GUACAMOLE-956: Leverage HTTP header instead of query parameter for auth/session tokens. #649
… parameter when invoking REST API from client.
…n that does not specify the token within the URL.
d948c55 to 0597358
Looks pretty clean to me, just one minor wording issue in one of the comments.
guacamole/src/main/java/org/apache/guacamole/rest/RESTExceptionMapper.java
…st that resulted in an exception.
@mike-jumper how to implement this. I want to open the URL in a new tab with token in headers.
@iota-008: Please do not use merged pull requests as a discussion forum. This code was merged into version 1.4.0 - as long as you're running Guacamole Client 1.4.0 or later there is nothing you need to do to implement this.
@necouchman sorry! but where can I ask a question?
@iota-008: On the mailing lists:
@necouchman: I asked on the mailing list, but didn't receive any reply. I just have one question regarding this Guacamole-Token. Currently, I am just changing the URL to {guacServerUrl}/#/client/{connectionId}?{authToken}, passing the token in the query param, which directly connects to the VM. How to pass the token in header, I tried XMLHTTP get request but it is not working.
@iota-008 Yes, your post made it to the list, you'll just have to wait on someone to reply, there.
This change refactors the REST API to alternatively accept the authentication token via a `Guacamole-Token` header, and updates the JavaScript side of things to use that header instead of the old `token` parameter. The `token` parameter remains usable as an alternative means of submitting the token.
With the HTTP tunnel using the tunnel UUID as its own sort of session token (to allow the communication for the tunnel to span multiple HTTP requests), these changes also refactor the HTTP tunnel to decouple its internal concept of a session from the tunnel UUID, effectively removing the HTTP tunnel's token from the URL, as well.
The WebSocket tunnel has not been touched here. Part of the reason for this is that WebSocket does not provide for any means of submitting arbitrary headers along with the handshake, thus we must either continue to use the URL or use WebSocket messages. Arguably, continuing to use the WebSocket URL in this way is perfectly fine:
If we decide to change this, as well, I suggest we let that be a separate pull request.
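Added example, not part of this pull request or of Guacamole's code: a JavaScript sketch of the behaviour the description above outlines, with the token moved from the `token` query parameter into the `Guacamole-Token` header, a server-side lookup that still accepts the parameter, and a log redaction step for clients that keep using it. The function names, the request object shape, the header-first precedence and the sample URL are assumptions made for illustration.

```javascript
// Added example, not Guacamole source. "Guacamole-Token" and the "token"
// parameter come from the PR description; function names, request shape and
// header-first precedence are assumptions made for this sketch.
const TOKEN_HEADER = 'Guacamole-Token';
const TOKEN_PARAM = 'token';

// Client side: lift a token out of the query string into the request header.
function toHeaderRequest(rawUrl, headers = {}) {
  const url = new URL(rawUrl);
  const token = url.searchParams.get(TOKEN_PARAM);
  url.searchParams.delete(TOKEN_PARAM);
  const out = { ...headers };
  if (token) out[TOKEN_HEADER] = token;
  return { url: url.toString(), headers: out };
}

// Server side: accept the header, fall back to the legacy query parameter.
function extractToken(req) {
  for (const [name, value] of Object.entries(req.headers || {})) {
    // HTTP header names are case-insensitive.
    if (name.toLowerCase() === TOKEN_HEADER.toLowerCase() && value) {
      return { token: value, source: 'header' };
    }
  }
  const fromQuery = new URL(req.url).searchParams.get(TOKEN_PARAM);
  return fromQuery
    ? { token: fromQuery, source: 'query' }
    : { token: null, source: 'none' };
}

// Logging side: mask the token in URLs from clients still using the parameter.
function redactForLog(rawUrl) {
  const url = new URL(rawUrl);
  if (url.searchParams.has(TOKEN_PARAM)) {
    url.searchParams.set(TOKEN_PARAM, 'REDACTED');
  }
  return url.toString();
}

// Constructed sample request (host, path and token value are made up).
const SAMPLE_LEGACY_URL = 'https://guac.example/api/resource?token=CONSTRUCTED123&page=2';
const sampleMoved = toHeaderRequest(SAMPLE_LEGACY_URL);
console.log(redactForLog(SAMPLE_LEGACY_URL), '->', sampleMoved.url);
console.log(extractToken(sampleMoved).source, extractToken({ url: SAMPLE_LEGACY_URL }).source);
```

Because the URL is what ends up in access logs, browser history and `Referer` headers, the header form keeps the token out of all three, while `redactForLog` covers requests that still arrive with the parameter.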