CAS 6.0.0 RC2 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.

This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 6.0.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.


In the of the overlay, adjust the following setting:



New & Noteworthy

JDK 10

Work continues to ensure CAS can support and build on top of JDK 11. At this time, a number of supporting libraries that handle code generation, test coverage and static analysis are not quite ready for JDK 11, and a few more foundational frameworks such as Spring and Spring Boot have yet to be upgraded to a release friendly to JDK 11. In this release, the JDK requirement continues to stay at 10 with the hopes that said core components would be ready for JDK 11 around the time of the next release candidate.

Note that this release candidate builds on top of Spring framework 5.1 and Spring Boot 2.1. The upgrade should provide improvements for CAS startup time and be ready in anticipation of the upcoming JDK 11 release.

WAR Overlay

The Maven WAR overlay template is now deprecated and moved aside. The reference overlay project simply resides here and is transformed to use the Gradle build tool instead. This is done to reduce maintenance overhead and simplify the deployment strategy while allowing future attempts to make auto-generation of the overlay as comfortable as possible.

OAuth2 UMA

A first pass at OAuth2 User-Managed Access is now available. This is very much a rough take and will require some fine-tuning and tweaking in future iterations to fully make it spec-compliant and functional.

Authentication Source Selection

In the event that there is more than one (primary) authentication source defined, CAS is given the ability to present the user with a choice in the login screen to select the appropriate credential source before authenticating. This capability can also be automated using credential predicates if a pattern can formulated and linked to a specific authentication source. This variation here is the less-automated way of selecting an authentication source, taking into account user input directly.

Forgot Username

The Forgot your username? scenario is now supported by the CAS password management facility.

OAuth2 Token Management

Specific endpoints are provided as part of CAS monitoring toolkit to manage and revoke OAuth2 access and refresh tokens.

Hazelcast Discovery Strategies

CAS is now able to take advantage of Kubernetes for Hazelcast auto discovery of nodes. Support for discovery strategies based on Docker Swarm is also included and available.

Small Stuff

  • Expired registered service definitions are now blocked by CAS as always, but are not strictly modified in the service registry as disabled services.
  • A ton of improvements to the Travis CI integration tests to ensure performance and compliance. This area continues to improve.
  • Release of authentication-level attributes, typically those related to protocols or those captured by metadata populators is now controlled via a central policy.
  • Generation of CAS configuration metadata is massaged to take into account enumerations and nested inner classes.
  • Delegated authentication now attempts to check for SSO status before handing off the request to a provider.
  • REST API authentication using X509 is now capable of TLS client authentication.
  • Delegated authentication gains the ability to use path variables for client names instead of query parameters, for identity providers such as Azure.
  • CAS documentation integrates with Angolia for its search capabilities.
  • SAML2 support in CAS begins to support encrypted attributes as well as name ids.
  • Minor bug fixes to database schema handling, log messages, MFA context validation, ticket serialization, and OATH validations.
  • CAS OpenID Connect support gains a better handle on logout and session management.
  • OAuth2 grant type selection is now enforced for relying parties, etc.
  • Kryo for memcached continues to auto-register a few more components, specially with CAS has turned on MFA or delegated authentication.
  • Session replication can now be done using a JDBC backend.
  • Yaml Service Registry is able to recognize both .yml and .yaml files.
  • Delegated authentication to SAML identity providers gains a few bug fixes when resolving SP or IdP metadata over URLs. The service provider metadata generated by CAS can now optionally be signed using metadata signing keys.

Library Upgrades

  • Inspektr
  • Pac4j
  • Spring
  • Spring Boot
  • Spring Security
  • Spring Security RSA
  • Spring Data
  • Spring Session
  • Spring Cloud
  • Oshi
  • ActiveMQ
  • jClouds
  • JavaParser
  • Commons Lang
  • Commons Configuration
  • Amazon AWS
  • Google Maps
  • UnboundID LDAP
  • Twilio
  • Nexmo
  • Gradle
  • Nimbus
  • Apache Tomcat
  • Hibernate


Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release which I present an overview of CAS 6.2.0 RC5 release.

CAS 6.2.0 RC4 Feature Release which I present an overview of CAS 6.2.0 RC4 release.