CAS 5.2.0 RC4 Feature Release

The blog is managed and hosted on Github. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.1.0 GA was released on May 27th 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.2.0. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 5.2.0 series.

The in-development documentation of CAS 5.2.0 is available here. The release schedule is also available here. The release policy is available here.

You can read more about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.

At any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Apache Maven

In the pom.xml of the overlay, adjust the following tag to match below:



In the of the overlay, adjust the following setting to match below:



  1. Thanks to @CobraFlow, delegated authentication using CAS is now able to correctly parse the CAS protocol setting.
  2. Cassandra authentication support is now able to correctly pick up the connection factory from the application context, and uses the correct setting for usernames when constructing authentication queries.
  3. Thanks to @marwatk, the password management webflow is now correctly registering an event to respond to Password Must Change scenarios.
  4. Documentation guidelines to explain how to deploy CAS as an OS service.
  5. Thanks to @acvcu, multifactor authentication bypass options now correctly take into account the principal attribute name.
  6. Small improvements in the way access strategy policies are enforced, specially when dealing attribute release policies that have semi complex mapping rules.
  7. Mapping attributes to be considered as CAS usernames now correctly takes into account multi-valued attributes.
  8. Thanks to @marwatk, validating security question answers are now made extensible to account for custom validation rules.
  9. Anchor fragments are now automatically preserved while redirecting back to the application with a ticket.
  10. MDUI elements for services found in the registry now correctly honor information and privacy URLs.
  11. Thanks to @bhohler, verification of credential’s password against Cloud Directory is now done properly.
  12. Signing certificates configured for WSFED delegated authentication are now made watchable.
  13. Thanks to @bsandiford, memcached serialization via Kryo now takes into account a few more ticket expiration policies and other components. It is also set to issue a warning if and when unregistered classes in the kryo registry are found.
  14. CAS as a Spring Boot Application can now be deployed as a fully-executable file.
  15. Thanks to @marwatk, extensible error handling logic is now built into the password management to ensure password update operations can correctly report back failure events.
  16. Slight cleanup to ensure MongoDb and Redis ticket registries are able to take advantage of crypto operations.
  17. Thanks to @sbearcsiro, servide registry auto-initialization from JSON services now is prevented from adding duplicate records.
  18. Minor improvements to the audit log message where super long messages are now abbreviated down to 125 characters.
  19. Thanks to @marwatk, ordering of security questions for password management is now preserved.
  20. Plenty of minor documentation improvements, such a few notes on how the service registry initialization works and what one might be able to do in order to disable CAS’ embedded logging configuration when using an external servlet container.
  21. Thanks to @NgSekLong, the signature block type produced in a SAML2 response is now controllable via settings to encode signatures in PEM or DER mode.
  22. Thanks to @frett, the payload produced by proxy validation event is now able to remain CAS Protocol v3 compatibble by releasing attributes.
  23. X509 principal resolution is now able to support EDIPI defined as part of the certificate’s CN.
  24. Remote Trusted authentication is now able to use a custom request header to extract the authenticated username.
  25. Delegated authentication is now able to support Keycloak.

Test Coverage

CAS is now integrated with to report back test coverage statistics. The propduced report will help to identify areas that need more attention in terms of QA and verification. As of this writing, CAS stands at 43% test coverage and that number will continue to grow in the coming months with the addition of test cases and fine-tuning of the reporting tool to skip and ignore relevant areas.

Attribute Resolution Dashboard

The attribute resolution interface presented as part of CAS dashboard now allows for one to test authentication and observe the CAS payload that might be released to a registered application in the CAS service registry, indicating various protocols.


Management Web Application


Authentication strategies for the CAS management web application have been improved to support a few more options. Similarly, authorization rules are now allowed to support JSON/YAML backends.


Thanks to @tsschmidt, the registered service definition model is now able to support contacts. Support for contacts is also made available in the management web application.


Attribute Value Filters

Thanks to @tsschmidt, attribute value filters are now also supported in the CAS management web application:


User Interface

Thanks to @tsschmidt, UX continues to see improvements and minor bug fixes. Time and availability permitting, we are working to include workflow and wizard functionality into the interface.

Redis Sentinel Support

Redis Sentinel provides high availability for Redis. In practical terms this means that using Sentinel you can create a Redis deployment that resists without human intervention to certain kind of failures. Redis Sentinel also provides other collateral tasks such as monitoring, notifications and acts as a configuration provider for clients.

Thanks to @ozayduman, components in CAS that integrate with Redis such the Redis Ticket Registry or the Redis Service Registry are now extended to support Sentinel for better HA configuration.

JMS Ticket Registry

A new ticket registry implementation is now available which based on JMS with support for a variety of messaging systems such as ActiveMQ, Artemis, etc.

OAuth User Profile Rendering

Additional options are now exposed that control the rendering of the OAuth user profile.

Attribute Hashing

This may be a breaking change. Consult the docs to learn more.

Attribute consent functionality no longer applies a SHA-512 hashing function to attribute names and values. The consent decisions are now limited to signing and encryption only. With the one-way hash removed, CAS now presents the functionality underneath to decrypt records and present them back to the user in form of administrative dashboards and user interfaces, allowing users to revoke or modify a decision.

Groovy Support

Attribute consent can now be managed via an externally-defined Groovy script for easier extensibility and customizations.

Service Expiration Policies

Service definitions are now given the ability to expire on a designated date.

Thanks to @tsschmidt, the management web application also supports this capability too:


Acceptable Usage Policy

MongoDb Storage

Acceptable Usage Policy is now slightly improved to support MongoDb for a storage option.

Groovy Password Encoders

CAS password encoders are now allowed to be defined as a Groovy script to assist with designing custom encoding schemes.

Configuration Metadata UI

Accessing CAS configuration metadata is now possible via the CAS dashboards:


Most if not all CAS properties are annotated with @RequiredProperty and @RequiredModule which are then picked up by the metadata generation process and translated for REST APIs, etc.



CAS metrics may be routed to varying types of databases for storage and analytics.

REST Service Registry

Managing service definitions may also be carried out via a REST implementation of your choice.

Library Upgrades

  • Spring Boot
  • Spring Webflow
  • Spring
  • jQuery
  • jQuery UI
  • Gradle
  • Hibernate
  • Apache Tomcat
  • Apache Http Client
  • Spring Data
  • Log4j
  • Spring MongoDb
  • Dropwizard Metrics
  • Swagger
  • Bootstrap Datepicker
  • AspectJ
  • MariaDb Driver
  • Google Maps
  • AWS Java SDK

Additionally, Javascript linting process is internally updated to support ECMAScript 6.

Get Involved

Das Ende

Big thanks to all who participate in the development of this release to submit patches, report issues and suggest improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.