WebAuth 3.2.0 Announcement
The ITSS WebAuth team is pleased to announce Stanford WebAuth 3.2.0. This newest version of WebAuth adds S/Ident support to the weblogin server, adds a preliminary port to Windows Apache, and fixes some bugs in the WebAuth and LDAP modules.
For documentation and downloads of WebAuth 3.2.0, see:
In this release, we've also updated the pre-build version of Apache to Apache 2.0.47. Pre-built binaries are, as before, available only for Solaris 8 and 9 at this time.
The user-visible changes in this release are:
Added S/Ident support to weblogin and the WebKDC.
Added a preliminary port to Windows. See the download page and the Windows install documentation for more details. Information about building WebAuth on Windows can be found in windows/BUILD.txt in the source distribution.
Fixed a bug when handling sub-requests (like in mod_autoindex). This could have caused authentication information to be incorrect in pages generated by fancy indexing.
Removed WebAuthProxyHeaders directive. Added new documentation to mod_webauth.xml that recommends people use mod_headers instead. See "Using WebAuth with Proxy Servers" in that document.
Modified WebAuthDontCache so it also adds "Pragma: no-cache" and "Cache-Control: no-cache" headers in addition to the "Expires" header.
Modified WebAuthDoLogout so that it enables WebAuthDontCache automatically. (If the logout page was cached, second and subsequent visits wouldn't remove the login cookie correctly.)
When returning redirects, make sure to set r->header_only so there is no extra content generated by Apache. Also set the same Expires, Pragma, and Cache-Control headers that WebAuthDontCache sets. This will hopefully work around the bugs that occur when caching redirects in some browsers.
Increased robustness of the privgroup handling in mod_webauthldap when the LDAP query returns multiple entries. Errors when looking for attributes in one entry no longer prevent checking for attributes in additional entries.
The weblogin test cookie is now a session cookie like the WebAuth cookie, so we test what we use, and so it works correctly with browsers that disable non-session cookies.
Build portability fix for Tru64 and other platforms whose sed cannot handle multiline patterns.
Removed extra logging from mod_webauth/webkdc.c, and moved other extraneous logging so it's only logged at a level of APLOG_DEBUG when WebAuthDebug is turned on.