User-Visible WebAuth Changes

WebAuth 4.7.0 (2014-12-10)

Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED, and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login error code. Various combinations of recent MIT and Heimdal with different KDCs return these error codes if the password is incorrect.

Added new fields to the userinfo service parsing and the WebLogin handling. These allow for a more complicated multifactor configuration to be passed along from the user information service, with multiple possible multifactor devices and one default.

Give a validation remctl command its own timeout error, so that a failure to respond to validation is handled differently than any other timeout failure. This is done so that we can handle out-of-band multifactor methods, such as a phone call. Previously that would show up in WebLogin as a generic WK_ERR_UNRECOVERABLE_ERROR.

Ability to use JSON rather than XML for the user information service's return values. This is activated with the WebKdcUserInfoJSON configuration directive.

Refactored the userinfo code to separate remctl support, XML parsing, and JSON parsing into separate source files for readability.

WebAuth 4.6.1 (2014-07-23)

Support for AuthType StanfordAuth (for backward compatibility with WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to reject all accesses to resources protected with that AuthType. This has been fixed in this release.

Add a new configuration directive, WebKdcFastArmorCache, for mod_webkdc. If set, this specifies the path to a Kerberos ticket cache that can (and must) be used for FAST (Flexible Authentication Secure Tunneling) protection of Kerberos password authentications. The Kerberos KDC must also support FAST in order to safely enable this option. Based on a patch by Jakob Uhd Jepsen (One.com A/S).

Fix parsing of the WebKdcKerberosFactors configuration directive.

Add a new webauth_krb5_set_fast_armor_path interface to libwebauth that allows configuring a path to a FAST armor ticket cache before authenticating with a password.

Show the expiring password warning in WebLogin if the browser request was a POST. Previously, it was skipped if the user had a REMOTE_USER preference or if the browser presented a single sign-on cookie. This was too conservative, not warning in cases when REMOTE_USER failed, when the browser presented an expired single sign-on cookie (systems that are suspended rather than shut down, for example), and when the user has to do multifactor authentication. Checking for a POST is a closer match for when we can force a confirmation screen without too much user disruption.

When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot contact any KDC for realm) as a user rejected error instead of a Kerberos error. This avoids returning an internal error from WebLogin and instead tells the user the username is invalid. This is not always correct, since the unreachable KDC could be the local KDC, but it's better than the previous behavior of throwing internal errors when users enter email addresses as their username.

Translate an EINVAL error from the Kerberos libraries during password authentication to an incorrect password error code. Older versions of MIT Kerberos returned EINVAL for excessively long passwords.

In WebLogin, verify that the username form field was sent before attempting to do multifactor operations and return an error if it isn't, avoiding undefined variable warnings and other errors deeper in the WebLogin code.

Allow newlines, carriage returns, and tabs in the XML sent from the WebKDC to the WebLogin server rather than replacing them with periods. This fixes the display of <user-message> elements that contain newlines.

If a user may switch to a different authorization identity, force display of the confirmation page in WebLogin even if this is normally disabled. Otherwise, there is no opportunity for the user to change identities.

Diagnose empty RT or ST parameters to WebLogin and return the same error as when those parameters are missing entirely.

Fix compilation when remctl support is not enabled.

Add new factors mp (mobile push) and v (voice), which count as separate classes for determining multifactor. This means the combination of either of those factors with a factor from any other class will result in a synthesized multifactor factor.

Warn in the mod_webauth documentation that, when using credential delegation to a load-balanced pool, all members of that pool must have the same Kerberos identity.

Update to rra-c-util 5.5:

Update to C TAP Harness 3.1:

WebAuth 4.6.0 (2014-03-18)

WARNING: When upgrading to this release, you will need to change the ownership of the mod_webauth keyring file (named in the WebAuthKeyring Apache directive) to the user and group the Apache child processes run as. (This is controlled by the User and Group Apache directives and is often something like www-data.) Previous versions would create this file readable only by root, but, as of this release, it must be readable and writable by the Apache child processes.

mod_webauth supports a new configuration directive, WebAuthCookiePath, which scopes all cookies set by mod_webauth to the given path. This allows separate sections of the same virtual host to be treated as independent for authentication purposes. This can be useful when controlling factor restrictions via the user information service. When using this directive with a logout link, be sure that the logout configuration (WebAuthDoLogout) is subject to the same WebAuthCookiePath directive or it will not work properly. Be aware that the current version of mod_webauth does not correctly handle receiving multiple cookies with the same name from the browser. When using this directive, ensure that all WebAuth-protected portions of the site use this directive and none of the scopes are overlapping.

WebAuthOptional should now work properly with Apache 2.4. Thanks to Benjamin Coddington for the patches.

Don't delete notes in mod_webauth after using them for authentication in case the authentication is happening in a subrequest and the parent request has not yet completed. Deleting the note could cause two redirects to WebLogin due to an ordering issue when processing notes and subrequests. Patch from Benjamin Coddington.

mod_webauth and mod_webkdc now maintain separate in-memory keyrings per virtual host, and the WebAuthKeyring, WebKdcKeyring, and related directives are now correctly honored in the virtual host configuration and can be meaningfully set to different values. This allows the modules to work properly with the ITK MPM with separate keyrings owned by different users for each virtual host so that proper privilege separation between virtual hosts is maintained. When using the modules in this configuration, configure each virtual host with WebAuthKeyring or WebKdcKeyring directives pointing to separate keyring files writable by the user that virtual host will use. Thanks to Vegard Edvardsen for the patch.

Be even more thorough in telling browsers not to cache responses from WebLogin, redirects and logout pages from mod_webauth, and any page marked with WebAuthDontCache. Add private and max-age=0 to the existing Cache-Control headers, add Vary: *, and (for WebLogin pages) set an expiration time in the past.
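As an added illustration (not WebAuth code; WebAuth itself is C and Perl), the following Python builds the anti-caching header set described above and checks an arbitrary response's headers against it, the kind of check one would run on a WebLogin server after an upgrade. The base Cache-Control directives no-cache and no-store are an assumption, since the entry above only names what was added to them.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Assumed base directives: no-cache, no-store. The entry above only states
# that private and max-age=0 were added to whatever was already sent.
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def anti_cache_headers():
    """Header set a page that must never be cached should send."""
    return {
        "Cache-Control": "no-cache, no-store, private, max-age=0",
        "Vary": "*",
        "Expires": format_datetime(_EPOCH, usegmt=True),  # a time in the past
    }


def cache_control_directives(value):
    """Parse 'a, b=1, c="x"' into {'a': None, 'b': '1', 'c': 'x'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def caching_problems(headers, now=None):
    """Return a list of ways `headers` fall short of the set above.

    Header names are matched case-insensitively; an empty list means the
    response carries every directive the entry above describes."""
    now = now or datetime.now(timezone.utc)
    h = {name.lower(): value for name, value in headers.items()}
    problems = []
    cc = cache_control_directives(h.get("cache-control", ""))
    for directive in ("no-cache", "no-store", "private"):
        if directive not in cc:
            problems.append(f"Cache-Control lacks {directive}")
    if cc.get("max-age") != "0":
        problems.append("Cache-Control max-age is not 0")
    if h.get("vary", "").strip() != "*":
        problems.append("Vary is not *")
    expires = h.get("expires")
    if expires is None:
        problems.append("no Expires header")
    else:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            problems.append("Expires is not a valid HTTP date")
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when >= now:
                problems.append("Expires is not in the past")
    return problems


if __name__ == "__main__":
    # Constructed sample: a response that only sends the older header set.
    weak = {"Cache-Control": "no-cache, no-store", "Expires": "Thu, 01 Jan 2099 00:00:00 GMT"}
    print(caching_problems(weak))
    print(caching_problems(anti_cache_headers()))  # []
```

Feed the function the header dictionary from an HTTP client of your choice; the directive parser handles quoted arguments and mixed case so a conforming but differently formatted Cache-Control line is not flagged.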

webauth_keyring_write and webauth_keyring_auto_update now lock the keyring, using a separate lock file named by appending ".lock" to the name of the keyring. This applies to the keyrings used by mod_webauth, mod_webkdc, and the wa_keyring utility and ensures that only one process attempts to update a keyring at the same time. These functions continue to use atomic replacement on all writes, and no locks are used for reading the keyring.

WebAuth keyring updates via either mod_webauth's and mod_webkdc's auto-update support or via wa_keyring now preserve the keyring ownership and permissions where possible, with the exception that the permissions are not preserved if the old permissions included group access and the group ownership could not be preserved.
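The two entries above describe a write discipline worth seeing end to end: serialise writers on a sidecar ".lock" file, never lock readers, replace the keyring atomically, and carry the old ownership and permissions across, dropping group bits if the group cannot be kept. The following Python is an added example of that discipline, not libwebauth or wa_keyring code; the keyring is treated as opaque bytes and the real on-disk format is not modelled.

```python
import fcntl
import os
import stat
import tempfile


def write_keyring_atomically(path, data):
    """Replace the keyring file at `path` with `data` (opaque bytes).

    Writers serialise on a lock file named by appending ".lock" to the
    keyring name. The new contents go to a temporary file in the same
    directory and are renamed over the old file, so readers, which take
    no lock, always see a complete old or new keyring. Returns a dict
    recording what could be preserved from the previous file.
    """
    lock_path = path + ".lock"
    outcome = {"group_preserved": None, "mode_preserved": None}
    # Holding the open descriptor holds the lock. flock is advisory, so
    # every writer (auto-update in the modules and the command-line tool)
    # has to take it; the lock is released when lock_fh is closed.
    with open(lock_path, "ab") as lock_fh:
        fcntl.flock(lock_fh.fileno(), fcntl.LOCK_EX)
        try:
            old = os.stat(path)
        except FileNotFoundError:
            old = None
        directory = os.path.dirname(path) or "."
        fd, tmp_path = tempfile.mkstemp(prefix=".keyring.", dir=directory)
        try:
            with os.fdopen(fd, "wb") as tmp:
                tmp.write(data)
                tmp.flush()
                os.fsync(tmp.fileno())
            if old is None:
                os.chmod(tmp_path, stat.S_IRUSR | stat.S_IWUSR)  # fresh keyring: owner only
            else:
                _preserve_ownership_and_mode(tmp_path, old, outcome)
            os.replace(tmp_path, path)  # atomic rename within one filesystem
        except BaseException:
            os.unlink(tmp_path)
            raise
    return outcome


def _preserve_ownership_and_mode(tmp_path, old, outcome):
    """Copy owner, group and permission bits from the previous keyring.

    An unprivileged process may only assign a group it belongs to. If the
    group cannot be carried over, the group permission bits are dropped
    rather than granted to whatever group the temporary file received.
    """
    mode = stat.S_IMODE(old.st_mode)
    group_preserved = True
    try:
        os.chown(tmp_path, old.st_uid, old.st_gid)
    except PermissionError:
        try:
            os.chown(tmp_path, -1, old.st_gid)  # keep at least the group
        except PermissionError:
            group_preserved = False
    if not group_preserved and mode & stat.S_IRWXG:
        mode &= ~stat.S_IRWXG
        outcome["mode_preserved"] = False
    else:
        outcome["mode_preserved"] = True
    outcome["group_preserved"] = group_preserved
    os.chmod(tmp_path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "keyring")
        print(write_keyring_atomically(p, b"constructed keyring bytes v1"))
        os.chmod(p, 0o640)  # simulate a site that grants group read
        print(write_keyring_atomically(p, b"constructed keyring bytes v2"))
```

Two details matter for the privilege-separation setups described elsewhere in this release: the temporary file must live in the keyring's own directory (rename is only atomic within one filesystem), and the lock file is created beside the keyring, so the directory itself must be writable by the user that rotates keys.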

Use the authenticated identity returned by the WebKDC as the username for multifactor authentication in WebLogin rather than preserving what the user originally typed. The WebKDC may have done Kerberos canonicalization and aname to localname mapping.

The WebAuth Kerberos API now supports Kerberos password change via the remctl protocol, which is more robust than the kpasswd protocol when password changes can take some time. This can be configured via the new webauth_krb5_change_config function. The remote remctl server must provide a command and subcommand that takes a single argument, the new password, and changes the password for the authenticated principal that sent the command.

The WebAuth::Krb5 change_password function now takes an optional args parameter that can be used to set the same configuration that can be set with webauth_krb5_change_config.

WebLogin now supports using the remctl-based password change protocol instead of kpasswd. This is controlled by setting $PASSWORD_CHANGE_HOST and several other variables in the WebLogin configuration. See docs/weblogin-config for more information.

Set the correct template variable when the code field is left blank on the WebLogin multifactor form.

Map unknown realm and invalid principal errors during Kerberos authentication in mod_webkdc to WA_PEC_USER_REJECTED instead of a generic Kerberos error. This will display a more accurate error message to the user of WebLogin instead of a generic internal error message.

Correct a bug in the workaround for parsing of invalid XML from the WebKDC in WebLogin that caused it to not be effective.

Log a more detailed error message on WebAuth exceptions during WebLogin password change.

Fix configure probes for OpenSSL on platforms without transitive shared library dependencies.

Update to rra-c-util 5.3:

Update to C TAP Harness 3.0:

WebAuth 4.5.5 (2013-08-28)

Fix replay detection in WebLogin to use the same memcached object naming convention when registering authentications and when checking for a previous authentication.

If the login is rejected by the user information service, WebLogin now displays a more specific error instead of the generic "something went wrong" error page.

If a multifactor authentication is rejected by the validation service, the user is now returned to the multifactor authentication screen and the error message is provided to the template, rather than taking the user to a dead-end error page with a generic error.

If enabled, rate limiting and replay detection are also applied to the multifactor login page in addition to the password login page.

Support remembering that the user has been sent an SMS message already when redisplaying the multifactor login page after an error. For this to work properly, local templates will have to be updated to set the form parameter multifactor_sentauth if an SMS message has already been sent. See the sample multifactor.tmpl file for an example.

WebAuth 4.5.4 (2013-08-16)

If the user presents a login token for one user and a webkdc-proxy token for a different user, or, more generally, mismatched webkdc-proxy tokens, ignore and log the mismatched webkdc-proxy token rather than rejecting the authentication with a fatal error. While this case ideally should not happen, in practice it's not uncommon for users sharing devices to attempt authentication (due to session factor requirements or forced login) while still possessing webkdc-proxy tokens for another user, and rejecting the authentication instead of replacing the older webkdc-proxy token does nothing to improve the situation.

Fix handling of non-password session factors. Requiring any session factor other than password, for users using password authentication, resulted in the user being repeatedly presented with the password login page because mod_webkdc did not notice the password session factor and continued to ask for a multifactor authentication. The logic is still not entirely correct for users who use non-password initial authentication factors; that will be fixed in a subsequent release.

Improve handling of required initial factors when users have a way to establish initial credentials that don't include password. mod_webkdc now returns a forced login error instead of multifactor required if the user's initial factors don't satisfy the request and don't contain a password factor.

If a password authentication is required in order to obtain a Kerberos authenticator, return that error in preference to a multifactor required error. This ensures that the password authentication page happens first, preserving expected user page flow, and fixes various errors and loops caused by detecting this problem after the successful second factor authentication.

If the WebLogin post to the WebKDC fails, retry once. It's common for the POST to be interrupted by a signal from the FastCGI process manager trying to shut down the login.fcgi process, in which case retrying will succeed and allow completion of the request before shutting down.

Produce more succinct and hopefully still useful error messages when WebLogin cannot POST to the WebKDC.

Ignore SIGPIPE signals in the WebLogin scripts, fixing unexpected failures and subsequent FastCGI problems when run under mod_fastcgi.

mod_webkdc now requires that the return URL in a request token be an absolute URL and not contain any non-ASCII characters. The latter check avoids error messages and later problems with WebLogin template processing.

Fix the WebLogin replay detection logic to not attempt to trigger during password changes, which do not have request tokens.

Work around problems with WebLogin parsing of the XML returned from the WebKDC when a user attempts an authentication using a non-ASCII principal name. This results in invalid XML that XML::Parser cannot parse. The proper fix is to catch this on the WebKDC side, but, as an interim measure, replace non-ASCII characters in the WebKDC reply with periods so that reply processing can continue.

Improve error reporting of unparsable XML received by the WebLogin server from the WebKDC.

Fix logging of mod_webkdc <requestTokenRequest> failures.

Fix the webauth/webkdc.h header prototype for webauth_user_validate to correctly allow the user state parameter to be NULL.

Log (at the info level) whenever mod_webkdc ignores expired webkdc-factor or webkdc-proxy tokens passed to <requestTokenRequest>.

Display more correct errors after less common failures during the second step of a multifactor login.

Correctly diagnose a missing service token in a WebLogin request and return the correct error page rather than an internal error.

All Perl modules now have a version that matches the release of WebAuth from which they came, with zeroes added so that the version numbers will sort properly. For example, the version number of each Perl module included in WebAuth 4.5.4 is 4.0504.

Update to rra-c-util 4.9:

Update to C TAP Harness 2.2:

WebAuth 4.5.3 (2013-05-15)

SECURITY: Reset all header contents between WebLogin requests, fixing problems introduced in WebAuth 4.4.1 when WebLogin began using a persistent CGI::Application object with FastCGI. WebLogin installations that used FastCGI and the $REMUSER_REDIRECT setting in webkdc.conf could fail with infinite redirect loops or leak security information, such as single sign-on cookies, from one authenticated user to another. (CVE-2013-2106)

WebAuth 4.5.2 (2013-05-14)

WebLogin now supports preserving the remember_login setting on the login page after a failed authentication, instead of resetting the checkbox to the default. Taking advantage of this support requires local template changes. See the sample login.tmpl file for an example of how to write the template.

Fix clearing of account authentication attempts (for lockout) following a successful authentication.

Fix setting cookies on the WebLogin error page so that single sign-on cookies are still correctly created.

WebLogin no longer erroneously clears single sign-on and persistent factor cookies when redirecting the user to test for session cookie support.

WebAuth 4.5.1 (2013-05-01)

Fix bugs in the remember_login feature introduced in WebAuth 4.5.0 that would cause WebLogin to discard all single sign-on cookies in the default configuration and many other common situations. WebLogin should now reliably respect the value sent by the form, and should retain single sign-on and persistent factor cookies in situations where there is no opportunity for local templates to send a default setting.

Sites that wish to add the new UI element to the login page that allows the user to control whether single sign-on cookies are created will need to preserve the remember_login setting as a hidden form variable in any local confirm, multifactor, and pwchange templates. See the sample templates for examples.

The remember_login setting is now preserved through a forced password change due to an expired password. This, as with all the remember_login changes, requires updates to any local templates.

WebLogin now passes any user information message returned by the user information service to the confirm template as well as the multifactor authentication template. This allows the <userinfo> element in the user information service reply to be used to pass arbitrary information to the end user through the WebKDC and WebLogin components.

Avoid re-creating WebAuth cookies other than single sign-on cookies during WebLogin cookie processing, which fixes some corner-case bugs when the WebLogin server and WAS are on the same host.

Fix a few minor bugs in the installable mod_webauth test suite.

WebAuth 4.5.0 (2013-04-26)

The change in interpretation of WebAuthForceLogin introduced in 4.4.0 has been reverted, and WebAuthForceLogin once again requires that the user perform an authentication that results in a login token (either password or OTP). This seems more generally useful than making this directive largely redundant with WebAuthRequireSessionFactor. Add a caution in the documentation explaining that this will not work well with authorization identities in most environments.

WebLogin now supports login form templates that allow the user (or the template) to indicate whether single sign-on cookies (and any persistent factor cookies) should be retained after authentication. The fallback, if the HTML form doesn't send a value, is controlled by the new $REMEMBER_FALLBACK configuration option. The default is to not do single sign-on, but the default login template sets the form parameter to enable single sign-on. This will require template updates when upgrading. If configured not to set single sign-on cookies, WebLogin will only retain single sign-on cookies and persistent factor cookies long enough to complete the login process and will then discard them, reducing the risk of theft of authentication tokens when someone walks away from an untrusted computer.

Fix password change handling in WebLogin, which has been broken since 4.4.0 due to code changes for handling account lockout. Also fix reporting of the reason for a rejected password change, which has been broken since WebAuth 4.3.0.

Apache 2.4 error logging has been fixed for all modules to properly indicate the module name originating the message.

mod_webauth and mod_webkdc will now produce significantly better Apache error log messages with more context and details about the failure.

Initial multifactor no longer satisfies a random session multifactor requirement, correcting a long-standing bug in random multifactor handling.

mod_webauthldap supports a new WebAuthLdapOperationalAttribute directive that is the same as WebAuthLdapAttribute but searches the directory for operational attributes and adds them to the environment. Patch from William Orr.

WebLogin no longer supports obtaining the password expiration from a kadmin-remctl backend with a direct remctl call. Instead, it uses the password expiration time returned by the WebKDC, which in turn gets it from the user information service.

A new WebAuth confirmation page template variable is available, expire_timestamp, which includes the timestamp (in seconds since UNIX epoch) when the password will expire. This should be used instead of the old (and now deprecated) expire_date variable since it allows the time information to be localized. See the example confirm.tmpl file to see how to format this using Perl's Time::Duration module.

The WebKDC and WebLogin now support persistent cookies that add additional authentication factors to a successful authentication. This can be used to require multifactor authentication only from browsers that have not previously completed a multifactor authentication (similar to "remember this device" in various web services). The additional factors are stored in a new webkdc-factor token type and a new webauth_wft cookie. A persistent factor cookie is created when the user information service validation call for an OTP authentication returns a list of persistent factors. The validation service can indicate the lifetime of the cookie. The cookies will be re-encrypted in the current WebKDC private key on each interaction with WebLogin to prevent them from becoming invalid due to key rotation (although this does mean that they will become invalid over long periods of inactivity).

The user information service can invalidate all persistent factor tokens created before a particular timestamp by including a <valid-threshold> element in the userinfo reply.

WebLogin supports optionally warning the user when persistent factor tokens are about to expire. See the generic confirmation page template for an example of how to do this. The warning threshold can be configured in /etc/webkdc/webkdc.conf.

When the WebKDC calls the user information service, it now provides, as an additional parameter, the current initial authentication factors for the user. This can be used by the user information service to decide whether or not to require a multifactor authentication. This is most useful in combination with persistent factors; for example, the user information service can require multifactor authentication if the user didn't present a persistent factor token for the "d" (device) factor, indicating that device had previously authenticated with multifactor.

In addition to requiring a multifactor authentication, the user information service can now add a specific list of factors that will be required for this authentication. The user will be required to provide the union of this list and the list of factors requested by the WebAuth Application Server. Contributed by Benjamin Coddington.

The user information service can return a message to WebLogin for display in the multifactor authentication page. One possible use is for the user information service to tell the user why a multifactor authentication is required. Contributed by Benjamin Coddington.

The user information service (with both the userinfo and validate calls) can return an opaque login state string, which is passed to WebLogin and from there to the multifactor login template. The template can set the login state as a form variable and pass it back to the user information service validate function. This allows for multistep multifactor authentication using serialized data, allowing implementation of (for example) resynchronization of a hardware token. Contributed by Benjamin Coddington.

The user information service can now add factors to the user's authentication if the user successfully completed an interactive authentication (defined as one that involved WebLogin sending a login token, which in practice means an OTP or password authentication). The new "h" (human verification) factor has been added to the factor list for this purpose and counts as an additional factor for the purposes of satisfying multifactor. The intended use of this feature is to allow a local support desk to verify someone's identity out of band and then bless their authentications for a certain length of time as satisfying multifactor even if they've forgotten their second factor.
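Several entries in this release (factors added by the user information service, the "h" factor counting toward multifactor, the template receiving only the still-missing factors) and the 4.6.1 entry adding the mp and v classes all rest on the same rule: a multifactor factor is synthesized when the factors present span more than one class. The following Python is an added example of that rule, not the library's webauth_factors API. The factor codes come from this changelog; the grouping of codes into classes is an assumption of the example and may differ from the library's own table.

```python
# Factor codes named in this changelog: p (password), o/o1/o2/o3 (one-time
# password variants), x/x1 (X.509), h (human verification), mp (mobile push),
# v (voice), d (persistent device factor), m (multifactor), rm (random
# multifactor). The class grouping below is an assumption of this example.
FACTOR_CLASS = {
    "p": "password",
    "o": "otp", "o1": "otp", "o2": "otp", "o3": "otp",
    "x": "x509", "x1": "x509",
    "h": "human",
    "mp": "push",
    "v": "voice",
}
# d, m, rm and u carry no class: d records a past multifactor, m and rm are
# results of this computation, and u is unknown.


def synthesize_multifactor(factors):
    """Return the factor set with "m" added when at least two classes appear.

    Two factors of the same class (o1 and o3, say) stay single-factor;
    p plus h, p plus mp, or o1 plus v each become multifactor."""
    have = set(factors)
    classes = {FACTOR_CLASS[f] for f in have if f in FACTOR_CLASS}
    if len(classes) >= 2:
        have.add("m")
    return have


def required_factors(was_factors, userinfo_factors=()):
    """What the user must satisfy: the union of the WebAuth Application
    Server's request and anything the user information service added."""
    return set(was_factors) | set(userinfo_factors)


def missing_factors(have, was_factors, userinfo_factors=()):
    """Factors still to be provided, sorted for stable template output.

    This is the list the multifactor template receives as of 4.5.0, rather
    than the complete list of required factors."""
    needed = required_factors(was_factors, userinfo_factors)
    return sorted(needed - synthesize_multifactor(have))


if __name__ == "__main__":
    # Constructed scenario: the WAS wants password plus multifactor, the user
    # has only authenticated with a password, and the support desk has had
    # the user information service add the h factor for this login.
    print(missing_factors({"p"}, ["p", "m"]))          # ['m']
    print(missing_factors({"p", "h"}, ["p", "m"]))     # []
    print(missing_factors({"p"}, ["p"], ["o3"]))       # ['o3']
```

Because "m" is derived rather than stored, a site that adds a new factor class must also update the class table; a factor with no class never contributes to multifactor no matter what it is combined with.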

WebLogin and the multifactor authentication template now receive a list of which factors the user must provide but has not already provided, rather than a complete list of required factors. This is used to provide a better value for the factor_type template parameter for the multifactor login template. Contributed by Benjamin Coddington.

WebLogin can now tell the WebKDC what type of OTP was used for a multifactor authentication, if it knows, and the WebKDC will pass that information to the user information service validate call. Contributed by Benjamin Coddington.

The user information service can now indicate the expiration time of a webkdc-proxy token created via an OTP authentication by including an <expiration> element in its reply.

Errors contacting the user information service are now logged to the Apache error log by mod_webkdc even if it is configured to ignore those errors and continue as if no user information service is available.

webauth_factors is now a private data structure with a much richer C API for manipulating sets of factors. Several other internal APIs, particularly the ones related to the WebKDC login process or the user information service, take opaque webauth_factors structs instead of APR lists of factors.

mod_webkdc no longer supports obtaining proxy tokens with <getTokenRequest>. This was never used by WebAuth code and is conceptually useless.

The WebKDC login API now expects encrypted token strings rather than decrypted token structs as input and returns the error code, whether a protocol error or an internal error, rather than using a separate field in the response struct.

Diagnose undef arguments to various Perl WebAuth module functions implemented in XS and throw exceptions rather than segfaulting from a NULL pointer dereference.

Fix compilation error with Heimdal Kerberos libraries, introduced in WebAuth 4.4.0.

Update to C TAP Harness 2.1:

WebAuth 4.4.3 (2013-03-12)

Fix a coding error in the WebAuthTrustAuthzIdentity directive parsing that also enabled WebAuthDoLogout for the same scope.

If the user asserts an authorization identity equal to their authentication identity, discard the authorization identity in the WebKDC login process and continue as if they did not choose an authorization identity. This fixes a previously fatal error when the user selects their default identity in WebLogin (if, for example, they are trying to undo a previous choice of authorization identity). Thanks to Benjamin Coddington for the report.

Remove an arbitrary limit in mod_webauthldap on the number of values from a multivalued LDAP attribute that are put in the environment. Previous versions would only add the first 127 values, but there are some cases where one may want to see more values than that. This opens the possibility of overflowing the allowed size of the environment, but the maximum environment size is quite large on most modern operating systems.

Fix syntax error in the replay condition in the default WebLogin error template.

Ignore empty app cookies rather than logging an error saying they cannot be parsed. These are created internally by mod_webauth to remove expired cookies and may be seen by subrequests.

Log a more informative message in mod_webauth when the user's app cookie has expired instead of a generic parse error and downgrade it to the info level from error.

Stop logging the raw binary app token in mod_webauth when it cannot be decoded. This was old debugging code left over from fixing a problem in a much earlier version of WebAuth.

WebAuth 4.4.2 (2013-02-05)

Fix an occasional WebKDC crash (introduced in 4.4.0) when attempting to determine if an authentication is interactive.

Fix out-of-tree builds with --enable-webkdc. Some of the logic to ensure the Perl modules could build when the build directory was not the source directory had not been tested for a while.

WebAuth 4.4.1 (2013-01-31)

Add a new authenticate callback to the WebLogin configuration. If this function is present in webkdc.conf, it will be called for every user visit to WebLogin and may return the user's authentication information or an empty list to defer to normal handling. This can be used to extract authentication information from the full WebLogin environment; for example, it could map information about a successful client-side certificate authentication to an authentication identity.

When run under FastCGI, the WebLogin scripts now use a persistent CGI::Application object instead of recreating it for each query. This avoids reinitializing the Template Toolkit and reopening memcached connections for each query.

WebLogin and the WebAuth Perl bindings are now built with Module::Build instead of ExtUtils::MakeMaker. This should be transparent to anyone not working with the source code, but Module::Build and ExtUtils::CBuilder are now required to build the WebLogin code. They are included in Perl 5.10 or later and can be installed separately for older versions of Perl.

WebAuth 4.4.0 (2012-12-19)

The WebKDC and WebLogin server now support allowing a user to assert an authorization identity other than their own identity. This can be used to allow a user to access a test account on a particular WebAuth Application Server, pretend to be another user for testing or administrative reasons, or otherwise use an identity other than their own. This support is disabled by default; to enable it, set the WebKdcIdentityAcl Apache directive to the path to an ACL file describing acceptable combinations of authentication and authorization identities for each site. See the WebKdcIdentityAcl documentation in the mod_webkdc manual for more information. Updates to the confirm and possibly the login templates in WebLogin will also be required. See the sample templates for the new parameters and fields.

mod_webauth by default ignores the new authorization identities (and old versions will always ignore them) except for recording the authorization identity in the new environment variable WEBAUTH_AUTHZ_USER. There is a new mod_webauth Apache directive, WebAuthTrustAuthzIdentity, which can be enabled to set REMOTE_USER to the authorization identity instead of the authentication identity and to use the authorization identity for access control (such as mod_webauthldap privilege group lookups). WEBAUTH_USER will always be set to the authentication identity. This directive is allowed in .htaccess files (if authentication overrides are allowed) as well as anywhere in the main Apache configuration. Authorization identities will still be ignored if WebAuthSubjectAuthType is set to krb5.

Add new mod_webkdc Apache directive WebKdcLoginTimeLimit, which controls the time limit for completing a multi-step login process (such as with multifactor authentication) and how recently authentication must have occurred to count for session factors and forced login. The default value is five minutes, matching the previous default behavior for multifactor logins.

WebAuthForceLogin no longer forces re-entry of the user's password if the user has done an interactive authentication within the WebKdcLoginTimeLimit interval (five minutes by default). Initial authentication factors also count as session factors for single sign-on authentications within that time interval. This allows WebAuthForceLogin to work in combination with other features such as multi-step authentication processes and authorization identities and improves the user experience when simultaneously visiting multiple sites with forced login set. To disable this behavior and always force reauthentication, WebKdcLoginTimeLimit can be set to 0s, but this will make multi-stage login processes, such as multifactor, impossible.

Add replay detection to WebLogin. When enabled, only one username and password authentication is permitted with a given request token, and further authentications with the same request token are rejected as replays. This can protect against an attacker using the back button in an abandoned browser to replay the form submission on the WebLogin server. This support requires a memcached server be available for data storage and the Perl modules Cache::Memcached and Digest::SHA. The latter is available as part of Perl since 5.9.3.

Add rate limiting of login attempts in WebLogin. If enabled, after a configured number of failed login attempts, all password authentications for a given username will be rejected (valid or not) until a configurable interval of time has passed. This support also requires a memcached server for data storage and the Perl module Cache::Memcached.
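The two mechanisms just described, replay detection keyed on the request token and per-username lockout after repeated failures, as an added illustration that is not WebLogin's own code: an in-memory dict with expiry stands in for the memcached server, hashlib stands in for Digest::SHA, and the class names, key layout and default limits are assumptions.

```python
"""Replay detection and login rate limiting in the style the WebLogin
entries describe.  Added illustration, not WebLogin's code: ExpiringStore
stands in for Cache::Memcached, hashlib for Digest::SHA; all names,
key layouts and defaults here are assumptions."""
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple


class ExpiringStore:
    """Stand-in for Cache::Memcached with the operations we need."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._data: Dict[str, Tuple[object, float]] = {}

    def _live(self, key: str) -> Optional[Tuple[object, float]]:
        item = self._data.get(key)
        if item is not None and item[1] <= self._clock():
            del self._data[key]          # expired: drop it
            return None
        return item

    def add(self, key: str, value: object, ttl: float) -> bool:
        """Store only if the key is absent (memcached 'add' semantics).
        Claiming the token this way avoids a check-then-set race."""
        if self._live(key) is not None:
            return False
        self._data[key] = (value, self._clock() + ttl)
        return True

    def get(self, key: str) -> object:
        item = self._live(key)
        return None if item is None else item[0]

    def set(self, key: str, value: object, ttl: float) -> None:
        self._data[key] = (value, self._clock() + ttl)


class LoginGuard:
    """Wraps a password check with replay detection and lockout."""

    def __init__(self, store: ExpiringStore,
                 check_password: Callable[[str, str], bool],
                 max_failures: int = 5, lockout_seconds: int = 900,
                 token_ttl: int = 600) -> None:
        self.store = store
        self.check_password = check_password    # (username, password) -> bool
        self.max_failures = max_failures        # assumed default
        self.lockout_seconds = lockout_seconds  # assumed default
        self.token_ttl = token_ttl              # how long a used token is remembered

    @staticmethod
    def _token_key(request_token: str) -> str:
        # Key on a digest so the request token itself is never stored.
        return "replay:" + hashlib.sha256(request_token.encode()).hexdigest()

    def attempt(self, username: str, password: str, request_token: str) -> str:
        """Return "replay", "lockout", "failed" or "ok"."""
        # One password authentication per request token: the first
        # submission claims the token, any later one is a replay.
        if not self.store.add(self._token_key(request_token), 1, self.token_ttl):
            return "replay"
        fail_key = "fail:" + username
        failures = self.store.get(fail_key) or 0
        if failures >= self.max_failures:
            # Locked out: reject without consulting the password at all,
            # so a correct guess is indistinguishable from a wrong one.
            return "lockout"
        if self.check_password(username, password):
            return "ok"
        # Count the failure; the counter expires lockout_seconds after the
        # most recent failure (a simplification, assumed here).
        self.store.set(fail_key, failures + 1, self.lockout_seconds)
        return "failed"


if __name__ == "__main__":
    # Constructed demonstration driven by a fake clock.
    now = [0.0]
    guard = LoginGuard(ExpiringStore(clock=lambda: now[0]),
                       lambda u, p: (u, p) == ("alice", "correct horse"),
                       max_failures=3, lockout_seconds=60)
    for pw, tok in [("wrong", "t1"), ("correct horse", "t1"),
                    ("wrong", "t2"), ("wrong", "t3"), ("correct horse", "t4")]:
        print(tok, repr(pw), "->", guard.attempt("alice", pw, tok))
    now[0] += 61
    print("t5 'correct horse' ->", guard.attempt("alice", "correct horse", "t5"))
```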

The WebLogin error template has two new parameters: err_lockout and err_replay, corresponding to a replayed authentication and an account that was locked out due to too many login failures. Local templates should be updated to handle those parameters, particularly if either of these features is in use.

In WebLogin, set single sign-on cookies if present even when displaying an error. This establishes single sign-on when errors are returned after authentication, such as authentication rejected errors from the user information service. Without this behavior, if the custom error page sent the user to another page that also required authentication, the user would have to log in again and may have given up, thinking that authentication was looping.

Support two additional WebLogin configuration settings: @REMUSER_LOCAL_REALMS and @REMUSER_PERMITTED_REALMS. These provide the equivalent of WebKdcLocalRealms and WebKdcPermittedRealms for Apache REMOTE_USER authentication handled by the WebLogin front-end (such as when using Negotiate-Auth with mod_auth_kerb). Previously, there was only a @REMUSER_REALMS setting, which combined both meanings. @REMUSER_REALMS continues to be supported for backward compatibility, but will only be used if the more-specific variable is not set. Patch from Tom Jones.

Fix encoding of Kerberos credentials containing addresses or authdata when built against MIT Kerberos. WebAuth 4.3.0 and later would fail to encode those credentials properly. This bug only affects people using credential delegation with either Active Directory or with Kerberos configured to add addresses to tickets, which are relatively rare configurations.

Fix encoding of ticket flags with Heimdal Kerberos and tolerate the old, incorrect encoding. All previous versions of WebAuth, when built with Heimdal, encoded the ticket flags on the wire with the flag bits reversed (matching the in-memory Heimdal format). Prior to this version, flags would be lost when reading credentials encoded via MIT Kerberos with Heimdal or vice versa. As of this release, the portable flag encoding used for ticket caches is used when writing credentials with both MIT and Heimdal, and the flag order is detected when decoding credentials and fixed if necessary. If you use delegated credentials and link with Heimdal Kerberos, upgrade mod_webauth prior to upgrading the WebKDC to ensure the ticket flags are conveyed correctly.

Fix mapping of WebKDC error codes to names when reporting errors in WebLogin, fixing mostly cosmetic Perl warnings in the WebLogin server logs.

Document the WebAuthRequireSSL configuration directive. Under normal circumstances, this directive should always be left on (the default) to avoid serious security vulnerabilities, but there are some specific situations where it may be necessary to turn it off.

Add webauth_token_encrypt and webauth_token_decrypt to the public API, including the Perl API. These functions provide access to the low-level token encryption and decryption routines. Normally, the high-level webauth_token_{encode,decode} functions will be used instead, but these functions are useful for constructing low-level tests.

The webauth_base64_* functions have been removed from libwebauth, as have the corresponding Perl bindings. For C programs, use the apr_base64_* functions from APR-Util instead. For Perl programs, use MIME::Base64.

The webauth_attr_*, webauth_attrs_*, and webauth_hex_* functions have been removed from libwebauth, as have the corresponding Perl bindings. These functions provided a low-level interface to internal WebAuth data structures that is no longer necessary.

Remove webauth.h. The only remaining contents of interest to clients were the WebAuth protocol error constants, which have now moved to webauth/tokens.h.

Add public webauth_keyring_encode and webauth_keyring_decode functions that encode and decode keyrings into the serialization format used for storing them in files. These are useful for sending WebAuth keyrings over other protocols. Add a corresponding keyring_decode method to the Perl WebAuth class and encode and decode methods to the WebAuth::Keyring class.

The WA_TK_*, WA_TT_*, and WA_SA_* preprocessor constants are no longer provided by webauth.h. These contained a subset of the encoding rules for the WebAuth wire protocol, but were not really useful to clients of the library.

The WA_ERR_KEYRING_* error codes have changed to WA_ERR_FILE_* and will be used for any errors inside the WebAuth library when reading or writing to files. Now that WebAuth can report rich error messages, there is no need for the codes to be this specific. Add new WA_ERR_FILE_NOT_FOUND error, which replaces WA_ERR_KEYRING_OPENREAD when the error is due to the file not existing.

Update to rra-c-util 4.7:

WebAuth 4.3.3 (2012-11-05)

Fix a memory initialization issue in the WebKDC that could cause incorrect handling of random multifactor verification, including requiring random multifactor when the WebAuth Application Server didn't request it.

Fix a memory allocation error in the WebAuth Perl module that could cause memory corruption in the WebLogin server.

WebAuth 4.3.2 (2012-09-27)

Fix a pool management bug when mod_webauth requested a service token from the WebKDC. A premature release of an APR memory pool could result in a corrupted Kerberos authenticator, resulting in an inability to obtain new service tokens.

WebAuth 4.3.1 (2012-08-08)

Allow WebAuthDoLogout in .htaccess files with AllowOverride AuthConfig. Previously, WebAuthDoLogout could only be set in the Apache server configuration.

Fix invalid free in webauth_webkdc_login when there are permitted realms configured.

Add a replacement for krb5_cc_get_full_name for Kerberos libraries that don't have this function. Fixes compilation against MIT Kerberos 1.8 and earlier.

Fix incorrect Perl module includes in pwchange.fcgi that prevented the WebLogin password change component from starting properly.

Add an overloaded cmp operator for WebAuth::Exception, primarily to make testing easier.

Document that while WebAuthLdapKeytab can be set in either the main server configuration or in a virtual host, separate configurations for different virtual hosts are not supported due to the way the module is currently implemented.

WebAuth 4.3.0 (2012-08-06)

mod_webauth now sets the HttpOnly flag on all WebAuth session cookies by default. This can be turned off at the server or virtual host level with the new WebAuthHttpOnly Apache directive. (Although be aware that the structure of the WebAuth cookies is an internal implementation detail; if this directive is needed, the web site is probably doing something unsupported.)

WebLogin now sets the HttpOnly flag on the single sign-on cookie, and on the test cookie used to probe whether cookies are supported.

Add a new optional <userMessage> element to the specification of the <requestTokenResponse> reply from the WebKDC and a new error code. These are used to indicate a rejected authentication and to return an HTML error that should be displayed to the user.

Support a new <error> return element inside the <authdata> reply from the user information service during WebLogin authentication. Presence of this element indicates that the user information service has rejected this authentication. The content is raw HTML content (which should be protected by a CDATA block in the XML) to display to the user. Make appropriate changes to the webauth_user_info and webauth_webkdc_login APIs and to mod_webkdc to return this information via the new <userMessage> element and the new protocol error code.

Add a new parameter, err_html, to the error page template in WebLogin. When this parameter is set, the contents should be used as the entire error message to display to the user. Local WebLogin error templates should be updated to support this parameter.

Fix wa_keyring compilation error when older versions of the WebAuth headers are installed in the APR header path.

Change all Kerberos functions in the WebAuth library API to take the WebAuth context and use APR memory management and new-style error message handling. There is a new include file, webauth/krb5.h, for the Kerberos functions. Remove webauth_krb5_error_code and webauth_krb5_error_message in favor of the new-style error handling. Call the proper Kerberos error reporting functions to get more information than was available via com_err.

Replace webauth_krb5_export_ticket and webauth_krb5_export_tgt with a new webauth_krb5_export_cred function that is parallel to webauth_krb5_import_cred and can do either operation. Similarly, merge webauth_krb5_init_via_cred and webauth_krb5_import_cred into webauth_krb5_import_cred.

Rename webauth_krb5_rd_req to webauth_krb5_read_auth and webauth_krb5_mk_req to webauth_krb5_make_auth. Rename the _with_data variations of both to _data.

Remove webauth_krb5_keep_cred_cache. This was no longer used anywhere in the WebAuth source.

Revise the Perl API for Kerberos-related functions to match the changes to libwebauth, including changes of method names and removal of now-unused functions, and complete the conversion to an object-oriented interface. A WebAuth::Krb5 object is now returned by the krb5_new method, and all other Kerberos functions are now implemented as methods on that object.

Fix decoding of Kerberos credentials that include a second ticket when built with MIT Kerberos.

Kerberos realm names are no longer escaped before matching them against the Apache configuration. This only affects handling realm names with unusual characters.

WebAuth 4.2.2 (2012-07-19)

Fix WebKDC::WebRequest error introduced in 4.2.0 that broke WebLogin functionality.

Fix Kerberos context cleanup bug after storing delegated credentials in a file cache, introduced in 4.2.0. This bug would cause segfaults in the child Apache process after completion of the request.

WebAuth 4.2.1 (2012-07-18)

Fix error decoding keyrings from files on 64-bit systems, preventing all use of keyring files. Reported by Kai Lanz.

Fix compilation with Apache 2.0, which does not have the mod_auth.h header. Reported by Kai Lanz.

WebAuth 4.2.0 (2012-07-13)

Port to Apache 2.4 (tested with Apache 2.4.1).

Support for AuthType StanfordAuth has been deprecated and will be removed from mod_webauth and mod_webauthldap in a subsequent release.

Support for AuthType StanfordAuth in mod_webauthldap is not available when built with Apache 2.4. This includes treating "require group" directives where the group contains a colon as "require privgroup" and setting the SU_AUTH_DIRMAIL, SU_AUTH_DIRNAME, and SU_AUTH_UNIVID environment variables. This behavior is still supported when built with Apache 2.2 or earlier, but is deprecated as mentioned above.

Support Kerberos keyring ticket caches for passing delegated credentials from mod_webauth to CGI and embedded code. Set possessor permissions on Kerberos keyring tickets so that other processes running as the same UID should not have access. Patch from Benjamin Coddington.

Fix merging of mod_webkdc Apache directives in some corner cases where the directive has a default value or is explicitly set to off.

WebLogin now only sets a SIGTERM handler to defer exit while processing a request. This will hopefully fix orphaned login.fcgi and pwchange.fcgi processes due to SIGTERM arriving while waiting in the FastCGI listen loop and then never being woken up again.

The WebAuth Perl module API now requires creating a WebAuth object first and passing that object as the first argument to all other functions except the krb5_* functions. This is the first step in making the API more object-oriented. The only export groups provided are :const and :krb5, and all other export requests should be removed. All users will need code changes to work with the new API. WebAuth::Krb5 has not yet been converted, but will be in a subsequent release. This means that the WebKDC and WebLogin Perl modules in this release require the WebAuth module from this release and vice versa, so be careful of partial upgrades.

webauth_token_encode now correctly allows id tokens of type krb5 to omit the subject attribute. The receiver is supposed to determine the subject via the Kerberos authenticator.

All key and keyring functions in the WebAuth library API have changed to take the WebAuth context and use APR memory management and new-style error message handling. All the *_free functions have therefore been removed. Keyrings are now represented by an APR array; callers that want to walk through the keyring entries will need the relevant APR headers. Functions that could only fail if memory allocation failed now either return new objects directly or are declared void, since APR code assumes memory allocation does not fail. The API now uses named structs instead of typedefs.

webauth_key_create will now create a random key if passed NULL for the key material. It also now returns a status code so that better error messages can be reported.

webauth_keyring_read_file has been renamed to webauth_keyring_read. webauth_keyring_write_file has been renamed to webauth_keyring_write.

The webauth_keyring_encode and webauth_keyring_decode functions have been removed from the public API.

The constant WA_AES_KEY has been renamed to WA_KEY_AES.

The webauth_random_bytes and webauth_random_key functions have been removed from the public API.

webauth_keyring_best_key now takes a WA_KEY_DECRYPT or WA_KEY_ENCRYPT argument instead of a boolean. This makes the meaning clearer at the call site.

The Perl API for manipulating keyrings has been modified to include the WebAuth context. The read_file method in the WebAuth::Keyring class has been renamed to read, calling an underlying keyring_read method in the WebAuth class. The WebAuth::Keyring new constructor now takes a WebAuth context and calls a keyring_new method in the WebAuth class so that the WebAuth context can be tracked. The capacity method on a WebAuth::Keyring object has been removed since it's not part of the abstraction.

The Perl WebAuth::Key class now supports type, length, and data accessor methods so that Perl programs can inspect the contents of keys. It also supports a convenience new constructor that calls WebAuth::key_create.

The old webauth_token_create and webauth_token_parse functions have been removed from the public API in favor of the new _encode and _decode functions. The token_create and token_parse methods have also been removed from the Perl API in favor of the new token_decode method and WebAuth::Token::* classes.

The Perl WebKDC::Token module and the classes it defined have been removed. Use the new WebAuth::Token::* classes instead.

All WebKDC::* Perl modules now have POD documentation.

Update to rra-c-util 4.5:

Update to C TAP Harness 1.12:

WebAuth 4.1.1 (2012-04-25)

Fix a bug in webauth_user_info that misparsed timestamp attributes from the user information query results, causing timestamps to be ignored and always set to 0 in user login history information and causing the function to fail if any unknown attributes were returned.

Fix the sample confirm template to use the correct attribute for login history timestamps and to suppress the timestamp section if that history entry had no associated timestamp.

Fix the sample confirm template to properly suppress the history and token rights sections when there are no entries in the corresponding arrays. Thanks, Sam Morris.

Add explicit HTML filters to all interpolated variables in the sample WebLogin templates. Previous versions of the sample templates (since the conversion to Template Toolkit in 4.0) did not uniformly apply the HTML filter, which could cause rendering problems or even cross-site scripting vulnerabilities in some corner cases. For most attributes missing this filter there was no chance of HTML special characters, but now the filter is applied uniformly for consistency. Sites with custom templates should check their templates for any instance of a variable interpolation ([% variable %]) and ensure that the HTML filter is applied ([% variable FILTER html %] instead).
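The template audit this entry asks for, as an added illustration that is not part of WebLogin: a small linter that finds Template Toolkit interpolations lacking the html filter. The control-keyword set, the assignment heuristic and the allowlist of deliberately raw variables (err_html, which the 4.3.0 entry above documents as a complete HTML error message that must not be escaped) are assumptions, and the sample template is constructed.

```python
"""Lint Template Toolkit templates for variable interpolations that lack
the html filter, the check the 4.1.1 entry asks custom-template sites to
make.  Added illustration, not WebLogin code; keyword set, assignment
heuristic and the raw-HTML allowlist are assumptions."""
import re
from typing import List, Tuple

# [% ... %] with optional chomp markers ([%- ... -%], [%+ ... +%]).
DIRECTIVE = re.compile(r"\[%[-+]?\s*(.*?)\s*[-+]?%\]", re.DOTALL)

# Directives that control flow or assign rather than emit a value.
CONTROL = {"IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE",
           "SWITCH", "CASE", "INCLUDE", "PROCESS", "BLOCK", "SET", "USE",
           "DEFAULT", "WRAPPER", "FILTER", "NEXT", "LAST", "RETURN", "STOP"}

# "FILTER html" and its "| html" shorthand both count as filtered.
HTML_FILTER = re.compile(r"(?:\bFILTER\s+html\b|\|\s*html\b)")

# Variables that carry raw HTML on purpose: err_html is the entire error
# message returned as HTML by the user information service (4.3.0 entry),
# so escaping it would break the page.  Extend per site (assumption).
RAW_HTML_OK = {"err_html"}

# Plain assignments such as [% x = 1 %] emit nothing.
ASSIGNMENT = re.compile(r"^[\w.]+\s*=(?!=)")


def find_unfiltered(template: str) -> List[Tuple[int, str]]:
    """Return (line, directive body) for every interpolation that is
    neither html-filtered nor on the raw-HTML allowlist."""
    findings = []
    for m in DIRECTIVE.finditer(template):
        body = m.group(1)
        if not body or body.startswith("#"):      # empty or TT comment
            continue
        first = body.split(None, 1)[0]
        if first.upper() in CONTROL or ASSIGNMENT.match(body):
            continue
        if first in RAW_HTML_OK or HTML_FILTER.search(body):
            continue
        line = template.count("\n", 0, m.start()) + 1
        findings.append((line, body))
    return findings


# Constructed sample resembling a WebLogin error/confirm template.
SAMPLE = """\
<h1>[% page_title FILTER html %]</h1>
[% IF err_lockout %]<p>Locked out: [% username %]</p>[% END %]
[% IF err_html %][% err_html %][% ELSE %]<p>[% err_msg | html %]</p>[% END %]
[%# history rows %]
[% FOREACH entry IN history %]<li>[% entry.ip %]</li>[% END %]
<a href="[% return_url | html %]">[% return_url %]</a>
"""

if __name__ == "__main__":
    for line, body in find_unfiltered(SAMPLE):
        print(f"line {line}: [% {body} %] lacks FILTER html")
```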

Update the generated HTML version of the mod_webkdc manual to include the new directives introduced in WebAuth 4.1.0.

Update to rra-c-util 4.3:

Update to C TAP Harness 1.11:

WebAuth 4.1.0 (2012-03-15)

Add new mod_webkdc configuration option WebKdcUserInfoTimeout, which sets the network timeout used for user information service queries and multifactor authentications. The default timeout is 30 seconds. Timeout support requires compiling with remctl 3.1 or later.

Add new mod_webkdc configuration option WebKdcUserInfoIgnoreFail, which if set tells mod_webkdc to not fail the login if a user information service is configured but cannot be queried (either due to timeout or due to some other error). By default, all logins will be rejected if a user information service is configured but returns an error. If this option is set, the login can proceed, but only a password factor will be available and no level of assurance can be set. Be aware that setting this option may allow bypassing a multifactor requirement expressed by the user information service rather than the destination site.

Really fix compilation without remctl libraries. The previous change would always define HAVE_REMCTL even if the libraries weren't found.

If the remctl_set_ccache function is available, use it instead of setenv of KRB5CCNAME to set the ticket cache location when making user information service calls. This at least only affects thread state instead of global process state and doesn't leak memory.

Fix error handling in WebLogin when the password field on the login form is left blank. The correct error is now returned, leaving the user at the login page, rather than giving the user a generic error page. Thanks to Petr Grolmus for the report.

Display the correct WebLogin error when the user enters a password and omits the username, and avoid attempting to authenticate with an empty username.

Drop library support for base64-encoded token attributes. This was never used in the WebAuth code.

Drop the webauth_info_build and webauth_info_version functions from the libwebauth library and instead build the version and build information directly into the modules. These functions were only used to get information for startup logging and reported versions in the modules.

Document in the mod_webauth manual a problematic interaction of URL parsing between Apache and Tomcat that affects any Apache authentication mechanism used to protect URLs that are proxied to Tomcat. Apache configuration to restrict access to proxied URLs needs to allow for URI path parameters at the end of path segments.

Update to rra-c-util 4.2:

Update to C TAP Harness 1.10:

WebAuth 4.0.2 (2011-12-02)

Fix a typo that caused the cookie tracking whether a user had requested REMOTE_USER authentication to be reset as a session cookie.

Fix compilation without remctl libraries.

Port to APR 0.9, which comes with Red Hat Enterprise 4 and distributions derived from it.

Ignore cookies with undefined values in WebLogin and tokens that aren't present in the password change page to avoid Perl warnings in the Apache error log.

Document factor codes in the mod_webauth manual.

Add additional Stanford-specific documentation for how to enable multifactor authentication on a WebAuth Application Server at Stanford.

Update to rra-c-util 3.11:

WebAuth 4.0.1 (2011-09-23)

The protocol for getting suspicious login information from the user information service and conveying that information to WebLogin has changed to use the IP address as the content of the tag and move the hostname to an attribute, since the hostname is optional and may not be available.

If the user information service returns suspicious logins, WebLogin now forces a confirmation page and displays those logins. Full use of this functionality will require an update to the local confirm template to add the suspicious login display if the corresponding template variable is set.

Log the return URL of authentication requests to the WebKDC.

Fix a memory leak in token decoding.

Properly initialize the creation time of the error token returned to the WAS when a login is canceled.

Reduce the log level of the mod_webauth logging when retrieving credentials from the WebKDC. The full XML exchange is now only logged when debug logging is enabled.

Update to rra-c-util 3.9:

WebAuth 4.0.0 (2011-09-02)

WARNING: This release is a major revision with significant changes to mod_webkdc and to the WebLogin code. While the additions are not completely specific to Stanford University, they still have some limitations and missing components that will make it difficult to deploy new features outside of Stanford, and they have not yet been tested in a production deployment. The new mod_webauth and mod_webauthldap are suitable for everyone, but sites outside of Stanford University will probably want to wait for subsequent releases before updating mod_webkdc and the WebLogin code.

WebAuth now has support for multifactor authentication. New WebAuth configuration directives WebAuthRequireInitialFactor, WebAuthRequireSessionFactor, and WebAuthRequireLOA can be used to require specific authentication factors, unspecified multiple factors, or a site-specific level of assurance value to allow access to particular content. Using this feature currently requires a custom middleware service that returns information about users and their configured factors and that validates a provided OTP code. New WebKDC configuration directives WebKdcUserInfoURL and WebKdcUserInfoPrincipal control how that middleware service is used. WebKdcKerberosFactors controls what factors are assigned to webkdc-proxy tokens obtained directly from the WebKDC rather than via WebLogin.

mod_webauth now exposes the user's initial and session authentication methods via environment variables WEBAUTH_FACTORS_INITIAL and WEBAUTH_FACTORS_SESSION, and the user's level of assurance (if known) via WEBAUTH_LOA.

WebLogin now uses Template Toolkit for all templating instead of HTML::Template. This means that all local WebLogin templates will have to be revised for the new syntax. WebLogin has also dropped support for obsolete template variables and for templates that don't support the new variables that have been introduced over the years. See the sample templates in weblogin/templates for examples of what the new templates should look like.

WebLogin now uses CGI::Application to control page flow through the WebLogin pages. WebLogin servers will need CGI::Application plus additional plugin modules installed. See docs/install-webkdc for a complete list.

As part of multifactor support, WebLogin can now tell an external middleware service to send an OTP code to the user through site-specific means (such as an SMS message). There are new configuration variables for webkdc.conf to specify how to contact this optional service.

As part of multifactor support, WebLogin supports a new site-specific callback to determine the initial and session factors for a user who has been authenticated via some other Apache authentication mechanism (such as GSS-API via mod_auth_kerb). See docs/weblogin-config under remuser_factors for more information.

The libwebauth library API has changed significantly in this version and will be changing further in subsequent versions. There are new webauth/*.h headers for the new API, but this API should not yet be considered stable. External users of the libwebauth API should stay with previous releases until the libwebauth library changes have been completed, and should expect to require substantial changes (mostly simplifications).

The proxy data attribute of webkdc-proxy tokens is now optional and may be omitted for webkdc-proxy token types (like remuser) that carry no additional data. The WebKDC now accepts webkdc-proxy tokens with no data but always adds some data for backward compatibility with older servers. It will stop generating that data in a future release.

The keyring manipulation functions of the WebAuth Perl module have been rewritten to be object-oriented, introducing new WebAuth::Keyring and WebAuth::KeyringEntry objects. Perl code using the WebAuth module to manipulate keyrings will have to be modified, since several functions were removed in favor of the new interface. Methods to remove a key from a keyring, get the timestamps and keys associated with keyring entries, and choose the best key from a keyring have been added.

Use PATH_KRB5_CONFIG as the environment variable to set the path to krb5-config rather than KRB5_CONFIG, since the latter is used by the Kerberos libraries to specify an alternative path to krb5.conf.

Update to rra-c-util 3.8:

Update to C TAP Harness 1.8:

WebAuth 3.7.4 (2011-05-11)

WebAuth now supports a new Apache configuration directive, WebAuthOptional, which can be used in directories and .htaccess files. If set to on, unauthenticated users are not redirected to WebLogin and are instead allowed access to the protected resource, but without any REMOTE_USER or related environment variables set. However, if the user was previously authenticated to that server, their authentication information will be present in the environment as normal. This is intended for use with dynamic content, such as embedded PHP or CGI scripts, that will inspect REMOTE_USER and decide what content to show based on the authentication status. Normally, such content would also show unauthenticated users a login link pointing to a URL protected by WebAuth without this directive, so that they can authenticate if desired. This feature is sometimes referred to as "passive authentication" or "lazy sessions." Based on work by niklas.

Previous versions of WebLogin interpreted a "message stream modified" error on password change as a failure of strength checking because that error was incorrectly returned by MIT Kerberos for password strength checking errors with a Heimdal KDC. This turned out to be a bug in MIT Kerberos, which is now avoided by using a different library API call that doesn't have that bug. This workaround has now been removed, so the error reporting from WebLogin on password change will now be more accurate.

Disable TLS certificate verification in WebLogin if the WebKDC URL is at localhost, since the presented certificate will generally not be a localhost certificate. This fixes an incompatibility with libwww-perl versions later than 5.837, which changed the default value for certificate validation.

Fix compilation error in libwebauth if assert() calls are enabled and the local C library doesn't define an index function. Fixes compilation problems on Solaris 10.

Fix an Autoconf probe for the Heimdal Kerberos implementation.

Export the defines to enable system extensions to the module config header as well. Fixes build problems with APR on Red Hat Enterprise Linux 5, which requires _GNU_SOURCE be defined before including APR headers to define off64_t.

Avoid problems with generating the pkg-config configuration file when the Kerberos linker flags contain commas.

Print a clearer warning in WebLogin when used with a mod_webkdc older than 3.6.1 and therefore missing the request token type in the response.

Document the pt and sa key/value pairs in WebKDC logs in the mod_webkdc manual.

Be more defensive in mod_webauth against an Apache request struct that doesn't have the notes table or per-directory configuration filled in, which seems to happen under the Apache included with Solaris 10 x86. Based on a patch by Gary Buhrmaster.

Update to rra-c-util 3.4:

Update to C TAP Harness 1.7:

WebAuth 3.7.3 (2010-09-20)

Explicitly link the mod_webauthldap module with the portability glue library, fixing a build failure on Red Hat Enterprise 4 x86_64.

Fix LDAP attribute retrieval in WebAuth 2.x backward compatibility mode, which was broken in 3.7.0.

The WebAuth library also installs a pkg-config configuration file for the use of software that wants to link against it.

Update to rra-c-util 2.7:

WebAuth 3.7.2 (2010-08-12)

Fix wa_keyring option parsing problems introduced in 3.7.0. Correctly count arguments so that commands are recognized correctly and do not require -- before commands with negative time offsets, like "gc -90d".

Fix uninitialized variable that caused wa_keyring to randomly default to verbose mode for list.

mod_webkdc now returns a user rejected error instead of a generic Kerberos error for attempted authentications to expired accounts or accounts set to disallow authentication, allowing WebLogin to display a rejected user error message rather than a generic failure message.

Add portability code for old MIT Kerberos and Heimdal libraries without krb5_get_init_creds_opt_free.

Fix build problems with the Perl module (only built when the WebKDC is enabled) on platforms where all shared libraries need to be linked with explicitly.

WebAuth 3.7.1 (2010-07-23)

Add new WebLogin configuration parameter $EXPIRING_PW_RESEND_PASSWORD. If set, a user who is changing their password, either because it has expired or after following the prompt to change a password that's expiring soon, is required to re-enter their current password on the same screen as the new password, even if they had just authenticated with the old password. This may be required by site security policy and is enabled by default.

Improve error reporting in WebLogin when password change fails.

Make mod_webkdc behavior match the documentation by changing the default WebKdcProxyTokenLifetime to be the lifetime of the underlying Kerberos credential. Previously, the default was ten hours.

When probing for Apache module build flags, call apr-config --includes and add it to the preprocessor flags. Fixes build failures on Red Hat Enterprise Linux 4 and 5.

WebAuth 3.7.0 (2010-07-08)

The WebAuthLdapAuthRule directive in mod_webauthldap has been fixed to do something closer to its documentation. Previously, it was documented as containing "group <privgroup>" if the user was authorized by a privgroup directive, but actually contained only the privgroup. Now, it contains "privgroup <privgroup>" if the user was authorized by a privgroup directive. Patch from Ian Ward Comfort.

mod_webauthldap supports a new WebAuthLdapPrivgroup directive that names a list of privgroups against which the authenticated user's membership should be checked. All privgroups listed of which the user is a member will be put into the WEBAUTH_LDAPPRIVGROUP environment variable. Patch from Ian Ward Comfort.

The WebAuthLdapAttribute directive can now take multiple attributes on the same line. Patch from Ian Ward Comfort.

WebLogin now includes a password change script and associated template to allow users to change their Kerberos password.

WebLogin now supports password expiration. If the account password is expired when a user authenticates with a password at the WebLogin login screen, they are redirected to the password change screen, forced to change their password, and then reauthenticated with their new password so that they can continue as normal with their authentication.

WebLogin can be optionally configured to warn users, via the confirmation screen, if their password is about to expire. Currently, this warning requires remctl, configuration of a Kerberos ticket cache, and the kadmin-remctl backend running somewhere for that Kerberos realm.

The WebAuth Apache modules are no longer built with apxs, which allows a cleaner build and installation process. However, this means that the modules are now installed in <libexecdir>/apache2/modules by default, where <libexecdir> is specified via the --libexecdir flag to configure and defaults to /usr/local/libexec.

The --with-apache option has been dropped. Use --with-apxs to specify the full path to apxs if it's not in your PATH.

The --enable-mod_webkdc flag is now --enable-webkdc, since it also controls installation of the WebLogin scripts and templates.

The --enable-debug flag has been dropped. Set CFLAGS on the configure command line if you want to override the default compiler flags.

Catch SIGTERM in the login.fcgi script and only exit once processing of the current request has completed. mod_fastcgi restarts FastCGI scripts periodically by killing the old one with SIGTERM, which previously could result in internal server errors handed back to the client if the script was killed in the middle of processing a request.

Correctly encode RT and ST tokens in the URL when redirecting to an alternate URL to attempt REMOTE_USER authentication in WebLogin. Patch from Ian Ward Comfort.

The majority of the WebLogin scripts have been moved into a new WebLogin Perl module, which should make it somewhat easier to further customize the WebLogin interface if desired.

The timestamps output by wa_keyring list now contain dates in the ISO format YYYY-MM-DD instead of the US-centric and ambiguous MM/DD/YYYY.

Removed the webauth_krb5_service_principal function from libwebauth and from the WebAuth Perl module. This function's API was fundamentally flawed since it did not handle realms, and it was not used anywhere in the WebAuth code.

Change the libwebauth API to use size_t and other data types more correctly instead of always using int. This will require updates in all calling applications.

wa_keyring calls the OpenSSL MD5 functions directly, so explicitly link it with libcrypto. Fixes build failures with gold.

Lower the logging level of mod_webauth messages about setting cookies (to debug) and environment variables (to info, since that's the best way right now to see a trace of authenticated users).

Avoid importing isa from UNIVERSAL in the WebAuth Perl modules. This is deprecated in Perl 5.12 and later.

Mention setting $KEYRING_PATH in docs/install-spnego and expand the documentation in docs/weblogin-config.

Changed terminology in the WebAuth protocol specification to refer to a KRB_AP_REQ rather than the results of krb5_mk_req. The latter is a call specific to a particular API, whereas the former is the term used in the Kerberos protocol documentation. Thanks, Liam Atkinson.

The Autoconf probe for the cURL libraries now uses curl-config if available. The path to curl-config can be overridden by setting the CURL_CONFIG variable on the configure command line or in the environment.

Update to rra-c-util 2.5:

Update to C TAP Harness 1.4:

WebAuth 3.6.2 (2009-09-10)

SECURITY: When generating the redirect to test for cookie support if the test cookie is not already set, be sure not to include the username and password query fields in the redirect URL. Otherwise, the user's password could be logged in the Apache logs and possibly be included in referrer information sent by the browser.

SECURITY: Reject username/password logins via methods other than POST, since continuing risks exposing the password in the browser history and via referrer information.

If the user submits the login form via POST without including the test cookie, assume that the browser supports cookies and proceed. We won't present the initial login form without seeing the test cookie, so something strange is happening. Continuing and assuming everything will work seems to be the best approach.

Add tools/weblogin-passcheck to examine Apache logs looking for users who were affected by the above security vulnerabilities. This script is not installed by default but is provided in the distribution for WebLogin administrators to use to determine the scope of this problem. For documentation, run tools/weblogin-passcheck -h.
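
The two 3.6.2 fixes and the log check, as an added example in Python rather than WebAuth's own Perl code: a redirect builder that drops the credential fields before reflecting the query, a POST-only gate for password logins, and a scan over Apache combined-format log lines for requests that carried a password in the URI (the same question tools/weblogin-passcheck answers). The field names, the log lines, and the `test_cookie` parameter are constructed for the example and are not WebLogin's actual names.

```python
"""Defensive handling of WebLogin-style password logins (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query fields that must never be reflected into a redirect URL.
SENSITIVE_FIELDS = frozenset({"username", "password"})


def cookie_test_redirect(request_url, test_param="test_cookie"):
    """Build the cookie-support test redirect, stripping credentials.

    Every other query field (e.g. the RT/ST tokens) is preserved so the
    original request can be resumed once the test cookie is seen.
    """
    parts = urlsplit(request_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SENSITIVE_FIELDS]
    kept.append((test_param, "1"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), ""))


def accept_password_login(method, params):
    """Accept a username/password login only when submitted via POST.

    Returns (accepted, reason). Requests without credentials are not
    password logins and pass through untouched.
    """
    if "password" not in params and "username" not in params:
        return True, "no credentials submitted"
    if method.upper() != "POST":
        return False, "password login rejected: method is %s, not POST" % method
    return True, "ok"


# Apache combined log format, enough of it to recover method, URI and client.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})')


def find_exposed_logins(log_lines):
    """Return (timestamp, client, username) for every request whose URI
    carried a password field, i.e. the users a site would need to notify."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        fields = dict(parse_qsl(urlsplit(m.group("uri")).query,
                                keep_blank_values=True))
        if "password" in fields:
            hits.append((m.group("ts"), m.group("ip"), fields.get("username", "")))
    return hits


# Constructed sample log lines: one exposed GET, one clean POST, one clean GET.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2009:12:00:01 -0700] '
    '"GET /login?test_cookie=1&username=alice&password=hunter2 HTTP/1.1" 302 0',
    '192.0.2.11 - - [10/Sep/2009:12:00:05 -0700] "POST /login HTTP/1.1" 200 1234',
    '192.0.2.12 - - [10/Sep/2009:12:00:09 -0700] "GET /login?RT=abc&ST=def HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    print(cookie_test_redirect(
        "https://weblogin.example.com/login?RT=abc&ST=def&username=alice&password=hunter2"))
    print(accept_password_login("GET", {"username": "alice", "password": "x"}))
    for hit in find_exposed_logins(SAMPLE_LOG):
        print("exposed:", hit)
```

The log scan deliberately keys on the presence of the password field rather than its value, so the report can be shared with the affected users without copying the secret out of the log a second time.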

WebAuth 3.6.1 (2009-07-14)

Setting $BYPASS_CONFIRM in the WebLogin configuration now also suppresses the confirmation page after username/password login provided that the browser supports HTTP/1.1 (and the web server tells the WebLogin script that in the form Apache does).

Setting $BYPASS_CONFIRM to the special value "id" in the WebLogin configuration suppresses the confirmation page only if the WebAuth Application Server requests an id token (in other words, only asks for the user's identity). If it instead requests a proxy token, which would allow it to later ask for delegated user credentials, the confirmation page is still displayed.

Add a new WebLogin configuration variable $TOKEN_ACL. If set to the path of the token.acl file used by the WebKDC, and if the WebAuth Application Server requests a proxy token, the list of credentials the WAS may request is provided to the confirmation page template for display to the user. See doc/weblogin-config for more information.

WebLogin now sets and updates its cookies after successful authentication even if the confirmation screen is bypassed. This primarily affects the update of the expiration time of the REMOTE_USER cookie.

Handle err_confirm in the error.tmpl sample template and document this in doc/weblogin-config. This error is returned when redisplaying the confirmation page after a change in the REMOTE_USER cookie.

Fix a coding error in login.fcgi when redisplaying the confirmation page fails. Thanks to pod for the report.

Fix an off-by-one error in error code to error string mapping in WebKDC::WebKDCException that resulted in incorrect error names in WebLogin error messages. Thanks to pod for the report.

The WebLogin scripts and templates are now installed by default under /usr/local/share/weblogin. This can be modified with the --prefix or --datadir options to configure.

There is no longer an install-tests target; instead, to install the test suite, copy the directories under tests/mod_webauth recursively. This will be replaced by a better test suite mechanism in a future version of WebAuth.

Update the mod_webauth documentation to reflect that separate WebAuth servers in the same load-balanced pool can use separate keytabs. Only the keyring needs to be shared between systems.

Improved the comments in the provided sample configuration files.

Update the INSTALL documentation for obtaining keytabs for Stanford users to reference wallet instead of leland_srvtab.

WebAuth 3.6.0 (2008-03-22)

Allocate all note keys and values in the top-most request pool in mod_webauth, avoiding problems with prematurely freed internal data structures. This fixes problems with checking access permissions of subdirectories in mod_autoindex and may have fixed problems elsewhere. Thanks to Ian Ward Comfort for the patch.

Add the WebKdcLocalRealms configuration option to mod_webkdc, which specifies the transformation behavior for authenticated identities. The default is "local", which runs krb5_aname_to_localname and uses the result as the authenticated identity (matching previous behavior). Setting it to "none" always keeps the fully-qualified Kerberos principal as the authenticated identity, and setting it to a list of realms strips the realm if it matches one of the listed realms and uses the fully-qualified Kerberos principal otherwise. Thanks to Dmitri Priimak for the patch.

Add the WebKdcPermittedRealms configuration option to mod_webkdc. If set, only Kerberos principals in the listed realms will be able to obtain authentication tokens from the WebKDC. This allows sites with Kerberos cross-realm trust to prevent users in foreign realms from obtaining WebAuth credentials that satisfy "require valid-user". Thanks to Dmitri Priimak for the patch.

Add an additional check to webkdcProxyTokenRequest processing in mod_webkdc to ensure that the Kerberos authenticator and the included Kerberos TGT are for the same principal.

The WebLogin login.tmpl template may be called with err_rejected set if the authenticating principal is rejected by the WebKDC. Login templates should be modified to handle this variable.

Add a new error to the WebKDC protocol, 18, indicating that the WebKDC did not permit that user to authenticate. This error is returned when WebKdcPermittedRealms is set and the realm of the authenticating principal isn't included. Add support for the new error in the WebLogin code, setting the template variable err_rejected. Based on work by Dmitri Priimak.

libwebauth provides a new webauth_krb5_get_realm function, which returns the realm of the current authenticated principal.

The libwebauth webauth_krb5_get_principal function takes as its third argument, instead of a flag, an enum indicating what sort of canonicalization to perform. Accepted values are WA_KRB5_CANON_LOCAL (to call krb5_aname_to_localname), WA_KRB5_CANON_STRIP (to strip any realm), and WA_KRB5_CANON_NONE (to return the fully-qualified principal).
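
The realm handling described by the WebKdcLocalRealms, WebKdcPermittedRealms and webauth_krb5_get_principal entries above, as an added Python example (not WebAuth's own code). The three canonicalization modes and the permitted-realm check follow the text; krb5_aname_to_localname is replaced by a constructed stand-in that knows a single local realm, and the fallback to the full principal when no local name exists is an assumption of this example, not documented WebAuth behavior.

```python
"""Kerberos principal canonicalization in the WebKDC style (added example)."""
from enum import Enum


class Canon(Enum):
    LOCAL = "local"   # WA_KRB5_CANON_LOCAL: apply the local-name mapping
    STRIP = "strip"   # WA_KRB5_CANON_STRIP: drop any realm
    NONE = "none"     # WA_KRB5_CANON_NONE: keep the fully-qualified principal


# Constructed stand-in for the KDC's auth_to_local rules: only this realm
# has local names.
LOCAL_REALM = "EXAMPLE.COM"


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None if absent.

    A backslash-escaped '@' inside the name is not a realm separator, so
    the split happens at the last unescaped '@'.
    """
    i = len(principal)
    while True:
        i = principal.rfind("@", 0, i)
        if i <= 0:
            return principal, None
        if principal[i - 1] != "\\":
            return principal[:i], principal[i + 1:]


def aname_to_localname(principal):
    """Mimic krb5_aname_to_localname: principals in LOCAL_REALM map to their
    bare name; anything else has no local name (None)."""
    name, realm = split_principal(principal)
    return name if realm == LOCAL_REALM else None


def canonicalize(principal, mode):
    """webauth_krb5_get_principal-style canonicalization."""
    if mode is Canon.NONE:
        return principal
    name, _ = split_principal(principal)
    if mode is Canon.STRIP:
        return name
    local = aname_to_localname(principal)
    # Assumption of this example: with no local name, keep the full principal.
    return local if local is not None else principal


def identity_for(principal, local_realms):
    """Apply a WebKdcLocalRealms setting: "local", "none", or a realm list.

    With a list, the realm is stripped only if it is one of the listed
    realms; otherwise the fully-qualified principal is the identity.
    """
    if local_realms == "local":
        return canonicalize(principal, Canon.LOCAL)
    if local_realms == "none":
        return canonicalize(principal, Canon.NONE)
    name, realm = split_principal(principal)
    return name if realm in local_realms else principal


def permitted(principal, permitted_realms):
    """WebKdcPermittedRealms: unset (None) permits everyone; otherwise the
    principal's realm must be in the list to obtain tokens at all."""
    if permitted_realms is None:
        return True
    _, realm = split_principal(principal)
    return realm in permitted_realms


if __name__ == "__main__":
    trusted = ["EXAMPLE.COM", "PARTNER.ORG"]
    for p in ("alice@EXAMPLE.COM", "carol@PARTNER.ORG", "bob@OTHER.EDU"):
        print(p, "->", identity_for(p, trusted),
              "permitted" if permitted(p, trusted) else "rejected")
```

The point of running the permitted-realm check before canonicalization is visible in the output: a cross-realm principal that is not stripped still satisfies "require valid-user" unless WebKdcPermittedRealms rejects it first.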

In the WebLogin script, work around a bug in the CGI module that causes it to misparse and die on WebLogin URLs that contain two slashes and two plus signs.

WebLogin now supports delegated credentials, allowing browsers that support credential delegation via SPNEGO to still get single sign-on even to services that require proxy credentials or krb5 authenticators. See doc/install-spnego for configuration details. Based on work by Joachim Keltsch.

WebLogin now supports a new configuration variable, $DEFAULT_REALM. If set, WebLogin will append @ and $DEFAULT_REALM to usernames that do not contain @ before passing them to the WebKDC. This is primarily useful if principals should be authenticated in a different Kerberos realm than the default realm of the WebKDC.

WebLogin now supports a new configuration variable, $BYPASS_CONFIRM. If set, the confirmation page will only be displayed if required by the HTTP protocol after a POST of the login form. Otherwise, the user will be silently redirected to the destination site.

Add support for a map_username function defined in the WebLogin config file. If defined, this function will be called to map the user-supplied username to a Kerberos principal for authentication.

Add support for a record_login function defined in the WebLogin config file. If defined, this function will be called after any successful authentication.

Many of the REMOTE_USER configuration variables have been renamed for consistency. The old names are still supported for backward compatibility. $REALM has been deprecated in favor of setting @REMUSER_REALMS to a list with a single value.

Escape Mac OS X compiler flags for apxs, fixing build issues on Mac OS X 10.5.

WebAuth 3.5.5 (2008-01-14)

Check for browser cookies on the first page visit to WebLogin via a redirect and show an error immediately if the user doesn't have cookies enabled. This works correctly in the presence of Apache authentication. Thanks to Joachim Keltsch for the patch.

There is a new template variable, err_cookies_disabled, for the error template, indicating that the user doesn't have cookies enabled. Old templates are supported but won't offer as nice of an error message. The err_cookies parameter to the login template is no longer used.

Fix memory allocation in mod_webauthldap for the Kerberos ticket cache environment variable to use persistent rather than pool memory. Fixes occasional segfaults in mod_php.

Improve extraction of return URLs for user-friendly display when doing authentication for a Shibboleth IdP. Thanks, Robert Basch.

Show the correct pretty Shibboleth return URL when redisplaying the confirmation page. Thanks, Robert Basch.

Mark the test cookie secure to match other cookies so that we're testing what we're using.

Use JavaScript in the default login template to set focus to the username entry box.

WebAuth 3.5.4 (2007-04-24)

Add a configuration option to WebLogin to attempt to decode return URLs pointing to a Shibboleth IdP and display on the confirmation page the final destination instead of the intermediate IdP.

For pages that the browser should reload each time (WebAuthDoLogout or WebAuthDontCache), also always set the content modification time to now. Otherwise, the browser may check the last modification time on the page and then serve its cached copy, ignoring any new Cookie headers from the server (such as cookie clearing from a logout page).

For WebAuthDoLogout, WebAuthDontCache, and all WebLogin pages, set Cache-Control: no-store as well as no-cache. no-store wasn't really intended for this purpose but preventing the browser from keeping a local copy is more likely to force the behavior we want. (This is probably not necessary given the above change, but shouldn't hurt.)
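
A check for the anti-caching headers the two entries above describe, as an added Python example (not WebAuth's own code): it parses a raw HTTP response and lists every reason a browser might still serve a cached copy of a logout or WebLogin page instead of honoring the new Set-Cookie headers. The two responses are constructed samples, and the one-minute tolerance on Last-Modified is this example's choice.

```python
"""Verify no-cache / no-store / Last-Modified handling on a response (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_response(raw):
    """Parse a raw HTTP response into (status, {lowercased-name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _http_date(value):
    """Parse an HTTP date; raises ValueError/TypeError when it is not one."""
    return parsedate_to_datetime(value)


def caching_problems(headers, now):
    """Return the reasons a browser could still serve a cached copy.

    An empty list means the page carries everything the entries above ask
    for: no-cache and no-store, Pragma: no-cache, an Expires in the past,
    and a Last-Modified equal to the time of the response.
    """
    problems = []
    cc = {t.strip().lower() for t in headers.get("cache-control", "").split(",")}
    if "no-cache" not in cc:
        problems.append("Cache-Control lacks no-cache")
    if "no-store" not in cc:
        problems.append("Cache-Control lacks no-store")
    if headers.get("pragma", "").lower() != "no-cache":
        problems.append("Pragma: no-cache missing")

    expires = headers.get("expires")
    if expires is None:
        problems.append("Expires missing")
    elif expires not in ("0", "-1"):   # both are conventional "already expired" values
        try:
            if _http_date(expires) > now:
                problems.append("Expires is in the future")
        except (TypeError, ValueError):
            problems.append("Expires is not a valid HTTP date")

    last_modified = headers.get("last-modified")
    if last_modified is None:
        problems.append("Last-Modified missing")
    else:
        try:
            if now - _http_date(last_modified) > timedelta(minutes=1):
                problems.append("Last-Modified is stale; a conditional request may reuse the cached copy")
        except (TypeError, ValueError):
            problems.append("Last-Modified is not a valid HTTP date")
    return problems


# Constructed sample responses: a logout page done right, and one that only
# sets no-cache and reports an old modification time.
NOW = datetime(2007, 4, 24, 10, 0, 0, tzinfo=timezone.utc)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 24 Apr 2007 10:00:00 GMT\r\n"
    "Last-Modified: Tue, 24 Apr 2007 10:00:00 GMT\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Cache-Control: no-cache, no-store\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: webauth_at=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure\r\n"
    "\r\n<html>logged out</html>")
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 24 Apr 2007 10:00:00 GMT\r\n"
    "Last-Modified: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n<html>logged out</html>")

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        _, hdrs = parse_response(raw)
        print(label, caching_problems(hdrs, NOW) or "ok")
```

Run the same check against a live logout URL by substituting the captured response for the constructed one; the Set-Cookie line in the sample is there only to show that cookie clearing and caching headers travel together.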

Properly merge configuration settings in mod_webauthldap. This will correct problems with WebAuthLdapAuthrule, WebAuthLdapFilter, and WebAuthLdapPort configuration options not being honored inside virtual hosts. Thanks to Wadud Miah for the bug report.

Refresh the REMOTE_USER configuration cookie on each WebLogin page visit so that it won't expire if the user is using WebLogin regularly.

Document the cookies used by the WebLogin service.

Read ticket defaults from krb5.conf properly when built with Heimdal.

Fix configure logic and Kerberos library analysis on systems with multiple versions of Kerberos installed.

Escape -R linker flags from apxs, which doesn't understand them. Patch from Robert A. Basch.

WebAuth 3.5.3 (2006-09-12)

Add the connection IP address and, for WebLogin logins, the client IP address to the WebKDC to the WebKDC log messages whenever processing XML requests.

Document the log messages from the WebKDC in the mod_webkdc manual.

Initial port to Apache 2.2. Thanks to Jim Rodgers for the patch.

Turn off debug-level logging in the WebLogin login.fcgi script by default. The REMOTE_USER code now seems to be stable and working correctly and the extra verbose logging is not needed.

Remove extraneous newlines from the messages logged by the mod_webauth module.

WebAuth 3.5.2 (2006-07-13)

SECURITY: Modify the default templates to add ESCAPE=HTML when inserting the values of variables. Without telling HTML::Template to escape values in this fashion, a cross-site scripting attack is possible with at least the username field of the login form. Any site using customized templates should make the equivalent change to their templates.

Set Pragma: no-cache and Cache-Control: no-cache in the HTTP headers of all responses from the WebLogin scripts. This is particularly important for the logout script, since otherwise browsers may cache the logout page and not actually be logged out.

Don't ever redirect the user to the URL that attempts Apache authentication if they've already submitted the login form, even if they didn't supply a username or password. Once the user reaches the login page, the page flow should keep them there until they log in with username and password.

WebAuth 3.5.1 (2006-06-20)

Allow the submit button on the login page to return any value rather than requiring it to have the value "Login" so that the template can be more easily translated. Instead, the login form must include the tag:

    <input type="hidden" name="login" value="yes">

The form for attempting Apache remote-user authentication should not contain this tag. Existing login.tmpl files must be updated accordingly when upgrading to this version of the WebLogin server.

In the weblogin confirmation page, the variable remuser is now set to 1 if the user has a cookie indicating they want to try REMOTE_USER and is not set otherwise. This is a change from the previous behavior where it was set to either the string "checked" or the empty string. Templates using this variable will require modification. This change was made so that the WebLogin scripts don't assume a particular UI presentation.

Add an err_forced template variable for the login.tmpl file that indicates the user had a single sign-on configuration (either an existing cookie or a request to do REMUSER), but the authenticating web site requires username/password authentication. Existing login.tmpl files must be updated to include a reference to this variable (even if not otherwise used).

Add the @REALMS configuration option to the WebLogin configuration file, for use with Apache authentication where the resulting REMOTE_USER value may be in one of several realms and each realm should be treated identically.

Modify the default login template to show a single error message if the user provided neither username nor password rather than showing the missing username and missing password errors one after the other.

Fix decoding of time_t values in tokens on 64-bit platforms, a bug which usually manifested itself while reading keyrings. Thanks to pod for the analysis.

Properly check for apxs in configure so that an apxs under the provided Apache root will be found. Thanks to Marco Wise for the debugging.

WebAuth 3.5.0 (2006-03-20)

Rename the template variables used by the weblogin templates to be a bit more consistent and add an error variable to the login template that is set whenever there was any error. Existing weblogin templates will require modifications. See doc/weblogin-config for the new configuration and customization documentation.

Sometimes an Apache authentication mechanism should only be attempted if the user explicitly requests it since it may fail in a way that doesn't allow weblogin to proceed. SPNEGO is an example, since it has bad behavior with some browsers. Implement weblogin script support for the required more complex page flow and additional template variables.

Document in detail how to configure the weblogin front-end, including all of the template variables used and the configuration variables that can be set in /etc/webkdc/webkdc.conf.

Document in detail the page flow for the weblogin script and the variables it uses when rendering page templates.

WebAuthExtraRedirect is now the default. If you don't want this behavior, you now need to turn it off explicitly in the Apache configuration.

WebAuthExtraRedirect is now accepted at the server and virtual host level as well as in <Directory> and .htaccess files.

In the WebKDC installation instructions, stop recommending that the WebKDC /webkdc-service URL run on a different port than the regular SSL port. There's no reason why it and the weblogin service can't both run on the regular SSL port.

Preliminary port to Heimdal 0.6 (0.7 was previously supported). This has not yet been well-tested.

Recommend installing an SSL certificate before testing in INSTALL, since otherwise WebAuth would be unhappy. Combine a few steps together and also recommend WebAuthSSLRedirect on.

Change WebAuthSSLRedirect to on in the recommended and default configuration files, since it works with the standard installation instructions.

WebAuth 3.4.2 (2006-02-17)

Don't try to build the modules with -z defs. If it actually works, it breaks the build, since Apache modules refer to symbols that are only in httpd, not in any linked library.

Transform -pthread or -pthreads in the Kerberos compiler flags into something that apxs can handle. This is needed for some builds of Heimdal.

Add another fix for finding et/com_err.h on Red Hat, this time for mod_webauthldap.

Search for apxs2 in the path before apxs. WebAuth requires Apache 2.x, so if apxs2 is available, it's more likely the right thing to use than apxs. This change allows the WebAuth build to find apxs properly on Debian without extra configure flags.

Document the Kerberos ticket encoding for WebAuth tokens in the protocol specification.

WebAuth 3.4.1 (2006-02-06)

Revert the change in 3.4.0 to not strip WebAuth data from the URLs for unprotected URLs since it didn't work with .htaccess files.

Document the WebAuthStripURL directive as a partial replacement for the problem the reverted change was supposed to solve. This directive has always been supported but it was previously undocumented and not guaranteed to remain.

Port to Heimdal. The Kerberos implementation dependencies are all inside libwebauth, which can now be built with either MIT Kerberos or Heimdal. Mixed environments with some Heimdal-based WebAuth modules and some MIT-based modules should work correctly.

Avoid deprecated OpenLDAP interfaces whose prototypes are unavailable by default in OpenLDAP 2.3.

Support et/com_err.h as well as com_err.h for portability to Red Hat Enterprise Linux 4 and possibly other newer Red Hat-based Linux systems.

WebAuth 3.4.0 (2006-01-24)

Add support to the weblogin server and WebKDC module to trust an authentication identity asserted by Apache. This allows use of any authentication type that Apache supports as WebAuth authentication, in particular SPNEGO/GSSAPI.

Allow login.fcgi to be used as the target of an ErrorDocument Apache directive and read the query parameters from the redirect environment variable. This lets one use SPNEGO as the default and fall back on password authentication if it fails. To support this feature, there is an additional template variable for the login template, script_name, that should be used as the action of the login form.

The WebAuth module no longer strips WebAuth data (WEBAUTHR and WEBAUTHS) from the internal URL for requests to URLs not protected by WebAuth. This way, Apache with mod_webauth loaded will not interfere with applications that wish to implement the WebAuth protocol themselves. Thanks to Mats Henrikson for the report.

Rewrite the WebAuth protocol documentation in RFC 2629 XML. In the process, edited it extensively for consistency of terminology, updated it in a few places, and clarified the wording.

Better Kerberos library checks, including support for MIT Kerberos 1.4 and use of krb5-config where appropriate.

Add --enable-reduced-depends to configure to request the minimal possible shared library dependencies be encoded at run-time. This is for systems that properly implement transitive shared library dependencies, in order to minimize shared library conflicts introduced by SONAME changes and upgrades (mainly for Linux distribution packagers).

The public interface for the libwebauth library now uses char * uniformly instead of unsigned char *, since using the latter is too annoying and causes too many compiler warnings.

Remove more vestiges of S/Ident support. mod_webkdc will no longer recognize the old Apache S/Ident directives.

Ask the linker to be sure that all external references are defined when linking the Apache modules on Linux.

Lots of general documentation updates for clarity and style.

WebAuth 3.3.0 (2005-10-04)

All WebKDC support for S/Ident removed. The S/Ident protocol is inherently vulnerable to an active man-in-the-middle attack that is particularly severe for WebAuth, since S/Ident authentication is done by a single server and WebAuth users regularly visit that server. Exploiting this protocol flaw would allow an attacker to capture a single sign-on cookie and then impersonate the user to all WebAuth sites in that domain.

Add WebAuthLdapSeparator to specify the separator for multivalued attributes. When set in the server configuration, all values of a multivalued attribute are concatenated together, separated by that separator, and put into the base WEBAUTH_LDAP_* environment variable (rather than only the first one).

Clean up, expand, and improve the module documentation for mod_webauthldap.

Add symbol versioning for libwebauth on Linux. Symbol versioning is not supported on other platforms (at least yet).

WebAuth 3.2.8 (2005-06-03)

mod_webauth now treats empty keyrings the same as keyrings that cannot be read, which will force the creation of a new keyring if auto-update is turned on.

The mod_webkdc manual has been expanded and improved, fixing several documentation bugs (including a badly incorrect wa_keyring gc example).

WebAuth 3.2.7 (2005-04-23)

Update libtool to 1.5.6 (the Debian version) to support proper shared library builds on Linux MIPS.

In the weblogin login script, check to be sure the service token is set as well as the request token to avoid weird error messages from the WebKDC module later on.

WebAuth 3.2.6 (2005-04-19)

Rename the Perl bindings from WebAuth3 to WebAuth to match the name of the shared library.

WebAuth 3.2.5 (2005-04-14)

Downgrade most of the messages from mod_webauthldap to info from notice, including the messages about authorization. Downgrade the message about failed authorization from warning to notice. This seems more consistent with the Apache documentation of log levels.

WebAuth 3.2.4 (2004-08-25)

In the weblogin script, only check for cookies when the user is not using S/Ident to authenticate. This fixes the problem with users seeing the login page even if S/Ident is enabled, and then being allowed to proceed with S/Ident authentication after a simple page reload.

Clean up and comment the weblogin login and logout scripts and remove Perl module uses that are no longer needed.

Fix the error reporting in the WebKDC module when S/Ident requests fail. Previously, the actual error would never be reported.

WebAuth 3.2.3 (2004-06-23)

Long delays for some clients after redirects from mod_webauth should improve. The redirect was being returned without a body but also without a Content-Length, forcing clients supporting keep-alive to wait for a timeout. This may (but hopefully won't) cause more looping problems.

The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can be overridden by modifying that file.

Replace the sample WebLogin server templates with generic templates that don't use any Stanford-copyrighted logos or design.

Install a man page for wa_keyring and the header file for the webauth library.

WebAuth 3.2.2 (2004-03-02)

Add new WebAuthSSLReturn directive. If an unauthenticated user arrives via http at a WebAuth-protected page and is redirected to WebLogin, the return URL will use https.

Fix a bug in libwebauth that prevented wa_keyring from adding keys to an empty keyring file.

Add a new mod-config.h for Autoconf results that we want to use in module builds, and use this to fix compatibility in mod_webauthldap for older versions of the Kerberos libraries and remove code to add Autoconf results to the compile command line for mod_webkdc builds.

Fix various compilation problems with Sun cc, including signed vs. unsigned char mismatches and C++-style comments.

Fix invalid HTML in the templates for the weblogin pages.

Include the right compiler flags to find the extra Kerberos libraries we need when probing for S/Ident, if they're in a non-standard location that isn't the same as the S/Ident location.

Support older 1.2.x Kerberos libraries in mod_webauthldap.

Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

When AuthType is StanfordAuth, don't default to WebAuthDontCache. This appears to break IE 6.0 downloads.

Add WebAuthPostReturnURL directive to allow an app to deal with handling a POST that didn't have authentication.

When operating in legacy mode, only check LDAP for a group if it contains a colon. Otherwise, defer to Apache's normal group handling. This fixes handling of user-defined groups in .htaccess files when backward compatibility is turned on.

When a call to the LDAP server fails, try binding again and retrying the call before actually failing. The connection may have timed out or something else may have temporarily gone wrong. This will help with error messages about the LDAP server not being available.

Fix the setting of the interactive flag on S/Ident queries in the WebKDC.

Correct handling of successful S/Ident calls returning errors in mod_webkdc when debugging is turned off.

WebAuth 3.2.0 (2003-08-07)

Add S/Ident support to weblogin and the WebKDC.

Add a preliminary port to Windows. See windows/BUILD.txt for more information.

Fix a bug when handling sub-requests (like in mod_autoindex). This could have caused authentication information to be incorrect in pages generated by fancy indexing.

Add new WebKDC commands webkdcProxyToken and webkdcProxyTokenInfo.

Add three new functions to libwebauth: webauth_krb5_init_via_cache and webauth_krb5_{mk,rd}_req_with_data.

Remove the WebAuthProxyHeaders directive. Add new documentation to mod_webauth.xml that recommends people use mod_headers instead. See "Using WebAuth with Proxy Servers" in that document.

Modify WebAuthDontCache so it also adds "Pragma: no-cache" and "Cache-Control: no-cache" headers in addition to the "Expires" header.

Modify WebAuthDoLogout so that it enables WebAuthDontCache automatically. (If the logout page was cached, second and subsequent visits wouldn't remove the login cookie correctly.)

When returning redirects, make sure to set r->header_only so there is no extra content generated by Apache. Also set the same Expires, Pragma, and Cache-Control headers that WebAuthDontCache sets. This will hopefully work around the bugs that occur when caching redirects in some browsers.

Increased robustness of the privgroup handling in mod_webauthldap when the LDAP query returns multiple entries. Errors when looking for attributes in one entry no longer prevent checking for attributes in additional entries.

The WebLogin test cookie is now a session cookie like the WebAuth cookie, so we test what we use, and so it works correctly with browsers that disable non-session cookies.

Build portability fix for Tru64 and other platforms whose sed cannot handle multiline patterns.

Remove extra logging from mod_webauth/webkdc.c, and move other extraneous logging so that it is only logged at APLOG_DEBUG when WebAuthDebug is turned on.

WebAuth 3.1.2 (2003-05-29)

Multiple bugs were fixed in mod_webauthldap. It now supports multiple virtual hosts, uses memory more efficiently, and is more thread-safe.

Correctly construct the return URL for reverse proxies.

Don't try to decode a zero length service token cache file. Log a warning and return NULL as if there were no file.

Ported to Solaris 7 with gcc 2.95. Basic WebAuth (but not LDAP) ported to AIX 4.3.

Modify wa_keyring to not use getopt (not available on Windows), and change the strftime format from %T to %H:%M:%S (%T is also not available in the Windows strftime).

WebAuth 3.1.1 (2003-05-08)

Fix HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by changing the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

Add a new Apache module, mod_webauthldap, for LDAP directory information lookups via Kerberos v5 GSS-API binds. This module provides the same directory lookup capability as older versions of WebAuth, but does so against OpenLDAP servers, via Kerberos v5 authentication, and with considerably more flexible support for what attributes to query. See the mod_webauthldap manual for more details.

Add WebAuthSSLRedirect and WebAuthSSLRedirectPort directives so that users can be redirected from http to https when accessing a WebAuth-protected resource.

Add a WebAuthAuthType directive to help people transition to mod_webauth from older versions. This directive allows you to specify an additional AuthType name that will be treated the same as WebAuth. If this directive is set to StanfordAuth, it will also set two extra environment variables: SU_AUTH_USER and SU_AUTH_AGE (these were set by WebAuth 2.5).

Add more backward compatibility support for WebAuth 2.5 by allowing the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored
    StanfordAuthDoConfirm   -> warns to error_log if set to on
    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.
    StanfordAuthForceReload -> maps to WebAuthExtraRedirect
    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin
    StanfordAuthReturnURL   -> maps to WebAuthReturnURL
    StanfordAuthGroups      -> unsupported; if specified, access is denied

Allow these directives to be present in .htaccess files (they were previously only allowed in <Directory>/<Location> directives):

    WebAuthExtraRedirect
    WebAuthReturnURL
    WebAuthLoginCanceledURL
    WebAuthVarPrefix

This is in partial support of backward compatibility.

Add WebAuthProxyHeaders directive to pass WebAuth information to a proxied server. See the WebAuth module documentation for more information.

Add WebAuthWebKdcSSLCertCheck directive to enable/disable checking of the WebKDC SSL certificate. Defaults to "on" and should only be turned off for debugging/testing purposes.

Add a new WebAuthDontCache directive, which signals the browser not to cache the protected pages. Defaults to 0 (allow documents to be cached).

Modify the WebAuthKeytab and WebKdcKeytab directives so you can optionally specify which principal to use with the specified keytab, instead of using the first principal found. This is useful if the keytab contains multiple keys.

Remove the service token cache on restarts, so that a restart will clear up any inconsistencies between the server and the WebKDC.

Have the WebKDC re-read the token ACL file if its mtime changes.

Clean up environment variable setting. Set environment variables (r->subprocess_env) in the check_user_id hook instead of waiting until the fixups hook, so that they are accessible to other hooks and modules.

Add --with-apxs configure option to set the path to apxs independently from the path to the Apache installation. This was needed in order to easily build WebAuth on Linux distributions that install Apache following the Linux Filesystem Standard.

Fix several bugs in scrubbing WebAuth tokens from the URL.
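Removing authentication tokens from a URL before it is logged or used as a redirect target is the kind of operation the entry above refers to. The following is an added illustration written for this page, not WebAuth's own scrubbing code; the query parameter names WEBAUTHR and WEBAUTHS are assumed for the example, and the URLs are constructed. It shows the edge cases a scrubber has to get right: a token that is the only parameter (the "?" must disappear too), a token between other parameters, and a fragment that must survive untouched.

```python
"""Strip authentication tokens from a URL's query string.

Added example, not WebAuth's own code. The parameter names below are
assumed for illustration; the URLs in the usage block are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of the token-carrying query parameters.
TOKEN_PARAMS = frozenset({"WEBAUTHR", "WEBAUTHS"})


def scrub_tokens(url: str, token_params=TOKEN_PARAMS) -> str:
    """Return `url` with every query parameter named in `token_params` removed.

    Parameter order and non-token parameters are preserved, the fragment is
    left as-is, and if nothing remains of the query the "?" is dropped.
    """
    parts = urlsplit(url)
    # keep_blank_values so that "flag=" is not silently lost while scrubbing.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(key, value) for key, value in pairs if key not in token_params]
    query = urlencode(kept)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def has_token(url: str, token_params=TOKEN_PARAMS) -> bool:
    """True if `url` still carries a token parameter (useful as a post-check)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key in token_params for key, _ in pairs)


if __name__ == "__main__":
    # Constructed sample URLs covering the edge cases.
    samples = [
        "https://example.org/app/?WEBAUTHR=tok123",
        "https://example.org/app/?x=1&WEBAUTHR=tok123&y=2#top",
        "https://example.org/app/?WEBAUTHS=s1&WEBAUTHR=r1&keep=",
        "https://example.org/app/?x=1",
    ]
    for sample in samples:
        cleaned = scrub_tokens(sample)
        assert not has_token(cleaned)
        print(f"{sample}\n  -> {cleaned}")
```

The post-check `has_token` is worth keeping in real code: a scrubber that is only run on the happy path is exactly where the bugs the entry mentions tend to hide, so the cheapest defence is to verify the result before the URL reaches a log line or a Location header.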

If we are proxying or the URI passed to the server in the HTTP request has a scheme, use it as the return URL instead of constructing one relative to the server.

Restructure the mod_webauth code to define a pluggable credential interface, isolating all credential-related functions so that new credential types can easily be supported.

WebAuth 3.0.0 (2003-02-18)

Initial public release of WebAuth v3. This is a complete rewrite of the WebAuth system, sharing no common code with the previous release. It is now based on Apache 2.0, Kerberos v5, and a new infrastructure for managing authentication tokens.

This is the initial release with basic authentication support and Perl bindings only.
