The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.
The official CAS 6.1.0 GA was released in October 2019. Since then, the project has been moving forward with the development of the next feature release that is tagged as 6.2.0. Please review the release policy to learn more about the scope of the release. This post intends to highlight some of the improvements and enhancements packed into the fifth release candidate in the
If you are looking for additional info on the previous release candidate, please see this post.
- Apereo Membership
- Get Involved
- New & Noteworthy
- Test Coverage via CodeCov
- Couchbase Driver v3
- Apache Cassandra Driver v4
- MongoDb Driver v4
- Passwordless Authentication w/ MongoDb
- Travis CI to GitHub Actions
- Performance Tests
- Releasing Encrypted Attributes
- Encryptable Attribute Definitions
- Password Management & reCAPTCHA Integration
- Configuration Syntax
- Other Stuff
- Library Upgrades
If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner. Funding will ensure support for the software you rely on and you gain an advantage and say in the way Apereo, and the CAS project at that, runs and operates. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem, this is a viable option to consider.
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
Shake Well Before Use
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is simply a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
In order to start experimenting with release candidates, at any given time, you should be able to append -SNAPSHOT to the CAS version in order to take advantage of snapshot builds as changes are made and published.
In the gradle.properties of the overlay, adjust the following setting:
There are no changes to the minimum system/platform requirements for this release.
New & Noteworthy
Test Coverage via CodeCov
CAS test coverage across all modules in the codebase has now reached 76% and continues to climb. Additional validation rules are also applied to fail all pull requests that fall below this threshold. This area will be closely monitored and improved as progress is made with the goal of hopefully reaching at least 80% before the final GA release. Of course, this will not be a blocker for the final release.
Couchbase Driver v3
Support for Couchbase, as it affects service, ticket, attribute, authentication and audit management in CAS, is now upgraded to use the latest Couchbase Java client. As part of this upgrade, the property namespaces for Couchbase are revamped to align with the Couchbase client library. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.
Apache Cassandra Driver v4
Support for Apache Cassandra, as it affects service, ticket, and authentication management in CAS, is now upgraded to use the latest Couchbase Java client. As part of this upgrade, the property namespaces for Apache Cassandra are revamped to align with the Cassandra client library. This is made possible via upgrading to the latest Spring Data release. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.
MongoDb Driver v4
Upgrades to the latest Spring Data release (3.0.0.RELEASE) also bump the MongoDb integrations in CAS to use the MongoDb driver v4. As part of this upgrade, the property namespaces for MongoDb are revamped to align with the MongoDb client library. Please review the CAS documentation to see a list of available settings and adjust your changes accordingly.
Passwordless Authentication w/ MongoDb
Support for Passwordless Authentication is now extended to MongoDb to locate qualifying accounts and policies.
Travis CI to GitHub Actions
The CAS build and continuous integration environment has now moved off of Travis CI and onto GitHub Actions. The new environment is much more flexible in terms of available hardware resources, number of concurrent jobs and the general configuration and syntax when it comes to caching, different versions of JDKs, etc. The new environment also presents CAS builds on three separate platforms for both JDK 11 and JDK 14, allowing the project to continually test new JDK releases as they come out to prepare for platform upgrades in the future.
Following the move, the GitHub Actions environment now includes modest Locust-based performance tests against CAS-provided embedded application servers such as Apache Tomcat, Jetty and Undertow. This is mainly done to validate the Locust setup and configuration that is provided by CAS as dependencies are updated and to allow for basic benchmarks between releases. A similar batch of tests based on Apache JMeter may be added in the future.
Releasing Encrypted Attributes
A new attribute release policy is now available that is able to encrypt and encode allowed attributes using the public key assigned to the registered service definition.
Encryptable Attribute Definitions
Similar to the above item, attribute definitions can also be marked as encryptable so they can be ciphered and encoded using the public key assigned to the registered service definition.
Password Management & reCAPTCHA Integration
The password management facility in CAS is now able to [optionally] integrate with Google reCAPTCHA for password reset requests. reCAPTCHA must be specified in CAS properties, and the password management component should be taught to turn on the integration via the
CAS properties, as managed by Spring Boot and Spring Cloud, can be specified using a relaxed binding in a variety of formats such as:
```properties
# Kebab Case (Recommended)
cas.my-project.person.first-name=...
# Camel Case
cas.myProject.person.firstName=...
# Underscore Case
cas.my_project.person.first_name=...
# Upper Case
CAS_MYPROJECT_PERSON_FIRSTNAME=...
```
While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.
The general recommendation is this:
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
Most if not all CAS properties in the reference documentation are updated to use and show this format. While we do not anticipate this to be a breaking change for upgrades, we do recommend that you stick to the format outlined above and change syntax where appropriate, especially to allow proper activation of components and features whose behavior is controlled via
As an example, your old configuration might look like:
```properties
# cas.serviceRegistry.initFromJson=true
# cas.serviceRegistry.json.location=file:/etc/cas/config/services
# cas.authn.mfa.duo.duoSecretKey=...
# cas.authn.mfa.duo.duoApplicationKey=...
# cas.authn.mfa.duo.duoIntegrationKey=...
# cas.authn.mfa.duo.duoApiHost=...
```
Following the above recommendation, your configuration is preferred to be:
```properties
# cas.service-registry.init-from-json=true
# cas.service-registry.json.location=file:/etc/cas/config/services
# cas.authn.mfa.duo.duo-secret-key=...
# cas.authn.mfa.duo.duo-application-key=...
# cas.authn.mfa.duo.duo-integration-key=...
# cas.authn.mfa.duo.duo-api-host=...
```
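A migration helper for the recommendation above, added here as an example and not part of CAS or the original post: it rewrites camel-case and underscore `cas.*` keys to kebab case and reports keys that end up defined twice once mixed syntaxes collapse to the same name. The names `to_kebab`, `migrate` and `SAMPLE` are hypothetical, the sample input is constructed, and the word-splitting is a heuristic, so check the renamed keys against the reference documentation.

```python
import re

# Optional "#" (the page's samples are commented out), a cas.* key, then "=value".
LINE = re.compile(r"^(\s*#?\s*)(cas\.[^=:\s]+)(\s*[=:].*)$")
# Boundary between a lower-case letter or digit and an upper-case letter.
CAMEL = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")


def to_kebab(key):
    """Lower-case kebab form of a key; bracketed indexes and map keys stay verbatim."""
    parts = re.split(r"(\[[^\]]*\])", key)
    for i in range(0, len(parts), 2):  # even slots lie outside [...]
        parts[i] = CAMEL.sub("-", parts[i]).replace("_", "-").lower()
    return "".join(parts)


def migrate(text):
    """Rewrite cas.* keys to kebab case.

    Returns (new_text, renamed, duplicates): renamed is a list of (old, new)
    pairs, duplicates lists active keys that now occur more than once.
    """
    out, renamed, seen, duplicates = [], [], set(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            prefix, old, rest = m.groups()
            new = to_kebab(old)
            if new != old:
                renamed.append((old, new))
            if "#" not in prefix:  # only active settings can collide
                if new in seen:
                    duplicates.append(new)
                seen.add(new)
            line = prefix + new + rest
        out.append(line)
    return "\n".join(out), renamed, duplicates


# Constructed sample: lines in the style of the page, plus a mixed-syntax duplicate.
SAMPLE = """\
# cas.authn.mfa.duo.duoApiHost=...
cas.serviceRegistry.initFromJson=true
cas.service-registry.init-from-json=false
cas.my_project.person.first_name=...
# Upper Case
CAS_MYPROJECT_PERSON_FIRSTNAME=...
"""

if __name__ == "__main__":
    print(*migrate(SAMPLE), sep="\n")
```

The upper-case environment form is left untouched because its word boundaries cannot be recovered from the name alone.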
- Configuration of Redis Pooling is now conditionally activated using an
- Configuration settings for Google Authenticator can now be refreshed and reloaded.
- Person Directory is now able to properly resolve and understand binary attributes from LDAP/AD directories.
- Delegated authentication is now able to auto-configure the cookie path used for session distribution.
- Loaded database drivers are now properly shutdown once the CAS web application context is destroyed.
- CAS overlay is updated to use the latest Gradle and Spring Boot version.
- A comprehensive effort to ensure all LDAP-related components properly clean up and close connection factories.
- MongoDb Driver
- Amazon SDK
- H2 Driver
- Spring Boot
- Spring Security
- Spring Integration
- Couchbase Java Client
- MongoDb Java Client
- Yubico U2F Server
- Person Directory
- Spring Boot
- Spring Session
Big thanks to all who participate in the development of this release to submit patches and contribute improvements. Keep 'em coming!