
I'm looking to implement HTTP header authentication with Apache Guacamole 1.5 but I'm struggling to figure out how to make it secure.

From the doco: "All external requests must be properly sanitized if this extension is used. The chosen HTTP header must be stripped from untrusted requests, such that the authentication service is the only possible source of that header. If such sanitization is not performed, it will be trivial for malicious users to add this header manually, and thus gain unrestricted access."

The scenario is Server A running Apache2/PHP and Server B running Tomcat9/Guacamole.

As I understand it, a user authenticates to server A, their username is passed in the header to server B, and they are logged into Guacamole. So far so good. But unless there are some security checks, anyone can pass a username in the header and get logged in.

I reckon I could do this pretty easily with PHP using a shared key and checking it exists in requests to server B.

But I'm not much with Java and really not sure how to do this.

I'd appreciate any insights.

johnoathome
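One way to meet the sanitization requirement quoted from the documentation, as an added example that is not from the original post or from the Guacamole project: Apache on server A authenticates the user, discards any copy of the header the client sent, sets it from the identity Apache itself verified, and only then proxies to Tomcat on server B. It assumes Apache 2.4.10+ with mod_headers, mod_proxy_http and mod_auth_basic enabled, a hypothetical header name X-Remote-User, a hypothetical hostname and backend address, and that Tomcat on server B is reachable only from server A (loopback or a firewalled port), since a Tomcat port open to the network would let the header be sent directly and bypass this whole setup.

```apache
# Added example vhost on server A (hostnames, paths and addresses are placeholders).
<VirtualHost *:443>
    ServerName guac.example.com
    # TLS directives omitted for brevity.

    <Location /guacamole/>
        # Authenticate every request here. Swap in the auth module you
        # actually use (LDAP, OIDC, etc.); Basic auth is just the simplest.
        AuthType Basic
        AuthName "Guacamole"
        AuthUserFile /etc/apache2/guacamole.htpasswd
        Require valid-user

        # 1. Strip any client-supplied copy of the header, so the only
        #    value Tomcat ever sees is the one Apache sets below.
        RequestHeader unset X-Remote-User

        # 2. Set the header from the authenticated identity. REMOTE_USER
        #    is only populated once "Require valid-user" has succeeded,
        #    so unauthenticated requests never reach Tomcat with it.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

        # 3. Forward to Tomcat on server B over the private network.
        ProxyPass        http://10.0.0.2:8080/guacamole/
        ProxyPassReverse http://10.0.0.2:8080/guacamole/
    </Location>
</VirtualHost>
```

On server B, point the header-authentication extension at the same header name with `http-auth-header: X-Remote-User` in guacamole.properties (the extension defaults to REMOTE_USER if the property is omitted). With this layout no shared key in PHP is needed: the trust boundary is that only Apache can reach Tomcat, and Apache never forwards a header it did not set itself.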
