CAS 6.0.0 RC2 Feature Release

The blog is managed and hosted on GitHub. If you wish to update the contents of this post, or if you have found an inaccuracy and wish to make corrections, please submit a pull request to this repository.

The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.

This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 6.0.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.


In the of the overlay, adjust the following setting:



New & Noteworthy

JDK 10

Work continues to ensure CAS can support and build on top of JDK 11. At this time, a number of supporting libraries that handle code generation, test coverage and static analysis are not quite ready for JDK 11, and a few more foundational frameworks such as Spring and Spring Boot have yet to be upgraded to a release friendly to JDK 11. In this release, the JDK requirement continues to stay at 10 with the hopes that said core components would be ready for JDK 11 around the time of the next release candidate.

Note that this release candidate builds on top of Spring framework 5.1 and Spring Boot 2.1. The upgrade should provide improvements for CAS startup time and be ready in anticipation of the upcoming JDK 11 release.

WAR Overlay

The Maven WAR overlay template is now deprecated and moved aside. The reference overlay project simply resides here and is transformed to use the Gradle build tool instead. This is done to reduce maintenance overhead and simplify the deployment strategy while allowing future attempts to make auto-generation of the overlay as comfortable as possible.

OAuth2 UMA

A first pass at OAuth2 User-Managed Access is now available. This is very much a rough take and will require some fine-tuning and tweaking in future iterations to fully make it spec-compliant and functional.

Authentication Source Selection

In the event that there is more than one (primary) authentication source defined, CAS is given the ability to present the user with a choice in the login screen to select the appropriate credential source before authenticating. This capability can also be automated using credential predicates if a pattern can be formulated and linked to a specific authentication source. The variation here is the less-automated way of selecting an authentication source, taking into account user input directly.

Forgot Username

The "Forgot your username?" scenario is now supported by the CAS password management facility.

OAuth2 Token Management

Specific endpoints are provided as part of the CAS monitoring toolkit to manage and revoke OAuth2 access and refresh tokens.

Hazelcast Discovery Strategies

CAS is now able to take advantage of Kubernetes for Hazelcast auto discovery of nodes. Support for discovery strategies based on Docker Swarm is also included and available.

Small Stuff

  • Expired registered service definitions are now blocked by CAS as always, but are not strictly modified in the service registry as disabled services.
  • A ton of improvements to the Travis CI integration tests to ensure performance and compliance. This area continues to improve.
  • Release of authentication-level attributes, typically those related to protocols or those captured by metadata populators, is now controlled via a central policy.
  • Generation of CAS configuration metadata is massaged to take into account enumerations and nested inner classes.
  • Delegated authentication now attempts to check for SSO status before handing off the request to a provider.
  • REST API authentication using X509 is now capable of TLS client authentication.
  • Delegated authentication gains the ability to use path variables for client names instead of query parameters, for identity providers such as Azure.
  • CAS documentation integrates with Algolia for its search capabilities.
  • SAML2 support in CAS begins to support encrypted attributes as well as name ids.
  • Minor bug fixes to database schema handling, log messages, MFA context validation, ticket serialization, and OATH validations.
  • CAS OpenID Connect support gains a better handle on logout and session management.
  • OAuth2 grant type selection is now enforced for relying parties, etc.
  • Kryo for memcached continues to auto-register a few more components, especially when CAS has turned on MFA or delegated authentication.
  • Session replication can now be done using a JDBC backend.
  • YAML Service Registry is able to recognize both .yml and .yaml files.
  • Delegated authentication to SAML identity providers gains a few bug fixes when resolving SP or IdP metadata over URLs. The service provider metadata generated by CAS can now optionally be signed using metadata signing keys.

Library Upgrades

  • Inspektr
  • Pac4j
  • Spring
  • Spring Boot
  • Spring Security
  • Spring Security RSA
  • Spring Data
  • Spring Session
  • Spring Cloud
  • Oshi
  • ActiveMQ
  • jClouds
  • JavaParser
  • Commons Lang
  • Commons Configuration
  • Amazon AWS
  • Google Maps
  • UnboundID LDAP
  • Twilio
  • Nexmo
  • Gradle
  • Nimbus
  • Apache Tomcat
  • Hibernate


Get Involved


Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep 'em coming!

Misagh Moayyed
