WebAuth 4.4.3

WebAuth is the site-wide web authentication system that we use at Stanford. After a lot of time focusing on things at work other than coding, it's been my primary job for the past nine months or so, which has been a lovely change.

I wasn't planning on doing another 4.4 release and instead focusing on 4.5.0 (which is well underway and adds significant new features to multifactor support), but I kept finding bugs, including several that were quite embarrassing. So this is another bug-fix release, and hopefully the last one before 4.5.0.

Setting WebAuthTrustAuthzIdentity also enabled WebAuthDoLogout in the same scope (ever since that directive was added in 4.4.0). It's horribly embarrassing to have been writing C for more than 20 years and still manage to omit a break in a switch statement.
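As an added illustration of the bug class (this is example code, not mod_webauth's directive handler; the struct, enum and function names are made up for it), the buggy and fixed handlers side by side. The buggy one omits the break after the first case, so enabling only WebAuthTrustAuthzIdentity falls through and also turns on WebAuthDoLogout in that configuration scope. GCC's -Wimplicit-fallthrough (enabled by -Wextra since GCC 7) flags exactly this pattern at compile time.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a per-directory configuration; the field,
 * enum and function names are this example's own, not WebAuth's. */
struct dir_config {
    bool trust_authz_identity;   /* WebAuthTrustAuthzIdentity */
    bool do_logout;              /* WebAuthDoLogout */
};

enum directive {
    DIR_TRUST_AUTHZ_IDENTITY,
    DIR_DO_LOGOUT
};

/* Shape of the bug: no break after the first case, so a directive that
 * should only set trust_authz_identity also sets do_logout. */
static void apply_directive_buggy(struct dir_config *c, enum directive d,
                                  bool on)
{
    switch (d) {
    case DIR_TRUST_AUTHZ_IDENTITY:
        c->trust_authz_identity = on;
        /* missing break: execution continues into the next case */
    case DIR_DO_LOGOUT:
        c->do_logout = on;
        break;
    }
}

/* Fixed handler: every case ends in its own break. */
static void apply_directive_fixed(struct dir_config *c, enum directive d,
                                  bool on)
{
    switch (d) {
    case DIR_TRUST_AUTHZ_IDENTITY:
        c->trust_authz_identity = on;
        break;
    case DIR_DO_LOGOUT:
        c->do_logout = on;
        break;
    }
}

/* Does enabling only WebAuthTrustAuthzIdentity also enable logout? */
bool buggy_enables_logout(void)
{
    struct dir_config c = { false, false };
    apply_directive_buggy(&c, DIR_TRUST_AUTHZ_IDENTITY, true);
    return c.do_logout;
}

bool fixed_enables_logout(void)
{
    struct dir_config c = { false, false };
    apply_directive_fixed(&c, DIR_TRUST_AUTHZ_IDENTITY, true);
    return c.do_logout;
}

int main(void)
{
    printf("buggy handler: do_logout=%d\n", buggy_enables_logout());
    printf("fixed handler: do_logout=%d\n", fixed_enables_logout());
    return 0;
}
```

The two small probe functions are the kind of regression check that would have caught this before release: set one directive, then assert that only its own flag changed.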

Benjamin Coddington found another bug in authorization identity handling where if the user changed their authorization identity to match their authentication identity, their authentication would be rejected. We now detect that case and just discard the authorization identity if it's the same as the authentication identity.

There are multiple fixes in the mod_webauth logging of bad app tokens: expired app tokens are now logged with a proper message (and at info level rather than error), empty app tokens (created internally and therefore seen by subqueries before fixup to delete expired app tokens) are now just ignored, and invalid app tokens don't result in spewing binary strings into the Apache error log.
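As an added example (not mod_webauth's logging code), here is one way to structure the three fixes above: a classifier that maps empty, invalid and expired app tokens to the log action described in the paragraph, and a renderer that escapes non-printable bytes as \xNN and truncates long tokens, so a malformed token never puts raw binary into the Apache error log. The 64-byte cap, the function names and the message wording are this example's assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Cap on token bytes rendered into a log line (assumed for this example). */
#define LOG_MAX_TOKEN_BYTES 64

enum log_action { LOG_NONE, LOG_INFO, LOG_ERROR };

/* Map the conditions from the post to a log action:
 *   empty token   -> ignore silently
 *   invalid token -> error (the operator should see it)
 *   expired token -> info (routine, not an error)
 *   otherwise     -> nothing to log */
enum log_action classify_app_token(size_t len, int decoded_ok,
                                   time_t expires, time_t now)
{
    if (len == 0)
        return LOG_NONE;
    if (!decoded_ok)
        return LOG_ERROR;
    if (expires <= now)
        return LOG_INFO;
    return LOG_NONE;
}

/* Render raw token bytes for a log line: printable ASCII passes through,
 * anything else becomes \xNN, and long tokens are truncated with "...". */
const char *escape_token_bytes(const unsigned char *in, size_t len)
{
    static char out[LOG_MAX_TOKEN_BYTES * 4 + 4];
    size_t n = len < LOG_MAX_TOKEN_BYTES ? len : LOG_MAX_TOKEN_BYTES;
    size_t i, o = 0;

    for (i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (isprint(c) && c != '\\')
            out[o++] = (char) c;
        else
            o += (size_t) snprintf(out + o, 5, "\\x%02x", c);
    }
    if (len > n) {
        memcpy(out + o, "...", 3);
        o += 3;
    }
    out[o] = '\0';
    return out;
}

/* Build the log line for a token, or return NULL when nothing is logged. */
const char *app_token_log_line(const unsigned char *tok, size_t len,
                               int decoded_ok, time_t expires, time_t now)
{
    static char line[LOG_MAX_TOKEN_BYTES * 4 + 64];

    switch (classify_app_token(len, decoded_ok, expires, now)) {
    case LOG_INFO:
        snprintf(line, sizeof(line), "info: app token expired %lds ago",
                 (long) (now - expires));
        return line;
    case LOG_ERROR:
        snprintf(line, sizeof(line), "error: invalid app token: %s",
                 escape_token_bytes(tok, len));
        return line;
    case LOG_NONE:
    default:
        return NULL;
    }
}

int main(void)
{
    /* Constructed sample tokens; the "invalid" one contains binary bytes. */
    const unsigned char bad[] = "ab\x01\xff";
    const char *l;

    l = app_token_log_line(bad, 4, 0, 0, 1000);
    printf("%s\n", l ? l : "(nothing logged)");
    l = app_token_log_line((const unsigned char *) "good", 4, 1, 500, 1000);
    printf("%s\n", l ? l : "(nothing logged)");
    l = app_token_log_line((const unsigned char *) "", 0, 1, 2000, 1000);
    printf("%s\n", l ? l : "(nothing logged)");
    return 0;
}
```

Escaping at the point where bytes enter the log message, rather than trusting the caller, is the property that makes the "invalid token" path safe regardless of what a client sent.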

mod_webauthldap has, since the beginning, refused to add more than 127 values of a multivalued LDAP attribute to the environment. We ran into that limit with entitlements, so it's now been removed. This runs the risk of overflowing the environment, but I did some calculations, and it looks like you're going to have to try really hard and have impressively large multivalued attributes to create that problem. If it actually becomes a problem for someone, I'll add a configuration option.

There's also a syntax fix to the default WebLogin error template and a variety of minor bug fixes, mostly around error handling conditions, to correct problems caught by clang --analyze. (The current master branch gets a completely clean bill of health from clang --analyze using clang 3.0.)

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Posted: 2013-03-12 19:41

Last spun 2013-07-01 from thread modified 2013-03-13