Stanford WebAuth News
- 2008-04-02
Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.6.0 from the download page, thanks to Darren Patterson.
- 2008-03-22
WebAuth 3.6.0 has been released. This release mostly affects the WebKDC and WebLogin server, adding multiple new features and improving handling of Kerberos cross-realm authentication. It also fixes one bug in the WebAuth module that caused problems for requests with sub-requests (such as mod_autoindex).
See the release announcement for more information.
- 2008-01-14
WebAuth 3.5.5 has been released. This release fixes an environment handling bug in mod_webauthldap and improves cookie and Shibboleth handling in WebLogin.
See the release announcement for more information.
- 2007-04-24
WebAuth 3.5.4 has been released. This release fixes mod_webauthldap configuration parsing, adds various minor feature enhancements, and improves presentation of Shibboleth IdP authentication.
See the release announcement for more information.
- 2006-12-04
Mats Henrikson has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new release adds a logout filter, adds improved debugging and testing, and fixes some other bugs. Several of the improvements were contributed by Matthew Buckett.
This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.
- 2006-10-04
Mats Henrikson has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new release adds support for des-cbc-crc encryption types and fixes a few other minor issues.
This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.
- 2006-09-12
WebAuth 3.5.3 has been released. This release improves and documents the logging in the WebKDC module and adds initial support for Apache 2.2.
See the release announcement for more information.
- 2006-07-13
WebAuth 3.5.2 has been released. This release fixes a security vulnerability in the default Weblogin templates (as noted below) and fixes several other bugs in the Weblogin code. The changes are only to Weblogin; clients have no need to upgrade from 3.5.1.
See the release announcement for more information.
- 2006-07-13
A cross-site scripting vulnerability has been discovered in the sample WebLogin templates distributed with WebAuth, and it therefore probably affects any WebLogin templates based on them. Anyone running a WebLogin server needs to replace any instance of:
<TMPL_VAR NAME=variable>
with:
<TMPL_VAR ESCAPE=HTML NAME=variable>
in their templates. Successful exploitation of this vulnerability could be used to steal users' passwords. A new release of WebAuth containing this fix to the sample templates will be forthcoming shortly.
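One way to audit a set of templates for the tag described above, as an added example that is not part of the WebAuth distribution: it reports every TMPL_VAR tag that has no ESCAPE attribute and can apply the ESCAPE=HTML replacement. The sample template and its variable names (err_msg, username, RT, footer) are constructed for illustration.

```python
import re

# HTML::Template tags are case-insensitive and may be written as
# <TMPL_VAR ...> or in comment form <!-- TMPL_VAR ... -->.
TAG = re.compile(r"<(?:!--\s*)?TMPL_VAR\b([^>]*?)\s*(?:--)?>", re.IGNORECASE)
ESCAPE = re.compile(r"\bESCAPE\s*=\s*[\"']?([A-Za-z0-9]+)", re.IGNORECASE)

def find_unescaped(template):
    """Return (line_number, tag) for each TMPL_VAR emitted without escaping."""
    findings = []
    for m in TAG.finditer(template):
        esc = ESCAPE.search(m.group(1))
        # ESCAPE=0 and ESCAPE=NONE explicitly switch escaping off.
        if esc is None or esc.group(1).upper() in ("0", "NONE"):
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings

def add_html_escape(template):
    """Insert ESCAPE=HTML into every TMPL_VAR tag that has no ESCAPE attribute."""
    def repl(m):
        if ESCAPE.search(m.group(1)):
            return m.group(0)  # explicit ESCAPE settings are left for manual review
        head = m.start(1) - m.start()  # length of "<TMPL_VAR" or "<!-- TMPL_VAR"
        tag = m.group(0)
        return tag[:head] + " ESCAPE=HTML" + tag[head:]
    return TAG.sub(repl, template)

# Constructed sample template (not taken from the WebAuth sources).
SAMPLE = """<html><body>
<h1>Login</h1>
<p class="error"><TMPL_VAR NAME=err_msg></p>
<input name="username" value="<tmpl_var name="username">">
<input type="hidden" name="RT" value="<TMPL_VAR ESCAPE=HTML NAME=RT>">
<!-- TMPL_VAR NAME=footer -->
</body></html>
"""

if __name__ == "__main__":
    for line, tag in find_unescaped(SAMPLE):
        print(f"line {line}: unescaped {tag}")
    print(add_html_escape(SAMPLE))
```

Tags that already carry an ESCAPE setting are not rewritten, so anything still reported after the fix is an explicit opt-out that needs a manual decision.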
- 2006-06-23
RPMs of WebAuth 3.5.1 (only the WebAuth server modules, not the WebKDC components) for Red Hat Enterprise Linux 4 are now available from the download page. Source RPMs are also available and can be used to rebuild WebAuth on other Red Hat-derived distributions. These RPMs are not yet widely tested. Please report any problems.
- 2006-06-21
WebAuth 3.5.1 has been released. This release contains some additional modifications to the weblogin code to make deployment of HTTP Negotiate (SPNEGO) authentication easier, to aid translation of templates, and to tell users when they're required by a WebAuth-protected site to re-enter their username and password. There is also a fix for reading keyrings on 64-bit platforms and for finding apxs during compilation.
The pre-built Solaris packages, prerequisite stow packages, and Apache binaries have also been updated to more recent versions.
See the release announcement for more information.
- 2006-05-04
Thanks to Oxford University Computing Services and Mats Henrikson, an experimental implementation of the WebAuth protocol in Java is available. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.
- 2006-03-20
WebAuth 3.5.0 has been released. This is a significant update of the weblogin code to support optionally using an Apache authentication mechanism such as SPNEGO (the previous support was all or nothing). As part of this update, the weblogin page flow and configuration options have been thoroughly documented and the template variables updated, regularized, and expanded. For the regular WebAuth module, WebAuthExtraRedirect is now the default.
See the release announcement for more information.
- 2006-03-16
The WebAuth web pages have been expanded and improved, most notably adding a new overview of WebAuth features and comparison to other systems. The mailing lists have been moved to Mailman and are now archived.
- 2006-02-17
WebAuth 3.4.2 has been released. This is primarily a portability release that fixes some problems on Red Hat systems and with Heimdal builds.
See the release announcement for more information.
- 2006-02-06
WebAuth 3.4.1 has been released. This release reverts the change to keep WebAuth data in the URL for unprotected URLs, since it interacted poorly with .htaccess files. As a partial replacement, the option WebAuthStripURL is now documented and supported.
As of this release, WebAuth supports the Heimdal implementation of Kerberos in addition to the MIT implementation, and no longer uses deprecated OpenLDAP interfaces. It should also correctly find the com_err header on newer versions of Red Hat.
See the release announcement for more information.
- 2006-01-24
WebAuth 3.4.0 has been released. This release adds SPNEGO support to the Weblogin server, which allows clients with Kerberos tickets and browsers that support the SPNEGO authentication protocol with Kerberos V5 GSSAPI to never have to enter their credentials into any web page. As a side effect, any other Apache authentication mechanism is now supported on the Weblogin server, so client-side certificates (for example) can now also be used.
In addition, the WebAuth module no longer removes WebAuth data from URLs for unprotected content, so it can sit alongside another implementation of WebAuth. The protocol specification has been rewritten and improved, the Kerberos library probes when building from source have been significantly improved, and there are other minor improvements (particularly in the documentation).
See the release announcement for more information.
- 2005-10-04
WebAuth 3.3.0 has been released. This release removes support for S/Ident due to a security flaw in the protocol, adds another option for multi-value attribute handling in LDAP lookups, and improves the LDAP module documentation.
See the release announcement for more information.
- 2005-06-04
WebAuth 3.2.8 has been released. This is a minor bug fix release fixing handling of empty keyring files and improving the WebKDC module documentation. The Solaris binary packages, stow packages, and Apache build have been updated to more recent versions as part of this release and Debian packages are available.
See the release announcement for more information.
- 2005-04-23
WebAuth 3.2.7 has been released. This is a minor bug fix release that also updates libtool for better portability to some platforms. Most users will have no reason to upgrade.
See the release announcement for more information.
- 2005-04-19
WebAuth 3.2.6 has been released. The only change in this release is the renaming of the Perl bindings from WebAuth3 to WebAuth to match the name of the shared library. Most users will have no reason to upgrade.
See the release announcement for more information.
- 2005-04-14
WebAuth 3.2.5 has been released. This is mostly a packaging release but does fix the priority of messages from mod_webauthldap. Most users will have no reason to upgrade.
See the release announcement for more information.
- 2004-09-17
WebAuth 3.2.4 has been released. This is a bug fix release for the WebKDC only, and specifically in the S/Ident support. Most users will have no reason to upgrade.
See the release announcement for more information.
- 2004-06-29
WebAuth 3.2.3 has been released. This release fixes long delays after redirects from the WebAuth module on some browsers and changes the WebKDC templates to something more generic. Also new in this release are experimental Debian packages.
See the release announcement for more information.
- 2004-03-19
The OpenSSL stow packages have been updated to version 0.9.7d because of denial of service vulnerabilities in OpenSSL 0.9.7c. No other WebAuth packages should have to be updated, as the new version of OpenSSL is backward-compatible with the previous version. The new version is available from the stow packages page.
- 2004-03-02
WebAuth 3.2.2 has been released. This release adds WebAuthSSLReturn to allow WebAuth to be used with an SSL accelerator. Also in this release are various bug fixes, particularly with Sun cc and non-GNU make.
See the release announcement for more information.
- 2003-09-10
WebAuth 3.2.1 has been released. This release fixes problems with backward compatibility support, adds a new directive to allow applications to deal with tokens expiring during POST, and fixes problems with re-establishing connections to an LDAP server after a timeout.
See the release announcement for more information.
- 2003-08-06
WebAuth 3.2.0 has been released. This release adds S/Ident support in the weblogin server and the WebKDC and a preliminary port to Apache for Windows. There are also bug fixes to both the WebAuth and LDAP modules and some fixes to the way that redirects are handled which may prevent looping problems with some browsers.
See the release announcement for more information.
- 2003-05-29
WebAuth 3.1.2 has been released. This is a bug fix release, mostly affecting the LDAP module.
See the release announcement for more information.
- 2003-05-01
WebAuth 3.1.0 has been released. The primary additions are LDAP support equal to WebAuth v2 and additional backward compatibility support for current WebAuth v2 users. WebAuth 3.1.0 also features various bug fixes, some additional configuration directives for not caching files and using keytabs that contain multiple principals, and support for additional configuration directives in .htaccess files.
See the release announcement for more information.
- 2003-02-18
Initial public release of WebAuth v3. This is a complete rewrite of the WebAuth system, sharing no common code with the previous release. It is now based on Apache 2.0, Kerberos v5, and a new infrastructure for managing authentication tokens.
See the release announcement for more information.



