CAS 6.0.0 RC4 Feature Release


Collaborate
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 5.3.0 GA was released on June 29th, 2018. Since then, the project has been moving forward with development of the next feature release that is tagged as 6.0.0. Note that this is a major release of the CAS software which may present significant changes in architecture, configuration or behavior. Please review the release policy to learn more about the scope of the release.

This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 6.0.0 series.

You can read about the previous release candidate here.

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Overlay

In the gradle.properties of the overlay, adjust the following setting:

casVersion=6.0.0-RC4

Changes

Known Issues

The cas.admin-pages-security.ip property has been renamed to cas.monitor.endpoints.endpoint.defaults.access[0] but due to an issue, a NullPointerException will occur on startup if you use that property (in canonical form or relaxed, etc) rather than pointing at the new property name. Change the property name or don’t use the property in order to avoid the issue.

New & Noteworthy

Actuator Endpoint Ids

CAS actuator endpoints are named to be more consistent with Spring Boot guidelines, to remove startup warnings and prevents errors in future upgrades to Spring Boot 2.2.x. Previous endpoints that were created using kebab-case identifiers such as spring-webflow are now switched over to use camel-case instead, such as springWebflow.

SMS via Groovy & REST

Sending SMS messages is now also possible via Groovy scripts or a REST API.

Dockerized CAS Overlay

The CAS WAR Overlay is equipped to build Docker images using jib.

Command-line Shell

The CAS Command-line Shell gets a few upgrades to stay compatible with the most recent changes to the build, as well as a few new commands to generate crypto keys or encrypt/sign data, etc.

Service Environments

Each registered application in the registry may be assigned a set of environment names.

reCAPTCHA v3

Support for reCAPTCHA v3 is now added to CAS.

Bucket4j Integration

Authentication throttling support can now integrate with Bucket4j to handle capacity throttling for authentication requests.

Amazon Cognito Authentication

CAS is able to leverage Amazon Cognito for authentication.

SOAP Authentication

CAS is able to leverage SOAP APIs for authentication.

JDBC Naming Strategy

Additional options are exposed to help remap database virtual table names to logical names either via static settings or Groovy scripts, when database schemas and queries are created. This allows one to translate CAS-provided table names to those that might work better with older or less forgiving database platforms that have restrictions on naming, etc.

Reviewing consent decisions is now possible using the new consentReview endpoint that acts as a Spring Boot actuator endpoint.

Small Stuff

  • Small number of bug fixes to handle authorization correctly for delegated authentication.
  • The configuration settings for Spring Cloud configuration modules for MongoDb, DynamoDb, JDBC, etc should properly be recognized by CAS again.
  • The background job to reload CAS registered service is made conditional to only execute in case a reloadable storage option is registered.
  • A number of additional test cases for AWS S3 functionality.
  • Improvements to the crypto algorithm selection used to generate secure random numbers.
  • CAS configuration can now be recognized via Groovy closures.
  • Security response headers can support all CAS registered service definition types.
  • Minor improvements to database attribute fetching and processing of SQL Array objects.
  • CAS configuration watch can operate on both the configuration directory and the standalone direct configuration file.
  • CAS multifactor authentication via RADIUS gains the ability to enforce a limit on the number of allowed authentication attempts.
  • Secret keys used for various signing and encryption operations can now properly be recognized via CAS settings.
  • SAML2 SLO functionality receives a number of improvements to handle various forms of bindings.
  • CAS configuration properties that are renamed or moved to a new location should be reported on startup when used.
  • Most if not all custom shell commands used by the CAS overlay are moved into the Gradle build script.
  • Authentication throttling backed by Hazelcast gains its own independant set of properties.

Library Upgrades

  • Spring Boot
  • Spring
  • Gradle
  • Lombok
  • Micrometer
  • Spring Integration
  • Apache Tomcat
  • Person Directory
  • CAS Security Filter
  • Amazon SDK
  • JUnit
  • Nexmo
  • Spring Data

Resources

Get Involved

Credits

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.