This post is not official yet and may be heavily edited as CAS development makes progress. Watch for further updates.
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS
5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as
6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.
This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the
You can read about the previous release candidate here.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a
GA release is only going to set you up for unpleasant surprises. A
GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append
-SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
gradle.properties of the overlay, adjust the following setting:
- New & Noteworthy
- Small Stuff
- Library Upgrades
- Get Involved
New & Noteworthy
Work continues to ensure CAS can support and build on top of JDK 11. At this time, a number of supporting libraries that handle code generation, test coverage
and static analysis are not quite ready for JDK 11, and a few more foundational frameworks such as Spring and Spring Boot have yet to be upgraded to a release friendly
to JDK 11. In this release, the JDK requirement continues to stay at
10 with the hopes that said core components would be ready for JDK 11 around the time of
the next release candidate.
The Maven WAR overlay template is now deprecated and moved aside. The reference overlay project simply resides here and is transformed to use the Gradle build tool instead. This is done to reduce maintenance overhead and simplify the deployment strategy while allowing future attempts to make auto-generation of the overlay as comfortable as possible.
A first pass at OAuth2 User-Managed Access is now available. This is very much a rough take and will require some fine-tuning and tweaking in future iterations to fully make it spec-compliant and functional.
Authentication Source Selection
In the event that there is more than one (primary) authentication source defined, CAS is given the ability to present the user with a choice in the login screen to select the appropriate credential source before authenticating. This capability can also be automated using credential predicates if a pattern can formulated and linked to a specific authentication source. This variation here is the less-automated way of selecting an authentication source, taking into account user input directly.
The Forgot your username? scenario is now supported by the CAS password management facility.
OAuth2 Token Management
Specific endpoints are provided as part of CAS monitoring toolkit to manage and revoke OAuth2 access and refresh tokens.
- Expired registered service definitions are now blocked by CAS as always, but are not strictly modified in the service registry as disabled services.
- A ton of improvements to the Travis CI integration tests to ensure performance and compliance. This area continues to improve.
- Release of authentication-level attributes, typically those related to protocols or those captured by metadata populators is now controlled via a central policy.
- Generation of CAS configuration metadata is massaged to take into account enumerations and nested inner classes.
- REST API authentication using X509 is now capable of TLS client authentication.
- Delegated authentication gains the ability to use path variables for client names instead of query parameters, for identity providers such as Azure.
- CAS documentation integrates with Angolia for its search capabilities.
- Minor bug fixes to database schema handling, log messages and OATH validations.
- CAS OpenID Connect support gains a better handle on logout and session management.
- OAuth2 grant type selection is now enforced for relying parties, etc.
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!