The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS `5.1.0` GA was released on May 27th 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as `5.2.0`. This post intends to highlight some of the improvements and enhancements packed into the first release candidate in the `5.2.0` series.

The in-development documentation of CAS `5.2.0` is available here. The release schedule is also available here. The release policy is available here.
- 0.1. Minors
- 0.2. Documentation
- 0.3. WebJARs for Static Resources
- 0.4. Trusted Authentication Attributes
- 0.5. Amazon Cloud Directory Authentication
- 0.6. CAS Protocol v2 Forward Compatibility
- 0.7. JWTs for REST API
- 0.8. Dynamic Caches for Ticket Registries
- 0.9. Update Checking
- 0.10. HEADER Response Method
- 0.11. ADFS Delegated Authentication
- 0.12. ADFS SAML Integration
- 0.13. Ticket Registry Encryption
- 0.14. Stormpath Support Removed
- 0.15. Ticket Validator SSL Configuration
- 0.16. Registered Services Endpoint
- 0.17. YubiKey MongoDb/JPA Storage
- 0.18. Couchbase Authentication
- 0.19. Apache Cassandra Authentication
- 0.20. Custom LDAP Password Policy
- 0.21. FIDO U2F Device Registration
- 0.22. JWTs As Service Tickets
- 0.23. Swivel Secure Authentication
- 0.24. OpenID Connect Introspection
- 0.25. OAuth Client Credentials Grant
- 0.26. Attribute Repository Merging
- 0.27. Library Upgrades
- 0.28. What’s Next?
- 0.29. Get Involved
- 0.30. Das Ende
0.1. Minors
- Performance improvements to ensure service selection strategies are properly sorted at runtime.
- A few bug fixes that affect the password management functionality and webflow handling of authentication failure events, thanks to @pdrados.
- A small regression in how URL-based SAML2 metadata resources are retrieved from `http` vs. `https` resources has been fixed.
- Thanks to @pavelhoral, ticket registries properly take into account the task of encoding tickets, if needed, before deleting them.
- Thanks to @jkacer, failed authentication attempts are no longer reported as throttled authentication attempts. Changes are backported as far back as `5.0.x`.
- Plenty of minor performance improvements to the CAS service registry as well as the overall ticket registry components, and that of Hazelcast in particular, thanks to @DavidRG13 and @tsschmidt.
- Delegated authentication flows now gain support for naming the client, thanks to @rrenomeron.
- The Duo WebSDK has been upgraded to its most recent version.
0.2. Documentation
Thanks to @mindblender, the documentation site for the CAS project is now equipped with a much better search user interface.
0.3. WebJARs for Static Resources
Targeting CAS deployments in environments that have no network access can be tricky. In this release candidate, CAS begins to beautifully bundle static UI resources (CSS, JavaScript, etc.) into the build for offline access. These resources are turned into dependencies that the project stuffs into the build by default using WebJARs. The `org.webjars` project packages up most things that CAS needs in jars that are available in Maven Central, and the Servlet 3.0 specification makes the resources available to be served up by CAS, so the versions of those assets are now pinned by the build rather than fetched from a CDN at runtime.
Huge thanks to @hdeadman for executing on this.
0.4. Trusted Authentication Attributes
The Trusted Authentication features of CAS are now able to extract attributes from the remote request object, in cases where CAS is sitting behind a Shibboleth Service Provider, etc. Thanks to @scalding for the find and for suggestions on how best to improve this.
0.5. Amazon Cloud Directory Authentication
Thanks to @vulpayga, CAS gains the ability to use Amazon Cloud Directory for authentication.
0.6. CAS Protocol v2 Forward Compatibility
It is now possible to ensure CAS protocol `v2` views are forward compatible with CAS `v3`. The most significant change here is the ability to release attributes via `v2`. The behavior is controlled via a setting that can be turned on/off globally for the CAS deployment. You can read more about this behavior here.
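In practice this means a `/serviceValidate` response that a client written against CAS protocol v2 expects to contain only `<cas:user>` may now also carry a v3-style `<cas:attributes>` block. The parser below is an added illustration of a client that tolerates both shapes; it is not code from the CAS project, and the three sample responses are constructed here for the example.

```python
"""Parse CAS /serviceValidate responses that may or may not carry attributes."""
import xml.etree.ElementTree as ET

# Namespace used by the CAS protocol XML responses.
CAS_NS = "http://www.yale.edu/tp/cas"


class CasValidationError(Exception):
    """Raised for <cas:authenticationFailure> or a malformed response."""


def _tag(local_name: str) -> str:
    return f"{{{CAS_NS}}}{local_name}"


def parse_validate_response(xml_text: str) -> dict:
    """Return {"user": ..., "attributes": {name: [values]}} for a success response.

    Accepts a plain v2 body (no <cas:attributes>) and a v3-style body with
    attributes; multi-valued attributes are collected into lists so the
    caller never silently keeps only the last value.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed XML: {exc}") from exc
    if root.tag != _tag("serviceResponse"):
        raise CasValidationError(f"unexpected root element {root.tag!r}")

    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")

    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        raise CasValidationError("neither success nor failure element present")
    user = (success.findtext(_tag("user")) or "").strip()
    if not user:
        raise CasValidationError("missing <cas:user>")

    attributes = {}
    attrs_el = success.find(_tag("attributes"))
    if attrs_el is not None:  # absent on a strict v2 response; present once forward-compat is on
        for child in attrs_el:
            name = child.tag.split("}", 1)[1] if "}" in child.tag else child.tag
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


# Constructed sample responses (not captured from a real CAS server).
V2_NO_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

V2_WITH_ATTRS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>casuser</cas:user>
    <cas:attributes>
      <cas:mail>casuser@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>devs</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(parse_validate_response(V2_NO_ATTRS))
    print(parse_validate_response(V2_WITH_ATTRS))
    try:
        parse_validate_response(FAILURE)
    except CasValidationError as err:
        print("rejected:", err)
```

The failure branch is checked before the success branch on purpose: a response that somehow carried both must never be treated as a login. For production clients, parse the body with `defusedxml` rather than the standard library so that entity-expansion payloads from a spoofed validator endpoint are rejected.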
0.7. JWTs for REST API
The CAS REST API/Protocol is now equipped with the capability to issue JWTs for service tickets.
0.8. Dynamic Caches for Ticket Registries
The Ehcache Ticket Registry now gains the option to split caches dynamically based on ticket types, rather than keeping every ticket inside a single statically created cache. The same changeset is also applied to the ticket registry based on MongoDb as well as that of Apache Ignite.
0.9. Update Checking
CAS has been given the ability to check for newer released versions and report back as part of its banner. This behavior is off by default, and may be conditionally enabled via the following guide.
0.10. HEADER Response Method
CAS has for some time had the ability to redirect back to a requesting application providing the generated service ticket in the form of a `GET` or `POST` via the `method` parameter. In this release, CAS adds an extra `HEADER` option, stuffing the ticket into a response header. This might be useful if you intend to execute non-interactive modes of authentication such as Basic Authentication.
0.11. ADFS Delegated Authentication
Delegating authentication to ADFS is now enhanced to support more than one ADFS instance.
0.12. ADFS SAML Integration
A number of minor bugs have been fixed in this release to ensure ADFS acting as a SAML2 SP can be integrated with CAS acting as a SAML2 identity provider.
0.13. Ticket Registry Encryption
The ticket registry implementations based on Apache Ignite and MongoDb are now enhanced to support ticket registry encryption.
0.14. Stormpath Support Removed
Stormpath support has been removed from the codebase. This feature will no longer be available, as Stormpath APIs are soon to be retired in mid August after the Okta acquisition.
0.15. Ticket Validator SSL Configuration
There are areas in CAS where a ticket is issued and validated internally to allow access to other downstream components. The configuration of the ticket validation component is now exposed to the entire runtime and takes advantage of the familiar CAS settings for SSL socket factories and hostname verification, so internal validation calls honor the same trust store and verifier as the rest of the deployment.
0.16. Registered Services Endpoint
A new endpoint is now exposed in CAS that can report back the collection of registered services with CAS.
0.17. YubiKey MongoDb/JPA Storage
YubiKey multifactor authentication is now able to use MongoDb or a relational database for persisting device registration records. Improvements are also in place to support new device registration workflows.
0.18. Couchbase Authentication
CAS gains the ability to use Couchbase as an authentication store. Remember that Couchbase can also be used to manage CAS services and act as a ticket store for HA deployments.
0.19. Apache Cassandra Authentication
Thanks to @vulpayga, CAS gains the ability to use Apache Cassandra as an authentication store.
0.20. Custom LDAP Password Policy
There is now support for implementing your own custom LDAP password policy handler based on Ldaptive. Your implementation needs to be registered with CAS and should take on the following form:

```java
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResponseHandler;

public class MyPasswordPolicyAuthenticationResponseHandler implements AuthenticationResponseHandler {
    @Override
    public void handle(final AuthenticationResponse response) {
        // Inspect the LDAP authentication response (e.g. password-policy controls) and react to it.
    }
}
```
0.21. FIDO U2F Device Registration
FIDO U2F support for multifactor authentication is now equipped with the ability to store device registration records inside a relational database and more. See this for more info.
0.22. JWTs As Service Tickets
The ability to issue JWTs as service tickets is now refactored and moved into its own dedicated module such that it can then become reusable as a pluggable extension point in other parts of the codebase. If you had this feature turned on, you may need to adjust the module definition in your build slightly to stay on course with the coolness.
0.23. Swivel Secure Authentication
CAS can now take advantage of Swivel Secure’s image-based multifactor authentication. See this guide to learn more.
Special thanks to @dacurry-tns for contributing the baseline integration.
0.24. OpenID Connect Introspection
Modest support is now added for OpenID Connect to allow for introspection of access tokens.
0.25. OAuth Client Credentials Grant
Support for OAuth2's `client_credentials` grant is now included in this release.
0.26. Attribute Repository Merging
Attributes retrieved during the authentication phase are now given the ability to merge with attributes retrieved from separate attribute repository sources. This behavior previously was only available to select authentication strategies and is now globally applied to all.
0.27. Library Upgrades
- Spring Data
- Spring MongoDb
- Spring Cloud
- Spring Security
- EhCache
- Apache CXF
- Thymeleaf
- Sentry
- Memcached
- Apache Ignite
- Gradle
- Spring Boot
- Couchbase
- Infinispan
- UnboundID SCIM
0.28. What’s Next?
We are all working to make sure the CAS `5.2.0` release is on schedule.
0.29. Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
0.30. Das Ende
A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!