This post is not official yet and may be heavily edited as CAS development makes progress. Watch for further updates.
The official CAS 5.1.0 GA was released on May 27th 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.2.0. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the
You can read more about the previous release candidate here.
- Test Drive
- Caffeine for Guava Caching
- Authentication Interrupt
- OpenID Connect Pairwise Subject Identifiers
- Attribute Consent Policy Per Service
- Time-based Multifactor Authentication Trigger
- Surrogate Authentication Improvements
- Library Upgrades
- What’s Next?
- Get Involved
- Das Ende
Test Drive
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.
At any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
In the pom.xml of the overlay, adjust the following tag to match below:
In the gradle.properties of the overlay, adjust the following tag to match below:
- MongoDb authentication is improved to honor the MongoDb connection pool and threads which monitor that pool.
- The default port for the management web application when run in embedded mode is now switched to 8444 to avoid conflicts with the main CAS web application server when both are run in the same environment.
- The default ability of defining Spring beans in XML inside the management web application has been removed.
- The default ability of defining Spring beans in XML/Groovy inside the CAS web application has been removed.
- The management web application is now able to advertise readiness in logs via ascii art.
- Thanks to @scalding, generating persistent ids in a Shibboleth-friendly way now correctly takes into account the salt and more.
- Thanks to @robertoschwald, generating primary keys for hibernate schemas is improved to take on a more native approach with some caveats documented that affect MySQL while running in a Galera cluster.
- Thanks to @tduehr, generating random secure strings falls back to a more performant though ever-so-slightly less secure strategy and algorithm until Java 9 is released.
- The multifactor trusted device functionality for Google Authenticator and Swivel now correctly registers the relevant MFA flow into the CAS webflow engine at runtime.
- Thanks to @SRieckhoff, a possible NPE with SPNEGO authentication is now prevented.
- SAML1 validation response is now updated in the documentation to ensure it matches the structure produced by CAS.
- Thanks to @tduehr, Apache Ignite support is given the ability to run in client mode.
- Thanks to @kingjared, generating SAML1 assertions gains an issueLength property to set the interval between the
Caffeine for Guava Caching
Most if not all internal caching strategies and policies have switched from using the Guava library to Caffeine. This is for the most part a transparent and invisible change, yet the switch allows CAS to dictate more granular expiration policies for caches that apply to each individual entry in the cache, rather than the cache itself as a whole.
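The per-entry expiration described above can be expressed with Caffeine's Expiry interface. This is an added example, not code from CAS: the Ticket class, the ticket ids and the lifetimes are constructed for illustration.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.Expiry;
import java.time.Duration;

public class PerEntryExpiryExample {
    // Hypothetical cached item (not a CAS class): every entry carries its own lifetime.
    static final class Ticket {
        final String id;
        final Duration timeToLive;
        Ticket(String id, Duration timeToLive) { this.id = id; this.timeToLive = timeToLive; }
    }

    static Cache<String, Ticket> buildCache() {
        return Caffeine.newBuilder()
            .maximumSize(10_000)
            // The expiry is computed per entry, instead of one expireAfterWrite for the whole cache.
            .expireAfter(new Expiry<String, Ticket>() {
                @Override
                public long expireAfterCreate(String key, Ticket value, long currentTime) {
                    return value.timeToLive.toNanos();
                }
                @Override
                public long expireAfterUpdate(String key, Ticket value, long currentTime, long currentDuration) {
                    return value.timeToLive.toNanos(); // a replaced entry starts a fresh lifetime
                }
                @Override
                public long expireAfterRead(String key, Ticket value, long currentTime, long currentDuration) {
                    return currentDuration; // reading an entry must not extend its lifetime
                }
            })
            .build();
    }

    public static void main(String[] args) throws InterruptedException {
        Cache<String, Ticket> cache = buildCache();
        // Constructed sample entries: one short-lived, one long-lived, in the same cache.
        cache.put("ST-1", new Ticket("ST-1", Duration.ofMillis(200)));
        cache.put("TGT-1", new Ticket("TGT-1", Duration.ofHours(8)));
        Thread.sleep(300);
        System.out.println("short-lived entry still cached: " + (cache.getIfPresent("ST-1") != null));
        System.out.println("long-lived entry still cached:  " + (cache.getIfPresent("TGT-1") != null));
    }
}
```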
Authentication Interrupt
CAS has the ability to pause and interrupt the authentication flow to reach out to external services and resources, querying for status and settings that would then dictate how CAS should manage and control the SSO session. Interrupt services are able to present notification messages to the user, provide options for redirects to external services, etc. A common use case of this functionality deals with presenting a bulletin board during the authentication flow to present messages and announcements to select users and then optionally require that audience to complete a certain task before CAS is able to honor the authentication request and establish a session.
See this guide for more info.
OpenID Connect Pairwise Subject Identifiers
OpenID Connect support in CAS now presents the ability to support different subject types. This specifically includes support for pairwise subject id generation. See this guide for more info.
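What a pairwise subject identifier is, as an added example that is not CAS's implementation: it follows one of the example methods in OpenID Connect Core section 8.1 (a SHA-256 over sector identifier, local account id and a secret salt), with a separator byte added as an assumption of this sketch. The relying-party URLs, the account name and the salt are constructed.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;

public class PairwiseSubjectExample {
    // Derives a "sub" that is stable for one relying party but differs between
    // relying parties, so two clients cannot correlate the same user by subject.
    static String pairwiseSub(String sectorUri, String localAccountId, byte[] salt)
            throws NoSuchAlgorithmException {
        String host = URI.create(sectorUri).getHost();
        if (host == null) {
            throw new IllegalArgumentException("sector identifier URI has no host: " + sectorUri);
        }
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(host.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8));
        md.update((byte) 0); // separator (this sketch's choice) keeps host/account boundaries unambiguous
        md.update(localAccountId.getBytes(StandardCharsets.UTF_8));
        md.update((byte) 0);
        md.update(salt); // must stay secret and unchanged, or every issued sub changes
        return Base64.getUrlEncoder().withoutPadding().encodeToString(md.digest());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed values; a real salt is a long random secret held by the provider.
        byte[] salt = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
        String rpOne = pairwiseSub("https://rp-one.example.org/callback", "casuser", salt);
        String rpOneOtherPath = pairwiseSub("https://rp-one.example.org/other", "casuser", salt);
        String rpTwo = pairwiseSub("https://rp-two.example.org/callback", "casuser", salt);
        System.out.println("same sector, same sub:           " + rpOne.equals(rpOneOtherPath));
        System.out.println("different sector, different sub: " + !rpOne.equals(rpTwo));
    }
}
```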
Attribute Consent Policy Per Service
Handling attribute consent now takes on a more wholesome API approach where there exists a consentPolicy that can dictate how attributes are selected and qualified for consent. See this guide for more info.
Time-based Multifactor Authentication Trigger
Adaptive authentication can also be configured to trigger multifactor based on specific days and times.
See this guide for more info.
Surrogate Authentication Improvements
Surrogate authentication (Impersonation) gains the ability to dictate an expiration policy assigned to a surrogate session. Additionally, surrogate account storage and querying can now be done via a REST resource as well.
Note that the baseline module to include in the overlay has changed in this release candidate to clearly separate core and webflow functionality. Consult this guide for more info.
Library Upgrades
- Spring Shell
- Spring Cloud Sleuth
- Apache Fediz
- Apache Fortress
- Spring Boot Admin
- Hibernate Validator
- MongoDb Driver
- Amazon SDK
- Google Maps
- MariaDb Driver
- Apache Ignite
- Couchbase Driver
- Dropwizard Metrics
What’s Next?
We are all working to make sure the CAS 5.2.0 release is on schedule.
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Das Ende
A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep ’em coming!