CAS 5.3.0 RC4 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.2.0 GA was released on November 27th, 2017. Since then, the project has been moving forward with development of the next feature release that is tagged as 5.3.0. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 5.3.0 series.

The in-development documentation of CAS 5.3.0 is available here. The release schedule is also available here. The release policy is available here.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Apache Maven

In the pom.xml of the overlay, adjust the following tag to match below:



In the of the overlay, adjust the following setting to match below:



  • Thanks to @leleuj, validation of OAuth and OpenID Connect requests gain improvements in terms of protocol compatibility.
  • The rendering syntax of CAS attributes in the validation response can now be controlled using CAS settings to enable inline rendering. (i.e. <cas:attribute name="givenName" value="John"></cas:attribute>)
  • Thanks to @frett, the initialization of the login webflow is fixed to only execute once.
  • Refreshing CAS configuration should allow for re-initialization of the service registry, if CAS is configured to populate the service registry database from JSON service files.
  • Thanks to @NgSekLong, the validation of the OAuth client_secret parameter is made optional if it’s left undefined for the OAuth service.
  • CAS test coverage has improved slightly with a number of additional tests where now coverage is at 67% and growing.
  • Auditing a password change operation using the CAS password management features is fixed to correctly catalog failures.
  • Static analysis is now turned on CAS CI builds using FindBugs by default as well as Checkstyle. The builds are also taking advantage of the OWASP Dependency Check plugin for Gradle to auto-scan libraries used by CAS and fail the build in case a relevant CVE is found in the CAS distribution.
  • Thanks to @williame-uah, the encryptionSecretSize parameter is fixed in CAS command-line shell to remove the duplicate name.
  • Handling LDAP account states to process warnings, etc can now be separately turned on via CAS configuration, as part of the password policy settings.
  • Thanks to @tsschmidt, the strategy for calculating service registry file names can now be customized in a pluggable way. This in particular has a benefit of allowing the management web application to provide customized naming strategies for resources as they are tracked in source control and Git, etc.
  • A number of internal changes to SAML2 metadata resolution in order to improve performance and memory use.
  • Annotation processing behavior has been restored to account for CAS extensions of Log4j, as well as correctly generating configuration metadata.
  • Thanks to @sbearcsiro, a number of bugs that affect Twitter’s OAuth1 requests and responses when dealing with delegated authentication in CAS are now fixed.
  • Logout management in CAS is modified to be able to internally handle submitting logout notifications to multiple URLs associated with a single application.
  • A Groovy implementation is now made available for PrincipalFactory objects that may be used inside custom configuration classes in areas where principal resolution needs unusual changes.
  • Thanks to @tduehr, various number of improvements are applied to the CAS internal Gradle build to ensure tests can be run in categories.
  • Thanks to @tsschmidt, the pattern to recognize domains in registered services is now improved.
  • Thanks to @ringmaster217, the iat field in JWTs generated for OpenID Connect when tokens are introspected is fixed to be based on seconds instead of milliseconds.
  • A series of minor improvements to the Surrogate authentication functionality when surrogate accounts are looked up from LDAP.
  • SAML2 metadata resolution caching strategies are better improved in this release to improve performance and reduce memory use.
  • Thanks to @fcrespel, token revocation features of CAS running in OpenID Connect mode are made more compliant with the specification.
  • Delegated authentication can now directly build the final authenticated principal using an attribute from the provided user profile.
  • JAAS authentication is given the ability in settings to handle password policy enforcements. Furthermore, both JAAS and Surrogate authentication are given dedicated settings to control how a CAS authenticated principal should be constructed. This behavior was typically controlled more globally before via Person Directory settings.
  • Thanks to @sbearcsiro, delegated authentication is able to properly reconstruct the service authentication request, once the flow has returned from the provider and CAS is getting ready to produce a response.
  • Special CipherExecutor components are added to handle signing and encryption decoding/encoding operations using RSA key-pairs.
  • Thanks to @fcrespel, french translations of the CAS message bundles are now made up-to-date.
  • The configuration file for JAAS-based authentications may now be loaded directly from CAS settings.
  • When preparing SAML2 responses, the subject locality field is fixed to include the address of the CAS server instead of the service provider.
  • Anonymous username identifiers are now set to correctly encode and digest values that may be used for persistent identifiers.
  • Thanks to @sbearcsiro, delegated authentication to Twitter gains support to retrieve and process the profile email address.
  • Database authentication in query mode can now process and accept named sql parameters in the SQL query.
  • Thanks to @bdavids1, the Duo Security iframe is improved to display properly specially on mobile devices per the recommendations available here.

Delegated Authentication & MFA

Delegating authentication events to ADFS as well as all other external identity providers are now revisited to handle multifactor authentication flows better, once the flow travels back from the identity provider to CAS after authentication.

Password Management Email Notifications

This is a breaking change. Review your settings and be sure to adjust.

Settings that control email notifications for password reset operations are placed under a mail setting to be consistent with all other properties. As a result, the email notification operations of password reset gain small improvements to honor CC and BCC flags defined in configuration.

Interrupt Notifications

CAS Interrupt Notifications can now be triggered using authentication/principal attributes using regular expression patterns. Furthermore, notifications may now be skipped on a per-service basis by assigning tags and properties to the service definition.

SAML2 Service Providers

The following new SAML2 service providers are now supported by CAS out of the box:

  • WarpWire
  • BlackBaud
  • GiveCampus
  • RocketChat

Multifactor Authentication Trusted Devices

You may need to adjust the underlying schema used to store trusted device records to handle the new date type. The change affects all storage options that support keeping track of trusted device records.

Handling trusted devices for multifactor authentication receives a number of fixed to handle device expiration time units better. As a result of this change, the trusted device record date is switched from LocalDate to LocalDateTime in order to support hours, minutes and seconds.

Passwordless Authentication

An initial draft of Passwordless Authentication is now available. This is a form of authentication in CAS where passwords take the form of tokens that expire after a configurable period of time, and are sent to users using email, text messages, etc.

Custom CAS Settings

In order to extend the collection of CAS settings, most adopters might have had to introduce a new configuration namespace into CAS and have it be recognized using a custom @ConfigurationProperties type of component. In this release candidate, a custom category is introduced as a Map that can house all arbitrary settings. Furthermore, the entire collection of CAS settings including the custom category of course is made available to all components, webflow states and CAS views in particular, so that views can be customized or altered using any of the defined CAS configuration properties.

AWS ElastiCache for Memcached

For memcached integrations, CAS is now able to provide a native module that is able to seamlessly integrate with AWS ElastiCache. This is mostly a drop-in replacement for the spymemcached.

The memcached support modules in CAS no longer take the opinionated approach of presenting a memcached client library. The choices are now presented as separated modules that you are to choose and then stuff into your overlay. If you are unsure what to choose, choose spymemcached.

AWS Simple Notification Service for SMS

Support is now included to take advantage of AWS SNS for sending SMS messages.

As par of this change, the configuration of various SMS providers is now moved into a parent cas.smsProviders category. Please review your settings and adjust.

JWT Service Tickets

Encryption and signing keys use to allow CAS to encode a JWT as a service ticket may now be defined on a per-service basis. Furthermore, extra test cases are added to ensure the generated JWT is not doubly encoded in base64 syntax.

AWS Secrets Manager

CAS configuration settings may now be managed and located using AWS Secrets Manager.

RESTful View Resolution

CAS views can now be resolved using an external URL in RESTful ways.

AWS S3 Buckets

CAS configuration properties can now also be fetched from AWS S3 buckets. Similarly, SAML metadata documents for various service providers may also be managed using AWS S3 buckets.

Command-line Shell Commands

CAS command-line shell receives a few additional commands in order to verify connectivity to LDAP servers and to test connections to endpoints useful for verifying SSL configuration, etc. The endpoint validation is further enhanced by @jtgasper3 to include details that can be used to troubleshoot failed https client connection.

SAML 1.1 Validations

SAML1.1 ticket validation is cleaned up to parse and extract the validation payload from the request body more accurately, relying less on manual parsing of input. The extraction logic also includes a small bit of caching of the request body in order to allow upstream components to process a given http request’s body for other types of functionality, essentially making the request body reusable and re-parseable for the entire transaction.

Library Upgrades

  • Amazon SDK
  • Commons Text
  • Mockito
  • AspectJ
  • JavaParser
  • Jool
  • CosmosDb
  • Jackson
  • Spring
  • HikariCP
  • Spring Boot
  • Apache Tomcat
  • Hibernate
  • Caffeine
  • Guava
  • Kryo
  • Pac4j
  • Apache Ignite
  • Log4j

Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.