The blog is managed and hosted on Github. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS
5.1.0 GA was released on May 27th 2017. Since then,
the project has been moving forward with development of the next feature release
that is tagged as
5.2.0. This post intends to highlight some of the improvements
and enhancements packed into the fourth release candidate in the
The in-development documentation of CAS
5.2.0 is available here.
The release schedule is also available here. The release policy
is available here.
You can read more about the previous release candidate here.
- Shake Well Before Use
- Test Coverage
- Attribute Resolution Dashboard
- Management Web Application
- Redis Sentinel Support
- JMS Ticket Registry
- OAuth User Profile Rendering
- Attribute Consent
- Service Expiration Policies
- Acceptable Usage Policy
- Groovy Password Encoders
- Configuration Metadata UI
- REST Service Registry
- Library Upgrades
- Get Involved
- Das Ende
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a
GA release is only going to set you up for unpleasant surprises. A
GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.
At any given time, you should be able to append
-SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
pom.xml of the overlay, adjust the following tag to match below:
gradle.properties of the overlay, adjust the following setting to match below:
- Thanks to @CobraFlow, delegated authentication using CAS is now able to correctly parse the CAS protocol setting.
- Cassandra authentication support is now able to correctly pick up the connection factory from the application context, and uses the correct setting for usernames when constructing authentication queries.
- Thanks to @marwatk, the password management webflow is now correctly registering an event to respond to Password Must Change scenarios.
- Documentation guidelines to explain how to deploy CAS as an OS service.
- Thanks to @acvcu, multifactor authentication bypass options now correctly take into account the principal attribute name.
- Small improvements in the way access strategy policies are enforced, specially when dealing attribute release policies that have semi complex mapping rules.
- Mapping attributes to be considered as CAS usernames now correctly takes into account multi-valued attributes.
- Thanks to @marwatk, validating security question answers are now made extensible to account for custom validation rules.
- Anchor fragments are now automatically preserved while redirecting back to the application with a ticket.
- MDUI elements for services found in the registry now correctly honor information and privacy URLs.
- Thanks to @bhohler, verification of credential’s password against Cloud Directory is now done properly.
- Signing certificates configured for WSFED delegated authentication are now made watchable.
- Thanks to @bsandiford, memcached serialization via Kryo now takes into account a few more ticket expiration policies and other components. It is also set to issue a warning if and when unregistered classes in the kryo registry are found.
- CAS as a Spring Boot Application can now be deployed as a fully-executable file.
- Thanks to @marwatk, extensible error handling logic is now built into the password management to ensure password update operations can correctly report back failure events.
- Slight cleanup to ensure MongoDb and Redis ticket registries are able to take advantage of crypto operations.
- Thanks to @sbearcsiro, servide registry auto-initialization from JSON services now is prevented from adding duplicate records.
- Minor improvements to the audit log message where super long messages are now abbreviated down to
- Thanks to @marwatk, ordering of security questions for password management is now preserved.
- Plenty of minor documentation improvements, such a few notes on how the service registry initialization works and what one might be able to do in order to disable CAS’ embedded logging configuration when using an external servlet container.
- Thanks to @NgSekLong, the signature block type produced in a SAML2 response is now controllable via settings to encode signatures in
- Thanks to @frett, the payload produced by proxy validation event is now able to remain CAS Protocol v3 compatibble by releasing attributes.
- X509 principal resolution is now able to support EDIPI defined as part of the certificate’s CN.
- Remote Trusted authentication is now able to use a custom request header to extract the authenticated username.
- Delegated authentication is now able to support Keycloak.
CAS is now integrated with coveralls.io to report back test coverage statistics. The propduced report will help to identify areas that need more attention in terms of QA and verification. As of this writing, CAS stands at 43% test coverage and that number will continue to grow in the coming months with the addition of test cases and fine-tuning of the reporting tool to skip and ignore relevant areas.
Attribute Resolution Dashboard
The attribute resolution interface presented as part of CAS dashboard now allows for one to test authentication and observe the CAS payload that might be released to a registered application in the CAS service registry, indicating various protocols.
Management Web Application
Authentication strategies for the CAS management web application have been improved to support a few more options. Similarly, authorization rules are now allowed to support JSON/YAML backends.
Thanks to @tsschmidt, the registered service definition model is now able to support contacts. Support for contacts is also made available in the management web application.
Attribute Value Filters
Thanks to @tsschmidt, attribute value filters are now also supported in the CAS management web application:
Thanks to @tsschmidt, UX continues to see improvements and minor bug fixes. Time and availability permitting, we are working to include workflow and wizard functionality into the interface.
Redis Sentinel Support
Redis Sentinel provides high availability for Redis. In practical terms this means that using Sentinel you can create a Redis deployment that resists without human intervention to certain kind of failures. Redis Sentinel also provides other collateral tasks such as monitoring, notifications and acts as a configuration provider for clients.
Thanks to @ozayduman, components in CAS that integrate with Redis such the Redis Ticket Registry or the Redis Service Registry are now extended to support Sentinel for better HA configuration.
JMS Ticket Registry
A new ticket registry implementation is now available which based on JMS with support for a variety of messaging systems such as ActiveMQ, Artemis, etc.
OAuth User Profile Rendering
Additional options are now exposed that control the rendering of the OAuth user profile.
This may be a breaking change. Consult the docs to learn more.
Attribute consent functionality no longer applies a SHA-512 hashing function to attribute names and values. The consent decisions are now limited to signing and encryption only. With the one-way hash removed, CAS now presents the functionality underneath to decrypt records and present them back to the user in form of administrative dashboards and user interfaces, allowing users to revoke or modify a decision.
Attribute consent can now be managed via an externally-defined Groovy script for easier extensibility and customizations.
Service Expiration Policies
Service definitions are now given the ability to expire on a designated date.
Thanks to @tsschmidt, the management web application also supports this capability too:
Acceptable Usage Policy
Acceptable Usage Policy is now slightly improved to support MongoDb for a storage option.
Groovy Password Encoders
CAS password encoders are now allowed to be defined as a Groovy script to assist with designing custom encoding schemes.
Configuration Metadata UI
Accessing CAS configuration metadata is now possible via the CAS dashboards:
Most if not all CAS properties are annotated with
@RequiredModule which are then picked up by the metadata generation process and translated for REST APIs, etc.
CAS metrics may be routed to varying types of databases for storage and analytics.
REST Service Registry
Managing service definitions may also be carried out via a REST implementation of your choice.
- Spring Boot
- Spring Webflow
- jQuery UI
- Apache Tomcat
- Apache Http Client
- Spring Data
- Spring MongoDb
- Dropwizard Metrics
- Bootstrap Datepicker
- MariaDb Driver
- Google Maps
- AWS Java SDK
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Big thanks to all who participate in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!