CAS 6.2.0 RC3 Feature Release



The official CAS 6.1.0 GA was released in October 2019. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.2.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the third release candidate in the 6.2.0 series.

If you are looking for additional info on the previous release candidate, please see this post.

Apereo Membership

If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.

Get Involved

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version in order to take advantage of snapshot builds as changes are made and published.

Resources

Overlay

In the gradle.properties of the overlay, adjust the following setting:

cas.version=6.2.0-RC3

System Requirements

There are no changes to the minimum system/platform requirements for this release.

New & Noteworthy

CAS Overlay

The bootRun Gradle build task is now restored and made functional for the CAS overlay.

Passwordless Authentication

Passwordless Authentication is now broken down into dedicated modules for LDAP, JPA, etc. to handle user and/or token management.

WebAuthn Support

Initial baseline work on WebAuthn Support has begun. While the changes are still in progress and have not landed in the codebase yet, a fair amount of progress has been made to make WebAuthn available as another form of multifactor authentication in CAS. This feature is expected to be finalized before the final GA release.

Groovy Multifactor Authentication Trigger Per Service

A more advanced and easier-to-configure multifactor authentication trigger is now available in the form of a Groovy script that determines the multifactor authentication policy for a registered service. The old strategy using the GroovyRegisteredServiceMultifactorPolicy is now deprecated and will be removed in future releases.

Google Apps Integration

Integration with Google Apps is now deprecated and scheduled to be removed in future releases.

Open ID Protocol

The Open ID protocol is now deprecated and scheduled to be removed in future releases.

Not-So Passwordless Authentication

Passwordless Authentication can now conditionally skip the normal passwordless flow and fall back to the usual CAS authentication flow, challenging the user for a password.

Attribute Definitions Store

Attribute definitions can now be defined centrally with additional metadata relevant for each protocol.

Material Design

Thymeleaf templates and all other CAS views in general are transformed to use Material Design.


Multifactor Authentication Bypass

A new multifactor authentication bypass strategy is now available, where multifactor bypass can be activated for the registered application if the authenticated principal contains an attribute with the specified value(s).

Hazelcast v4

The Hazelcast library, mainly used as a ticket registry, is now upgraded to version 4. Take a look at the release notes published by Hazelcast to learn more about the available features. The upgrade mainly affects the CAS configuration schema for Hazelcast features, especially when it comes to integrations with the Hazelcast management center.

Passwordless Authentication Integrations

Passwordless Authentication can now be combined with multifactor authentication and delegated authentication flows in CAS using standard multifactor triggers that are already available.

Spring Cloud Configuration via REST

The configuration server available in CAS and backed by Spring Cloud is now also able to fetch CAS settings using a REST API.

Thymeleaf Views

Thymeleaf views and related message bundles are moved into a new dedicated module, cas-server-support-thymeleaf, to allow for maximum reuse and modularization. This is purely an internal change and should not affect deployments or overlays.

Other Stuff

  • Audit actions are given the ability to be excluded from CAS audit logs via configuration.
  • The testcas script is altered to accept more than one test category type.
  • Bug fix to ensure OAuth’s state and nonce parameters are returned to relying parties with their original values.
  • Small number of fixes to delegated authentication, especially when combined with follow-up multifactor flows.
  • Additional tests and validations across the codebase modules to try to reach 70% test coverage.
  • Fixes to the distributed session store facility to better handle logout ops.
  • Multifactor authentication tests are refactored into their own test category for better parallelism.
  • The Thymeleaf templating engine is now refactored and extracted from the codebase into its own separate module.
  • Token expiration value reported by OAuth/OIDC introspection is now correctly calculated.
  • Small fixes to expiration policies based on idle timeouts to work nicely with JWT-enabled tickets.
  • Small UI enhancements to allow Show Password functionality for input fields marked with type=password.
  • Corrections to service resolution strategies when dealing with SAML2 Unsolicited SSO flows.
  • Small API improvements to CAS Event tracking facilities to allow for filtering of events.
  • OAuth2 PKCE code_challenge is now corrected to use a SHA2 digest.
  • The Hibernate framework is removed as a transitive dependency from modules, preventing it from leaking into modules where it is unnecessary.
  • Small improvements to delegated authentication to SAML2 identity providers.
  • Integration with Duo Security for multifactor authentication can now conditionally be enabled/included only when relevant settings are defined.
  • Small internal improvements to allow the selection strategy of multiple multifactor authentication triggers to support both logical disjunction and conjunction (i.e. OR vs AND).
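The PKCE fix in the list above concerns the S256 code_challenge transform of RFC 7636, which is BASE64URL(SHA-256(ASCII(code_verifier))). The following is an added example, not CAS code, showing the check a token endpoint performs against the stored challenge using the RFC's own test vector; the function names are assumptions, and the digest parameter is generalized only to show that any digest other than SHA-256 cannot interoperate with a conforming client.

```python
import base64
import hashlib
import hmac
import re

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def code_challenge(code_verifier: str, algo: str = "sha256") -> str:
    """BASE64URL(H(ASCII(code_verifier))) without '=' padding.

    RFC 7636 S256 means H = SHA-256. 'algo' is a parameter only so that the
    mismatch produced by any other digest can be demonstrated; a server must
    never accept anything but SHA-256 for method S256.
    """
    digest = hashlib.new(algo, code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Token-endpoint check (hypothetical helper, not CAS's own API).

    The code_verifier presented with the authorization code must reproduce
    the code_challenge stored at authorization time. Only S256 is accepted
    here ('plain' gives no protection if the challenge leaks), the verifier
    must be well-formed, and the comparison is constant-time.
    """
    if method != "S256":
        return False
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    return hmac.compare_digest(code_challenge(code_verifier), stored_challenge)


# RFC 7636 Appendix B test vector (published values, not constructed here).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    # A SHA-256 challenge matches the RFC vector; any other digest does not.
    print("S256 matches RFC vector:", code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)
    print("SHA-1 would match:", code_challenge(RFC7636_VERIFIER, "sha1") == RFC7636_CHALLENGE)
    print("verify_pkce:", verify_pkce(RFC7636_VERIFIER, RFC7636_CHALLENGE, "S256"))
```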

Library Upgrades

  • Guava
  • Checkstyle
  • Nimbus
  • Amazon SDK
  • Micrometer
  • Apache CXF
  • Commons Codec
  • Eureka Client
  • Oshi
  • Person Directory
  • Java Melody
  • Bucket4j
  • Azure DocumentDb
  • Apache Tomcat
  • Hazelcast
  • Google Maps
  • Twilio
  • Spring Data
  • Spring Integration
  • Spring Boot
  • Lombok
  • Cryptacular
  • Grouper Client
  • JUnit
  • ByteBuddy
  • Azure KeyVault
  • Gradle
  • Groovy

Credits

Big thanks to all who participated in the development of this release by submitting patches and contributing improvements. Keep ’em coming!

Misagh Moayyed
