Release documentation

• Manual
• guacamole-common
• guacamole-common-js
• guacamole-ext
• libguac

Release notes

The 1.4.0 release features support for connection tiling, broadcasting keyboard events across multiple connections, and authentication with encrypted and signed JSON. Established support for single sign-on has been improved, multi-touch support for RDP has been added, and problems with audio input support for RDP have been corrected. For a full list of all changes in this release, please see the changelog.

The 1.4.0 release is compatible with older 1.x components. You should upgrade older components to 1.4.0 when possible, however things should continue to work correctly in the interim:

• Extensions written for older 1.x releases can be used by 1.4.0.
• Components written for the version of the Guacamole protocol used by older 1.x releases can be used with components of the 1.4.0 release.

Regardless of inter-component compatibility, there are changes in 1.4.0 which may affect downstream users of Guacamole’s APIs. Please see the deprecation / compatibility notes section for more information.

Connection tiling and keyboard broadcasting

Multiple connections can now be displayed simultaneously within the same browser tab, automatically arranged in an even, tiled layout:

The currently-focused connection is indicated by a blue border, and the user can choose to focus any number of these tiled connections at the same time. If multiple connections are focused, keyboard interaction is broadcast across each of those connections.

Major fixes to RDP audio input support

Depending on the application in use within the remote desktop, Guacamole’s audio input support for RDP suffered from quality issues related to variability in audio buffer behavior and size. If the audio backend used by the application could not adjust for occasional bursts of audio packets, any audio packets received by the remote desktop that exceeded the remaining buffer space would be dropped, resulting in audible clicks/pops and faster-than-expected playback.

This has now been corrected. Guacamole will automatically throttle the amount of data it sends to the remote desktop to avoid running out of remote buffer space, ensuring the audio received by applications within the remote desktop is identical to the audio received by Guacamole via the browser.

RDP support for passing through multi-touch events

In addition to Guacamole’s established support for emulating a mouse on touch devices, multi-touch events may now be passed through to the remote desktop server when supported and enabled.

RDP supports multi-touch through its “RDPEI” channel. If touch is enabled on a Guacamole RDP connection, touch interaction with the Guacamole display will directly affect touch-enabled applications within the remote desktop session rather than being turned into mouse events.

Support for secondary SSO providers

Guacamole’s support for single sign-on has historically been all-or-nothing, with either all users using SSO to authenticate or none at all. This is no longer the case: Guacamole may now be configured to allow normal username/password authentication in addition to SSO, and multiple SSO providers may be used at the same time.

Whether an SSO authentication extension automatically takes effect for all users depends on whether that extension has priority, which can now be defined using the extension-priority property. For example, to automatically require SAML for all users, you would give the SAML extension priority above all others:

extension-priority: saml

Or, to allow username/password authentication and simply provide the option for users to use SAML, you would ensure that other extensions have priority:

extension-priority: *, saml

More information on using the extension-priority property and controlling the behavior of the supported SSO extensions can be found in the Guacamole manual:

• CAS Authentication
• OpenID Connect Authentication
• SAML Authentication

Support for authentication with encrypted, signed JSON

The “guacamole-auth-json” authentication extension, formerly a third-party project maintained by Glyptodon, has now been brought into Apache Guacamole as one of the project’s own extensions.

guacamole-auth-json allows external software to automatically authenticate and authorize users with an encrypted and signed JSON document. As long as the received JSON has not expired and was encrypted and signed with the correct key, it is accepted as sufficient verification that the user is authorized to access the resources described by that JSON.

For more information, see the documentation covering guacamole-auth-json in the Guacamole manual.

Changelog

User interface / platform

• Control caching of extension JS/CSS (GUACAMOLE-275)
• Provide option for broadcasting input events across multiple connections (GUACAMOLE-724)
• Migrate away from including auth token within REST API URLs (GUACAMOLE-956)
• Users/groups with identifiers containing slashes cannot be modified (GUACAMOLE-1261)
• Automatically enforce request size limits independently of reverse proxy (GUACAMOLE-1298)
• Unexpected errors during session expiration may block further expirations (GUACAMOLE-1299)
• Connection-specific history sorted in wrong order (GUACAMOLE-1366)
• Login appears to succeed if the webapp is entirely down (GUACAMOLE-1384)

Docker images

• Run Tomcat as reduced-privilege user (GUACAMOLE-890)
• Add account auto-create options to Docker (GUACAMOLE-1128)
• Add OPENID_MAX_TOKEN_VALIDITY environment variable (GUACAMOLE-1284)
• Correct non-fatal error in handling of OpenID configuration (GUACAMOLE-1316)

Authentication, integration, and storage

• Ensure logout works as expected when using SSO (GUACAMOLE-680)
• Allow for clearing TOTP Data in admin interface (GUACAMOLE-770)
• Non-DN usernames can no longer be used for search bind DN (GUACAMOLE-944)
• Provide configuration for filtering LDAP groups (GUACAMOLE-996)
• Allow QuickConnect extension to block certain parameters (GUACAMOLE-1025)
• Ignore non-relevant attributes for objects returned by LDAP queries (GUACAMOLE-1130)
• User profile information cleared after TOTP enrollment (GUACAMOLE-1199)
• Move guacamole-auth-json into the main project (GUACAMOLE-1218)
• Allow NAS IP address to be configured (GUACAMOLE-1252)
• Allow login with standard username/password when SSO is enabled (GUACAMOLE-1364)
• Add user-mapping.xml support for simple hashing with SHA-256 (GUACAMOLE-1391)
• Automatically focus TOTP field (GUACAMOLE-1397)
• Automatically detect MariaDB / MySQL driver (GUACAMOLE-1407)

Protocol support / guacd

• RDP clipboard uses incorrect newline characters (GUACAMOLE-478)
• Notify connecting client on unrecognized connection ID (GUACAMOLE-1047)
• Support server control instructions during handshake (GUACAMOLE-1048)
• VNC fails to connect to macOS (GUACAMOLE-1133)
• Add support for connecting to Kubernetes pods using exec (GUACAMOLE-1174)
• guacd cannot bind to IPv6 addresses (GUACAMOLE-1190)
• Disable caches that FreeRDP no longer considers supported (GUACAMOLE-1191)
• RDP audio input samples are dropped (GUACAMOLE-1201)
• Add support for RDP touch events (RDPEI) (GUACAMOLE-1204)
• Backslash not properly escaped in server-generated JSON (GUACAMOLE-1215)
• Add configuration option to specify WOL port (GUACAMOLE-1245)
• Support libuuid (util-linux) in addition to OSSP UUID (GUACAMOLE-1254)
• Correct double-free when built against FreeRDP 2.0.0-rc4 (GUACAMOLE-1259)
• Double-free may occur upon VNC disconnect (GUACAMOLE-1263)
• RDP file uploads may (still) be truncated to 32 bits (GUACAMOLE-1276)
• Legacy RDP encryption may fail with ERRINFO_DECRYPT_FAILED (GUACAMOLE-1283)
• Add support for forcing lossless compression of graphics (GUACAMOLE-1302)
• leave_handler is not correctly set (GUACAMOLE-1350)
• Map “meta” (Windows) key for RDP connections (GUACAMOLE-1386)

Internationalization

• Update Russian on-screen keyboard to allow input of Latin characters (GUACAMOLE-1055)
• Add Norwegian keymap for RDP (GUACAMOLE-1064)
• Update/improve French translation (GUACAMOLE-1160)
• Add support for Portuguese language (GUACAMOLE-1207)
• Update/improve Japanese translation (GUACAMOLE-1265)
• Dash and underscore in fr-be-azerty layout are swapped (GUACAMOLE-1277)
• Add support for Korean language (GUACAMOLE-1291)
• ”/” key in pt-br-qwerty layout incorrectly recognized as right Shift (GUACAMOLE-1305)
• Translation key for pending OpenID Connect redirect is mismatched (GUACAMOLE-1334)
• Update/improve Spanish translation (GUACAMOLE-1339)

Documentation

• Document branding process (GUACAMOLE-747)
• Add non-nullable modifiers to JSDoc parameter/return types where appropriate (GUACAMOLE-986)
• Document configuration of client_max_body_size for Nginx (GUACAMOLE-1060)
• Typo in documentation of mimetype parameter (GUACAMOLE-1185)
• “Verifying” repeatedly misspelled in libguac documentation (GUACAMOLE-1225)
• Migrate guacamole-manual away from DocBook (GUACAMOLE-1347)
• Usage documentation of guacNotification directive is incorrect (GUACAMOLE-1396)

General housekeeping and cleanup

• Creation of source .tar.gz fails on platforms with large group IDs (GUACAMOLE-503)
• Update webapp dependencies to latest stable and compatible versions (GUACAMOLE-773)
• Build fails against libvncclient 0.9.7 (GUACAMOLE-1227)
• Implement VerifyCertificateEx rather than VerifyCertificate (FreeRDP 2.3.1) (GUACAMOLE-1307)
• guacamole-client build fails against newer versions of JDK (GUACAMOLE-1317)
• Translation files contain unnecessary trailing whitespace (GUACAMOLE-1337)

Deprecation / Compatibility notes

Each 1.x release of Apache Guacamole should be compatible with components of older 1.x releases. This compatibility is intended at the Guacamole protocol level and at the extension level, but not necessarily at the API level. This means:

• Extensions from older 1.x releases should still work in binary form, but may need code changes before their source will build against a newer version of guacamole-ext.
• Software which uses the Guacamole protocol of an older 1.x release should still work.
• Software which uses libguac from an older 1.x release should still work by continuing to use the libguac from that release, as newer versions of libguac may not be API/ABI compatible. In the case of third-party protocol support plugins for guacd, this means that the guacd from that release must also be used. Compatibility with respect to libguac is represented by the soname.
• You should update to newer versions where applicable and when possible.

As of 1.4.0, the following changes have been made which affect compatibility with past releases:

Java API (guacamole-common) changes

GuacamoleHTTPTunnelServlet sessions are now decoupled from the GuacamoleTunnel UUID

The GuacamoleHTTPTunnelServlet internals have been improved to entirely decouple the concept of the tunnel UUID (as returned by getUUID()) from the concept of the HTTP tunnel session. The HTTP tunnel now instead generates its own random session identifier that is independent of the UUID.

Internal, UUID-specific functions of GuacamoleHTTPTunnelServlet like registerTunnel() and deregisterTunnel() have been deprecated in favor of versions of these functions that do not assume the tunnel will be identified by its UUID. It is not common to use these functions in subclasses of GuacamoleHTTPTunnelServlet. Any such usages should continue to work, but should be migrated to the new versions of these functions when possible.

• GUACAMOLE-956 - Migrate away from including auth token within REST API URLs

Extension API (guacamole-ext) changes

Default LocalEnvironment constructor is now deprecated

To facilitate automatic retrieval of guacamole.properties values from key vaults, the Environment interface has been improved to allow arbitrary sources of properties to be added, and the LocalEnvironment implementation has been updated to be a singleton. New usages should invoke LocalEnvironment.getInstance() instead of manually creating new instances.

Old usages of the default constructor will still work as expected, but will produce a compile-time warning about deprecation. The old default constructor will still create a new LocalEnvironment instance, however this new instance will actually transparently delegate to the LocalEnvironment.getInstance() singleton.

Note that while completion of vault support has been bumped to the next release, this core API improvement is still present on 1.4.0.

• GUACAMOLE-641 - Support storage of sensitive data within key vaults

libguac API changes

touch_handler added to guac_user structure

To allow multi-touch events to be passed through from client to server where supported, an additional touch instruction has been defined within the Guacamole protocol to represent the state of an individual touch. A new handler, touch_handler, is now present within the guac_user structure to allow this instruction to be handled when received from the client. This change affects the in-memory size of the guac_user structure.

Downstream usages of libguac which make use of guac_user will need to be rebuilt to ensure that the structure sizes and memory offsets used are correct.

• GUACAMOLE-1204 - Add support for RDP touch events (RDPEI)

guac_wol_wake() now accepts a UDP port parameter

The guac_wol_wake() function now accepts an additional parameter defining the UDP port to be used for the magic packet. This change affects the formal arguments of guac_wol_wake().

Downstream usages of libguac which make use of guac_wol_wake() will need to be updated to include the port number and rebuilt. The UDP port used previously for all calls to guac_wol_wake() was 9, as defined by the GUAC_WOL_PORT constant.

• GUACAMOLE-1245 - Add configuration option to specify WOL port