The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS 6.0.0 GA was released on December 28th, 2018. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.1.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 6.1.0 series.
You can read about the previous release candidate here.
- Get Involved
- Resources
- Overlay
- New & Noteworthy
- Required Services for Single SignOn
- Acceptable Usage Policy Audits
- Jasypt Configuration Security
- Multifactor Provider Selection
- Jasypt Encryption with CAS Commandline Shell
- SAML2 Skew Allowance per Service
- DynamoDb Audit Logs
- Registered Services Actuator Endpoint
- Acceptto Multifactor Integration
- Java 12 Compatibility
- Graal Compiler Compatibility
- Dependency Updates via Renovate
- SAML2 Encryption Configuration per Service
- OpenID Connect Dynamic Registration
- Access Strategy for Delegated Authentication
- SAML2 Signing Configuration per Service
- OpenID Connect UserInfo Response Signing & Encryption
- OAuth Token Expiration Policy
- Redis Authentication Throttling
- OpenID Connect Discovery Response
- CAS Docker Deployments
- Other Stuff
- Library Upgrades
- Credits
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.
Resources
Overlay
In the gradle.properties of the overlay, adjust the following setting:
casVersion=6.1.0-RC4
There are no changes to the minimum system/platform requirements for this release.
New & Noteworthy
Required Services for Single SignOn
CAS may be configured to require the user to authenticate from an application before access can be granted to all other registered services. See this for more info.
Acceptable Usage Policy Audits
Acceptable Usage Policy choices and results are now passed to the Audit Log.
Jasypt Configuration Security
This is a breaking change. You will need to make sure relevant configuration values are updated to remain functional.
Configuration properties secured and encrypted via Jasypt are required to be prefixed with
{cas-cipher} instead of {cipher} so as to avoid conflicts with Spring Cloud way of encrypting
and decrypting values.
Multifactor Provider Selection
In the event that more than multifactor authentication provider qualifies to satisfy the authentication request, CAS may be configured to present a choice and menu to the user where one would interactively pick the provider that works best at a given time. This mode is off by default, and complements existing selection strategies that are based on ranking strategies and weights or custom logic implemented in Groovy scripts, etc.
Jasypt Encryption with CAS Commandline Shell
A new decrypt-value command is added to CAS Commandline Shell to verify encrypted values.
SAML2 Skew Allowance per Service
SAML2 registered services can now define a skew-allowance value in seconds used to skew dates in the final response, such as valid-from, issue-instant, etc.
DynamoDb Audit Logs
Audit data can now be routed to and stored in DynamoDb.
Registered Services Actuator Endpoint
The registeredServices actuator endpoint gains a DELETE operation to remove registered services from CAS.
Acceptto Multifactor Integration
Acceptto is now supported as a CAS multifactor authentication provider. The integration adds support for both multifactor authentication and QR login codes.
Java 12 Compatibility
Though not required, CAS is able to build and run successfully against the latest versions of JDK 12.
Graal Compiler Compatibility
Additional tests are carried out to ensure CAS can remain functional while running with the Graal Compiler. If you’d like to experiment with this to gain possible performance improvements, start your CAS deployment with the following VM options:
-XX:+UnlockExperimentalVMOptions-XX:+EnableJVMCI-XX:+UseJVMCICompiler
Dependency Updates via Renovate
The process of updating CAS dependencies is somewhat automated through Travis CI, taking advantage of the renovate bot.
SAML2 Encryption Configuration per Service
CAS, running as a SAML2 identity provider, gains a few extra settings to control and override the encryption configuration of objects on a per service provider. Services can also be tagged to consider encryption as optional in case compatible keys are not found in the service provider metadata.
OpenID Connect Dynamic Registration
Many incremental improvements to support OpenID Connect dynamic registration of RPs with richer metadata
in the registration request, such as handling of policy_uri, tos_uri, logo_uri, etc.
Access Strategy for Delegated Authentication
The access strategy for delegated authentication events can now enforce the collection of allowed providers even in the presence of an existing single signon session. The strategy also gains an exclusive mode to limit the authentication methods to only those providers allowed.
SAML2 Signing Configuration per Service
CAS, running as a SAML2 identity provider, gains a few extra settings to control and override the signing configuration of objects on a per service provider. Additional documentation improvements are also available in this space to provide more examples for signing configuration, name id selection, etc.
OpenID Connect UserInfo Response Signing & Encryption
User profiles produced by CAS as an OpenID Connect Provider can now optionally be signed and/or encrypted on a per-relying party basis. This capability may also be defined during dynamic registration of a relying party.
OAuth Token Expiration Policy
The expiration policy of OAuth tokens (code, access token, etc) can now conditionally be defined on a per relying-party basis, when CAS is running as an OAuth identity provider.
Redis Authentication Throttling
Audit logs could certainly be stored in Redis databases; in this release candidate, the same database could also be used for throttling authentication attempts.
OpenID Connect Discovery Response
The OpenID Connect Discovery Response is beefed up a bit to outline all supported modes and values when it comes to signing and encryption of tokens, as well as handling and management of subject types, display values, etc.
CAS Docker Deployments
In addition to the jib plugin built into the CAS overlay to produce docker images,
the overlay project now also presents a Dockerfile with some additional notes to build a CAS image
via native Docker tooling. The build script is optimized slightly to take advantage of multi-stage builds
and leaner alpine base images. The CAS Docker repository
is now deprecated and archived
Other Stuff
- Assigning identifiers to registered services is modified to not produce negative numeric ids.
- Password policy warning messages should now be recognized by Memcached and the Kryo serialization engine.
- Trivial fix to CAS commandline shell ensure the runtime can recognize CAS configuration settings internally.
- Password management functionality is correct to properly pass along the policy patten into webflow.
- Hazelcast integrations with CAS can now be connected to the Hazelcast management center via additional settings.
- The Google Analytics cookie gains an extra setting to filter out attributes values before they are put into the cookie.
- WebJARs included in CAS to provide jQuery and other JS libraries are modified to exclude unwanted transitive dependencies.
Library Upgrades
- OpenSAML
- JavaParser
- Oshi
- Spring
- MongoDb Driver
- Ribbon
- Spring Boot
- Lombok
- Spring Data
- Apache Tomcat
- Jetty
- Twilio
- Groovy
- Jackson
- Spring Data MongoDb
Credits
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!