ANNOUNCE: WebAuth 3.6.1 released
eagle at windlord.stanford.edu
Tue Jul 14 19:46:40 PDT 2009

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.1. This
release focuses primarily on improvements to the WebLogin server,
particularly in the confirmation page and support for bypassing that page
in various circumstances. It also contains significant code restructuring
and build system updates that will make further improvements easier.

As of this release, WebAuth is now maintained in Git. Russ Allbery hosts
a gitweb interface to the repository and an anonymous Git server at:

For documentation and downloads of WebAuth 3.6.1, see:

New Debian packages have been uploaded to Debian unstable. Updated Red
Hat packages will be available shortly. We are no longer producing binary
builds for Solaris.

The user-visible changes in this release are:

Setting $BYPASS_CONFIRM in the WebLogin configuration now also
suppresses the confirmation page after username/password login
provided that the browser supports HTTP/1.1 (and the web server tells
the WebLogin script that in the form Apache does).

Setting $BYPASS_CONFIRM to the special value "id" in the WebLogin
configuration suppresses the confirmation page only if the WebAuth
Application Server requests an id token (in other words, only asks for
the user's identity). If it instead requests a proxy token, which
would allow it to later ask for delegated user credentials, the
confirmation page is still displayed.

Add a new WebLogin configuration variable $TOKEN_ACL. If set to the
path of the token.acl file used by the WebKDC, and if the WebAuth
Application Server requests a proxy token, the list of credentials the
WAS may request is provided to the confirmation page template for
display to the user. See doc/weblogin-config for more information.

WebLogin now sets and updates its cookies after successful
authentication even if the confirmation screen is bypassed. This
primarily affects the update of the expiration time of the REMOTE_USER

Handle err_confirm in the error.tmpl sample template and document this
in doc/weblogin-config. This error is returned when redisplaying the
confirmation page after a change in the REMOTE_USER cookie.

Fix a coding error in login.fcgi when redisplaying the confirmation
page fails. Thanks to pod for the report.

Fix an off-by-one error in error code to error string mapping in
WebKDC::WebKDCException that resulted in incorrect error names in
WebLogin error messages. Thanks to pod for the report.

The WebLogin scripts and templates are now installed by default under
/usr/local/share/weblogin. This can be modified with the --prefix or
--datadir options to configure.

There is no longer an install-tests target; instead, to install the
test suite, copy the directories under tests/mod_webauth recursively.
This will be replaced by a better test suite mechanism in a future
version of WebAuth.

Update the mod_webauth documentation to reflect that separate WebAuth
servers in the same load-balanced pool can use separate keytabs. Only
the keyring needs to be shared between systems.

Improved the comments in the provided sample configuration files.

Update the INSTALL documentation for obtaining keytabs for Stanford
users to reference wallet instead of leland_srvtab.

If you have any problems or questions about WebAuth 3.6.1 or WebAuth in
general, please join and send them to the webauth-info at lists.stanford.edu
mailing list via:

Stanford users may also file a HelpSU ticket.

Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS UNIX Systems and Applications, Stanford University