Skip navigation



WebAuth 3.4.0 Announcement

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.4.0. This release adds SPNEGO support to the Weblogin server, which allows clients with Kerberos tickets and browsers that support the SPNEGO authentication protocol with Kerberos V5 GSSAPI to never have to enter their credentials into any web page. As a side effect, any other Apache authentication mechanism is now supported on the Weblogin server, so client-side certificates (for example) can now also be used.

In addition, the WebAuth module no longer removes WebAuth data from URLs for unprotected content, so it can sit alongside another implementation of WebAuth. The protocol specification has been rewritten and improved, the Kerberos library probes when building from source have been significantly improved, and there are other minor improvements (particularly in the documentation).

When upgrading the WebKDC to this release, please note that there is a new template variable, script_name, which should be used as the target of the POST action in the login form. The generic templates that come with WebAuth already have this change.

For documentation and downloads of WebAuth 3.4.0, see:


We have not yet updated the versions of the binary packages for Solaris.

The user-visible changes in this release are:

  • Added support to the weblogin server and WebKDC module to trust an authentication identity asserted by Apache. This allows use of any authentication type that Apache supports as WebAuth authentication, in particular SPNEGO/GSSAPI.

  • Allow login.fcgi to be used as the target of an ErrorDocument Apache directive and read the query parameters from the redirect environment variable. This lets one use SPNEGO as the default and fall back on password authentication if it fails. To support this feature, there is an additional template variable for the login template, script_name, that should be used as the action of the login form.

  • The WebAuth module no longer strips WebAuth data (WEBAUTHR and WEBAUTHS) from the internal URL for requests to URLs not protected by WebAuth. This way, Apache with mod_webauth loaded will not interfere with applications that wish to implement the WebAuth protocol themselves. Thanks to Mats Henrikson for the report.

  • Rewrote the WebAuth protocol documentation in RFC 2629 XML. In the process, edited it extensively for consistency of terminology, updated it in a few places, and clarified the wording.

  • Better Kerberos library checks, including support for MIT Kerberos 1.4 and use of krb5-config where appropriate.

  • Added --enable-reduced-depends to configure to request the minimal possible shared library dependencies be encoded at run-time. This is for systems that properly implement transitive shared library dependencies, in order to minimize shared library conflicts introduced by SONAME changes and upgrades (mainly for Linux distribution packagers).

  • The public interface for the libwebauth library now uses char * uniformly instead of unsigned char *, since using the latter is too annoying and causes too many compiler warnings.

  • Remove more vestiges of S/Ident support. mod_webkdc will no longer recognize the old Apache S/Ident directives.

  • Lots of general documentation updates for clarity and style.

Last modified Friday, 12-Dec-2014 02:31:13 PM

Stanford University Home Page