                          WebAuth Change History

WebAuth 3.5.3 (2006-09-12)

 *) Add the connection IP address and, for Weblogin logins, the client IP
    address to the WebKDC log messages whenever processing XML requests.

 *) Document the log messages from the WebKDC in the mod_webkdc manual.

 *) Handle the renaming of ap_run_http_method to ap_run_http_scheme so
    that WebAuth will compile under Apache 2.2.  Thanks to Jim Rodgers for
    the patch.

 *) Turn off debug-level logging in the Weblogin login.fcgi script by
    default.  The REMOTE_USER code now seems to be stable and working
    correctly and the extra verbose logging is not needed.

 *) Remove extraneous newlines from the messages logged by the mod_webauth
    module.

 *) Remove duplicate definitions from src/modules/webauth/mod_webauth.h.
    Thanks to Robert A. Basch for the patch.

 *) Update libtool, config.guess, and config.sub to the latest Debian
    versions.

 *) Update how xml2rfc is run on make dist, since the latest version can't
    handle partial paths (at least in Debian).

WebAuth 3.5.2 (2006-07-13)

 *) SECURITY: Modify the default templates to add ESCAPE=HTML when
    inserting the values of variables.  Without telling HTML::Template to
    escape values in this fashion, a cross-site scripting attack is
    possible with at least the username field of the login form.  Any site
    using customized templates should make the equivalent change to their
    templates.
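    An added example, not part of the WebAuth distribution: a small audit
    script for sites with customized templates that lists every TMPL_VAR
    tag still lacking an ESCAPE attribute.  The sample template and the
    err_msg variable are constructed for illustration.

```python
import re

# Matches <TMPL_VAR ...> and the comment form <!-- TMPL_VAR ... -->.
# HTML::Template tag and attribute names are case-insensitive.
TMPL_VAR = re.compile(r"<(?:!--\s*)?TMPL_VAR\b([^>]*?)(?:--)?>", re.IGNORECASE)
ESCAPE = re.compile(r"\bESCAPE\s*=\s*[\"']?(\w+)", re.IGNORECASE)
NAME = re.compile(r"\bNAME\s*=\s*[\"']?([\w.\-/+]+)", re.IGNORECASE)
ATTR_PAIR = re.compile(r"\b\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)")

# ESCAPE values that switch escaping off rather than on.
DISABLED = {"0", "NONE"}


def unescaped_vars(template_text):
    """Return (line, variable, reason) for each TMPL_VAR without escaping."""
    findings = []
    for match in TMPL_VAR.finditer(template_text):
        attrs = match.group(1)
        esc = ESCAPE.search(attrs)
        mode = esc.group(1).upper() if esc else None
        if mode is not None and mode not in DISABLED:
            continue  # an escape mode such as ESCAPE=HTML is set
        named = NAME.search(attrs)
        if named:
            var = named.group(1)
        else:
            # Short form <TMPL_VAR foo>: the name is the bare word left
            # once attribute=value pairs are removed.
            bare = ATTR_PAIR.sub("", attrs).split()
            var = bare[0] if bare else "?"
        line = template_text.count("\n", 0, match.start()) + 1
        findings.append((line, var, mode or "missing"))
    return findings


# Constructed sample resembling a customized login.tmpl (not the shipped one).
SAMPLE_TEMPLATE = "\n".join([
    '<form action="<TMPL_VAR ESCAPE=HTML NAME=script_name>" method="post">',
    '<input type="hidden" name="login" value="yes">',
    '<input name="username" value="<TMPL_VAR NAME=username>">',
    '<p><!-- TMPL_VAR NAME="err_msg" ESCAPE=0 --></p>',
    '<p><TMPL_VAR remuser></p>',
    '</form>',
])

if __name__ == "__main__":
    for line, var, reason in unescaped_vars(SAMPLE_TEMPLATE):
        print(f"line {line}: {var} (ESCAPE {reason})")
```

    Each reported tag needs ESCAPE=HTML added, as in the default templates.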

 *) Set Pragma: no-cache and Cache-Control: no-cache in the HTTP headers
    of all responses from the Weblogin scripts.  This is particularly
    important for the logout script, since otherwise browsers may cache
    the logout page and not actually be logged out.

 *) Don't ever redirect the user to the URL that attempts Apache
    authentication if they've already submitted the login form, even if
    they didn't supply a username or password.  Once the user reaches the
    login page, the page flow should keep them there until they log in
    with username and password.

WebAuth 3.5.1 (2006-06-20)

 *) Allow the submit button on the login page to return any value rather
    than requiring it have the value "Login" so that the template can be
    more easily translated.  Instead, the login form must include the tag:

        <input type="hidden" name="login" value="yes">

    The form for attempting Apache remote-user authentication should not
    contain this tag.  Existing login.tmpl files must be updated
    accordingly when upgrading to this version of the Weblogin server.

 *) In the weblogin confirmation page, the variable remuser is now set to
    1 if the user has a cookie indicating they want to try REMOTE_USER and
    is not set otherwise.  This is a change from the previous behavior
    where it was set to either the string "checked" or the empty string.
    Templates using this variable will require modification.  This change
    was made so that the Weblogin scripts don't assume a particular UI
    presentation.

 *) Add an err_forced template variable for the login.tmpl file that
    indicates the user had a single sign-on configuration (either an
    existing cookie or a request to do REMUSER), but the authenticating
    web site requires username/password authentication.  Existing
    login.tmpl files must be updated to include a reference to this
    variable (even if not otherwise used).

 *) Add the @REALMS configuration option to the Weblogin configuration
    file, for use with Apache authentication where the resulting
    REMOTE_USER value may be in one of several realms and each realm
    should be treated identically.

 *) Modify the default login template to show a single error message if
    the user provided neither username nor password rather than showing
    the missing username and missing password errors one after the other.

 *) Fix decoding of time_t values in tokens on 64-bit platforms, a bug
    which usually manifested itself while reading keyrings.  Thanks to pod
    for the analysis.

 *) Properly check for apxs in configure so that an apxs under the
    provided Apache root will be found.  Thanks to Marco Wise for the
    debugging.

 *) Add a slash after any use of $(top_builddir) since Autoconf 2.60
    doesn't add the extraneous trailing slash any more.

 *) Add datarootdir to src/utils/Makefile.in since Autoconf 2.60 bases
    mandir on datarootdir.

 *) Initialize a few variables in the Perl bindings to suppress compiler
    warnings with gcc 4.1.

 *) Use a temporary variable rather than passing a pointer to unsigned int
    to a function that takes a pointer to int, and use intptr_t variables
    instead of int variables to hold numbers passed through Apache's
    configuration interface in pointer data types.  These changes fix
    warnings with gcc 4.1.

 *) Encode the right dependencies in the Makefile for libwebauth/krb5.c.

WebAuth 3.5.0 (2006-03-20)

 *) Rename the template variables used by the weblogin templates to be
    a bit more consistent and add an error variable to the login template
    that is set whenever there was any error.  Existing weblogin templates
    will require modifications.  See doc/weblogin-config for the new
    configuration and customization documentation.

 *) Sometimes an Apache authentication mechanism should only be attempted
    if the user explicitly requests it since it may fail in a way that
    doesn't allow weblogin to proceed.  SPNEGO is an example, since it has
    bad behavior with some browsers.  Implement weblogin script support
    for the required more complex page flow and additional template
    variables.

 *) Document in detail how to configure the weblogin front-end, including
    all of the template variables used and the configuration variables
    that can be set in /etc/webkdc/webkdc.conf.

 *) Document in detail the page flow for the weblogin script and the
    variables it uses when rendering page templates.

 *) WebAuthExtraRedirect is now the default.  If you don't want this
    behavior, you now need to turn it off explicitly in the Apache
    configuration.

 *) WebAuthExtraRedirect is now accepted at the server and virtual host
    level as well as in <Directory> and .htaccess files.

 *) In the WebKDC installation instructions, stop recommending that the
    WebKDC /webkdc-service URL run on a different port than the regular
    SSL port.  There's no reason why it and the weblogin service can't
    both run on the regular SSL port.

 *) Preliminary port to Heimdal 0.6 (0.7 was previously supported).  This
    has not yet been well-tested.

 *) Use webauth.stanford.edu as the canonical site for WebAuth instead of
    webauthv3.stanford.edu.

 *) Recommend installing an SSL certificate before testing in INSTALL,
    since otherwise WebAuth would be unhappy.  Combine a few steps
    together and also recommend WebAuthSSLRedirect on.

 *) Change WebAuthSSLRedirect to on in the recommended and default
    configuration files, since it works with the standard installation
    instructions.

 *) Turn off WebAuthExtraRedirect by default for all the tests so that
    they continue working as expected.

 *) Change the link for the first WebAuth test to "basic WebAuth" from
    "basic auth" to avoid confusion.

 *) Update to the latest config.sub, config.guess, and libtool.

WebAuth 3.4.2 (2006-02-17)

 *) Don't try to build the modules with -z defs.  If it actually works, it
    breaks the build, since Apache modules refer to symbols that are only
    in httpd, not in any linked library.

 *) Transform -pthread or -pthreads in the Kerberos compiler flags into
    something that apxs can handle.  This is needed for some builds of
    Heimdal.

 *) Added another fix for finding et/com_err.h on Red Hat, this time for
    mod_webauthldap.

 *) Search for apxs2 in the path before apxs.  WebAuth requires Apache
    2.x, so if apxs2 is available, it's more likely the right thing to use
    than apxs.  This change allows the WebAuth build to find apxs properly
    on Debian without extra configure flags.

 *) Documented the Kerberos ticket encoding for WebAuth tokens in the
    protocol specification.

 *) Some coding style cleanup in the Kerberos v5 parts of libwebauth.

WebAuth 3.4.1 (2006-02-06)

 *) Reverted the change in 3.4.0 to not strip WebAuth data from the URLs
    for unprotected URLs, since URLs with protection applied via .htaccess
    files aren't detected early enough in request processing to be
    recognized in the translation hook and look like they're unprotected.

 *) Documented the WebAuthStripURL directive as a partial replacement for
    the problem the reverted change was supposed to solve.  This directive
    has always been supported but it was previously undocumented and not
    guaranteed to remain.

 *) Ported to Heimdal.  The Kerberos implementation dependencies are all
    inside libwebauth, which can now be built with either MIT Kerberos or
    Heimdal.  Mixed environments with some Heimdal-based WebAuth modules
    and some MIT-based modules should work correctly.

 *) Use ldap_initialize and ldap_unbind_ext instead of the deprecated
    ldap_init and ldap_unbind interfaces, since the deprecated interfaces
    have been #ifdef'd out of the header file in OpenLDAP 2.3.

 *) Support et/com_err.h as well as com_err.h for portability to Red Hat
    Enterprise Linux 4 and possibly other newer Red Hat-based Linux
    systems.

 *) Include com_err.h properly in the mod_webauthldap source.

 *) Updated the software dependencies in README.

WebAuth 3.4.0 (2006-01-24)

 *) Added support to the weblogin server and WebKDC module to trust an
    authentication identity asserted by Apache.  This allows use of any
    authentication type that Apache supports as WebAuth authentication, in
    particular SPNEGO/GSSAPI.

 *) Allow login.fcgi to be used as the target of an ErrorDocument Apache
    directive and read the query parameters from the redirect environment
    variable.  This lets one use SPNEGO as the default and fall back on
    password authentication if it fails.  To support this feature, there
    is an additional template variable for the login template,
    script_name, that should be used as the action of the login form.

 *) The WebAuth module no longer strips WebAuth data (WEBAUTHR and
    WEBAUTHS) from the internal URL for requests to URLs not protected by
    WebAuth.  This way, Apache with mod_webauth loaded will not interfere
    with applications that wish to implement the WebAuth protocol
    themselves.   Thanks to Mats Henrikson for the report.

 *) Rewrote the WebAuth protocol documentation in RFC 2629 XML.  In the
    process, edited it extensively for consistency of terminology, updated
    it in a few places, and clarified the wording.

 *) Updated the Kerberos library probes in configure to use krb5-config
    where appropriate and to check for krb5support (MIT Kerberos 1.4) if
    krb5-config isn't available.

 *) Added --enable-reduced-depends to configure to request the minimal
    possible shared library dependencies be encoded at run-time.  This is
    for systems that properly implement transitive shared library
    dependencies, in order to minimize shared library conflicts introduced
    by SONAME changes and upgrades (mainly for Linux distribution
    packagers).

 *) The public interface for the libwebauth library now uses char *
    uniformly instead of unsigned char *, since using the latter is too
    annoying and causes too many compiler warnings.

 *) Remove more vestiges of S/Ident support.  mod_webkdc will no longer
    recognize the old Apache S/Ident directives.

 *) Ask the linker to be sure that all external references are defined
    when linking the Apache modules on Linux.

 *) Removed the old workaround for libgcc dependencies in libraries when
    building with a non-gcc compiler.  gcc has used a shared libgcc for a
    long time and this was always an edge case.

 *) mod_webkdc doesn't need to include cURL headers; it never uses cURL.

 *) Cleaned up lots of compiler warnings.  All of WebAuth now builds under
    gcc -Wall without warnings.

 *) Lots of general documentation updates for clarity and style.

 *) Removed some Stanford-specific parts of doc/install-webkdc since we
    don't need instructions for what to do at Stanford any more.
    Clarified the documentation slightly.

 *) Removed the Doxygen configuration and makefile targets.  Failed
    experiment.

WebAuth 3.3.0 (2005-10-04)

 *) All WebKDC support for S/Ident removed.  The S/Ident protocol is
    inherently vulnerable to an active man-in-the-middle attack that is
    particularly severe for WebAuth, since S/Ident authentication is done
    by a single server and WebAuth users regularly visit that server.
    Exploiting this protocol flaw would allow an attacker to capture a
    single sign-on cookie and then impersonate the user to all WebAuth
    sites in that domain.

 *) Added WebAuthLdapSeparator to specify the separator for multivalued
    attributes.  When set in the server configuration, all values of a
    multivalued attribute are concatenated together, separated by that
    separator, and put into the base WEBAUTH_LDAP_* environment variable
    (rather than only the first one).

 *) Cleaned up, expanded, and improved the module documentation for
    mod_webauthldap.

 *) Added symbol versioning for libwebauth on Linux.  Symbol versioning
    is not supported on other platforms (at least yet).

 *) Updated tools/config.guess and tools/config.sub to the latest Debian
    versions.

 *) Update HACKING for the new Subversion repository and to reflect our
    change in practice regarding pre-release versions.

 *) Consolidate all the duplicate copies of util.pl in the mod_webauthldap
    test suite.

 *) Updated tools/mkmanifest to ignore Subversion files.

WebAuth 3.2.8 (2005-06-03)

 *) mod_webauth now treats empty keyrings the same as keyrings that cannot
    be read, which will force the creation of a new keyring if auto-update
    is turned on.

 *) The mod_webkdc manual has been expanded and improved, fixing several
    documentation bugs (including a badly incorrect wa_keyring gc
    example).

 *) The .html files for the module manuals have been rebuilt using the
    current Apache 2.0 documentation tools after fixing various validation
    errors.

 *) Updated tools/config.guess and tools/config.sub to the latest Debian
    versions.

WebAuth 3.2.7 (2005-04-23)

 *) Update libtool to 1.5.6 (the Debian version) to support proper shared
    library builds on Linux MIPS.

 *) In the weblogin login script, check to be sure the service token is
    set as well as the request token to avoid weird error messages from
    the WebKDC module later on.

WebAuth 3.2.6 (2005-04-19)

 *) Rename the Perl bindings from WebAuth3 to WebAuth to match the name of
    the shared library.

WebAuth 3.2.5 (2005-04-14)

 *) Downgrade most of the messages from mod_webauthldap to info from
    notice, including the messages about authorization.  Downgrade the
    message about failed authorization from warning to notice.  This seems
    more consistent with the Apache documentation of log levels.

 *) Update tools/config.guess and tools/config.sub to the latest Debian
    versions.

 *) Drop the debian directory from the source distribution, following the
    Debian packaging best practices.

WebAuth 3.2.4 (2004-08-25)

 *) In the weblogin script, only check for cookies when the user is not
    using S/Ident to authenticate.  This fixes the problem with users
    seeing the login page even if S/Ident is enabled, and then being
    allowed to proceed with S/Ident authentication after a simple page
    reload.

 *) Cleaned up and commented the weblogin login and logout scripts and
    removed Perl module uses that are no longer needed.

 *) Fixed the error reporting in the WebKDC module when S/Ident requests
    fail.  Previously, the actual error would never be reported.

 *) Added a make maintclean target to remove everything that isn't in
    CVS.

 *) Added a prerm script for the Debian module packages to call a2dismod
    if the modules were enabled.

WebAuth 3.2.3 (2004-06-23)

 *) Modified the redirect code in mod_webauth to not set the header-only
    flag, since that was producing messages with no body but without a
    Content-Length header, forcing browsers that implemented keep-alive to
    time out before acting on the redirect.

 *) The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can
    be overridden by modifying that file.

 *) Replaced the sample weblogin server templates with generic templates
    that don't use any Stanford-copyrighted logos or design.

 *) Added build rules for Debian packages and added Debian packaging to
    the make dist target.

 *) Added wa_keyring.1 to the distribution and to the installation rules.

 *) Install the webauth.h header file along with the library.

 *) Portability fix to older versions of the cURL libraries.

 *) Add WebAuthAuthType StanfordAuth to the LDAP test configuration so
    that it would work even if that wasn't set globally.

 *) Improve the build system for the WebAuth Perl bindings and the Apache
    modules to avoid hard-coding rpath into either, to make it possible
    to generate policy-compliant Debian packages.

 *) Modified the Autoconf probes to tolerate --with-X without any argument,
    for all of the --with options.

 *) Fix a POD error in the WebKDC module.

WebAuth 3.2.2 (2004-03-02)

 *) Add new WebAuthSSLReturn directive. If an unauth'd user shows up
    via http at a webauth-protected page and gets redirected to weblogin,
    the return URL will be https.

 *) Fixed a bug in libwebauth that prevented wa_keyring from adding keys
    to an empty keyring file.

 *) Add a new mod-config.h for Autoconf results that we want to use in
    module builds, and use this to fix compatibility in mod_webauthldap
    for older versions of the Kerberos libraries and remove code to add
    Autoconf results to the compile command line for mod_webkdc builds.

 *) Fix lots of signed char vs. unsigned char mismatches and warnings by
    changing variable types and adding casts where appropriate.  This
    should significantly reduce the warnings produced when using the Sun
    compiler.

 *) Change C++-style // comments to C comments to make the Sun compiler
    happier.

 *) Improved the wa_keyring POD documentation.

 *) Include the right compiler flags to find the extra Kerberos libraries
    we need when probing for S/Ident, if they're in a non-standard
    location that isn't the same as the S/Ident location.

 *) Fix invalid HTML in the templates for the weblogin script.

 *) Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

 *) When AuthType is StanfordAuth, don't default to WebAuthDontCache.
    This appears to break IE 6.0 downloads.

 *) Add WebAuthPostReturnURL directive to allow an app to deal with 
    handling a POST that didn't have authentication.

 *) When operating in legacy mode, only check LDAP for a group if it
    contains a colon.  Otherwise, defer to Apache's normal group handling.

 *) When a call to the LDAP server fails, try binding again and retrying
    the call before actually failing.  The connection may have timed out
    or something else may have temporarily gone wrong.

 *) Improve logging of some LDAP lookup problems.

 *) Make sure the ident_set_authflag call is made after ident_set_authtype
    call.

 *) Corrected handling of successful S/Ident calls returning errors in
    mod_webkdc when debugging is turned off.

 *) Remove some unnecessary debugging code in mod_webkdc.

 *) Fixed an incorrect handling of a string transformation in the attrs
    code, likely only affecting a test failure on Tru64.

 *) Improve the handling of the configure probes to include the right
    prerequisites for Kerberos checks and to probe for libz before cURL.

WebAuth 3.2.0 (2003-08-07)

 *) Added S/Ident support to weblogin and the WebKDC.

 *) Added a preliminary port to Windows.  See windows/BUILD.txt for more
    information.

 *) Fixed bug when handling sub-requests (like in mod_autoindex).  Make
    sure to stash notes in the top-most main request.

 *) Add new WebKDC commands webkdcProxyToken and webkdcProxyTokenInfo.

 *) Add three new functions to libwebauth: webauth_krb5_init_via_cache
    and webauth_krb5_{mk,rd}_req_with_data.

 *) Removed WebAuthProxyHeaders directive.  Added new documentation
    to mod_webauth.xml that recommends people use mod_headers instead.
    See "Using WebAuth with Proxy Servers" in that document.

 *) Modified WebAuthDontCache so it also adds "Pragma: no-cache" and
    "Cache-Control: no-cache" headers in addition to the "Expires" header.

 *) Modified WebAuthDoLogout so that when it is enabled, WebAuthDontCache
    is enabled as well.

 *) When returning redirects, make sure to set r->header_only so there
    is no extra content generated by Apache.  Also set the same
    Expires, Pragma, and Cache-Control headers that WebAuthDontCache sets.

 *) Increased robustness of the privgroup handling in mod_webauthldap when
    the LDAP query returns multiple entries.  Errors when looking for
    attributes in one entry no longer prevent going on to check for
    attributes in additional entries.

 *) The weblogin test cookie is now a session cookie like the WebAuth
    cookie so that we test what we use and so that it works correctly with
    browsers that disable non-session cookies.

 *) Build portability fix for Tru64 and other platforms whose sed cannot
    handle multiline patterns.

 *) Removed extra logging from mod_webauth/webkdc.c, and moved other
    extraneous logging so it's only logged at a level of APLOG_DEBUG when
    WebAuthDebug is turned on.

 *) Added package-webauth and package-webkdc targets for maintainers to
    generate WebAuth module packages.

 *) DESTDIR support fixed for WebKDC installations.

 *) Tweaks to the WebKDC templates and images.

WebAuth 3.1.2 (2003-05-29)

 *) mod_webauthldap: Added mutexes around the entire ldap operation to 
    avoid GSSAPI thread safety issues.  All server_rec structures are now
    initialized, correctly supporting multiple virtual host
    configurations.  Refactored LDAP binds for better failback support,
    fixing a double free memory error.  Additional memory cleanup for krb5
    TGT operations. Fixed memory leak related to unbind after connection
    expiry, via ignoring SIGPIPE.

 *) mod_webauth: Correctly construct the return URL for reverse proxies
    (explicitly compare r->proxyreq to PROXYREQ_PROXY instead of testing
    for != PROXYREQ_NONE, which also matched PROXYREQ_REVERSE).

 *) mod_webauth: Don't try to attr decode a zero length service token 
    cache file.  Log a warning and return NULL like there was no file.

 *) Update configure.ac to check for netinet/in.h for the Windows build.

 *) Modify wa_keyring to not use getopt (not available on Windows),
    and change strftime format from %T to %H:%M:%S (%T is also not
    available in the Windows strftime).

 *) Fix a bug in libwebauth/krb5.c where we would try to call
    krb5_free_context on a NULL context.

 *) Expanded the libgcc linking hack to apply to all of the module builds
    rather than just the cURL link flags, since it showed up on Solaris 7
    affecting mod_webauthldap as well.  This fix is specific to Solaris.

 *) Ported the test suite driver to AIX 4.3 and tweaked the OpenLDAP
    library probe to handle operating systems without shared library
    dependencies.

 *) Fixed the installation rule for the test suite to properly honor
    DESTDIR.

 *) Cleaned up the sample configuration files somewhat and made them more
    consistent with each other.

WebAuth 3.1.1 (2003-05-08)

 *) Fixed HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by
    changing the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

 *) Add WebAuthSSLRedirect and WebAuthSSLRedirectPort directives to
    enable redirecting of users from http to https when accessing a
    WebAuth-protected resource.

 *) Add WebAuthWebKdcSSLCertCheck directive to enable/disable checking
    of the WebKDC SSL certificate. Defaults to "on" and should only be
    turned off for debugging/testing purposes.

 *) Added mod_webauthldap for LDAP directory information lookups via
    Kerberos v5 GSS-API binds.

 *) Add new WebAuthDontCache directive which sets r->no_cache. Defaults
    to 0 (allow documents to be cached).

 *) Allow these directives to be present in .htaccess files (they were
    previously only allowed in <Directory>/<Location> directives):

    WebAuthExtraRedirect
    WebAuthReturnURL
    WebAuthLoginCanceledURL
    WebAuthVarPrefix

 *) Add more backward compatibility support for WebAuth 2.5 by allowing
    the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored

    StanfordAuthDoConfirm   -> warns to error_log if set to on

    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.

    StanfordAuthForceReload -> maps to WebAuthExtraRedirect

    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin

    StanfordAuthReturnURL   -> maps to WebAuthReturnURL

    StanfordAuthGroups      -> unsupported, if specified access is denied
   
 *) Have the WebKDC re-read the token ACL file if its mtime changes.

 *) Added WebAuthAuthType directive to help people transition to
    mod_webauth.  This directive allows you to specify an additional
    AuthType name that will be treated the same as WebAuth.  If this
    directive is set to StanfordAuth, it will also set two extra
    environment variables: SU_AUTH_USER and SU_AUTH_AGE.

 *) Clean up environment variable setting.  Set environment variables
    (r->subprocess_env) in check_user_id hook instead of waiting until
    fixups hook to make them more accessible to other hooks/modules.

 *) When scrubbing tokens from r->args and r->parsed_uri.query, look
    for "?WEBAUTHR=" first, then "WEBAUTHR=".  If there were no query
    args, the tokens could get parsed as query args.  This caused tokens
    to show up as query args when we changed from ";WEBAUTHR=" to
    "?WEBAUTHR=".

 *) If we are proxying a request, strip out all webauth_* cookies and
    webauth tokens from the Referer header.  Also, if we are proxying or
    the URI passed to the server in the HTTP request has a scheme, use it
    as the return URL instead of constructing one relative to the server.

 *) Modify WebAuthKeytab and WebKdcKeytab directives so you can optionally
    specify which principal to use with the specified keytab, instead of
    using the first principal found.  This required modifying the
    webauth_krb5_* APIs.
 
 *) Implement WebAuthProxyHeaders directive.  See the WebAuth module
    documentation for more information.

 *) Clean up header includes in tests and wa_keyring.

 *) mod_{webauth,webkdc}.h - "module" declaration should be extern.

 *) Remove the service token cache in mod_webauth on restarts.

 *) Restructured the mod_webauth code to define a pluggable credential
    interface, isolating all credential-related functions so that new
    credential types can easily be supported.

 *) Added --with-apxs configure option to set the path to apxs
    independently from the path to the Apache installation.

WebAuth 3.0.0 (2003-02-18)

 *) Initial public release.
