                       User-Visible WebAuth Changes

WebAuth 3.5.3 (2006-09-12)

 *) Add the connection IP address and, for Weblogin logins, the client IP
    address (as passed to the WebKDC by Weblogin) to the WebKDC log
    messages whenever processing XML requests.

 *) Document the log messages from the WebKDC in the mod_webkdc manual.

 *) Initial port to Apache 2.2.  Thanks to Jim Rodgers for the patch.

 *) Turn off debug-level logging in the Weblogin login.fcgi script by
    default.  The REMOTE_USER code now seems to be stable and working
    correctly and the extra verbose logging is not needed.

WebAuth 3.5.2 (2006-07-13)

 *) SECURITY: Modify the default templates to add ESCAPE=HTML when
    inserting the values of variables.  Without telling HTML::Template to
    escape values in this fashion, a cross-site scripting attack is
    possible with at least the username field of the login form.  Any site
    using customized templates should make the equivalent change to their
    templates.
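    As an added illustration of this change (not part of the WebAuth
    distribution or its shipped templates), the script below renders a
    constructed username through a template fragment once without and
    once with ESCAPE=HTML; it assumes HTML::Template is installed.

```perl
#!/usr/bin/perl
# Added example, not WebAuth code: demonstrates why the 3.5.2 templates
# add ESCAPE=HTML wherever a <TMPL_VAR> carries user-supplied data.
use strict;
use warnings;
use HTML::Template;

# Pre-3.5.2 style fragment (constructed): the variable is interpolated
# verbatim, so a quote in the value closes the attribute and any markup
# after it becomes live HTML.
my $unsafe_tmpl =
    '<input type="text" name="username" value="<TMPL_VAR NAME="username">">';

# 3.5.2 style fragment (constructed): ESCAPE=HTML turns &, ", \', < and >
# into character entities before insertion, so the value stays inside
# the attribute no matter what it contains.
my $safe_tmpl =
    '<input type="text" name="username" value="<TMPL_VAR NAME="username" ESCAPE="HTML">">';

# Constructed sample input, e.g. what a crafted query string could put
# into the username field of the login form.
my $username = '"><b>injected</b>';

# Render a template string with the given parameters and return the HTML.
sub render {
    my ($tmpl, %params) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl);
    $t->param(%params);
    return $t->output;
}

# A quick check a site could run over its own customized templates'
# output: user-controlled values must never appear as raw tags.
sub contains_raw_tag {
    my ($html, $value) = @_;
    return index($html, $value) >= 0 ? 1 : 0;
}

my $unsafe_html = render($unsafe_tmpl, username => $username);
my $safe_html   = render($safe_tmpl,   username => $username);

print "Without ESCAPE=HTML:\n$unsafe_html\n";
print "  raw markup present: ", contains_raw_tag($unsafe_html, $username), "\n";
print "With ESCAPE=HTML:\n$safe_html\n";
print "  raw markup present: ", contains_raw_tag($safe_html, $username), "\n";
```

    Sites with customized login.tmpl files can run their own variables
    through the same check to confirm every user-supplied value is
    escaped.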

 *) Set Pragma: no-cache and Cache-Control: no-cache in the HTTP headers
    of all responses from the Weblogin scripts.  This is particularly
    important for the logout script, since otherwise browsers may cache
    the logout page and not actually be logged out.

 *) Don't ever redirect the user to the URL that attempts Apache
    authentication if they've already submitted the login form, even if
    they didn't supply a username or password.  Once the user reaches the
    login page, the page flow should keep them there until they log in
    with username and password.

WebAuth 3.5.1 (2006-06-20)

 *) Allow the submit button on the login page to return any value rather
    than requiring it have the value "Login" so that the template can be
    more easily translated.  Instead, the login form must include the tag:

        <input type="hidden" name="login" value="yes">

    The form for attempting Apache remote-user authentication should not
    contain this tag.  Existing login.tmpl files must be updated
    accordingly when upgrading to this version of the Weblogin server.

 *) In the weblogin confirmation page, the variable remuser is now set to
    1 if the user has a cookie indicating they want to try REMOTE_USER and
    is not set otherwise.  This is a change from the previous behavior
    where it was set to either the string "checked" or the empty string.
    Templates using this variable will require modification.  This change
    was made so that the Weblogin scripts don't assume a particular UI
    presentation.

 *) Add an err_forced template variable for the login.tmpl file that
    indicates the user had a single sign-on configuration (either an
    existing cookie or a request to do REMUSER), but the authenticating
    web site requires username/password authentication.  Existing
    login.tmpl files must be updated to include a reference to this
    variable (even if not otherwise used).

 *) Add the @REALMS configuration option to the Weblogin configuration
    file, for use with Apache authentication where the resulting
    REMOTE_USER value may be in one of several realms and each realm
    should be treated identically.

 *) Fix decoding of time_t values in tokens on 64-bit platforms, a bug
    which usually manifested itself while reading keyrings.  Thanks to pod
    for the analysis.

 *) Properly check for apxs in configure so that an apxs under the
    provided Apache root will be found.  Thanks to Marco Wise for the
    debugging.

WebAuth 3.5.0 (2006-03-20)

 *) Rename the template variables used by the weblogin templates to be
    a bit more consistent and add an error variable to the login template
    that is set whenever there was any error.  Existing weblogin templates
    will require modifications.  See doc/weblogin-config for the new
    configuration and customization documentation.

 *) Sometimes an Apache authentication mechanism should only be attempted
    if the user explicitly requests it since it may fail in a way that
    doesn't allow weblogin to proceed.  SPNEGO is an example, since it has
    bad behavior with some browsers.  Implement weblogin script support
    for the required more complex page flow and additional template
    variables.

 *) Document in detail how to configure the weblogin front-end, including
    all of the template variables used and the configuration variables
    that can be set in /etc/webkdc/webkdc.conf.

 *) Document in detail the page flow for the weblogin script and the
    variables it uses when rendering page templates.

 *) WebAuthExtraRedirect is now the default.  If you don't want this
    behavior, you now need to turn it off explicitly in the Apache
    configuration.

 *) WebAuthExtraRedirect is now accepted at the server and virtual host
    level as well as in <Directory> and .htaccess files.

 *) In the WebKDC installation instructions, stop recommending that the
    WebKDC /webkdc-service URL run on a different port than the regular
    SSL port.  There's no reason why it and the weblogin service can't
    both run on the regular SSL port.

 *) Preliminary port to Heimdal 0.6 (0.7 was previously supported).  This
    has not yet been well-tested.

WebAuth 3.4.2 (2006-02-17)

 *) Don't try to build the modules with -z defs.  If it actually works, it
    breaks the build, since Apache modules refer to symbols that are only
    in httpd, not in any linked library.

 *) Transform -pthread or -pthreads in the Kerberos compiler flags into
    something that apxs can handle.  This is needed for some builds of
    Heimdal.

 *) Added another fix for finding et/com_err.h on Red Hat, this time for
    mod_webauthldap.

 *) Search for apxs2 in the path before apxs.  WebAuth requires Apache
    2.x, so if apxs2 is available, it's more likely the right thing to use
    than apxs.  This change allows the WebAuth build to find apxs properly
    on Debian without extra configure flags.

 *) Documented the Kerberos ticket encoding for WebAuth tokens in the
    protocol specification.

WebAuth 3.4.1 (2006-02-06)

 *) Reverted the change in 3.4.0 to not strip WebAuth data from the URLs
    for unprotected URLs since it didn't work with .htaccess files.

 *) Documented the WebAuthStripURL directive as a partial replacement for
    the problem the reverted change was supposed to solve.  This directive
    has always been supported but it was previously undocumented and not
    guaranteed to remain.

 *) Ported to Heimdal.  The Kerberos implementation dependencies are all
    inside libwebauth, which can now be built with either MIT Kerberos or
    Heimdal.  Mixed environments with some Heimdal-based WebAuth modules
    and some MIT-based modules should work correctly.

 *) Avoid deprecated OpenLDAP interfaces whose prototypes are unavailable
    by default in OpenLDAP 2.3.

 *) Support et/com_err.h as well as com_err.h for portability to Red Hat
    Enterprise Linux 4 and possibly other newer Red Hat-based Linux
    systems.

WebAuth 3.4.0 (2006-01-24)

 *) Added support to the weblogin server and WebKDC module to trust an
    authentication identity asserted by Apache.  This allows use of any
    authentication type that Apache supports as WebAuth authentication, in
    particular SPNEGO/GSSAPI.

 *) Allow login.fcgi to be used as the target of an ErrorDocument Apache
    directive and read the query parameters from the redirect environment
    variable.  This lets one use SPNEGO as the default and fall back on
    password authentication if it fails.  To support this feature, there
    is an additional template variable for the login template,
    script_name, that should be used as the action of the login form.

 *) The WebAuth module no longer strips WebAuth data (WEBAUTHR and
    WEBAUTHS) from the internal URL for requests to URLs not protected by
    WebAuth.  This way, Apache with mod_webauth loaded will not interfere
    with applications that wish to implement the WebAuth protocol
    themselves.  Thanks to Mats Henrikson for the report.

 *) Rewrote the WebAuth protocol documentation in RFC 2629 XML.  In the
    process, edited it extensively for consistency of terminology, updated
    it in a few places, and clarified the wording.

 *) Better Kerberos library checks, including support for MIT Kerberos 1.4
    and use of krb5-config where appropriate.

 *) Added --enable-reduced-depends to configure to request the minimal
    possible shared library dependencies be encoded at run-time.  This is
    for systems that properly implement transitive shared library
    dependencies, in order to minimize shared library conflicts introduced
    by SONAME changes and upgrades (mainly for Linux distribution
    packagers).

 *) The public interface for the libwebauth library now uses char *
    uniformly instead of unsigned char *, since using the latter is too
    annoying and causes too many compiler warnings.

 *) Remove more vestiges of S/Ident support.  mod_webkdc will no longer
    recognize the old Apache S/Ident directives.

 *) Lots of general documentation updates for clarity and style.

WebAuth 3.3.0 (2005-10-04)

 *) All WebKDC support for S/Ident removed.  The S/Ident protocol is
    inherently vulnerable to an active man-in-the-middle attack that is
    particularly severe for WebAuth, since S/Ident authentication is done
    by a single server and WebAuth users regularly visit that server.
    Exploiting this protocol flaw would allow an attacker to capture a
    single sign-on cookie and then impersonate the user to all WebAuth
    sites in that domain.

 *) Added WebAuthLdapSeparator to specify the separator for multivalued
    attributes.  When set in the server configuration, all values of a
    multivalued attribute are concatenated together, separated by that
    separator, and put into the base WEBAUTH_LDAP_* environment variable
    (rather than only the first one).

 *) Cleaned up, expanded, and improved the module documentation for
    mod_webauthldap.

WebAuth 3.2.8 (2005-06-03)

 *) mod_webauth now treats empty keyrings the same as keyrings that cannot
    be read, which will force the creation of a new keyring if auto-update
    is turned on.

 *) The mod_webkdc manual has been expanded and improved, fixing several
    documentation bugs (including a badly incorrect wa_keyring gc
    example).

WebAuth 3.2.7 (2005-04-23)

 *) Update libtool to 1.5.6 (the Debian version) to support proper shared
    library builds on Linux MIPS.

WebAuth 3.2.6 (2005-04-19)

 *) Rename the Perl bindings from WebAuth3 to WebAuth to match the name of
    the shared library.

WebAuth 3.2.5 (2005-04-14)

 *) Downgrade most of the messages from mod_webauthldap to info from
    notice, including the messages about authorization.  Downgrade the
    message about failed authorization from warning to notice.  This seems
    more consistent with the Apache documentation of log levels.

WebAuth 3.2.4 (2004-08-25)

 *) In the weblogin script, only check for cookies when the user is not
    using S/Ident to authenticate.  This fixes the problem with users
    seeing the login page even if S/Ident is enabled, and then being
    allowed to proceed with S/Ident authentication after a simple page
    reload.

WebAuth 3.2.3 (2004-06-23)

 *) Long delays for some clients after redirects from mod_webauth should
    improve.  The redirect was being returned without a body but also
    without a Content-Length, forcing clients supporting keep-alive to
    wait for a timeout.  This may (but hopefully won't) cause more looping
    problems.

 *) The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can
    be overridden by modifying that file.

 *) Replaced the sample weblogin server templates with generic templates
    that don't use any Stanford-copyrighted logos or design.

 *) Install a man page for wa_keyring and the header file for the webauth
    library.

 *) Added configuration and rules for Debian packages.

WebAuth 3.2.2 (2004-03-02)

 *) Add a new WebAuthSSLReturn directive.  If an unauthenticated user
    shows up via HTTP at a WebAuth-protected page and gets redirected to
    weblogin, the return URL will be HTTPS.

 *) Fixed a bug in libwebauth that prevented wa_keyring from adding keys
    to an empty keyring file.

 *) Fix various compilation problems with Sun cc, including signed vs.
    unsigned char mismatches and C++-style comments.

 *) Fix invalid HTML in the templates for the weblogin pages.

 *) Support older 1.2.x Kerberos libraries in mod_webauthldap.

 *) Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

 *) When AuthType is StanfordAuth, don't default to WebAuthDontCache.
    This appears to break IE 6.0 downloads.

 *) Add the WebAuthPostReturnURL directive to let an application handle
    a POST request that arrived without authentication.

 *) When operating in legacy mode, only check LDAP for a group if it
    contains a colon.  Otherwise, defer to Apache's normal group handling.
    This fixes handling of user-defined groups in .htaccess files when
    backward compatibility is turned on.

 *) When a call to the LDAP server fails, try binding again and retrying
    the call before actually failing.  The connection may have timed out
    or something else may have temporarily gone wrong.  This will help
    with error messages about the LDAP server not being available.

 *) Fix the setting of the interactive flag on S/Ident queries in the
    WebKDC.

 *) Corrected handling of successful S/Ident calls returning errors in
    mod_webkdc when debugging is turned off.

WebAuth 3.2.0 (2003-08-07)

 *) Added S/Ident support to weblogin and the WebKDC.

 *) Added a preliminary port to Windows.  See windows/BUILD.txt for more
    information.

 *) Fixed a bug when handling sub-requests (like in mod_autoindex).  This
    could have caused authentication information to be incorrect in pages
    generated by fancy indexing.

 *) Removed WebAuthProxyHeaders directive.  Added new documentation
    to mod_webauth.xml that recommends people use mod_headers instead.
    See "Using WebAuth with Proxy Servers" in that document.

 *) Modified WebAuthDontCache so it also adds "Pragma: no-cache" and
    "Cache-Control: no-cache" headers in addition to the "Expires" header.

 *) Modified WebAuthDoLogout so that it enables WebAuthDontCache
    automatically.  (If the logout page was cached, second and subsequent
    visits wouldn't remove the login cookie correctly.)

 *) When returning redirects, make sure to set r->header_only so there
    is no extra content generated by Apache.  Also set the same Expires,
    Pragma, and Cache-Control headers that WebAuthDontCache sets.  This
    will hopefully work around the bugs that occur when caching redirects
    in some browsers.

 *) Increased robustness of the privgroup handling in mod_webauthldap when
    the LDAP query returns multiple entries.  Errors when looking for
    attributes in one entry no longer prevent checking for attributes in
    additional entries.

 *) The weblogin test cookie is now a session cookie like the WebAuth
    cookie, so we test what we use, and so it works correctly with
    browsers that disable non-session cookies.

 *) Build portability fix for Tru64 and other platforms whose sed cannot
    handle multiline patterns.

 *) Removed extra logging from mod_webauth/webkdc.c, and moved other
    extraneous logging so it's only logged at a level of APLOG_DEBUG when
    WebAuthDebug is turned on.

WebAuth 3.1.2 (2003-05-29)

 *) mod_webauthldap has several bug fixes, supports multiple virtual
    hosts, and has improved memory usage and thread safety.

 *) Correctly construct the return URL for reverse proxies.

 *) Ported to Solaris 7 with gcc 2.95.  Basic WebAuth (but not LDAP)
    ported to AIX 4.3.

WebAuth 3.1.1 (2003-05-08)

 *) Fixed HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by
    changing the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

 *) Added a new Apache module, mod_webauthldap, for LDAP directory
    information lookups via Kerberos v5 GSS-API binds.  This module
    provides the same directory lookup capability as older versions of
    WebAuth, but does so against OpenLDAP servers, via Kerberos v5
    authentication, and with considerably more flexible support for what
    attributes to query.  See the mod_webauthldap manual for more details.

 *) Added WebAuthSSLRedirect and WebAuthSSLRedirectPort directives so
    that users can be redirected from http to https when accessing
    a WebAuth-protected resource.

 *) Added a WebAuthAuthType directive to help people transition to
    mod_webauth from older versions.  This directive allows you to specify
    an additional AuthType name that will be treated the same as WebAuth.
    If this directive is set to StanfordAuth, it will also set two extra
    environment variables: SU_AUTH_USER and SU_AUTH_AGE (these were set
    by WebAuth 2.5).

 *) Added more backward compatibility support for WebAuth 2.5 by allowing
    the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored

    StanfordAuthDoConfirm   -> warns to error_log if set to on

    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.

    StanfordAuthForceReload -> maps to WebAuthExtraRedirect

    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin

    StanfordAuthReturnURL   -> maps to WebAuthReturnURL

    StanfordAuthGroups      -> unsupported, if specified access is denied

 *) Allowed these directives to be present in .htaccess files (they were
    previously only allowed in <Directory>/<Location> directives):

        WebAuthExtraRedirect
        WebAuthReturnURL
        WebAuthLoginCanceledURL
        WebAuthVarPrefix

    This is in partial support of backward compatibility.

 *) Added WebAuthProxyHeaders directive to pass WebAuth information to
    a proxied server.  See the WebAuth module documentation for more
    information.

 *) Added WebAuthWebKdcSSLCertCheck directive to enable/disable checking
    of the WebKDC SSL certificate.  Defaults to "on" and should only
    be turned off for debugging/testing purposes.

 *) Added new WebAuthDontCache directive, which signals a browser not to
    cache those web pages.  Defaults to 0 (allow documents to be cached).

 *) Modified WebAuthKeytab and WebKdcKeytab directives so you can
    optionally specify which principal to use with the specified keytab,
    instead of using the first principal found.  This is useful if the
    keytab contains multiple keys.

 *) Removed the service token cache on restarts, so that a restart will
    clear up any inconsistencies between the server and the WebKDC.

 *) Have the WebKDC re-read the token ACL file if its mtime changes.

 *) Added --with-apxs configure option to set the path to apxs
    independently from the path to the Apache installation.  This was
    needed in order to easily build WebAuth on Linux distributions that
    install Apache following the Linux Filesystem Standard.

 *) Bug fixed in scrubbing WebAuth tokens from the URL.

WebAuth 3.0.0 (2003-02-18)

 *) Initial public release of WebAuth v3.  This is a complete rewrite of
    the WebAuth system, sharing no common code with the previous release.
    It is now based on Apache 2.0, Kerberos v5, and a new infrastructure
    for managing authentication tokens.

 *) This is the initial release with basic authentication support and Perl
    bindings only.
