WebAuth 4.5.4

WebAuth is the site-wide centralized web authentication system that we use at Stanford. This release is a bug-fix release for the central login server, mostly focused on multifactor authentication but also featuring a wide variety of random bug fixes. Going into this release, I filtered the Apache error logs on all of our production servers for a period of a month and then set out to fix every log anomaly or odd behavior pattern that I detected.

The most significant bug fix is to support for requiring non-password session factors. The code handled this entirely incorrectly, resulting in the user being stuck at the password authentication prompt and never able to proceed. It also cleans up several corner cases involving REMOTE_USER authentication to sites that require a Kerberos authenticator (such as for delegated credentials).

This release downgrades a mismatch of login credentials and a webkdc-proxy token (single sign-on credentials) to a log warning rather than a fatal error and just discards the non-matching single sign-on credentials. This case ideally shouldn't happen, but sometimes users share devices, and if they hit a site with forced login or session factors, it's easy for this case to arise.

WebLogin now retries the WebKDC POST once and ignores SIGPIPE errors to work around problems with signals from the FastCGI process manager. It also rewrites non-ASCII characters in XML from the WebKDC to work around XML validation errors created by non-ASCII characters in Kerberos error messages, pending a better fix on the WebKDC side. Password changes no longer go through the replay detection logic, which should not apply to them. Several error messages in WebLogin are now clearer.

The WebKDC now requires that the return URL in a WebAuth request be an absolute URL and not contain any non-ASCII characters.

A bug in the way that errors during the authentication process were reported has been fixed and should produce better error output for the user.

There are also a few other, more minor bug fixes, particularly to logging and error reporting.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Posted: 2013-08-16 19:27 — Why no comments?

Last spun 2013-08-29 from thread modified 2013-08-17