WebAuth 4.3.0

The primary purpose of this release from a Stanford perspective is to add a way for the user information service to reject a login. We're going to use this to restrict users to a particular set of sites until they've completed security training, and to prevent them from going to other sites until they've finished prerequisites. This means changes to the protocol between the WebKDC and the WebLogin server and between the user information service and the WebKDC, as well as new support in the templates for expressing the error.

The most user-visible change is that mod_webauth and WebLogin both set the HttpOnly flag on cookies by default. mod_webauth has a new directive to turn this off if one has to.

The biggest change in the package is that I've continued my library refactoring and rewritten the Kerberos functions to use APR. They also take a WebAuth context and do proper error handling, rather than just using com_err, which should radically increase the quality of the errors. I took advantage of the opportunity to finish the OO conversion of the WebAuth Perl API and to remove and combine various Kerberos functions that weren't being used. While cleaning up the Kerberos API, I fixed a few small bugs.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Posted: 2012-08-06 21:40

Last spun 2013-07-01 from thread modified 2013-01-04