CAS 5.3.0 RC3 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.2.0 GA was released on November 27th, 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.3.0. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 5.3.0 series.

The in-development documentation of CAS 5.3.0 is available here. The release schedule is also available here. The release policy is available here.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. In order to start experimenting with release candidates, use the following strategies.

At any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Apache Maven

In the pom.xml of the overlay, adjust the following tag to match below:



In the of the overlay, adjust the following setting to match below:



  • CAS integration tests for Couchbase, DynamoDb and InfluxDb are now automated/enabled via relevant Docker images running as part of Travis CI.
  • Thanks to @frett, TGC domain names are once more sanitized; an oversight that snuck into CAS after adopting Project Lombok.
  • Thanks to @luis100, delegating authentication to SAML IdPs now is able to handle urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST bindings.
  • Thanks to @tsschmidt, loading CAS configuration properties is now made conditional.
  • Thanks to @sbearcsiro, overflows when calculating ticket expirations in MongoDb are now prevented.
  • Thanks to @frett, multifactor authentication triggers based on principal/authentication attributes are now allowed to proceed in the absence of a service parameter.
  • CAS builds managed by Travis CI are now broken into multiple jobs using a matrix to account for faster execution times. SNAPSHOT releases tend to publish around the 30 minute mark!
  • Thanks to @dodok1, multiple RADIUS servers can now be specified in CAS properties, separated by comma.
  • Thanks to @fmartelli, delegated SAML2 authentication gains a new settings to allow for the specification of the AttributeConsumingServiceIndex exposed by Pac4j.
  • CAS proxy-granting ticket definitions are now correctly registered in the ticket catalog.
  • Thanks to @sbearcsiro, a number of time units in CAS are now corrected to properly recognize seconds instead of milli-seconds.
  • CAS configuration metadata is corrected to properly generate the needed JSON metadata based on configuration settings.
  • Thanks to @sbearcsiro, the embedded Apache Tomcat instance is tweaked using a Customizer component provided by Spring Boot so that CAS implementations can override the factory themselves (eg to enable JNDI) whilst also benefitting from the CAS tomcat configuration properties.
  • Specification of required authentication handlers for a service now does not intefere with the execution of multifactor authentication.
  • Thanks to @hdeadman, the OpenID Connect discovery profile is now able to properly render all settings, and should be able to list all grant types supported by CAS.
  • Thanks to @frett, the REST API responsible for generating service tickets can now correctly audit the authentication object.
  • Thanks to @sbearcsiro, the embedded tomcat configuration is refactored and moved into its own component.
  • OAuth codes issued by CAS running as an OpenID Connect provider are now strictly scoped to the requesting service when exchanged for access tokens.
  • Thanks to @swlyons, the table names for the DynamoDb Ticket Registry can now be customized in CAS settings.

SAML Service Provider Metadata via REST

SAML2 service provider metadata can now be fetched from more traditional REST endpoints, as an alternative to deploying an MDQ server. See this guide for more info.

OAuth2 Audits

Thanks to @dima767, OAuth2 and OpenID Connect interactions (authentication requests and user profile responses) with CAS are now sent to the audit log.

SAML2 Service Providers

The following new SAML2 service providers are now supported by CAS out of the box:

  • Concur Solutions
  • PollEverywhere

Couchbase 5 Compatibility

Thanks to @dima767, CAS integration tests for service/ticket registries are now verified and made functional against Couchbase 5. Additional test cases are also added to verify Couchbase authentication.

Couchbase Authentication Attributes

Similar to above, authenticating credentials against a Couchbase data store in CAS now gains the ability to also fetch attributes as part of the returned data row.

Registered Service Access Strategy Audits

Thanks to @dima767, service access strategy events are now sent to the audit log in the event that the principal does not carry enough attributes to be granted access.

Impersonation Audits

Thanks to @dima767, CAS impersonation attempts. that were put through the access strategy rules are now audited as well.

Delegated Authentication Access Strategy Audits

While delegating authentication to an external identity provider, access strategy events that enforce the usage of the external identity provider are now sent to the audit log.

Audit API Improvements

In collaboration with @dima767, CAS components that are typically not managed as Spring @Beans are now put through a mini framework so that can become eligible for auditing purposes. The API changes in this area, while non-intrusive, allow CAS to audit the likes of the services access strategy events noted above.

Impersonation Groovy Access Strategy

Impersonation features of CAS gain access to a Groovy option to execute authorization rules for surrogate authentication.

X.509 Authentication via Request Headers

Thanks to @hdeadman, X509 authentication now optionally gains the ability to extract the certificate from a request header.

CAS Protocol Behavior

Certain aspects of the CAS protocol such as proxy or renewed authentication can be controlled via CAS settings.

Bootstrap 4

Thanks to @mindblender, CAS user interfaces begin to take advantage of Bootstrap v4 and FontAwesome v5. The thymeleaf templates are also transformed to be easier to maintain as natural/native views.

Google Authenticator Multifactor Account Registration

Multifactor athentication provided by Google Authenticator in CAS has the ability to register users and devices as part of the authentication flow. In this release candidate, device registration records are by default signed/encrypted before they are stored in the registration store.

This may be a breaking change. While the setting is on by default, you can certainly disable the signing/encryption operations of CAS that deal with device registration.

Multifactor Trusted Devices

Thanks to @frett, Multifactor Trusted Devices support has been extended to support custom device fingerprinting strategies.

This may be a breaking change. Adding custom device fingerprint support necessitated a schema update for trust records.

Furthermore, this feature gains the ability to determine device fingerprints in order to distinguish trusted devices from each other.

YubiKey Account Public ID Encryption

Thanks to @dima767, the YubiKey authentication facility gains the ability to store account’s public key in target destination stores in the encrypted form

Service Registry Multiplicity

Interal improvements are in place to allow each module the capablity of hosting its own service registry, making CAS effectively able to work with more one service registry at the same time. In theory, this provides the option of having, for instance, both JSON and YAML service registries work together. The real motivation for this change is to allow the introduction of internal immutable service registries that may be ephemeral, specially in view of how CAS handles multiple protocol support with callback services that were, before this change, expected to be inserted and found in the service registry.

Embedded Apache Tomcat Session Clustering

The embedded Apache Tomcat is now altered slightly using options to allow for session clustering and replication.

Delegated Authentication Non-Sticky Sessions

Delegated authentication in CAS has been re-designed in certain areas to remove the requirement of sticky sessions specially in clustered deployments. The internal changes to accomodate this behavior are rather significant, so please be sure to test and contribute back lest issues are discovered. This behavior is also extended to include and support delegating authentication to ADFS instances.

Library Upgrades

  • Couchbase Java Client
  • Amazon Java SDK
  • Mockito
  • SemVer
  • Swagger
  • Disruptor
  • Eureka
  • Ribbon
  • ActiveMQ
  • InfluxDb
  • Apache CXF
  • JavaParser
  • Guava
  • Azure KeyVault
  • Okio
  • Yubico
  • Authy
  • Google Zxing
  • Yubico U2F
  • Maxmind
  • Google Maps
  • UnboundID
  • Gradle
  • Twilio
  • Postgresql Driver
  • MariaDb Driver
  • Jose4j
  • Bootstrap & FontAwesome
  • Apache Cassandra Driver
  • Font Awesome
  • Hazelcast
  • Jackson
  • JQuery
  • Thymeleaf Dialect
  • HikariCP
  • Caffein

Get Involved

Das Ende

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.