                       User-Visible WebAuth Changes

WebAuth 3.3.0 (2005-10-04)

 *) All WebKDC support for S/Ident removed.  The S/Ident protocol is
    inherently vulnerable to an active man-in-the-middle attack that is
    particularly severe for WebAuth, since S/Ident authentication is done
    by a single server and WebAuth users regularly visit that server.
    Exploiting this protocol flaw would allow an attacker to capture a
    single sign-on cookie and then impersonate the user to all WebAuth
    sites in that domain.

 *) Added WebAuthLdapSeparator to specify the separator for multivalued
    attributes.  When set in the server configuration, all values of a
    multivalued attribute are concatenated together, separated by that
    separator, and put into the base WEBAUTH_LDAP_* environment variable
    (rather than only the first one).
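
    Below is an added example of how an application running behind
    mod_webauthldap can consume such a concatenated variable; it is not
    WebAuth code.  It assumes the application knows the separator set with
    WebAuthLdapSeparator, that each attribute is exported as WEBAUTH_LDAP_
    followed by the upper-cased attribute name (that naming is an
    assumption of the example), and it constructs its sample environment
    inline.  It also includes the check an administrator should run before
    picking a separator: a value that itself contains the separator cannot
    be split apart again once the module has joined the values.

```python
"""Read multivalued WEBAUTH_LDAP_* attributes from a CGI environment.

Added example; not part of WebAuth.  Assumes mod_webauthldap is configured
with WebAuthLdapSeparator and exports each requested attribute as
WEBAUTH_LDAP_<ATTR>; the upper-casing of the attribute name is this
example's assumption, not something the release notes state.
"""

PREFIX = "WEBAUTH_LDAP_"


def ldap_values(environ, attr, separator):
    """Return the list of values for LDAP attribute `attr`.

    An unset variable means the attribute was absent, so return [].  An
    empty string is treated the same way: a separator-joined list of zero
    elements cannot be told apart from one empty value.
    """
    raw = environ.get(PREFIX + attr.upper())
    if not raw:
        return []
    return raw.split(separator)


def check_separator(values, separator):
    """Return the values that contain the separator.

    Such values cannot be recovered after joining, so a non-empty result
    means the administrator should choose a different WebAuthLdapSeparator
    (for example a character the attribute's LDAP syntax forbids).  The
    values come from the directory itself, e.g. ldapsearch output.
    """
    return [v for v in values if separator in v]


# Constructed sample environment, as the module would populate it with
# WebAuthLdapSeparator set to "|".
SAMPLE_ENV = {
    "WEBAUTH_USER": "alice",
    "WEBAUTH_LDAP_MAIL": "alice@example.com|alice.smith@example.com",
    "WEBAUTH_LDAP_DISPLAYNAME": "Alice Smith",
}

if __name__ == "__main__":
    for attr in ("mail", "displayName", "telephoneNumber"):
        print(attr, ldap_values(SAMPLE_ENV, attr, "|"))
    # A DN-valued attribute joined with "," would be ambiguous:
    print(check_separator(["cn=foo,dc=example,dc=com"], ","))
```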

 *) Cleaned up, expanded, and improved the module documentation for
    mod_webauthldap.

WebAuth 3.2.8 (2005-06-03)

 *) mod_webauth now treats empty keyrings the same as keyrings that cannot
    be read, which will force the creation of a new keyring if auto-update
    is turned on.

 *) The mod_webkdc manual has been expanded and improved, fixing several
    documentation bugs (including a badly incorrect wa_keyring gc
    example).

WebAuth 3.2.7 (2005-04-23)

 *) Update libtool to 1.5.6 (the Debian version) to support proper shared
    library builds on Linux MIPS.

WebAuth 3.2.6 (2005-04-19)

 *) Rename the Perl bindings from WebAuth3 to WebAuth to match the name of
    the shared library.

WebAuth 3.2.5 (2005-04-14)

 *) Downgrade most mod_webauthldap log messages from notice to info,
    including the messages about authorization.  Downgrade the message
    about failed authorization from warning to notice.  This seems more
    consistent with the Apache documentation of log levels.

WebAuth 3.2.4 (2004-08-25)

 *) In the weblogin script, only check for cookies when the user is not
    using S/Ident to authenticate.  This fixes the problem with users
    seeing the login page even if S/Ident is enabled, and then being
    allowed to proceed with S/Ident authentication after a simple page
    reload.

WebAuth 3.2.3 (2004-06-23)

 *) Long delays seen by some clients after redirects from mod_webauth
    should be reduced.  The redirect was returned without a body but also
    without a Content-Length header, so clients using keep-alive could
    not tell that the response had ended and waited for a timeout.  This
    may (but hopefully won't) cause more looping problems.

 *) The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can
    be overridden by modifying that file.

 *) Replaced the sample weblogin server templates with generic templates
    that don't use any Stanford-copyrighted logos or design.

 *) Install a man page for wa_keyring and the header file for the webauth
    library.

 *) Added configuration and rules for Debian packages.

WebAuth 3.2.2 (2004-03-02)

 *) Add new WebAuthSSLReturn directive.  When it is enabled and an
    unauthenticated user reaches a WebAuth-protected page via http and is
    redirected to weblogin, the return URL passed to weblogin uses https.

 *) Fixed a bug in libwebauth that prevented wa_keyring from adding keys
    to an empty keyring file.

 *) Fix various compilation problems with Sun cc, including signed vs.
    unsigned char mismatches and C++-style comments.

 *) Fix invalid HTML in the templates for the weblogin pages.

 *) Support older 1.2.x Kerberos libraries in mod_webauthldap.

 *) Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

 *) When AuthType is StanfordAuth, don't default to WebAuthDontCache.
    Defaulting it on appears to break downloads in IE 6.0.

 *) Add WebAuthPostReturnURL directive so that an application can handle
    a POST request that arrived without authentication.

 *) When operating in legacy mode, only check LDAP for a group if it
    contains a colon.  Otherwise, defer to Apache's normal group handling.
    This fixes handling of user-defined groups in .htaccess files when
    backward compatibility is turned on.

 *) When a call to the LDAP server fails, bind again and retry the call
    before reporting failure.  The connection may have timed out or
    something else may have gone wrong temporarily.  This should reduce
    spurious errors about the LDAP server not being available.

 *) Fix the setting of the interactive flag on S/Ident queries in the
    WebKDC.

 *) Corrected handling of successful S/Ident calls returning errors in
    mod_webkdc when debugging is turned off.

WebAuth 3.2.0 (2003-08-07)

 *) Added S/Ident support to weblogin and the WebKDC.

 *) Added a preliminary port to Windows.  See windows/BUILD.txt for more
    information.

 *) Fixed a bug when handling sub-requests (like in mod_autoindex).  This
    could have caused authentication information to be incorrect in pages
    generated by fancy indexing.

 *) Removed WebAuthProxyHeaders directive.  Added new documentation
    to mod_webauth.xml that recommends people use mod_headers instead.
    See "Using WebAuth with Proxy Servers" in that document.

 *) Modified WebAuthDontCache so it also adds "Pragma: no-cache" and
    "Cache-Control: no-cache" headers in addition to the "Expires" header.

 *) Modified WebAuthDoLogout so that it enables WebAuthDontCache
    automatically.  (If the logout page was cached, second and subsequent
    visits wouldn't remove the login cookie correctly.)

 *) When returning redirects, make sure to set r->header_only so there
    is no extra content generated by Apache.  Also set the same Expires,
    Pragma, and Cache-Control headers that WebAuthDontCache sets.  This
    will hopefully work around the bugs that occur when caching redirects
    in some browsers.
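
    The following added example (not WebAuth code) audits an HTTP redirect
    for both problems recorded in these notes: the missing Content-Length
    that left keep-alive clients waiting for a timeout (fixed in 3.2.3) and
    the Expires, Pragma and Cache-Control headers that WebAuthDontCache and
    redirects now send.  The two responses it checks are constructed for
    the example; the weblogin URL is a placeholder.

```python
"""Audit an HTTP redirect for the two problems described in these notes.

Added example, not WebAuth code.  A bodiless redirect must carry
Content-Length: 0 so a keep-alive client knows the response has ended,
and a redirect or logout page must carry the Expires, Pragma and
Cache-Control headers that WebAuthDontCache sets so a browser does not
replay a cached copy instead of contacting the server.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def header(headers, name):
    """All values of `name` from a list of (name, value) pairs, any case."""
    return [v for n, v in headers if n.lower() == name.lower()]


def expires_in_past(value, now=None):
    """True if an Expires value is already expired.

    An unparsable date (servers commonly send "0" or "-1") counts as
    already expired, as RFC 7234 section 5.3 specifies.
    """
    now = now or datetime.now(timezone.utc)
    try:
        exp = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return exp <= now


def audit_redirect(status, headers, body=b"", now=None):
    """Return a list of problems; an empty list means the redirect is clean."""
    problems = []
    if status not in REDIRECT_STATUSES:
        problems.append("status %d is not a redirect" % status)
    if not header(headers, "Location"):
        problems.append("missing Location")
    # Keep-alive: without Content-Length the client cannot know the (empty)
    # body has ended and waits until the server times the connection out.
    lengths = header(headers, "Content-Length")
    if not lengths:
        problems.append("missing Content-Length")
    elif not lengths[0].strip().isdigit() or int(lengths[0]) != len(body):
        problems.append("Content-Length %r does not match body length %d"
                        % (lengths[0], len(body)))
    # Caching: the three headers WebAuthDontCache sets.
    if "no-cache" not in " ".join(header(headers, "Cache-Control")).lower():
        problems.append("Cache-Control lacks no-cache")
    if "no-cache" not in " ".join(header(headers, "Pragma")).lower():
        problems.append("Pragma lacks no-cache")
    expires = header(headers, "Expires")
    if not expires:
        problems.append("missing Expires")
    elif not expires_in_past(expires[0], now):
        problems.append("Expires is in the future")
    return problems


# Constructed responses; the weblogin URL is a placeholder.
LOGIN = "https://weblogin.example.com/login"
BAD_REDIRECT = (302, [("Location", LOGIN)])
GOOD_REDIRECT = (302, [
    ("Location", LOGIN),
    ("Content-Length", "0"),
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
])

if __name__ == "__main__":
    print("bad: ", audit_redirect(*BAD_REDIRECT))
    print("good:", audit_redirect(*GOOD_REDIRECT))
```

    Run against a live server, the same function can be fed the status and
    header list returned by any HTTP client; feeding it the body as well
    catches a Content-Length that disagrees with what was actually sent.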

 *) Increased robustness of the privgroup handling in mod_webauthldap when
    the LDAP query returns multiple entries.  Errors when looking for
    attributes in one entry no longer prevent checking for attributes in
    additional entries.

 *) The weblogin test cookie is now a session cookie like the WebAuth
    cookie, so we test what we use, and so it works correctly with
    browsers that disable non-session cookies.

 *) Build portability fix for Tru64 and other platforms whose sed cannot
    handle multiline patterns.

 *) Removed extra logging from mod_webauth/webkdc.c, and moved other
    extraneous logging so it's only logged at a level of APLOG_DEBUG when
    WebAuthDebug is turned on.

WebAuth 3.1.2 (2003-05-29)

 *) mod_webauthldap has several bug fixes, supports multiple virtual
    hosts, uses memory more efficiently, and is more thread-safe.

 *) Correctly construct the return URL for reverse proxies.

 *) Ported to Solaris 7 with gcc 2.95.  Basic WebAuth (but not LDAP)
    ported to AIX 4.3.

WebAuth 3.1.1 (2003-05-08)

 *) Fixed HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by
    changing the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

 *) Added a new Apache module, mod_webauthldap, for LDAP directory
    information lookups via Kerberos v5 GSS-API binds.  This module
    provides the same directory lookup capability as older versions of
    WebAuth, but does so against OpenLDAP servers, via Kerberos v5
    authentication, and with considerably more flexible support for what
    attributes to query. See the mod_webauthldap manual for more details.

 *) Added WebAuthSSLRedirect and WebAuthSSLRedirectPort directives so
    that users can be redirected from http to https when accessing
    a WebAuth-protected resource.

 *) Added a WebAuthAuthType directive to help people transition to
    mod_webauth from older versions.  This directive allows you to specify
    an additional AuthType name that will be treated the same as WebAuth.
    If this directive is set to StanfordAuth, it will also set two extra
    environment variables: SU_AUTH_USER and SU_AUTH_AGE (these were set
    by WebAuth 2.5).

 *) Added more backward compatibility support for WebAuth 2.5 by allowing
    the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored

    StanfordAuthDoConfirm   -> warns to error_log if set to on

    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.

    StanfordAuthForceReload -> maps to WebAuthExtraRedirect

    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin

    StanfordAuthReturnURL   -> maps to WebAuthReturnURL

    StanfordAuthGroups      -> unsupported, if specified access is denied

 *) Allowed these directives to be present in .htaccess files (they were
    previously only allowed in <Directory>/<Location> directives):

        WebAuthExtraRedirect
        WebAuthReturnURL
        WebAuthLoginCanceledURL
        WebAuthVarPrefix

    This is in partial support of backward compatibility.

 *) Added WebAuthProxyHeaders directive to pass WebAuth information to
    a proxied server.  See the WebAuth module documentation for more
    information.

 *) Added WebAuthWebKdcSSLCertCheck directive to enable/disable checking
    of the WebKDC SSL certificate.  Defaults to "on" and should only
    be turned off for debugging/testing purposes.

 *) Added new WebAuthDontCache directive, which signals a browser not to
    cache those web pages.  Defaults to 0 (allow documents to be cached).

 *) Modified WebAuthKeytab and WebKdcKeytab directives so you can
    optionally specify which principal to use with the specified keytab,
    instead of using the first principal found.  This is useful if the
    keytab contains multiple keys.

 *) Removed the service token cache on restarts, so that a restart will
    clear up any inconsistencies between the server and the WebKDC.

 *) Have the WebKDC re-read the token ACL file if its mtime changes.
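
    An added example of that reload pattern, with the checks a practitioner
    would want around it; it is not WebKDC code, and the ACL format it
    parses (one "<principal> <token-type>" pair per line, "#" comments) is
    a placeholder assumed for the example, not the real token ACL format.
    The points it makes: comparing mtime alone misses a rewrite that lands
    within the filesystem's timestamp granularity of the previous one, so
    the example compares (mtime, size, inode), which also catches a file
    replaced by an atomic rename; and a half-written or malformed file must
    never replace a good ACL, so a parse failure keeps the old one.

```python
"""Re-read a configuration file when it changes on disk, the way the
WebKDC re-reads its token ACL file when the mtime changes.

Added example, not WebKDC code.  The ACL format below is a placeholder
this example assumes, not the real WebKDC format.
"""
import os
import tempfile


def parse_acl(text):
    """Placeholder ACL parser: returns a list of (principal, token_type)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 2 fields" % lineno)
        entries.append((fields[0], fields[1]))
    return entries


class ReloadingFile:
    def __init__(self, path, parse):
        self.path, self.parse = path, parse
        self._sig, self.value, self.reloads = None, None, 0

    def _signature(self):
        # mtime alone can miss a same-second rewrite; size and inode also
        # change when the file is edited in place or renamed into place.
        st = os.stat(self.path)
        return (st.st_mtime_ns, st.st_size, st.st_ino)

    def get(self):
        """Return parsed contents, re-reading only when the file changed."""
        for _ in range(3):
            sig = self._signature()
            if sig == self._sig:
                return self.value
            with open(self.path) as f:
                text = f.read()
            if self._signature() != sig:
                continue  # rewritten while we read it; read it again
            try:
                new = self.parse(text)
            except ValueError:
                return self.value  # malformed or half-written: keep old ACL
            self.value, self._sig = new, sig
            self.reloads += 1
            return self.value
        return self.value


def _write(path, text):
    """Write the file, then push mtime one second forward so the change is
    visible even on filesystems with one-second timestamps."""
    with open(path, "w") as f:
        f.write(text)
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 10 ** 9))


def demo():
    """Run the reload scenario on a temporary file; returns what was seen."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token.acl")
        _write(path, "webauth/svc.example.com@EXAMPLE.COM id  # service\n")
        acl = ReloadingFile(path, parse_acl)
        first = acl.get()
        again = acl.get()                   # unchanged: no re-read
        _write(path, "webauth/svc.example.com@EXAMPLE.COM id\n"
                     "webauth/other.example.com@EXAMPLE.COM cred\n")
        second = acl.get()                  # changed: re-read
        _write(path, "garbage line with too many fields here\n")
        broken = acl.get()                  # malformed: old ACL kept
        return first, again, second, broken, acl.reloads


if __name__ == "__main__":
    for label, seen in zip(("first", "again", "second", "broken", "reloads"),
                           demo()):
        print(label, seen)
```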

 *) Added --with-apxs configure option to set the path to apxs
    independently from the path to the Apache installation.  This was
    needed in order to easily build WebAuth on Linux distributions that
    install Apache following the Linux Filesystem Standard.

 *) Fixed a bug in scrubbing WebAuth tokens from the URL.

WebAuth 3.0.0 (2003-02-18)

 *) Initial public release of WebAuth v3.  This is a complete rewrite of
    the WebAuth system, sharing no common code with the previous release.
    It is now based on Apache 2.0, Kerberos v5, and a new infrastructure
    for managing authentication tokens.

 *) This is the initial release with basic authentication support and Perl
    bindings only.
