WebAuth 3.5.1 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.5.1. This release contains some additional modifications to the weblogin code to make deployment of HTTP Negotiate (SPNEGO) authentication easier, to aid translation of templates, and to tell users when they're required by a WebAuth-protected site to re-enter their username and password. There is also a fix for reading keyrings on 64-bit platforms and for finding apxs during compilation.
Before upgrading the WebKDC and weblogin server to this release, be sure to read the changes below. Existing weblogin templates will require modifications to work with the new weblogin server code.
For documentation and downloads of WebAuth 3.5.1, see:
With this release, we have also updated all of the binary packages for Solaris, including new versions of Apache and the various prerequisite stow packages. If you are using the pre-built Solaris binaries, now would be a good time to update the various prerequisites as well as WebAuth itself.
The user-visible changes in this release are:
Allow the submit button on the login page to return any value rather than requiring it have the value "Login" so that the template can be more easily translated. Instead, the login form must include the tag:
<input type="hidden" name="login" value="yes">
The form for attempting Apache remote-user authentication should not contain this tag. Existing login.tmpl files must be updated accordingly when upgrading to this version of the Weblogin server.
In the weblogin confirmation page, the variable remuser is now set to 1 if the user has a cookie indicating they want to try REMOTE_USER and is not set otherwise. This is a change from the previous behavior where it was set to either the string "checked" or the empty string. Templates using this variable will require modification. This change was made so that the Weblogin scripts don't assume a particular UI presentation.
Add an err_forced template variable for the login.tmpl file that indicates the user had a single sign-on configuration (either an existing cookie or a request to do REMUSER), but the authenticating web site requires username/password authentication. Existing login.tmpl files must be updated to include a reference to this variable (even if not otherwise used).
Add the @REALMS configuration option to the Weblogin configuration file, for use with Apache authentication where the resulting REMOTE_USER value may be in one of several realms and each realm should be treated identically.
Fix decoding of time_t values in tokens on 64-bit platforms, a bug which usually manifested itself while reading keyrings. Thanks to pod for the analysis.
Properly check for apxs in configure so that an apxs under the provided Apache root will be found. Thanks to Marco Wise for the debugging.