WebAuth 4.1.0

One of the drawbacks of our rollout of support for multifactor authentication at Stanford was that, due to various features that we wanted to support, every login through the central WebLogin servers required doing a user information query. Those queries are currently all going to a single server that hosts the relevant database, and therefore introduced a single point of failure into our carefully-designed robust system. I have long-term plans to move that database to a PostgreSQL cluster so that it can be distributed across redundant machines, but in the meantime we've had a few production outages when it was overwhelmed.

The first problem that had to be fixed was that the remctl client libraries didn't support timeouts. Release 3.1 of remctl addressed that problem, and this version of WebAuth now has a configuration directive to set a timeout (and defaults to the conservative timeout of thirty seconds).

The problem remains, though, since the default (and intended) behavior of the WebKDC is to fail the login if the user information service cannot be contacted. This is the only safe approch, since the user information service may indicate that the user must use multifactor regardless of the destination site preference, and without that information we may let them incorrectly proceed. However, in the current Stanford deployment, falling back on allowing just password when the user information service is down and the remote site hasn't expressed a preference makes more sense for right now, so there's now an Apache configuration directive to enable that behavior.

Those changes required an ABI break in the shared library, so I also cleaned up a few other things while I was there (although this is not yet the long-awaited refactoring of the library).

Finally, there are a few WebLogin error handling bug fixes, a fix to make use of new libremctl features to not leak small amounts of memory when making user information service queries, and new mod_webauth manual documentation of a bad security interaction between Apache and Tomcat URL parsing that affects all Apache security methods.

You can get the latest release from the official WebAuth site or from my WebAuth release page.

Posted: 2012-03-15 16:54 — Why no comments?

Last spun 2013-07-01 from thread modified 2013-01-04