The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS
5.2.0 GA was released on November 27th, 2017. Since then,
the project has been moving forward with development of the next feature release
that is tagged as
5.3.0. This post intends to highlight some of the improvements
and enhancements packed into the fourth release candidate in the
You can read about the previous release candidate here.
- Shake Well Before Use
- Delegated Authentication & MFA
- Password Management Email Notifications
- Interrupt Notifications
- SAML2 Service Providers
- Multifactor Authentication Trusted Devices
- Passwordless Authentication
- Custom CAS Settings
- AWS ElastiCache for Memcached
- AWS Simple Notification Service for SMS
- JWT Service Tickets
- AWS Secrets Manager
- RESTful View Resolution
- AWS S3 Buckets
- Command-line Shell Commands
- SAML 1.1 Validations
- Library Upgrades
- Get Involved
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a
GA release is only going to set you up for unpleasant surprises. A
GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append
-SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
pom.xml of the overlay, adjust the following tag to match below:
gradle.properties of the overlay, adjust the following setting to match below:
- Thanks to @leleuj, validation of OAuth and OpenID Connect requests gain improvements in terms of protocol compatibility.
- The rendering syntax of CAS attributes in the validation response can now be controlled using CAS settings to enable inline rendering. (i.e.
<cas:attribute name="givenName" value="John"></cas:attribute>)
- Thanks to @frett, the initialization of the login webflow is fixed to only execute once.
- Refreshing CAS configuration should allow for re-initialization of the service registry, if CAS is configured to populate the service registry database from JSON service files.
- Thanks to @NgSekLong, the validation of the OAuth
client_secretparameter is made optional if it’s left undefined for the OAuth service.
- CAS test coverage has improved slightly with a number of additional tests where now coverage is at
- Auditing a password change operation using the CAS password management features is fixed to correctly catalog failures.
- Static analysis is now turned on CAS CI builds using FindBugs by default as well as Checkstyle. The builds are also taking advantage of the OWASP Dependency Check plugin for Gradle to auto-scan libraries used by CAS and fail the build in case a relevant CVE is found in the CAS distribution.
- Thanks to @williame-uah, the
encryptionSecretSizeparameter is fixed in CAS command-line shell to remove the duplicate name.
- Handling LDAP account states to process warnings, etc can now be separately turned on via CAS configuration, as part of the password policy settings.
- Thanks to @tsschmidt, the strategy for calculating service registry file names can now be customized in a pluggable way. This in particular has a benefit of allowing the management web application to provide customized naming strategies for resources as they are tracked in source control and Git, etc.
- A number of internal changes to SAML2 metadata resolution in order to improve performance and memory use.
- Annotation processing behavior has been restored to account for CAS extensions of Log4j, as well as correctly generating configuration metadata.
- Thanks to @sbearcsiro, a number of bugs that affect Twitter’s OAuth1 requests and responses when dealing with delegated authentication in CAS are now fixed.
- Logout management in CAS is modified to be able to internally handle submitting logout notifications to multiple URLs associated with a single application.
- A Groovy implementation is now made available for
PrincipalFactoryobjects that may be used inside custom configuration classes in areas where principal resolution needs unusual changes.
- Thanks to @tduehr, various number of improvements are applied to the CAS internal Gradle build to ensure tests can be run in categories.
- Thanks to @tsschmidt, the pattern to recognize domains in registered services is now improved.
- Thanks to @ringmaster217, the
iatfield in JWTs generated for OpenID Connect when tokens are introspected is fixed to be based on seconds instead of milliseconds.
- A series of minor improvements to the Surrogate authentication functionality when surrogate accounts are looked up from LDAP.
- SAML2 metadata resolution caching strategies are better improved in this release to improve performance and reduce memory use.
- Thanks to @fcrespel, token revocation features of CAS running in OpenID Connect mode are made more compliant with the specification.
- Delegated authentication can now directly build the final authenticated principal using an attribute from the provided user profile.
- JAAS authentication is given the ability in settings to handle password policy enforcements. Furthermore, both JAAS and Surrogate authentication are given dedicated settings to control how a CAS authenticated principal should be constructed. This behavior was typically controlled more globally before via Person Directory settings.
- Thanks to @sbearcsiro, delegated authentication is able to properly reconstruct the service authentication request, once the flow has returned from the provider and CAS is getting ready to produce a response.
CipherExecutorcomponents are added to handle signing and encryption decoding/encoding operations using RSA key-pairs.
- Thanks to @fcrespel, french translations of the CAS message bundles are now made up-to-date.
- The configuration file for JAAS-based authentications may now be loaded directly from CAS settings.
- When preparing SAML2 responses, the subject locality field is fixed to include the address of the CAS server instead of the service provider.
- Anonymous username identifiers are now set to correctly encode and digest values that may be used for persistent identifiers.
- Thanks to @sbearcsiro, delegated authentication to Twitter gains support to retrieve and process the profile email address.
- Database authentication in query mode can now process and accept named sql parameters in the SQL query.
- Thanks to @bdavids1, the Duo Security iframe is improved to display properly specially on mobile devices per the recommendations available here.
Delegated Authentication & MFA
Delegating authentication events to ADFS as well as all other external identity providers are now revisited to handle multifactor authentication flows better, once the flow travels back from the identity provider to CAS after authentication.
Password Management Email Notifications
This is a breaking change. Review your settings and be sure to adjust.
Settings that control email notifications for password reset operations are placed under a
CAS Interrupt Notifications can now be triggered using authentication/principal attributes using regular expression patterns. Furthermore, notifications may now be skipped on a per-service basis by assigning tags and properties to the service definition.
SAML2 Service Providers
The following new SAML2 service providers are now supported by CAS out of the box:
Multifactor Authentication Trusted Devices
You may need to adjust the underlying schema used to store trusted device records to handle the new date type. The change affects all storage options that support keeping track of trusted device records.
Handling trusted devices for multifactor authentication receives a number of fixed to handle device expiration time units better. As a result of this change, the trusted device record date is switched from
LocalDateTime in order to support hours, minutes and seconds.
An initial draft of Passwordless Authentication is now available. This is a form of authentication in CAS where passwords take the form of tokens that expire after a configurable period of time, and are sent to users using email, text messages, etc.
Custom CAS Settings
In order to extend the collection of CAS settings, most adopters might have had to introduce a new configuration namespace into CAS and have it be recognized using a custom
@ConfigurationProperties type of component. In this release candidate, a
custom category is introduced as a
Map that can house all arbitrary settings. Furthermore, the entire collection of CAS settings including the
custom category of course is made available to all components, webflow states and CAS views in particular, so that views can be customized or altered using any of the defined CAS configuration properties.
AWS ElastiCache for Memcached
For memcached integrations, CAS is now able to provide a native module that is able to seamlessly integrate with AWS ElastiCache. This is mostly a drop-in replacement for the spymemcached.
The memcached support modules in CAS no longer take the opinionated approach of presenting a memcached client library. The choices are now presented as separated modules that you are to choose and then stuff into your overlay. If you are unsure what to choose, choose spymemcached.
AWS Simple Notification Service for SMS
Support is now included to take advantage of AWS SNS for sending SMS messages.
As par of this change, the configuration of various SMS providers is now moved into a parent
cas.smsProviderscategory. Please review your settings and adjust.
JWT Service Tickets
Encryption and signing keys use to allow CAS to encode a JWT as a service ticket may now be defined on a per-service basis. Furthermore, extra test cases are added to ensure the generated JWT is not doubly encoded in base64 syntax.
AWS Secrets Manager
CAS configuration settings may now be managed and located using AWS Secrets Manager.
RESTful View Resolution
CAS views can now be resolved using an external URL in RESTful ways.
AWS S3 Buckets
Command-line Shell Commands
CAS command-line shell receives a few additional commands in order to verify connectivity to LDAP servers and to test connections to endpoints useful for verifying SSL configuration, etc. The endpoint validation is further enhanced by @jtgasper3 to include details that can be used to troubleshoot failed https client connection.
SAML 1.1 Validations
SAML1.1 ticket validation is cleaned up to parse and extract the validation payload from the request body more accurately, relying less on manual parsing of input. The extraction logic also includes a small bit of caching of the request body in order to allow upstream components to process a given http request’s body for other types of functionality, essentially making the request body reusable and re-parseable for the entire transaction.
- Amazon SDK
- Commons Text
- Spring Boot
- Apache Tomcat
- Apache Ignite
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!