CAS 6.1.0 RC4 Feature Release


Collaborate
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 6.0.0 GA was released on December 28th, 2018. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.1.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the fourth release candidate in the 6.1.0 series.

You can read about the previous release candidate here.

Get Involved

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version specified in order to take advantage of snapshot builds as changes are made and published.

Resources

Overlay

In the gradle.properties of the overlay, adjust the following setting:

casVersion=6.1.0-RC4
System Requirements
There are no changes to the minimum system/platform requirements for this release.

New & Noteworthy

Required Services for Single SignOn

CAS may be configured to require the user to authenticate from an application before access can be granted to all other registered services. See this for more info.

Acceptable Usage Policy Audits

Acceptable Usage Policy choices and results are now passed to the Audit Log.

Jasypt Configuration Security

WATCH OUT!
This is a breaking change. You will need to make sure relevant configuration values are updated to remain functional.

Configuration properties secured and encrypted via Jasypt are required to be prefixed with {cas-cipher} instead of {cipher} so as to avoid conflicts with Spring Cloud way of encrypting and decrypting values.

Multifactor Provider Selection

In the event that more than multifactor authentication provider qualifies to satisfy the authentication request, CAS may be configured to present a choice and menu to the user where one would interactively pick the provider that works best at a given time. This mode is off by default, and complements existing selection strategies that are based on ranking strategies and weights or custom logic implemented in Groovy scripts, etc.

Jasypt Encryption with CAS Commandline Shell

A new decrypt-value command is added to CAS Commandline Shell to verify encrypted values.

SAML2 Skew Allowance per Service

SAML2 registered services can now define a skew-allowance value in seconds used to skew dates in the final response, such as valid-from, issue-instant, etc.

DynamoDb Audit Logs

Audit data can now be routed to and stored in DynamoDb.

Registered Services Actuator Endpoint

The registeredServices actuator endpoint gains a DELETE operation to remove registered services from CAS.

Acceptto Multifactor Integration

Acceptto is now supported as a CAS multifactor authentication provider. The integration adds support for both multifactor authentication and QR login codes.

Java 12 Compatibility

Though not required, CAS is able to build and run successfully against the latest versions of JDK 12.

Graal Compiler Compatibility

Additional tests are carried out to ensure CAS can remain functional while running with the Graal Compiler. If you’d like to experiment with this to gain possible performance improvements, start your CAS deployment with the following VM options:

  • -XX:+UnlockExperimentalVMOptions
  • -XX:+EnableJVMCI
  • -XX:+UseJVMCICompiler

Dependency Updates via Renovate

The process of updating CAS dependencies is somewhat automated through Travis CI, taking advantage of the renovate bot.

SAML2 Encryption Configuration per Service

CAS, running as a SAML2 identity provider, gains a few extra settings to control and override the encryption configuration of objects on a per service provider. Services can also be tagged to consider encryption as optional in case compatible keys are not found in the service provider metadata.

OpenID Connect Dynamic Registration

Many incremental improvements to support OpenID Connect dynamic registration of RPs with richer metadata in the registration request, such as handling of policy_uri, tos_uri, logo_uri, etc.

Access Strategy for Delegated Authentication

The access strategy for delegated authentication events can now enforce the collection of allowed providers even in the presence of an existing single signon session. The strategy also gains an exclusive mode to limit the authentication methods to only those providers allowed.

SAML2 Signing Configuration per Service

CAS, running as a SAML2 identity provider, gains a few extra settings to control and override the signing configuration of objects on a per service provider. Additional documentation improvements are also available in this space to provide more examples for signing configuration, name id selection, etc.

OpenID Connect UserInfo Response Signing & Encryption

User profiles produced by CAS as an OpenID Connect Provider can now optionally be signed and/or encrypted on a per-relying party basis. This capability may also be defined during dynamic registration of a relying party.

OAuth Token Expiration Policy

The expiration policy of OAuth tokens (code, access token, etc) can now conditionally be defined on a per relying-party basis, when CAS is running as an OAuth identity provider.

Redis Authentication Throttling

Audit logs could certainly be stored in Redis databases; in this release candidate, the same database could also be used for throttling authentication attempts.

OpenID Connect Discovery Response

The OpenID Connect Discovery Response is beefed up a bit to outline all supported modes and values when it comes to signing and encryption of tokens, as well as handling and management of subject types, display values, etc.

CAS Docker Deployments

In addition to the jib plugin built into the CAS overlay to produce docker images, the overlay project now also presents a Dockerfile with some additional notes to build a CAS image via native Docker tooling. The build script is optimized slightly to take advantage of multi-stage builds and leaner alpine base images. The CAS Docker repository is now deprecated and archived

Other Stuff

  • Assigning identifiers to registered services is modified to not produce negative numeric ids.
  • Password policy warning messages should now be recognized by Memcached and the Kryo serialization engine.
  • Trivial fix to CAS commandline shell ensure the runtime can recognize CAS configuration settings internally.
  • Password management functionality is correct to properly pass along the policy patten into webflow.
  • Hazelcast integrations with CAS can now be connected to the Hazelcast management center via additional settings.
  • The Google Analytics cookie gains an extra setting to filter out attributes values before they are put into the cookie.
  • WebJARs included in CAS to provide jQuery and other JS libraries are modified to exclude unwanted transitive dependencies.

Library Upgrades

  • OpenSAML
  • JavaParser
  • Oshi
  • Spring
  • MongoDb Driver
  • Ribbon
  • Spring Boot
  • Lombok
  • Spring Data
  • Apache Tomcat
  • Jetty
  • Twilio
  • Groovy
  • Jackson
  • Spring Data MongoDb

Credits

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.