CAS 5.3.0 RC2 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.2.0 GA was released on November 27th, 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.3.0. This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 5.3.0 series.

The in-development documentation of CAS 5.3.0 is available here. The release schedule is also available here. The release policy is available here.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.

At any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Apache Maven

In the pom.xml of the overlay, adjust the following tag to match below:



In the of the overlay, adjust the following setting to match below:



  1. The embedded Apache Tomcat container is now given the ability to support basic authentication.
  2. Caching attributes fetched from external attribute repositories is now corrected to handle caching more efficiently.
  3. Thanks to @leleuj, MFA bypass via REST is corrected to format parameters properly for the REST request.
  4. Thanks to @alexdp, the Apache Ignite cache is corrected to include the right cache names for proxy tickets.
  5. Thanks to @rrenomeron, better error handling is put into place while parsing YAML property files.
  6. Thanks to @leleuj, better error handling is put in place for email notifications specially when no principal attribute is found to indicate the target email address.
  7. The DynamoDb table name used to hold CAS’ registered service definitions can now be customized via CAS settings.
  8. The logout webflow/view is now able to correctly recognize and activate the required code snippet for Google Analytics.
  9. Thanks to @marqc,the condition that controls the issuing of ticket-granting tickets is improved to take into account identical usernames found in multiple account sources.
  10. Thanks to @johnlister, better error handling is put in place during the password management reset flows when an invalid username is provided.
  11. Thanks to @plajko, ordering of the authentication handlers selected for the current transaction is correctly enforced.
  12. Thanks to @deel77, the Slovak language bundles are updated.
  13. Thanks to @3cdota,delegated authentication using Pac4j will attempt to preserve the requested URL upon CAS logout.
  14. Thanks to @dima767, the ranking logic that affected variegated multifactor providers such as Duo Security is now corrected.
  15. Thanks to @tienthanh2509, a new language pack for Vietnamese is now included in CAS.
  16. The LDAP service registry is able to correctly import JSON definition files where specified.
  17. Thanks to @dacurry-tns, handling of MongoDb connection strings specified by client URIs is now improved.
  18. Thanks to @arbner, consent view pages now have access to the authenticated principal.
  19. Thanks to @alexdp, Google Apps integration in CAS is improved to properly load the given certificates.
  20. Thanks to @hdeadman, the SSL valve for the embedded Apache Tomcat is now correctly registered with the servlet container.
  21. Thanks to @dima767, the log viewer available as part of the CAS dashboard gets a number of performance improvements internally.
  22. Thanks to @fjollberg, authenticating to Couchbase buckets receives a number of bug fixes.
  23. Thanks to @plajko, a number of MongoDb performance and configuration improvements are included in this release candidate. Additionally, the default size of the embedded Apache Tomcat’s thread pool is now increased.
  24. Thanks to @plajko, JWT ids generated with CAS as OpenId Connect OP are set to the service ticket identifier to account for proper session mapping when dealing with SLO.
  25. Minor bug fix in the way attributes are resolved and fetched from REST endpoints.

Hazelcast Discovery

CAS is now able to leverage Apache jclouds and Microsoft Azure, when it comes to Hazelcast and auto-discovery.

Apache Syncope Authentication

As yet another method of authentication, CAS is now able to leverage Apache Syncope to locate user accounts.

Operation Lombok

CAS begins to adopt Project Lombok in order to reduce noise and boilerplate code used to obtain logger objects, generate getter/setter methods, etc. This is part of a bigger gradual step at possibly converting the codebase relevant modules over to Kotlin to further improve readability and reduce LOC.

Before the migration, total number of lines for Java classes stood at 207,002. Today, after the migration the number of lines is reduced down to 190,398.

HTTP Security Headers per Service

Injection of HTTP security headers into the response can now be controlled on a per-service basis. See this guide for more info.

Registered Services REST API

For some time, CAS has had support for a REST-like API allowing one to add service definitions into the registry. This API was quite limited in accepting different properties of a given service definition or different types of services for various protocols. In this release candidate, this API is improved slightly to accept all types of service definitions in the API request body and making it slightly easier to execute such requests with proper authentication and authorization enforcements.

This is a breaking change. Please revisit the API requests and reformulate them accordingly.

Configuration Discovery

The Configuration Discovery endpoint in CAS is now able to report back configured and supported clients used in the context of delegated authentication.

SAML2 Service Providers

The following new SAML2 service providers are now supported by CAS out of the box:

  • Amazon

JSON Whitelist Authentication

A JSON-based authentication strategy is now included that allows one to mimic user account details, mostly useful for development and testing.

REST Protocol Credential Extraction

The CAS REST protocol in this release candidate is given the ability to extract multiple sets of credentials from the request body and prep them for authentication. In practice this means that various modules, such as YubiKey and Google Authenticator, may be allowed to insert a special credential extractor into the REST engine automatically when detected in order to let the REST request achieve MFA.

AWS Credential Fetching

For components that tightly integrate with AWS such as Cloud Directory Authentication or CloudWatch, etc CAS is now given the ability to fetch credentials from a variety of sources as part of an ordered chain. Sources include system properties, environment variables, EC2 instance metadata, etc.

This is a breaking change. As part of this change, a number of module names for CloudWatch logging, etc have changed their names to belong to the support category of CAS modules rather than core. Review the documentation and adjust accordingly.

Mapped Attribute Value Filters

A new attribute value filter is added whose main ability is to filter attribute values by a collection of patterns and then supplant the value dynamically based on the results of the regex match.

Authenticate Credentials via REST Protocol

A new REST endpoint is now exposed that is tasked to only verify the validity of the provided credentials without dealing with the ticket API.

REST Protocol Enhancements

The CAS REST protocol is now enhanced internally to be able to accept other types of protocols and parameters in order to issue a response (i.e. service ticket). As a first candidate, the REST protocol is now able to issue SAML1 tickets just as well as the normal web-based SSO flows.

REST-based Audits

CAS audit data and logs may now be POSTed to a REST endpoint of your choosing.

SAML2 Attribute Friendly Names

CAS acting as a SAML2 identity provider is given the ability to individually configure friendly names for attributes released to service providers.

Configuration Binding Behavior

Starting with this release candidate, the configuration binding operations start to be a bit less forgiving when it comes to detecting unknown CAS settings found in property sources such as the file. If you have existing settings that are no longer accepted or recognized, CAS will present you with an error at runtime and on startup forcing you clean up the configuration and find the correct replacements where relevant.

As part of this change, please note that the following settings that deal with CAS standalone configuration resolution have been renamed:

  • cas.standalone.config to cas.standalone.configurationDirectory
  • cas.standalone.config.file to cas.standalone.configurationFile
  • to cas.standalone.configurationSecurity
This is done to ensure configuration settings recognized by CAS are kept up-to-date, accurate and relevant throughout upgrades. As yet another reminder, it is unnecessary to copy an entire collection of CAS settings and values into property sources without fully knowing their application and impact. Per the usual recommendation, you are to keep the entire overlay construct clean, precise and laser-focused on behavior you do in fact need.

New Command-line Shell Commands

The CAS command-line shell is now given the following capabilities:

  • Export database schemas and DDLs
  • Generate SAML IdP metadata and related keystores and certificates
  • Jasypt-related commands to test available cipher algorithms and providers used to secure CAS properties, thanks to @hdeadman.

SAML2 Audits

SAML2 requests and responses accepted and produced by CAS while running as a SAML2 identity provider are now routed to the audit log. As part of this change, the auditing functionality in CAS is slightly improved to allow for dynamic registration of audit action and resource resolution events that may be carried out by any CAS module at runtime and typically on startup.

OAuth2 Audits

OAuth2 user profiles produced by CAS while running as an OAuth2 identity provider are now routed to the audit log.


Interactions with the CAS REST API that would allow one to obtain ticket-granting tickets and/or service tickets are now also sent to the audit log.

Audit Trail Management

Audit record management in CAS is given the abllity to work with multiple managers, storing audit data in many destinations at the same time. The auditing library is also given the ablity to fetch audit data based on a starting date whose value may be controlled in CAS settings.

As part of this change, a number of settings that specifically controlled the behavior of audit functionality based on log files and Slf4j have changed location, moving over to a slf4j category. Review the documentation for all settings and adjust accordingly if you have included any of those settings in your property sources.

Authentication Throttling

Authentication throttling configuration is slightly simplified to skip creating NoOp throttlers when throttling is disabled. As part of this change, other components that take advantage of throttling such as REST and OAuth protocols are affected to use the same throttler and configuration that would is used for other areas of the system namely the usual login endpoints.

As part of this change, the throttler setting that REST and OAuth module settings carried is now removed in favor of the default throttler functionality.

MongoDb Authentication Throttling

In addition to recording audit records in MongoDb databases, CAS also offers the authentication throttling functionality based on MongoDb that is tightly integrated with the same auditing facility.

Library Upgrades

  • Kotlin
  • Checkstyle
  • Spring Webflow
  • Commons Pool
  • Spring Boot
  • Apache Tomcat
  • Pac4j
  • Gradle
  • Person Directory
  • Apache HttpClient
  • HikariCP
  • Inspektr
  • Spring
  • Java CAS Client (version 3.5.0 is now available)

Get Involved

Das Ende

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.