[pubcookie-dev] CVS update: dors;
webiso/pubcookie/doc CHANGES.txt,1.22,1.23
install-filter.html,1.22,1.23 install-login.html,1.43,1.44
install-mod_pubcookie.html,1.27,1.28 templates.html,1.5,1.6
dors at cac.washington.edu
Mon Jul 3 15:11:43 PDT 2006
Update of /usr/local/cvsroot/webiso/pubcookie/doc
In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv28590
Modified Files:
CHANGES.txt install-filter.html install-login.html
install-mod_pubcookie.html templates.html
Log Message:
doc updates for 3.3.1-beta1
Index: webiso/pubcookie/doc/CHANGES.txt
diff -u webiso/pubcookie/doc/CHANGES.txt:1.22 webiso/pubcookie/doc/CHANGES.txt:1.23
--- webiso/pubcookie/doc/CHANGES.txt:1.22 Wed Feb 22 11:00:11 2006
+++ webiso/pubcookie/doc/CHANGES.txt Mon Jul 3 15:11:41 2006
@@ -1,3 +1,59 @@
+Changes with 3.3.1 Beta 1:
+
+*) Fixed session reauthentication messaging so that the module and
+ filter can verify that the login cgi handled a reauth request.
+
+*) Modified Apache module to base64 encode the path when using the POST
+ login method. This allows ampersands and other odd chars in the path.
+
+*) Fixed login cgi not to use the login_reauth message if the user
+ hasn't authenticated to any apps yet. (Submitted by Bradley
+ Schwoerer, University of Wisconsin-Madison.)
+
+*) Added clear_username_at_logout site policy to login cgi to control
+ whether the username is cleared on logout.
+
+*) Fixed Apache module to close key file descriptor after reading it.
+
+*) New default HTML login templates. Contributed by Konstantin
+ Ryabitsev, McGill University.
+
+*) Modified login cgi and default templates to use utf-8 encoding.
+
+*) Modified Apache module to set Expires, Cache-Control and Pragma
+ headers via the Error headers used on redirects.
+
+*) Fixed keyserver.c SSL3_GET_RECORD errors with redundant login_servers
+ by closing stdin/stdout/stderr. (Submitted by <mrevil at gmail.com>)
+
+*) Added PubcookieCatenateAppIDs directive to Apache module. Contributed
+ by Doug DeJulio, Carnegie Mellon University.
+
+*) Fixed Apache module to halt startup if security initialization fails;
+ e.g. when PubcookieSessionCertFile doesn't exist.
+
+*) Modified LDAP verifier so that a few duplicate audit log messages
+ are only be logged at the debug level.
+
+*) Fixed null pointer usage in LDAP verifier when version is empty.
+
+*) Improved Unix keyclient error messages concerning keymgt_uri host.
+
+*) Replaced AddHeader() with SetHeader() in ISAPI filter to eliminate
+ duplicate HTTP Header values.
+
+*) Modified login cgi to use more consistent audit logging strings.
+ Prepended the "first kiss" timestamp to authentication success and
+ failure log file messages.
+
+*) Fixed bug in Apache module's AES encryption mode that causes session
+ cookies to be unreadable when PubcookieInactiveExpire is on.
+
+*) Modified Apache 2 Makefile to better support Apache 2.2 builds.
+
+*) Modified login cgi to allow 'http:' and 'https:' in app server uri
+ query strings without percent encoding the colon.
+
Changes with 3.3.0a:
*) Applied login server security fixes to address XSS vulnerabilities
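Review bot: In the LDAP verifier entry, "are only be logged at the debug level" has a stray verb and should read "are only logged at the debug level". The session reauthentication entry at the top of the list also omits the "Requires 3.3.1 or higher login server" caveat that the install-filter.html and install-mod_pubcookie.html hunks in this same commit carry; CHANGES.txt is where an admin upgrading only the module or filter is most likely to look, so the caveat belongs here too.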
Index: webiso/pubcookie/doc/install-filter.html
diff -u webiso/pubcookie/doc/install-filter.html:1.22 webiso/pubcookie/doc/install-filter.html:1.23
--- webiso/pubcookie/doc/install-filter.html:1.22 Wed Mar 1 11:29:05 2006
+++ webiso/pubcookie/doc/install-filter.html Mon Jul 3 15:11:41 2006
@@ -66,6 +66,17 @@
<h4><a name="news">What's New</a></h4>
+ <p>Significant changes in Pubcookie 3.3.1:</p>
+
+ <ul>
+ <li><p><b>Fixed duplicate HTTP header values.</b> Replaced AddHeader() with SetHeader() in the ISAPI filter
+ to eliminate duplicate HTTP Header values. </p></li>
+
+ <li><p><b>Modified session reauthenticaiton messaging.</b> The filter now verifies that the login cgi handled a
+ reauthentication request when session reauthentication is configured. (Requires 3.3.1 or higher login server.)</p></li>
+
+ </ul>
+
<p>Significant changes in Pubcookie 3.3.0a:</p>
<ul>
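Review bot: The bold heading of the second new list item misspells the word as "reauthenticaiton"; it should be "reauthentication", matching the sentence that follows it.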
Index: webiso/pubcookie/doc/install-login.html
diff -u webiso/pubcookie/doc/install-login.html:1.43 webiso/pubcookie/doc/install-login.html:1.44
--- webiso/pubcookie/doc/install-login.html:1.43 Wed Mar 1 11:29:05 2006
+++ webiso/pubcookie/doc/install-login.html Mon Jul 3 15:11:41 2006
@@ -79,6 +79,27 @@
<h4><a name="new">What's New</a></h4>
<p>Significant improvements and changes to the login server components included in
+Pubcookie 3.3.1:</p>
+
+<ul>
+
+<li>New default <a href="#templates">login CGI templates</a> with
+ more standard XHTML, CSS, and utf-8 encoding.</li>
+<li>Added <a
+ href="config.html#clear_username_at_logout"><tt>clear_username_at_logout</tt></a>
+ site policy to login cgi to control whether the username is cleared
+ on logout.</li>
+<li>Modified session reauthentication messaging. The login cgi now includes in the granting
+ message whether or not it handled a reauthentication request.</li>
+<li>Fixed null pointer usage in LDAP verifier when version is empty.</li>
+<li>Modified login cgi to use more consistent audit logging strings.
+ Prepended the "first kiss" timestamp to authentication success and
+ failure log file messages.</li>
+<li>Modified login cgi to allow 'http:' and 'https:' in app server uri
+ query strings without percent encoding the colon.</li>
+</ul>
+
+<p>Significant improvements and changes to the login server components included in
Pubcookie 3.3.0a:</p>
<ul>
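Review bot: This list of login server changes leaves out entries that CHANGES.txt in the same commit records for login server components: the keyserver.c SSL3_GET_RECORD fix for redundant login_servers, the login_reauth fix for users who have not yet authenticated to any apps, and the LDAP verifier audit-log change. Sites running redundant login servers in particular would want the keyserver fix called out here; otherwise the list should point to CHANGES.txt for the full set.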
@@ -130,17 +151,32 @@
<h4><a name="upgrading">Upgrading & Compatibility</a></h4>
-<p>In general, the login server components can be built and installed on a
-live system (if you do that sort of thing) while safely maintaining your existing
-configuration file (<tt>PREFIX/config</tt>) and login templates. Running <tt>make
-install</tt> will not overwrite these files, but it will install new keyserver,
-keyclient, and login cgi binaries into <tt>PREFIX/keyserver</tt>,
-<tt>PREFIX/keyclient</tt>, and <tt>PREFIX/login/index.cgi</tt>, respectively.
-A new sample configuration file is installed into
-<tt>PREFIX/config.login.sample</tt>, and an updated set of generic login templates
-is installed into <tt>PREFIX/login_templates.default</tt>. Sites should compare
-their current config file and current templates against the new ones and resolve
-significant differences before copying the new login cgi in production.</p>
+<p>In general, the login server components can be upgraded (built and
+installed) on a live system while safely maintaining your existing
+configuration file (<tt>PREFIX/config</tt>) and login templates
+(<tt>PREFIX/login_templates</tt>).</p>
+
+<p>Running <tt>make install</tt> on such a system will do the
+following:</p>
+
+<ul>
+
+<li>install new keyserver, keyclient, and login cgi binaries into
+<tt>PREFIX/keyserver</tt>, <tt>PREFIX/keyclient</tt>, and
+<tt>PREFIX/login/index.cgi</tt>, respectively.</li>
+
+<li>install a set of (possibly updated) generic login templates is
+installed into <tt>PREFIX/login_templates.default</tt> but <b>not</b>
+into <tt>PREFIX/login_templates</tt> if it already exists.</li>
+
+<li>install a new sample configuration file
+(<tt>PREFIX/config.login.sample</tt>).</li>
+
+</ul>
+
+<p>Sites should compare their current config file and current templates
+against the new ones and resolve significant differences before copying
+the new login cgi and other binaries in production locations.</p>
<p>Here are some additional compatibility notes for upgrading between specific
versions:</p>
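Review bot: The second new list item has a doubled verb, "install a set of (possibly updated) generic login templates is installed into"; drop "is installed" so it parallels the other two items. In the closing paragraph, "before copying the new login cgi and other binaries in production locations" should read "into production locations".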
@@ -673,21 +709,29 @@
easy for users to recognize and trust with their password.</p>
<p>The most common approach is to copy it from
-<tt>PREFIX/login/index.cgi</tt> to the server's root directory, resulting
-in a URL such as <i>https://weblogin.example.edu/</i>.
+<tt>PREFIX/login/index.cgi</tt> to your Apache server's root directory,
+resulting in a URL such as <i>https://weblogin.example.edu/</i>.
+
+<p>The default HTML templates use relative links to locate the default
+stylesheet and inline images. These files are found in a <i>media</i>
+subdirectory. Copy the <tt>PREFIX/login/media</tt> directory to the same
+location as the login cgi. It should include one stylesheet file and
+three GIF images.</p>
<p>Refer to <a href="#apacheconfig">Appendix A: Apache Configuration</a>
if you're unfamiliar with the directives that control how Apache detects
-and handles cgi scripts, particularly as a directory index.</p>
+and handles cgi scripts, particularly as a directory index like
+<tt>index.cgi</tt>.</p>
<h4><a name="pinit">Testing Login CGI</a></h4>
<p>The login cgi can be opened directly in a browser. This is sometimes
called a <i>pinit</i> (for Pubcookie init, like kinit) since
authentication is requested without being tied to an application. It's a
-good way to test your current config file and verifier. <i>Go ahead and
-try it now.</i> The login page you see comes from
-<tt>PREFIX/login_templates/login_pinit</tt>.</p>
+good way to test your current config file and verifier. Go ahead and
+try it now. The login page you see comes from the
+<tt>PREFIX/login_templates/login</tt> and
+<tt>PREFIX/login_templates/login_pinit</tt> templates.</p>
<p>If authentication succeeds, congratulations, you now can deploy an
application server using the <a
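Review bot: The rewritten paragraph ending "resulting in a URL such as <i>https://weblogin.example.edu/</i>." has no closing </p> before the new <p> about the media subdirectory opens; add </p> after that sentence. Since the templates find the stylesheet and images through relative links, the new paragraph could also say explicitly that in the example above the media directory ends up in the server's root directory next to index.cgi.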
@@ -715,28 +759,25 @@
<h4><a name="templates">Login CGI Templates</a></h4>
-<p>The login cgi creates login, logout, error, and redirect pages using
-HTML templates it reads from the <tt>PREFIX/login_templates</tt>
-directory. An alternative location can be defined using the <a
+<p>The login cgi reads HTML templates from the
+<tt>PREFIX/login_templates</tt> directory in order to create login,
+logout, error, and redirect pages.</p>
+
+<p>The login cgi will read from an alternative location if the <a
href="config.html#template_root"><tt>template_root</tt></a> config file
-variable.</p>
+variable is defined.</p>
-<p>Edit these templates to suit the naming and web design needs of your
-login server. A set of generic templates is copied into place during
-installation. A backup set is also copied to
+<p>A set of generic, sample templates is copied into place during
+initial installation. A backup set is also copied to
<tt>PREFIX/login_templates.default</tt>.</p>
+<p>Edit these templates (which represent "Example University") to brand
+the login server for your organization and to meet local web design
+standards.</p>
+
<p>Refer to the <a href="templates.html">login cgi template
reference</a> for descriptions of each template.</p>
-<p>Note: For comparison purposes, templates (of some vintage) from
-Carnegie Mellon University and the Univerisity of Washington are
-provided in the distribution. See <tt>src/login_templates.cmu</tt> and
-<tt>src/login_templates.uw</tt>. Be warned, however, that the syntax
-for variable substitution within the templates has changed over time,
-and therefore the CMU and UWash templates may be slightly
-out-of-date.</p>
-
<h4><a name="loginmsgs">Custom Login Messages</a></h4>
<p>This is all about branding. Some application owners require branding
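Review bot: The removed note was the only place in this section that warned that the templates in src/login_templates.cmu and src/login_templates.uw may use out-of-date variable substitution syntax. If those directories still ship in the distribution, keep a one-line caution here; if they were dropped along with the new default templates, CHANGES.txt should say so.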
@@ -1183,7 +1224,7 @@
See doc/LICENSE.txt for terms of use.
</p>
<pre>
-$Id: install-login.html,v 1.43 2006/03/01 19:29:05 willey Exp $
+$Id: install-login.html,v 1.44 2006/07/03 22:11:41 dors Exp $
</pre>
</body>
Index: webiso/pubcookie/doc/install-mod_pubcookie.html
diff -u webiso/pubcookie/doc/install-mod_pubcookie.html:1.27 webiso/pubcookie/doc/install-mod_pubcookie.html:1.28
--- webiso/pubcookie/doc/install-mod_pubcookie.html:1.27 Wed Feb 22 11:00:11 2006
+++ webiso/pubcookie/doc/install-mod_pubcookie.html Mon Jul 3 15:11:41 2006
@@ -56,6 +56,20 @@
<h4><a name="new">What's New</a></h4>
+ <p>Significant improvements and changes included in Pubcookie 3.3.1:</p>
+
+ <ul>
+ <li>Added <a href="mod_pubcookie-directives.html#PubcookieCatenateAppIDs">PubcookieCatenateAppIDs</a> directive</li>
+ <li>Improved Makefile for Apache 2.2 builds.</li>
+ <li>Modified session reauthentication messaging. The module now verifies that the login cgi handled a reauthentication request
+ when session reauthentication is configured. (Requires 3.3.1 or higher login server.)
+ <li>Fixed bug in AES encryption mode that causes session cookies to be unreadable when PubcookieInactiveExpire
+ is on. </li>
+ <li>Modified the module's startup process such that it halts if security initialization fails (e.g.,
+ PubcookieSessionCertFile doesn't exist).</li>
+
+ </ul>
+
<p>Significant improvements and changes included in Pubcookie 3.3.0a:</p>
<ul>
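Review bot: The new session reauthentication item is never closed: the line ending "(Requires 3.3.1 or higher login server.)" needs a </li> before the next <li> opens. The list also skips Apache module changes that CHANGES.txt records in this commit (base64 encoding of the path for the POST login method, closing the key file descriptor after reading it, and the Expires, Cache-Control and Pragma headers on redirects); add them or link to CHANGES.txt.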
Index: webiso/pubcookie/doc/templates.html
diff -u webiso/pubcookie/doc/templates.html:1.5 webiso/pubcookie/doc/templates.html:1.6
--- webiso/pubcookie/doc/templates.html:1.5 Tue Aug 31 14:06:59 2004
+++ webiso/pubcookie/doc/templates.html Mon Jul 3 15:11:41 2006
@@ -35,7 +35,8 @@
automatic variable substitutions for: the login server URL, the reason
for the redirect (pulled from various <tt>login_*</tt> templates), the
user input field (also pulled from other templates), hidden fields
-maintaining state information, and GetCred hidden fields.</dd>
+maintaining state information, GetCred hidden fields, and version
+string.</dd>
<dt><a name="login_bad_auth">login_bad_auth</a></dt>
<dd>The error displayed when authentication failed. File containing
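Review bot: The added "and version string" does not say whose version is substituted or name the template variable that carries it, so an author of a custom login template cannot tell what to include. The neighbouring substitutions are described by where they come from ("pulled from various login_* templates"); give this one the same treatment, and add the missing article ("and a version string").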