CAS 6.2.0 RC5 Feature Release


Collaborate
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

The official CAS 6.1.0 GA was released in October 2019. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.2.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the fifth release candidate in the 6.2.0 series.

If you are looking for additional info on the previous release candidate, please see this post.

Apereo Membership

If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.

Get Involved

Shake Well Before Use

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version in order to take advantage of snapshot builds as changes are made and published.

Resources

Overlay

In the gradle.properties of the overlay, adjust the following setting:

cas.version=6.2.0-RC5
System Requirements
There are no changes to the minimum system/platform requirements for this release.

New & Noteworthy

Test Coverage via CodeCov

CAS test coverage across all modules in the codebase has now reached 76% and continues to climb. Additional validation rules are also applied to fail all pull requests that fall below this threshold. This area will be closely monitored and improved as progress is made with the goal of hopefully reaching at least 80% before the final GA release. Of course, this will not be a blocker for the final release.

Couchbase Driver v3

Support for Couchbase, as it affects service, ticket, attribute, authentication and audit management in CAS, is now upgraded to use the latest Couchbase Java client. As part of this upgrade, the property namespaces for couchbase are revamped to align with the Couchbase client library. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.

Apache Cassandra Driver v4

Support for Apache Cassandra, as it affects service, ticket, and authentication management in CAS, is now upgraded to use the latest Couchbase Java client. As part of this upgrade, the property namespaces for Apache Cassandra are revamped to align with the Cassandra client library. This is made possible via upgrading to the latest Spring Data release. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.

MongoDb Driver v4

Upgrades to the latest Spring Data release (3.0.0.RELEASE) also bumps the MongoDb integrations in CAS to use the MongoDb driver v4. As part of this upgrade, the property namespaces for MongoDb are revamped to align with the MongoDb client library. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.

Passwordless Authentication w/ MongoDb

Support for Passwordless Authentication is now extended to MongoDb to locate qualifying accounts and policies.

Travis CI to GitHub Actions

The CAS build and continuous integration environment has now moved off of Travis CI and onto GitHub Actions. The new environment is much more flexible in terms of available hardware resources, number of concurrent jobs and the general configuration and syntax when it comes caching, different versions of JDKs, etc. The new environment also presents CAS builds on three separate platforms for both JDK 11 and JDK 14, allowing the project to continually test new JDK releases as they come out to prepare for platform upgrades in the future.

Performance Tests

Following the move, GitHub Actions environment now includes modest Locust-based performance tests against CAS-provided embedded application servers such as Apache Tomcat, Jetty and Undertow. This is mainly done to validate the Locust setup and configuration that is provided by CAS as dependencies are updated and to allow for basic benchmarks between releases. A similar batch of tests based on Apache JMeter may be added in the future.

Releasing Encrypted Attributes

A new attribute release policy is now available that is able to encrypt and encode allowed attributes using the public key assigned to the registered service definition.

Encryptable Attribute Definitions

Similar to the above item, attribute definitions can also be marked as encryptable so they can be ciphered and encoded using the public key assigned to the registered service definition.

Password Management & reCAPTCHA Integration

The password management facility in CAS is now able to [optionally] integrate with Google reCAPTCHA for password reset requests. reCAPTCHA must be specified in CAS properties, and the password management component should be taught to turn on the integration via the enable-captcha property.

Configuration Syntax

CAS properties, as managed by Spring Boot and Spring Cloud, can be specified using a relaxed binding in a variety of formats such as:

# Kebab Case (Recommended)
cas.my-project.person.first-name=...

# Camel Case
cas.myProject.person.firstName=...

# Underscore Case
cas.my_project.person.first_name=...

# Upper Case
CAS_MYPROJECT_PERSON_FIRSTNAME=...

While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

The general recommendation is this:

When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.

Most if not all CAS properties in the reference documentation are updated to use and show this format. While we do not anticipate this to be a breaking change for upgrades, we do recommend that you stick to the format outlined above and change syntax where appropriate, specially to allow proper activation of components and features whose behavior is controlled via @ConditionalOnProperty.

As an example, your old confguration might look like:

# cas.serviceRegistry.initFromJson=true
# cas.serviceRegistry.json.location=file:/etc/cas/config/services

# cas.authn.mfa.duo[0].duoSecretKey=...
# cas.authn.mfa.duo[0].duoApplicationKey=...
# cas.authn.mfa.duo[0].duoIntegrationKey=...
# cas.authn.mfa.duo[0].duoApiHost=...

Following the above recommendation, your configuration is preferred to be:

# cas.service-registry.init-from-json=true
# cas.service-registry.json.location=file:/etc/cas/config/services

# cas.authn.mfa.duo[0].duo-secret-key=...
# cas.authn.mfa.duo[0].duo-application-key=...
# cas.authn.mfa.duo[0].duo-integration-key=...
# cas.authn.mfa.duo[0].duo-api-host=...

Other Stuff

  • Configuration of Redis Pooling is now conditionally activated using an enabled property.
  • Configuration settings for Google Authenticator can now be refreshed and reloaded.
  • Person Directory is now able to properly resolve and understand binary attributes from LDAP/AD directories.
  • Delegated authentication is now able to auto-configure the cookie path used for session distribution.
  • Loaded database drivers are now properly shutdown once the CAS web application context is destroyed.
  • CAS overlay is updated to use the latest Gradle and Spring Boot version.
  • A comprehensive effort to ensure all LDAP-related components properly clean up and close connection factories.

Library Upgrades

  • SpotBugs
  • MongoDb Driver
  • Amazon SDK
  • H2 Driver
  • Spring Boot
  • Spring Security
  • Spring Integration
  • InfluxDb
  • HikariCP
  • Gradle
  • Couchbase Java Client
  • MongoDb Java Client
  • Dom4j
  • Yubico U2F Server
  • Checkstyle
  • Person Directory
  • Spring Boot
  • Hibernate
  • Infinispan
  • Nimbus
  • Guava
  • Pac4j
  • Spring Session
  • jQuery

Credits

Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep’em coming!

Misagh Moayyed

Related Posts

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.