necouchman commented on PR #1028: URL: https://github.com/apache/guacamole-client/pull/1028#issuecomment-2418168816
> The current approach with the various `*-case-sensitive-usernames` properties is that the property dictates how the relevant extension handles username comparisons, regardless of how the authenticating extension may handle username comparisons. I think the only way to be consistent with that logic would be for `HistoryTrackingConnection` to honor only the value from the `*-case-sensitive-usernames` property of the extension that defines that instance of `HistoryTrackingConnection`.
> So, if I'm understanding what you're saying correctly, given the current way these properties are interpreted, `HistoryTrackingConnection` should pull the value from the `JDBCEnvironment`?
> I also think it would make sense to allow the authenticating extension to dictate how the identifiers it presents should be compared (`isCaseSensitive()`), but that would be different semantics from what we currently have here.
>
> To switch over to that approach, the other cases where case sensitivity is handled would need to be updated to honor `isCaseSensitive()` instead of relying purely on the configuration property, and care would need to be taken to make sure a case-insensitive authentication provider can't be used to escalate privileges (for example: by creating an unprivileged `GuAcAdMiN` user in some case-insensitive auth system, logging in as that user, and inheriting the permissions of `guacadmin`).
>
> The current approach is less automatic, but I think that's a Good Thing, since any change from the default, strict behavior must be explicitly requested by the admin.

Yeah, seems like this might be a future enhancement with a lot more thought and effort put into doing it safely and with as little surprise as possible.
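The escalation concern raised in the quoted text, as an added Java example that is not part of the comment or of Guacamole's code: the class name, method names and sample data are hypothetical and constructed for illustration. It resolves the same presented identifier under strict and case-insensitive comparison, and audits a set of names for collisions that appear once case is ignored.

```java
import java.util.*;

// Added illustration with hypothetical names; this is not Guacamole's API.
public class UsernameCaseDemo {

    // Case folding used for every case-insensitive comparison in this example.
    static String fold(String name) { return name.toLowerCase(Locale.ROOT); }

    /** Permission lookup whose comparison policy is the local extension's own setting. */
    static Set<String> permissionsFor(Map<String, Set<String>> store, String presented,
                                      boolean caseSensitive) {
        if (caseSensitive)
            return store.getOrDefault(presented, Set.of());
        // Case-insensitive: every stored name that folds to the same key matches.
        Set<String> merged = new TreeSet<>();
        for (Map.Entry<String, Set<String>> e : store.entrySet())
            if (fold(e.getKey()).equals(fold(presented)))
                merged.addAll(e.getValue());
        return merged;
    }

    /** Audit: groups of identifiers that become one user once comparisons ignore case. */
    static Map<String, List<String>> collisions(Collection<String> names) {
        Map<String, List<String>> groups = new TreeMap<>();
        for (String n : names)
            groups.computeIfAbsent(fold(n), k -> new ArrayList<>()).add(n);
        groups.values().removeIf(g -> g.size() < 2);
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample data: locally stored users and their permissions.
        Map<String, Set<String>> store = Map.of(
            "guacadmin", Set.of("ADMINISTER"),
            "alice", Set.of("READ"));
        // Identifier as reported by a case-insensitive authenticating provider.
        String presented = "GuAcAdMiN";

        System.out.println("strict:   " + permissionsFor(store, presented, true));
        System.out.println("relaxed:  " + permissionsFor(store, presented, false));

        // Names from every source that would be compared once the setting is relaxed.
        List<String> all = new ArrayList<>(store.keySet());
        all.add(presented);
        System.out.println("collides: " + collisions(all));
    }
}
```

Running the collision audit across all identity sources before relaxing a `*-case-sensitive-usernames` property shows which distinct accounts would start sharing permissions.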
