CAS 6.0.0 RC2 Feature Release

This post is not official yet and may be heavily edited as CAS development makes progress. Watch for further updates.
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.

This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 6.0.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.


In the of the overlay, adjust the following setting:



New & Noteworthy

JDK 10

Work continues to ensure CAS can support and build on top of JDK 11. At this time, a number of supporting libraries that handle code generation, test coverage and static analysis are not quite ready for JDK 11, and a few more foundational frameworks such as Spring and Spring Boot have yet to be upgraded to a release friendly to JDK 11. In this release, the JDK requirement continues to stay at 10 with the hopes that said core components would be ready for JDK 11 around the time of the next release candidate.

WAR Overlay

The Maven WAR overlay template is now deprecated and moved aside. The reference overlay project simply resides here and is transformed to use the Gradle build tool instead. This is done to reduce maintenance overhead and simplify the deployment strategy while allowing future attempts to make auto-generation of the overlay as comfortable as possible.

OAuth2 UMA

A first pass at OAuth2 User-Managed Access is now available. This is very much a rough take and will require some fine-tuning and tweaking in future iterations to fully make it spec-compliant and functional.

Authentication Source Selection

In the event that there is more than one (primary) authentication source defined, CAS is given the ability to present the user with a choice in the login screen to select the appropriate credential source before authenticating. This capability can also be automated using credential predicates if a pattern can formulated and linked to a specific authentication source. This variation here is the less-automated way of selecting an authentication source, taking into account user input directly.

Forgot Username

The Forgot your username? scenario is now supported by the CAS password management facility.

OAuth2 Token Management

Specific endpoints are provided as part of CAS monitoring toolkit to manage and revoke OAuth2 access and refresh tokens.

Small Stuff

  • Expired registered service definitions are now blocked by CAS as always, but are not strictly modified in the service registry as disabled services.
  • A ton of improvements to the Travis CI integration tests to ensure performance and compliance. This area continues to improve.
  • Release of authentication-level attributes, typically those related to protocols or those captured by metadata populators is now controlled via a central policy.
  • Generation of CAS configuration metadata is massaged to take into account enumerations and nested inner classes.
  • REST API authentication using X509 is now capable of TLS client authentication.
  • Delegated authentication gains the ability to use path variables for client names instead of query parameters, for identity providers such as Azure.
  • CAS documentation integrates with Angolia for its search capabilities.
  • Minor bug fixes to database schema handling, log messages and OATH validations.
  • CAS OpenID Connect support gains a better handle on logout and session management.
  • OAuth2 grant type selection is now enforced for relying parties, etc.

Library Upgrades

  • Inspektr
  • Pac4j


Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS 6.0.0 RC1 Feature Release which I present an overview of CAS 6.0.0 RC1 release.

Apereo CAS Delegated Authentication with ADFS

Learn how your Apereo CAS deployment may be configured to delegate authentication to Microsoft ADFS.

Apereo CAS Swag with Swagger

Enable Swagger integration with your Apereo CAS APIs.

Get Productive with Shell Aliases

A collection of useful shell aliases, gathered over the years to help increase one's productivity and developer happiness.

feat(conventional_commits): signal breaking changes in commit titles

In which I suggest Conventional Commits should be enhanced to reflect the breakingness of commits in their commit message titles.

uPortal annual report, June 2018 edition

Ecoysystem. Releases. Community. Fiscal responsibility.

One Can Only Hope in Buchistan

A true story inspired by real events. Seriously. Bryan Cranston has been approached for the role of "Some".

Apereo CAS - Extending Webflows

Learn and master extending CAS 5 Spring Webflow definitions.

Apereo CAS - Administrative Endpoints & Monitoring

Gain insight into your running Apereo CAS deployment in production. Learn how to monitor and manage the server by using HTTP endpoints and gather metrics to diagnose issues and improve performance.

Apereo CAS - Custom Authentication & Attribute Sources

Master writing custom authentication handlers/schemes in CAS and learn how to design custom data sources that can produce user claims and attributes.