WebAuth 4.0.0

This is the culmination of most of my work over the past three months, as well as quite a bit of work by other people here at Stanford. This is the first version of WebAuth to support multifactor authentication, and also contains a significant reworking of the WebLogin code to use more modern programming techniques.

This should be considered a beta-quality release. There will be at least one more release before we deploy this version in production for the WebKDC and WebLogin server at Stanford. The changes to add multifactor involved significant changes throughout the code base, and my recommendation would be to wait a while as we shake out any bugs and deploy the next release or the release after that.

The primary change, as mentioned, is addition of support for multifactor authentication, including conveying initial login and session authentication factors to the WebAuth Application Servers and from there into the environment for use by applications. WebAuth-protected sites can require particular authentication factors, or can require a (site-defined) level of assurance. This code depends on a user information service component that is specified in the documentation that comes with WebAuth, but for which we do not yet have a public implementation. We hope to add a simple version of this application as a separate software release in the near future.

The WebLogin code has been rewritten to use Template Toolkit (instead of HTML::Template) and to use CGI::Application. This will require many new Perl modules be installed on the WebLogin server, and will require rewriting all of one's local templates to use the Template Toolkit syntax, but allows for much more powerful templating.

Both the libwebauth C library and the Perl libraries are halfway through a rewrite in this version and will be changing substantially in the future, particularly in making much better use of APR throughout the C library.

There are some other, more minor changes. See the release notes for all the details.

You can get the latest version from the official WebAuth distribution pages or from my WebAuth distribution page.