                          WebAuth Change History

WebAuth 3.3.0 (2005-10-04)

 *) All WebKDC support for S/Ident removed.  The S/Ident protocol is
    inherently vulnerable to an active man-in-the-middle attack that is
    particularly severe for WebAuth, since S/Ident authentication is done
    by a single server and WebAuth users regularly visit that server.
    Exploiting this protocol flaw would allow an attacker to capture a
    single sign-on cookie and then impersonate the user to all WebAuth
    sites in that domain.

 *) Added WebAuthLdapSeparator to specify the separator for multivalued
    attributes.  When set in the server configuration, all values of a
    multivalued attribute are concatenated together, separated by that
    separator, and put into the base WEBAUTH_LDAP_* environment variable
    (rather than only the first one).

 *) Cleaned up, expanded, and improved the module documentation for
    mod_webauthldap.

 *) Added symbol versioning for libwebauth on Linux.  Symbol versioning
    is not supported on other platforms (at least yet).

 *) Updated tools/config.guess and tools/config.sub to the latest Debian
    versions.

 *) Update HACKING for the new Subversion repository and to reflect our
    change in practice regarding pre-release versions.

 *) Consolidate all the duplicate copies of util.pl in the mod_webauthldap
    test suite.

 *) Updated tools/mkmanifest to ignore Subversion files.

WebAuth 3.2.8 (2005-06-03)

 *) mod_webauth now treats empty keyrings the same as keyrings that cannot
    be read, which will force the creation of a new keyring if auto-update
    is turned on.

 *) The mod_webkdc manual has been expanded and improved, fixing several
    documentation bugs (including a badly incorrect wa_keyring gc
    example).

 *) The .html files for the module manuals have been rebuilt using the
    current Apache 2.0 documentation tools after fixing various validation
    errors.

 *) Updated tools/config.guess and tools/config.sub to the latest Debian
    versions.

WebAuth 3.2.7 (2005-04-23)

 *) Update libtool to 1.5.6 (the Debian version) to support proper shared
    library builds on Linux MIPS.

 *) In the weblogin login script, check to be sure the service token is
    set as well as the request token to avoid weird error messages from
    the WebKDC module later on.

WebAuth 3.2.6 (2005-04-19)

 *) Rename the Perl bindings from WebAuth3 to WebAuth to match the name of
    the shared library.

WebAuth 3.2.5 (2005-04-14)

 *) Downgrade most of the messages from mod_webauthldap to info from
    notice, including the messages about authorization.  Downgrade the
    message about failed authorization from warning to notice.  This seems
    more consistent with the Apache documentation of log levels.

 *) Update tools/config.guess and tools/config.sub to the latest Debian
    versions.

 *) Drop the debian directory from the source distribution, following the
    Debian packaging best practices.

WebAuth 3.2.4 (2004-08-25)

 *) In the weblogin script, only check for cookies when the user is not
    using S/Ident to authenticate.  This fixes the problem with users
    seeing the login page even if S/Ident is enabled, and then being
    allowed to proceed with S/Ident authentication after a simple page
    reload.

 *) Cleaned up and commented the weblogin login and logout scripts and
    remove Perl module uses that are no longer needed.

 *) Fixed the error reporting in the WebKDC module when S/Ident requests
    fail.  Previously, the actual error would never be reported.

 *) Added a make maintclean target to remove everything that isn't in
    CVS.

 *) Added a prerm script for the Debian module packages to call a2dismod
    if the modules were enabled.

WebAuth 3.2.3 (2004-06-23)

 *) Modified the redirect code in mod_webauth to not set the header-only
    flag, since that was producing messages with no body but without a
    Content-Length header, forcing browsers that implemented keep-alive to
    time out before acting on the redirect.

 *) The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can
    be overridden by modifying that file.

 *) Replaced the sample weblogin server templates with generic templates
    that don't use any Stanford-copyrighted logos or design.

 *) Added build rules for Debian packages and added Debian packaging to
    the make dist target.

 *) Added wa_keyring.1 to the distribution and to the installation rules.

 *) Install the webauth.h header file along with the library.

 *) Portability fix to older versions of the cURL libraries.

 *) Add WebAuthAuthType StanfordAuth to the LDAP test configuration so
    that it would work even if that wasn't set globally.

 *) Improve the build system for the WebAuth Perl bindings and the Apache
    modules to avoid hard-coding rpath into either, to make it possible
    to generate policy-compliant Debian packages.

 *) Modified the Autoconf probes to tolerate --with-X without any argument,
    for all of the --with options.

 *) Fix a POD error in the WebKDC module.

WebAuth 3.2.2 (2004-03-02)

 *) Add new WebAuthSSLReturn directive.  If an unauthenticated user
    arrives via http at a WebAuth-protected page and is redirected to
    weblogin, the return URL will be https.

 *) Fixed a bug in libwebauth that prevented wa_keyring from adding keys
    to an empty keyring file.

 *) Add a new mod-config.h for Autoconf results that we want to use in
    module builds, and use this to fix compatibility in mod_webauthldap
    for older versions of the Kerberos libraries and remove code to add
    Autoconf results to the compile command line for mod_webkdc builds.

 *) Fix lots of signed char vs. unsigned char mismatches and warnings by
    changing variable types and adding casts where appropriate.  This
    should significantly reduce the warnings produced when using the Sun
    compiler.

 *) Change C++-style // comments to C comments to make the Sun compiler
    happier.

 *) Improved the wa_keyring POD documentation.

 *) Include the right compiler flags to find the extra Kerberos libraries
    we need when probing for S/Ident, if they're in a non-standard
    location that isn't the same as the S/Ident location.

 *) Fix invalid HTML in the templates for the weblogin script.

 *) Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

 *) When AuthType is StanfordAuth, don't default to WebAuthDontCache.
    This appears to break IE 6.0 downloads.

 *) Add WebAuthPostReturnURL directive to allow an app to deal with 
    handling a POST that didn't have authentication.

 *) When operating in legacy mode, only check LDAP for a group if it
    contains a colon.  Otherwise, defer to Apache's normal group handling.

 *) When a call to the LDAP server fails, try binding again and retrying
    the call before actually failing.  The connection may have timed out
    or something else may have temporarily gone wrong.

 *) Improve logging of some LDAP lookup problems.

 *) Make sure the ident_set_authflag call is made after ident_set_authtype
    call.

 *) Corrected handling of successful S/Ident calls returning errors in
    mod_webkdc when debugging is turned off.

 *) Remove some unnecessary debugging code in mod_webkdc.

 *) Fixed an incorrect handling of a string transformation in the attrs
    code, likely only affecting a test failure on Tru64.

 *) Improve the handling of the configure probes to include the right
    prerequisites for Kerberos checks and to probe for libz before cURL.

WebAuth 3.2.0 (2003-08-07)

 *) Added S/Ident support to weblogin and the WebKDC.

 *) Added a preliminary port to Windows.  See windows/BUILD.txt for more
    information.

 *) Fixed bug when handling sub-requests (like in mod_autoindex).  Make
    sure to stash notes in the top-most main request.

 *) Add new WebKDC commands webkdcProxyToken and webkdcProxyTokenInfo.

 *) Add three new functions to libwebauth: webauth_krb5_init_via_cache
    and webauth_krb5_{mk,rd}_req_with_data.

 *) Removed WebAuthProxyHeaders directive.  Added new documentation
    to mod_webauth.xml that recommends people use mod_headers instead.
    See "Using WebAuth with Proxy Servers" in that document.

 *) Modified WebAuthDontCache so it also adds "Pragma: no-cache" and
    "Cache-Control: no-cache" headers in addition to the "Expires" header.

 *) Modified WebAuthDoLogout so when it is enabled so is WebAuthDontCache.

 *) When returning redirects, make sure to set r->header_only so there
    is no extra content generated by Apache.  Also set the same
    Expires, Pragma, and Cache-Control headers that WebAuthDontCache sets.

 *) Increased robustness of the privgroup handling in mod_webauthldap when
    the LDAP query returns multiple entries.  Errors when looking for
    attributes in one entry no longer prevent going on to check for
    attributes in additional entries.

 *) The weblogin test cookie is now a session cookie like the WebAuth
    cookie so that we test what we use and so that it works correctly with
    browsers that disable non-session cookies.

 *) Build portability fix for Tru64 and other platforms whose sed cannot
    handle multiline patterns.

 *) Removed extra logging from mod_webauth/webkdc.c, and moved other
    extraneous logging so it's only logged at a level of APLOG_DEBUG when
    WebAuthDebug is turned on.

 *) Added package-webauth and package-webkdc targets for maintainers to
    generate WebAuth module packages.

 *) DESTDIR support fixed for WebKDC installations.

 *) Tweaks to the WebKDC templates and images.

WebAuth 3.1.2 (2003-05-29)

 *) mod_webauthldap: Added mutexes around the entire ldap operation to 
    avoid GSSAPI thread safety issues.  All server_rec structures are now
    initialized, correctly supporting multiple virtual host
    configurations.  Refactored LDAP binds for better failback support,
    fixing a double free memory error.  Additional memory cleanup for krb5
    TGT operations. Fixed memory leak related to unbind after connection
    expiry, via ignoring SIGPIPE.

 *) mod_webauth: Correctly construct the return url for reverse proxies
    (explicitly compare r->proxyreq to PROXYREQ_PROXY instead of testing
    for != PROXYREQ_NONE, which also matched PROXYREQ_REVERSE).

 *) mod_webauth: Don't try to attr decode a zero length service token 
    cache file.  Log a warning and return NULL like there was no file.

 *) Update configure.ac to check for netinet/in.h for windows build.

 *) Modify wa_keyring to not use getopt (not available on windows),
    and change strftime format from %T to %H:%M:%S (%T also not available
    on windows strftime).

 *) Fix a bug in libwebauth/krb5.c where we would try to call
    krb5_free_context on a NULL context.

 *) Expanded the libgcc linking hack to apply to all of the module builds
    rather than just the cURL link flags, since it showed up on Solaris 7
    affecting mod_webauthldap as well.  This fix is specific to Solaris.

 *) Ported the test suite driver to AIX 4.3 and tweaked the OpenLDAP
    library probe to handle operating systems without shared library
    dependencies.

 *) Fixed the installation rule for the test suite to properly honor
    DESTDIR.

 *) Cleaned up the sample configuration files somewhat and made them more
    consistent with each other.

WebAuth 3.1.1 (2003-05-08)

 *) Fixed HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by
    changing the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

 *) Add WebAuthSSLRedirect and WebAuthSSLRedirectPort directives to
    enable redirecting of users from http to https when accessing a
    WebAuth-protected resource.

 *) Add WebAuthWebKdcSSLCertCheck directive to enable/disable checking
    of the WebKDC SSL certificate. Defaults to "on" and should only be
    turned off for debugging/testing purposes.

 *) Added mod_webauthldap for LDAP directory information lookups via
    Kerberos v5 GSS-API binds.

 *) Add new WebAuthDontCache directive which sets r->no_cache. Defaults
    to 0 (allow documents to be cached).

 *) Allow these directives to be present in .htaccess files (they were
    previously only allowed in <Directory>/<Location> directives):

    WebAuthExtraRedirect
    WebAuthReturnURL
    WebAuthLoginCanceledURL
    WebAuthVarPrefix

 *) Add more backward compatibility support for WebAuth 2.5 by allowing
    the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored

    StanfordAuthDoConfirm   -> warns to error_log if set to on

    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.

    StanfordAuthForceReload -> maps to WebAuthExtraRedirect

    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin

    StanfordAuthReturnURL   -> maps to WebAuthReturnURL

    StanfordAuthGroups      -> unsupported, if specified access is denied
   
 *) Have the WebKDC re-read the token ACL file if its mtime changes.

 *) Added WebAuthAuthType directive to help people transition to
    mod_webauth.  This directive allows you to specify an additional
    AuthType name that will be treated the same as WebAuth.  If this
    directive is set to StanfordAuth, it will also set two extra
    environment variables: SU_AUTH_USER and SU_AUTH_AGE.

 *) Clean up environment variable setting.  Set environment variables
    (r->subprocess_env) in check_user_id hook instead of waiting until
    fixups hook to make them more accessible to other hooks/modules.

 *) When scrubbing tokens from r->args and r->parsed_uri.query, look
    for "?WEBAUTHR=" first, then "WEBAUTHR=".  If there were no query
    args, the tokens could get parsed as query args.  This caused tokens
    to show up as query args when we changed from ";WEBAUTHR=" to
    "?WEBAUTHR=".

 *) If we are proxying a request, strip out all webauth_* cookies and
    webauth tokens from the Referer header.  Also, if we are proxying or
    the URI passed to the server in the HTTP request has a scheme, use it
    as the return URL instead of constructing one relative to the server.
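
    The token scrubbing from the entry before last and the cookie and
    Referer stripping from the entry above, shown as an added example in
    C.  This is illustrative code written for this change history, not
    mod_webauth's own; the query forms "a=1?WEBAUTHR=tok;" and
    "WEBAUTHR=tok;", the "; " cookie separator, the helper names
    scrub_webauthr, strip_webauth_cookies, scrub_matches and
    cookies_match, and every sample value are assumptions constructed for
    it.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative scrubber for the WEBAUTHR return token (not mod_webauth's
 * own code).  Query forms are assumptions made for this example: a token
 * appended to an existing query reads "a=1?WEBAUTHR=tok;", a token with
 * no pre-existing query reads "WEBAUTHR=tok;".  Truncates `query` in
 * place at the first marker.  "?WEBAUTHR=" is tried before "WEBAUTHR="
 * so the separating '?' goes with the token; the second search catches a
 * token that is the whole query, which would otherwise remain as a query
 * argument.  Works on a full URL (e.g. a Referer value) as well.
 * Returns 1 if a token was removed, 0 otherwise. */
int scrub_webauthr(char *query)
{
    static const char *const markers[] = { "?WEBAUTHR=", "WEBAUTHR=" };
    size_t i;

    if (query == NULL)
        return 0;
    for (i = 0; i < sizeof markers / sizeof markers[0]; i++) {
        char *p = strstr(query, markers[i]);
        if (p != NULL) {
            *p = '\0';
            return 1;
        }
    }
    return 0;
}

/* Copy a Cookie header value to `out`, dropping every cookie whose name
 * starts with "webauth_".  Cookies are assumed to be "; "-separated.
 * Returns the number of cookies dropped, or -1 if `out` is too small. */
int strip_webauth_cookies(const char *cookie, char *out, size_t outlen)
{
    int dropped = 0;
    size_t used = 0;
    const char *p = cookie;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*p != '\0') {
        const char *end = strchr(p, ';');
        size_t len = (end != NULL) ? (size_t)(end - p) : strlen(p);

        if (strncmp(p, "webauth_", 8) == 0) {
            dropped++;
        } else if (len > 0) {
            if (used + len + 2 >= outlen)
                return -1;
            if (used > 0) {           /* re-insert the separator */
                memcpy(out + used, "; ", 2);
                used += 2;
            }
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        if (end == NULL)
            break;
        for (p = end + 1; *p == ' '; p++)
            ;                         /* skip the space after ';' */
    }
    return dropped;
}

/* Scrub a copy of `in` and report whether the result equals `expected`. */
int scrub_matches(const char *in, const char *expected)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    scrub_webauthr(buf);
    return strcmp(buf, expected) == 0;
}

int cookies_match(const char *in, const char *expected)
{
    char buf[256];
    if (strip_webauth_cookies(in, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values, not real WebAuth tokens or cookies. */
    char q1[] = "a=1?WEBAUTHR=tok;";
    char q2[] = "WEBAUTHR=tok;";
    char out[256];

    scrub_webauthr(q1);
    scrub_webauthr(q2);
    strip_webauth_cookies("webauth_at=XYZ; session=abc; webauth_pt=Q; theme=dark",
                          out, sizeof out);
    printf("with args: \"%s\"  token only: \"%s\"  cookies: \"%s\"\n",
           q1, q2, out);
    return 0;
}
```

    Trying "WEBAUTHR=" first on the appended form would leave a dangling
    "a=1?"; trying only "?WEBAUTHR=" would miss the token-only query
    entirely and leave the token behind as an ordinary query argument,
    which is the failure the entry describes.  The scrubber truncates
    rather than splices because, under the assumed forms, the token is
    always the last thing in the query.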

 *) Modify WebAuthKeytab and WebKdcKeytab directives so you can optionally
    specify which principal to use with the specified keytab, instead of
    using the first principal found.  This required modifying the
    webauth_krb5_* APIs.
 
 *) Implement WebAuthProxyHeaders directive.  See the WebAuth module
    documentation for more information.

 *) Clean up header includes in tests and wa_keyring.

 *) mod_{webauth,webkdc}.h - "module" declaration should be extern.

 *) Remove the service token cache in mod_webauth on restarts.

 *) Restructured the mod_webauth code to define a pluggable credential
    interface, isolating all credential-related functions so that new
    credential types can easily be supported.

 *) Added --with-apxs configure option to set the path to apxs
    independently from the path to the Apache installation.

WebAuth 3.0.0 (2003-02-18)

 *) Initial public release.
