Apereo Community Blog

CAS 6.2.0 RC2 Feature Release

Friday, Dec 27, 2019
7 minute read
Collaborate
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 6.1.0 GA was released in October 2019. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.2.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the second release candidate in the 6.2.0 series.

If you are looking for additional info on the previous release candidate, please see this post.

Apereo Membership

If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.

Get Involved

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version in order to take advantage of snapshot builds as changes are made and published.

Resources

Overlay

In the gradle.properties of the overlay, adjust the following setting:

cas.version=6.2.0-RC2
System Requirements
There are no changes to the minimum system/platform requirements for this release.

New & Noteworthy

CAS Overlay

The CAS overlay is updated to use Gradle 6. The most notable difference is that dependencies in the build are now recommended to use the implementation syntax instead of the compile configuration, which is set to be removed in Gradle 7. The CAS documentation is also modified to reflect this change for the appropriate CAS versions. While this is not a breaking change (yet), you should begin to use and prefer the implementation syntax to avoid surprises in the future and reduce build warnings.

Okta Authentication

CAS is now able to validate credentials and fetch user attributes from Okta.

LDAP Password Management

LDAP Password Management is now given the ability to support multiple LDAP servers to locate and update accounts or to fetch security questions.

WATCH OUT!
This is a breaking change. Consult the CAS documentation and adjust your settings accordingly to refer to cas.authn.pm.ldap[0] instead.

Ehcache v3 Ticket Registry

The Ehcache integration is now updated to present support for Ehcache v3. The integration with Ehcache v2 is now deprecated and scheduled to be removed at a future date.

Likewise, cache-based operations for X.509 authentication are also updated to use Ehcache v3.

Configuration Unknown Fields

The ignoreUnknownFields = false flag from CAS configuration validation has been removed in favor of Spring configuration metadata. This field is deprecated by the Spring Boot framework and will be eventually removed. We are taking preemptive action to stay compatible with future upgrades of Spring Boot, and also provide a more pleasant experience as far as migration of CAS properties is concerned, with reports on deprecations, replacements, etc on startup.

Configuration Validation

Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema.

Azure Active Directory Authentication

Following up on the previous release candidate, the Azure Active Directory integration is now moved to a standalone module that is capable of both authenticating users using Azure Active Directory and fetching attributes separately as an independent attribute repository.

Ldaptive v2 Upgrade

This release candidate bumps the ldaptive library version to 2.0.0-RC1, which brings forward the following changes to impact CAS settings:

  • useSSL property removed; LDAPS scheme is used to specify SSL.
  • providerClass property removed.
  • DEFAULT connection strategy is removed.
  • attributeValue setting replaces attributeValues for LDAP validators.

We are hoping to get test feedback before the final release of the ldaptive library, which will most likely ship with subsequent releases candidates. To provide feedback, please look for support options on the ldaptive website.

Surrogate Authentication via REST

Surrogate Authentication can now be activated and used as part of CAS REST protocol.

Multifactor Authentication via YubiKey

Multifactor authentication with Yubikey is now enhanced to be able to handle multiple devices per user account.

WATCH OUT!
This is a breaking change as the internal data structures used to track YubiKey device registrations are now modified to handle multiple device records.

Authentication Handler Resolution

Resolution of authentication handlers can now be done using Groovy scripts to further narrow down the collection of candidate authentication handlers for transactions dynamically.

LDAP Acceptable Usage Policy

Acceptable Usage Policy backed by LDAP is now given the ability to support multiple LDAP servers to locate and update accounts with the results of the policy acceptance submission.

WATCH OUT!
This is a breaking change. Consult the CAS documentation and adjust your settings accordingly to refer to cas.acceptable-usage-policy.ldap[0] instead.

YubiKey Device Storage via Redis

YubiKey Authentication can now manage device registrations inside a Redis database.

Other Stuff

  • Better test coverage for components that automate Spring Webflow configuration.
  • Code cleanup and better maintenance of the codebase using an upgraded version of the error-prone compiler.
  • Minor fixes to OAuth functionality in handling conditions that decide whether refresh tokens should be issued.
  • Various documentation improvements and typo fixes.
  • Managing U2F devices via Groovy is given the ability to monitor and watch the Groovy script.
  • Auto-configuration of multifactor trusted devices is now fixed to properly activate and configure the webflow when enabled.
  • OAuth PKCE flows receive a fix to correctly calculate hashes for code verifications when using S256 as the hash algorithm.
  • Several improvements to the distributed session store, when handling delegated authentication to external identity providers.
  • Annotation processing is turned on for Splunk and CloudWatch logging facilities to ensure CAS appenders are recognized in logging configurations.

Library Upgrades

  • ErrorProne
  • Spring
  • Spring Boot
  • Apache Tomcat
  • Spring Data
  • Micrometer
  • Bootstrap
  • Mockito
  • AspectJ
  • Bucket4j
  • Log4j
  • Azure KeyVault
  • Spring Retry
  • Nimbus SDK
  • Spring Integration
  • InfluxDb
  • Spring Kafka
  • Amazon SDK
  • MariaDb Driver
  • Apache Fortress
  • Jose4j
  • UnboundID LDAP
  • Google Maps
  • Apache Commons Pool
  • ByteBuddy
  • Twilio
  • FontAwesome
  • PostgreSQL Driver
  • Groovy
  • JGit
  • MongoDb Driver

Credits

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Follow Apereo on Twitter.

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.