CAS 5.2.0 RC3 Feature Release

This post is not official yet and may be heavily edited as CAS development makes progress. Watch for further updates.

The official CAS 5.1.0 GA was released on May 27th 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.2.0. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 5.2.0 series.

The in-development documentation of CAS 5.2.0 is available here. The release schedule is also available here. The release policy is available here.

You can read more about the previous release candidate here.

Test Drive

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.

At any given time, you should be able to -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Apache Maven

In the pom.xml of the overlay, adjust the following tag to match below:



In the of the overlay, adjust the following tag to match below:



  • MongoDb authentication is improved to honor the MongoDb connection pool and threads which monitor that pool.
  • The default port for the management web application when run in embedded mode is now switched to 8444 to avoid conflicts with the main CAS web application server when both are run in the same environment.
  • The default ability of defining Spring beans in XML inside the management web application has been removed.
  • The default ability of defining Spring beans in XML/Groovy inside the CAS web application has been removed.
  • The management web application is now able to advertise readiness in logs via ascii art.
  • Thanks to @scalding, generating persistent ids in a Shibboleth-friendly way now correctly takes into account the salt and more.
  • Thanks to @robertoschwald, generating primary keys for hibernate schemas is improved to take on a more native approach with some caveats documented that affect MySQL while running in a Galera cluster.
  • Thanks to @tduehr, generating random secure strings falls back to a more performant though ever-so-slightly less secure strategy and algorithm until Java 9 is released.
  • The multifactor trusted device functionality for Google Authenticator and Swivel now correctly registers the relevant MFA flow into the CAS webflow engine at runtime.
  • Thanks to @SRieckhoff, a possible NPE with SPNEGO authentication is now prevented.
  • SAML1 validation response is now updated in the documentation to ensure it matches the structure produced by CAS.
  • Thanks to @tduehr, Apache Ignite support is given the ability to run in client mode.
  • Thanks to @kingjared, generating SAML1 assertions gains an issueLength property to set the interval between the NotBefore and NotOnOrAfter timestamps.

Caffein for Guava Caching

Most if not all internal caching strategies and policies have switched from using the Guava library to Caffein. This is for the most part a transparent and invisible change, yet the swich allows CAS to dictate more granular expiration policies for caches that apply to each individual entry in the cache, rather then the cache itself as a whole.

Authentication Interrupt

CAS has the ability to pause and interrupt the authentication flow to reach out to external services and resources, querying for status and setings that would then dictate how CAS should manage and control the SSO session. Interrupt services are able to present notification messages to the user, provide options for redirects to external services, etc. A common use case of this functionality deals with presenting a bulletin board during the authentication flow to present messages and announcements to select users and then optionally require that audience to complete a certain task before CAS is able to honor the authentication request and establish a session.

See this guide for more info.

OpenID Connect Pairwise Subject Identifiers

OpenID Connect support in CAS now presents the ability to support different subject types. This specifically includes support for pairwise subject id generation. See this guide for more info.

Handling attribute consent now takes on a more wholesome API approach where there exists a consentPolicy that can dictate how attribute are selected and qualified for consent. See this guide for more info.

Time-based Multifactor Authentication Trigger

Adaptive authentication can also be configured to trigger multifactor based on specific days and times.

See this guide for more info.

Surrogate Authentication Improvements

× Beware
This may be a breaking change. Consult the docs to learn more.

Surrogate authentication (Impersonation) gains the ability to dictate an expiration policy assigned to a surrogate session. Additionally, surrogate account storage and querying can now be done via a REST resource as well.

Note that the baseline module to include in the overlay has changed in this release candidate to clearly separate core and webflow functionality. Consult this guide for more info.

Library Upgrades

  • Spring Shell
  • Spring Cloud Sleuth
  • Apache Fediz
  • Apache Fortress
  • Spring Boot Admin
  • Hibernate Validator
  • MongoDb Driver
  • Guava
  • Caffein
  • Amazon SDK
  • Google Maps
  • Twillio
  • Kryo
  • PostgreSQL
  • MariaDb Driver
  • Jose4J
  • Apache Ignite
  • Couchbase Driver
  • Thymeleaf
  • Infinispan
  • Dropwizard Metrics

What’s Next?

We are all working to make sure the CAS 5.2.0 release is on schedule.

Get Involved

Das Ende

A big hearty thanks to all who participated in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS 5.2.0 RC2 Feature Release which I present an overview of CAS 5.2.0 RC2 release.

July 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in July 2017.

June 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in June 2017.

Apereo CAS - Contribution Guidelines

A quick hands-on guide for one to get started with contributing to the development and prosperity of the Apereo CAS project.

CAS 5.2.0 RC1 Feature Release which I present an overview of CAS 5.2.0 RC1 release.

CAS 5 - Maintaining Protocol Compatibility

A short and sweet CAS 5 guide on how to get CAS Protocol v2 to act as v3.

MyUW in 2016 - by the numbers

Reflecting upon MyUW in 2016 as framed by metrics.

CAS Codebase Overview

An overview of the CAS codebase organization and layout in which I also dig into the rationale behind project's efforts on modularization and code decomposition.

CAS 5 Load Tests by Lafayette College

Lafayette College shares the results of stress tests executed against a recent CAS 5.0.x deployment.

Shibbolizing Apereo CAS

Learn about a rather fancy Apereo CAS server deployment, sitting behind the Shibboleth Service Provider.