Restrict user by IP

Suncatcher16
I want to restrict certain users of Guacamole by IP address. In particular, I want guacadmin (the user with admin privileges) to be able to access Guacamole (settings) only from the LAN, whilst other users (with standard privileges) can access it from the Internet too.
I didn't find an appropriate setting in the config. Is this possible at the Guacamole level? Or should I set this up in Tomcat?

Re: Restrict user by IP

Mike Jumper
On Sun, Jun 18, 2017 at 11:49 PM, Suncatcher16 <[hidden email]> wrote:
> I wanna restrict certain users of Guacamole by IP-address. In particular, I
> want *guacadmin* (user with admin privileges) can access Guacamole
> (settings) only from LAN, whilst other users (with standard privileges) can
> access from Internet too.
> I didn't find appropriate setting in config. Is this possible on
> Guacamole-level? Or should I set up this in Tomcat?


There is no setting for this, but you can write an extension which provides such behavior.

If you implement an AuthenticationProvider which does not attempt to authenticate users (returns null for authenticateUser()), you can leverage getUserContext() to veto the authentication result of other extensions. Any exception thrown within getUserContext() will result in the entire authentication process being canceled and the user auth attempt rejected. From within getUserContext(), you can check the IP address of the request using the Credentials object associated with the AuthenticatedUser.

- Mike
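
A sketch of the veto approach described in the reply above, added here as an example; it is not part of the original post and is not Guacamole project code. It assumes the guacamole-ext API of Guacamole 1.0.0 or later (`AbstractAuthenticationProvider`, `Credentials.getRemoteAddress()`); the package, class name, provider identifier and the "LAN" definition (site-local or loopback addresses) are hypothetical choices.

```java
package org.example.guacamole; // hypothetical package name

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.UserContext;

public class LanOnlyAdminProvider extends AbstractAuthenticationProvider {

    // Accounts that may only sign in from the LAN (assumed list for this example)
    private static final Set<String> LAN_ONLY = Collections.singleton("guacadmin");

    @Override
    public String getIdentifier() {
        return "lan-only-admin"; // hypothetical identifier
    }

    // authenticateUser() is inherited and returns null, so this provider never
    // authenticates anyone itself; it only inspects users that another
    // extension has already authenticated.

    @Override
    public UserContext getUserContext(AuthenticatedUser user) throws GuacamoleException {
        String address = user.getCredentials().getRemoteAddress();
        // Throwing here cancels the whole authentication attempt
        if (LAN_ONLY.contains(user.getIdentifier()) && !isLan(address))
            throw new GuacamoleSecurityException("Login not permitted from this address.");
        return null; // allowed: contribute no data of our own
    }

    // Fails closed: a missing or unparsable address is treated as non-LAN
    static boolean isLan(String address) {
        if (address == null || address.isEmpty())
            return false;
        try {
            // For an IP literal this parses the address without a DNS lookup
            InetAddress ip = InetAddress.getByName(address);
            return ip.isSiteLocalAddress() || ip.isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```

If Guacamole sits behind a reverse proxy, the address seen here is the proxy's unless Tomcat is configured to pass the client address through (for example with its `RemoteIpValve`), in which case every login would look like a LAN login.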


Re: Restrict user by IP

Suncatcher16
Mike Jumper wrote
> There is no setting for this, but you can write an extension which provides
> such behavior.
>
> Mike

You mean Tomcat extension?

Re: Restrict user by IP

Mike Jumper


On Jun 21, 2017 09:55, "Suncatcher16" <[hidden email]> wrote:
> Mike Jumper wrote
>> There is no setting for this, but you can write an extension which
>> provides such behavior.
>>
>> Mike
>
> You mean Tomcat extension?

No, a Guacamole extension.

Tomcat will only be aware of the address of the request, not the fact that the request is meant for authentication, nor the username associated with that request. Only Guacamole will be aware of the full context.

- Mike
