ANNOUNCE: WebAuth 3.7.4 released
eagle at windlord.stanford.edu
Wed May 11 16:20:20 PDT 2011

I'm pleased to announce release 3.7.4 of WebAuth. This is a minor feature
release that adds support for optional authentication. It also fixes
problems with WebLogin password change, compatibility with new Perl
libraries, build issues with Solaris 10 and RHEL 5, and some other minor

For documentation and downloads of WebAuth 3.7.4, see:

New Debian packages have been uploaded to Debian unstable. New Red Hat
packages will be coming soon.

The user-visible changes in this release are:

WebAuth now supports a new Apache configuration directive,
WebAuthOptional, which can be used in directories and .htaccess files.
If set to on, unauthenticated users are not redirected to WebLogin and
are instead allowed access to the protected resource, but without any
REMOTE_USER or related environment variables set. However, if the
user was previously authenticated to that server, their authentication
information will be present in the environment as normal. This is
intended for use with dynamic content, such as embedded PHP or CGI
scripts, that will inspect REMOTE_USER and decide what content to show
based on the authentication status. Normally, unauthenticated users
would also be shown a login link to a URL protected by WebAuth without
this directive so that they can authenticate if desired. This feature
is sometimes referred to as "passive authentication" or "lazy
sessions." Based on work by niklas.

Previous versions of WebLogin interpreted a "message stream modified"
error on password change as a failure of strength checking because
that error was incorrectly returned by MIT Kerberos for password
strength checking errors with a Heimdal KDC. This turned out to be a
bug in MIT Kerberos, which is now avoided by using a different library
API call that doesn't have that bug. This workaround has now been
removed, so the error reporting from WebLogin on password change will
now be more accurate.

Disable TLS certificate verification in WebLogin if the WebKDC URL is
at localhost, since the presented certificate will generally not be a
localhost certificate. This fixes an incompatibility with libwww-perl
versions later than 5.837, which changed the default value for

Fix compilation error in libwebauth if assert() calls are enabled and
the local C library doesn't define an index function. Fixes
compilation problems on Solaris 10.

Fix an Autoconf probe for the Heimdal Kerberos implementation.

Export the defines to enable system extensions to the module config
header as well. Fixes build problems with APR on Red Hat Enterprise
Linux 5, which requires _GNU_SOURCE be defined before including APR
headers to define off64_t.

Avoid problems with generating the pkg-config configuration file when
the Kerberos linker flags contain commas.

Print a clearer warning in WebLogin when used with a mod_webkdc
older than 3.6.1 and therefore missing the request token type in the

Document the pt and sa key/value pairs in WebKDC logs in the

Be more defensive in mod_webauth against an Apache request struct that
doesn't have the notes table or per-directory configuration filled in,
which seems to happen under the Apache included with Solaris 10 x86.
Based on a patch by Gary Buhrmaster.

Update to rra-c-util 3.4:

* Fix broken GCC attribute markers causing compilation problems.
* Kerberos library probing fixes without transitive shared libraries.
* Fix Autoconf warnings when probing for AIX's bundled Kerberos.
* Update warning flags for GCC 4.6.1.

Update to C TAP Harness 1.7:

* Fix compilation of runtests with more aggressive warnings.
* Add a more complete usage message and a -h command-line flag.
* Flush stderr before printing output from tests.
* Better handle running shell tests without BUILD and SOURCE set.

Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
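
An added example (not code from WebAuth or from this announcement) of the kind of script the WebAuthOptional entry describes: it inspects REMOTE_USER and decides what to show, while failing closed for anything that must not run anonymously. The function names and the /login/ path are assumptions for illustration.

```python
import html

# Assumption: /login/ is a path protected by WebAuth *without* WebAuthOptional,
# so following the link forces the normal redirect to WebLogin.
LOGIN_URL = "/login/"

def current_user(environ):
    """Authenticated user from the server-set REMOTE_USER, else None.

    HTTP_* keys are copied from request headers and are client-controlled,
    so a forged "Remote-User:" header (HTTP_REMOTE_USER) is never consulted.
    """
    user = (environ.get("REMOTE_USER") or "").strip()
    return user or None

def render(environ):
    """Return (headers, body) for a page served with WebAuthOptional on."""
    user = current_user(environ)
    # One URL now has per-user content: keep it out of shared caches.
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Cache-Control", "private, no-store")]
    if user is None:
        body = f'<p>Not logged in. <a href="{LOGIN_URL}">Log in</a></p>'
    else:
        body = f"<p>Logged in as {html.escape(user)}.</p>"
    return headers, body

def require_user(environ):
    """Fail closed: call before any action that must not run anonymously."""
    user = current_user(environ)
    if user is None:
        raise PermissionError("authentication required")
    return user

# Constructed sample environments (not captured from a real server).
SAMPLES = {
    "anonymous": {"REQUEST_METHOD": "GET"},
    "authenticated": {"REQUEST_METHOD": "GET", "REMOTE_USER": "jdoe"},
    "forged header": {"REQUEST_METHOD": "GET", "HTTP_REMOTE_USER": "admin"},
}

if __name__ == "__main__":
    # Under Apache CGI, call render(os.environ) and print headers then body.
    for label, env in SAMPLES.items():
        print(label, "->", render(env)[1])
```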