPerUser,jdbcType=INTEGER}
+            #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            #{object.proxyHostname,jdbcType=VARCHAR},
+            #{object.proxyPort,jdbcType=INTEGER},
+            #{object.proxyEncryptionMethod,jdbcType=VARCHAR}
        )

    </insert>
@@ -192,8 +211,11 @@
            parent_id                = #{object.parentIdentifier,jdbcType=VARCHAR},
            protocol                 = #{object.protocol,jdbcType=VARCHAR},
            max_connections          = #{object.maxConnections,jdbcType=INTEGER},
-            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER}
+            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            proxy_hostname           = #{object.proxyHostname,jdbcType=VARCHAR},
+            proxy_port               = #{object.proxyPort,jdbcType=INTEGER},
+            proxy_encryption_method  = #{object.proxyEncryptionMethod,jdbcType=VARCHAR}
        WHERE connection_id = #{object.objectID,jdbcType=INTEGER}
    </update>

-</mapper>
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.13.sql
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/schema/upgrade/upgrade-pre-0.9.13.sql
@@ -0,0 +1,35 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one
+-- or more contributor license agreements.  See the NOTICE file
+-- distributed with this work for additional information
+-- regarding copyright ownership.  The ASF licenses this file
+-- to you under the Apache License, Version 2.0 (the
+-- "License"); you may not use this file except in compliance
+-- with the License.  You may obtain a copy of the License at
+--
+--   http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+-- KIND, either express or implied.  See the License for the
+-- specific language governing permissions and limitations
+-- under the License.
+--
+
+--
+-- Add new guacd encryption method type
+--
+
+CREATE TYPE guacamole_proxy_encryption_method AS ENUM(
+    'NONE',
+    'SSL'
+);
+
+--
+-- Add guacd per-connection override columns
+--
+
+ALTER TABLE guacamole_connection ADD COLUMN proxy_port integer;
+ALTER TABLE guacamole_connection ADD COLUMN proxy_hostname varchar(512);
+ALTER TABLE guacamole_connection ADD COLUMN proxy_encryption_method guacamole_proxy_encryption_method;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
@@ -33,6 +33,10 @@
        <result column="protocol"                 property="protocol"              jdbcType="VARCHAR"/>
        <result column="max_connections"          property="maxConnections"        jdbcType="INTEGER"/>
        <result column="max_connections_per_user" property="maxConnectionsPerUser" jdbcType="INTEGER"/>
+        <result column="proxy_hostname"           property="proxyHostname"         jdbcType="VARCHAR"/>
+        <result column="proxy_port"               property="proxyPort"             jdbcType="INTEGER"/>
+        <result column="proxy_encryption_method"  property="proxyEncryptionMethod" jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.GuacamoleProxyConfiguration$EncryptionMethod"/>

        <!-- Associated sharing profiles -->
        <collection property="sharingProfileIdentifiers" resultSet="sharingProfiles" ofType="java.lang.String"
@@ -88,7 +92,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        WHERE connection_id IN
            <foreach collection="identifiers" item="identifier"
@@ -116,7 +123,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        JOIN guacamole_connection_permission ON guacamole_connection_permission.connection_id = guacamole_connection.connection_id
        WHERE guacamole_connection.connection_id IN
@@ -149,7 +159,10 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        FROM guacamole_connection
        WHERE 
            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}::integer</if>
@@ -173,14 +186,20 @@
            parent_id,
            protocol,
            max_connections,
-            max_connections_per_user
+            max_connections_per_user,
+            proxy_hostname,
+            proxy_port,
+            proxy_encryption_method
        )
        VALUES (
            #{object.name,jdbcType=VARCHAR},
            #{object.parentIdentifier,jdbcType=INTEGER}::integer,
            #{object.protocol,jdbcType=VARCHAR},
            #{object.maxConnections,jdbcType=INTEGER},
-            #{object.maxConnectionsPerUser,jdbcType=INTEGER}
+            #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            #{object.proxyHostname,jdbcType=VARCHAR},
+            #{object.proxyPort,jdbcType=INTEGER},
+            #{object.proxyEncryptionMethod,jdbcType=VARCHAR}::guacamole_proxy_encryption_method
        )

    </insert>
@@ -192,8 +211,11 @@
            parent_id                = #{object.parentIdentifier,jdbcType=INTEGER}::integer,
            protocol                 = #{object.protocol,jdbcType=VARCHAR},
            max_connections          = #{object.maxConnections,jdbcType=INTEGER},
-            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER}
+            max_connections_per_user = #{object.maxConnectionsPerUser,jdbcType=INTEGER},
+            proxy_hostname           = #{object.proxyHostname,jdbcType=VARCHAR},
+            proxy_port               = #{object.proxyPort,jdbcType=INTEGER},
+            proxy_encryption_method  = #{object.proxyEncryptionMethod,jdbcType=VARCHAR}::guacamole_proxy_encryption_method
        WHERE connection_id = #{object.objectID,jdbcType=INTEGER}::integer
    </update>

-</mapper>
+</mapper>
--- a/guacamole-ext/src/main/java/org/apache/guacamole/environment/Environment.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/environment/Environment.java
@@ -22,6 +22,7 @@ package org.apache.guacamole.environment;
 import java.io.File;
 import java.util.Map;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
 import org.apache.guacamole.properties.BooleanGuacamoleProperty;
 import org.apache.guacamole.properties.GuacamoleProperty;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
@@ -146,4 +147,19 @@ public interface Environment {
    public <Type> Type getRequiredProperty(GuacamoleProperty<Type> property)
            throws GuacamoleException;

+    /**
+     * Returns the connection information which should be used, by default, to
+     * connect to guacd when establishing a remote desktop connection.
+     *
+     * @return
+     *     The connection information which should be used, by default, to
+     *     connect to guacd.
+     *
+     * @throws GuacamoleException
+     *     If the the connection information for guacd cannot be
+     *     retrieved.
+     */
+    public GuacamoleProxyConfiguration getDefaultGuacamoleProxyConfiguration()
+            throws GuacamoleException;
+
 }
--- a/guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java
@@ -30,6 +30,7 @@ import java.util.Properties;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
 import org.apache.guacamole.properties.GuacamoleProperty;
 import org.apache.guacamole.protocols.ProtocolInfo;
 import org.slf4j.Logger;
@@ -53,6 +54,24 @@ public class LocalEnvironment implements Environment {
    private static final String[] KNOWN_PROTOCOLS = new String[]{
        "vnc", "rdp", "ssh", "telnet"};

+    /**
+     * The hostname to use when connecting to guacd if no hostname is provided
+     * within guacamole.properties.
+     */
+    private static final String DEFAULT_GUACD_HOSTNAME = "localhost";
+
+    /**
+     * The port to use when connecting to guacd if no port is provided within
+     * guacamole.properties.
+     */
+    private static final int DEFAULT_GUACD_PORT = 4822;
+
+    /**
+     * Whether SSL/TLS is enabled for connections to guacd if not specified
+     * within guacamole.properties.
+     */
+    private static final boolean DEFAULT_GUACD_SSL = false;
+
    /**
     * All properties read from guacamole.properties.
     */
@@ -313,4 +332,17 @@ public class LocalEnvironment implements Environment {
        return availableProtocols.get(name);
    }

+    @Override
+    public GuacamoleProxyConfiguration getDefaultGuacamoleProxyConfiguration()
+            throws GuacamoleException {
+
+        // Parse guacd hostname/port/ssl properties
+        return new GuacamoleProxyConfiguration(
+            getProperty(Environment.GUACD_HOSTNAME, DEFAULT_GUACD_HOSTNAME),
+            getProperty(Environment.GUACD_PORT, DEFAULT_GUACD_PORT),
+            getProperty(Environment.GUACD_SSL, DEFAULT_GUACD_SSL)
+        );
+
+    }
+
 }
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/GuacamoleProxyConfiguration.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/GuacamoleProxyConfiguration.java
@@ -0,0 +1,132 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.net.auth;
+
+/**
+ * Information which describes how the connection to guacd should be
+ * established. This includes the hostname and port which guacd is listening on,
+ * as well as the type of encryption required, if any.
+ *
+ * @author Michael Jumper
+ */
+public class GuacamoleProxyConfiguration {
+
+    /**
+     * All possible types of encryption used by guacd.
+     */
+    public enum EncryptionMethod {
+
+        /**
+         * Unencrypted (plaintext).
+         */
+        NONE,
+
+        /**
+         * Encrypted with SSL or TLS.
+         */
+        SSL
+        
+    }
+
+    /**
+     * The hostname or address of the machine where guacd is running.
+     */
+    private final String hostname;
+
+    /**
+     * The port that guacd is listening on.
+     */
+    private final int port;
+
+    /**
+     * The type of encryption required by guacd.
+     */
+    private final EncryptionMethod encryptionMethod;
+
+    /**
+     * Creates a new GuacamoleProxyConfiguration having the given hostname,
+     * port, and encryption method.
+     *
+     * @param hostname
+     *     The hostname or address of the machine where guacd is running.
+     *
+     * @param port
+     *     The port that guacd is listening on.
+     *
+     * @param encryptionMethod
+     *     The type of encryption required by the instance of guacd running at
+     *     the given hostname and port.
+     */
+    public GuacamoleProxyConfiguration(String hostname, int port,
+            EncryptionMethod encryptionMethod) {
+        this.hostname = hostname;
+        this.port = port;
+        this.encryptionMethod = encryptionMethod;
+    }
+
+    /**
+     * Creates a new GuacamoleProxyConfiguration having the given hostname and
+     * port, with encryption method being restricted to either NONE or SSL.
+     *
+     * @param hostname
+     *     The hostname or address of the machine where guacd is running.
+     *
+     * @param port
+     *     The port that guacd is listening on.
+     *
+     * @param ssl
+     *     true if guacd requires SSL/TLS encryption, false if communication
+     *     with guacd should be unencrypted.
+     */
+    public GuacamoleProxyConfiguration(String hostname, int port, boolean ssl) {
+        this(hostname, port, ssl ? EncryptionMethod.SSL : EncryptionMethod.NONE);
+    }
+
+    /**
+     * Returns the hostname or address of the machine where guacd is running.
+     *
+     * @return
+     *     The hostname or address of the machine where guacd is running.
+     */
+    public String getHostname() {
+        return hostname;
+    }
+
+    /**
+     * Returns the port that guacd is listening on.
+     *
+     * @return
+     *     The port that guacd is listening on.
+     */
+    public int getPort() {
+        return port;
+    }
+
+    /**
+     * Returns the type of encryption required by guacd.
+     *
+     * @return
+     *     The type of encryption required by guacd.
+     */
+    public EncryptionMethod getEncryptionMethod() {
+        return encryptionMethod;
+    }
+
+}
--- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleConnection.java
+++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleConnection.java
@@ -23,6 +23,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.environment.LocalEnvironment;
 import org.apache.guacamole.net.GuacamoleSocket;
@@ -32,6 +33,7 @@ import org.apache.guacamole.net.SSLGuacamoleSocket;
 import org.apache.guacamole.net.SimpleGuacamoleTunnel;
 import org.apache.guacamole.net.auth.AbstractConnection;
 import org.apache.guacamole.net.auth.ConnectionRecord;
+import org.apache.guacamole.net.auth.GuacamoleProxyConfiguration;
 import org.apache.guacamole.protocol.ConfiguredGuacamoleSocket;
 import org.apache.guacamole.protocol.GuacamoleClientInformation;
 import org.apache.guacamole.protocol.GuacamoleConfiguration;
@@ -41,18 +43,6 @@ import org.apache.guacamole.protocol.GuacamoleConfiguration;
 */
 public class SimpleConnection extends AbstractConnection {

-    /**
-     * The hostname to use when connecting to guacd if no hostname is provided
-     * within guacamole.properties.
-     */
-    private static final String DEFAULT_GUACD_HOSTNAME = "localhost";
-
-    /**
-     * The port to use when connecting to guacd if no port is provided within
-     * guacamole.properties.
-     */
-    private static final int DEFAULT_GUACD_PORT = 4822;
-
    /**
     * Backing configuration, containing all sensitive information.
     */
@@ -107,27 +97,40 @@ public class SimpleConnection extends AbstractConnection {
    public GuacamoleTunnel connect(GuacamoleClientInformation info)
            throws GuacamoleException {

-        Environment env = new LocalEnvironment();
-        
+        // Retrieve proxy configuration from environment
+        Environment environment = new LocalEnvironment();
+        GuacamoleProxyConfiguration proxyConfig = environment.getDefaultGuacamoleProxyConfiguration();
+
        // Get guacd connection parameters
-        String hostname = env.getProperty(Environment.GUACD_HOSTNAME, DEFAULT_GUACD_HOSTNAME);
-        int port = env.getProperty(Environment.GUACD_PORT, DEFAULT_GUACD_PORT);
+        String hostname = proxyConfig.getHostname();
+        int port = proxyConfig.getPort();

        GuacamoleSocket socket;
-        
-        // If guacd requires SSL, use it
-        if (env.getProperty(Environment.GUACD_SSL, false))
-            socket = new ConfiguredGuacamoleSocket(
-                new SSLGuacamoleSocket(hostname, port),
-                config, info
-            );

-        // Otherwise, just connect directly via TCP
-        else
-            socket = new ConfiguredGuacamoleSocket(
-                new InetGuacamoleSocket(hostname, port),
-                config, info
-            );
+        // Determine socket type based on required encryption method
+        switch (proxyConfig.getEncryptionMethod()) {
+
+            // If guacd requires SSL, use it
+            case SSL:
+                socket = new ConfiguredGuacamoleSocket(
+                    new SSLGuacamoleSocket(hostname, port),
+                    config, info
+                );
+                break;
+
+            // Connect directly via TCP if encryption is not enabled
+            case NONE:
+                socket = new ConfiguredGuacamoleSocket(
+                    new InetGuacamoleSocket(hostname, port),
+                    config, info
+                );
+                break;
+
+            // Abort if encryption method is unknown
+            default:
+                throw new GuacamoleServerException("Unimplemented encryption method.");
+
+        }

        return new SimpleGuacamoleTunnel(socket);