CAS 5.2.0 RC1 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.1.0 GA was released on May 27th 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.2.0. This post intends to highlight some of the improvements and enhancements packed into the first release candidate in the 5.2.0 series.

The in-development documentation of CAS 5.2.0 is available here. The release schedule is also available here. The release policy is available here.

0.1. Minors

  • Performance improvements to ensure service selection strategies are properly sorted at runtime.
  • A few bug fixes that affect the password management functionality and webflow handling of authentication failure events, thanks to @pdrados.
  • Small regression in how URL-based SAML2 metadata resources are retrieved from http vs https resources.
  • Thanks to @pavelhoral, ticket registries properly take into account the task of encoding tickets, if needed, before deleting them.
  • Thanks to @jkacer, failed authentication attempts are improved to no longer be reported as throttled authentication attempts. Changes are backported as far as back as 5.0.x.
  • Plenty of minor performance improvements to the CAS service registry as well as the overall ticket registry components and that of Hazelcast in particular, thanks to @DavidRG13 and @tsschmidt.
  • Delegated authentication flows now gain support for naming the client, thanks to @rrenomeron.
  • The Duo WebSDK has been upgraded to its most recent version.

0.2. Documentation

Thanks to @mindblender, the documentation site for the CAS project is now equipped with a much better search user interface.

0.3. WebJARs for Static Resources

Targeting CAS deployments in environments that have no network access can be tricky. In this release candidate, CAS begins to beautifully bundle static UI resources (css, javascript, etc) into the build for offline access. These resources are turned into dependencies that the project stuffs into the build by default using WebJARs. The org.webjars project seems to package up most things that CAS needs in jars that are available in maven central and the servlet 3.0 specification makes the resources available to be served up by CAS.

Huge thanks to @hdeadman for executing on this.

0.4. Trusted Authentication Attributes

The Trusted Authentication features of CAS are now able to extract attributes from the remote request object, in cases where CAS is sitting behind a Shibboleth Service Provider, etc. Thanks to @scalding for the find and suggestions on how to improve this best.

0.5. Amazon Cloud Directory Authentication

Thanks to @vulpayga, CAS gains the ability to use Amazon Cloud Directory for authentication.

0.6. CAS Protocol v2 Forward Compatibility

It is now possible to ensure CAS protocol v2 views are forward compatible with CAS v3. The most significant change here is the ability to release attributes via v2. The behavior is controlled via a setting that can be turned on/off globally for the CAS deployment. You can read more about this behavior here.

0.7. JWTs for REST API

The CAS REST API/Protocol is now equipped with the capability to issue JWTs for service tickets.

0.8. Dynamic Caches for Ticket Registries

The Ehcache Ticket Registry now gains the option to split caches dynamically based on ticket types, rather than keeping every ticket inside a single statically created cache. The same changeset is also applied to the ticket registry based on MongoDb as well as that of Apache Ignite.

0.9. Update Checking

CAS has been given the ability to check for newer released versions and report back as part of its banner. This behavior is off by default, and may be conditionally enabled via the following guide.

0.10. HEADER Response Method

CAS has for some time had the ability to redirect back to a requesting application providing the generated service ticket in form of a GET or POST via the method parameter. In this release, CAS adds an extra HEADER option, stuffing the ticket into a response header. This might be useful if you intend to execute non-interactive modes of authentication such as Basic Authentication.

0.11. ADFS Delegated Authentication

Delagating authentication to ADFS is now enhanced to support more than once ADFS instance.

0.12. ADFS SAML Integration

A number of minor bugs have been fixed in this release to ensure ADFS acting as a SAML2 SP can be integrated with CAS acting as a SAML2 identity provider.

0.13. Ticket Registry Encryption

The ticket registry implementations based on Apache Ignite and MongoDb are now enhanced to support ticket registry encryption.

0.14. Stormpath Support Removed

Stormpath support has been removed from the codebase. This feature will no longer be available, as Stormpath APIs are soon to be retired in mid August after the Okta acquisition.

0.15. Ticket Validator SSL Configuration

There are areas in CAS where a ticket is issued and validated internally to allow access to other downstream components. The configuration of ticket validation component is now exposed to the entire runtime and takes advantage of familiar CAS settings when it comes to SSL factories and hostname verifications.

0.16. Registered Services Endpoint

A new endpoint is now exposed in CAS that can report back the collection of registered services with CAS.

0.17. YubiKey MongoDb/JPA Storage

YubiKey multifactor authentication is now able to use MongoDb or a relational database for persisting device registration records. Improvements are in to also support new device registration workflows.

0.18. Couchbase Authentication

CAS gains the ability to use Couchbase as an authentication store. Remember that Couchbase can also be used to manage CAS services and act as a ticket store for HA deployments.

0.19. Apache Cassandra Authentication

Thanks to @vulpayga, CAS gains the ability to use Apache Cassandra as an authentication store.

0.20. Custom LDAP Password Policy

There is now support for implementing your own custom LDAP password policy handler based on Ldaptive. Your implementation needs to be taught to CAS and should take on the following form:

import org.ldaptive.auth.AuthenticationResponseHandler;

public class MyPasswordPolicyAuthenticationResponseHandler implements AuthenticationResponseHandler {

0.21. FIDO U2F Device Registration

FIDO U2F support for multifactor authentication is now equipped with the ability to store device registration records inside a relational database and more. See this for more info.

0.22. JWTs As Service Tickets

× Beware
This may be a breaking configuration change. Consult the docs to learn more.

The ability to issue JWTs as service tickets is now refactored and moved into its own dedicated module such that it can then become reusable as a pluggable extension point in other parts of the codebase. If you had this feature turned on, you may need to adjust the module definition in your build slightly to stay on course with the coolness.

0.23. Swivel Secure Authentication

CAS can now take advantage of Swivel Secure’s image-based multifactor authentication. See this guide to learn more.

Special thanks to @dacurry-tns for contributing the baseline integration.

0.24. OpenID Connect Introspection

Modest support is now added for OpenID Connect to allow for introspection of access tokens.

0.25. OAuth Client Credentials Grant

Support for OAuth2’s client_credentials grant is now included in this release.

0.26. Attribute Repository Merging

Attributes retrieved during the authentication phase are now given the ability to merge with attributes retrieved from separate attribute repository sources. This behavior previously was only available to select authentication strategies and is now globally applied to all.

0.27. Library Upgrades

  • Spring Data
  • Spring MongoDb
  • Spring Cloud
  • Spring Security
  • EhCache
  • Apache CXF
  • Thymeleaf
  • Sentry
  • Memcached
  • Apache Ignite
  • Gradle
  • Spring Boot
  • Couchbase
  • Infinispan
  • UnboundID SCIM

0.28. What’s Next?

We are all working to make sure the CAS 5.2.0 release is on schedule.

0.29. Get Involved

0.30. Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.