7.1.0-RC4 Release Notes

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

Apereo Membership

If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner.

System Requirements

The JDK baseline requirement for this CAS release is and MUST be JDK 21. All compatible distributions such as Amazon Corretto, Zulu, Eclipse Temurin, etc. should work and are implicitly supported.

New & Noteworthy

The following items are new improvements and enhancements presented in this release.

Spring Boot 3.3.x

The migration of the entire codebase to Spring Boot 3.3.x is now complete, and we’ll continue to watch for the wider ecosystem of supporting frameworks and libraries to catch up to changes.

Graal VM Native Images

A CAS server installation and deployment process can be tuned to build and run as a Graal VM native image. The collection of end-to-end browser tests based on Puppeteer has selectively switched to build and verify Graal VM native images, and we plan to extend the coverage to all such scenarios in the coming releases.

Testing Strategy

The collection of end-to-end browser tests based on Puppeteer continues to grow to cover more use cases and scenarios. At the moment, the total number of jobs stands at approximately 482 distinct scenarios. The overall test coverage of the CAS codebase is approximately 94%. Furthermore, a large number of test categories that group internal unit tests are now configured to run with parallelism enabled.

OpenID Connect CIBA Flow

Client-Initiated Backchannel Authentication (CIBA) is an OpenID Connect authentication flow in which RPs that can obtain a valid identifier for the user they want to authenticate are able to initiate an interaction flow to authenticate that user without any end-user interaction from the consumption device. The flow involves direct communication from the Client to CAS, without a redirect through the user’s browser (consumption device).
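
The exchange described above in its poll delivery mode, as an added example that is not CAS code and not part of the original release notes: a toy in-memory OP showing the three steps and the server-side checks a deployer should expect (client binding, expiry, polling interval, single use). The class, method names, client ids and timings are assumptions made for illustration; the grant type and error codes are the ones defined by OpenID Connect CIBA Core 1.0.

```python
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core 1.0

class ToyCibaServer:
    """In-memory stand-in for the OP (hypothetical, not CAS). Times are plain seconds."""

    def __init__(self, expires_in=120, interval=5):
        self.expires_in, self.interval = expires_in, interval
        self.requests = {}

    def backchannel_authn(self, client_id, login_hint, now, scope="openid"):
        # Step 1: the client calls the OP directly; no browser redirect is involved.
        if "openid" not in scope.split() or not login_hint:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(32)  # unguessable handle for this transaction
        self.requests[auth_req_id] = {
            "client": client_id, "user": login_hint, "state": "pending",
            "expires": now + self.expires_in, "last_poll": None}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in,
                "interval": self.interval}

    def user_decision(self, auth_req_id, approved):
        # Step 2: the user approves or denies on a separate authentication device.
        self.requests[auth_req_id]["state"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id, now):
        # Step 3: the client polls the token endpoint with the auth_req_id.
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client"] != client_id:
            return {"error": "invalid_grant"}   # id is bound to the client that started it
        if now >= req["expires"]:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        too_fast = req["last_poll"] is not None and now - req["last_poll"] < self.interval
        req["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}       # client ignored the advertised interval
        if req["state"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]          # single use once a final answer is given
        if req["state"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token": "<constructed placeholder for " + req["user"] + ">"}
```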

CAS Initializr SBOM Support

CAS Initializr is now modified to generate a Software Bill of Materials (SBOM) using the CycloneDX format. This SBOM can be used to track and manage the open-source components used in your CAS deployment and may be examined via the sbom actuator endpoint.

Other Stuff

  • CAS offers options to control SNI Host Checking for Jetty when used as an embedded container.
  • Selecting an authentication source during login attempts will force CAS to use that source, disregarding other sources allowed via the application’s authentication policy.
  • The dependency graph for CAS libraries and dependencies is now published to GitHub.
  • Redis ticket registry can now support idle or moving ticket expiration policies.
  • Device registration and management for multifactor authentication is disabled for YubiKey, Google Authenticator and WebAuthN providers during password reset operations.
  • Trusted devices for multifactor authentication are now disabled and ignored during password reset operations.
  • The password management flow is heavily reworked to better support multifactor authentication flows.
  • Account management profile will no longer list duplicate multifactor authentication devices when multiple providers are in effect.
  • Registering multiple WebAuthN devices in the account management profile now uses the correct configuration property for activation.
  • Calculation of the device fingerprint for multifactor authentication trusted devices can use client-side technology to build a browser fingerprint.
  • Impersonation conditions can now be controlled via principal attributes to allow for more fine-grained control.
  • CAS will refuse to load services that might have been assigned a blank id, name or serviceId during service registration and loading.

Library Upgrades

  • Gradle
  • Spring Boot
  • Spring
  • Spring Retry
  • Spring Data
  • Spring WS
  • Spring Security
  • Spring Rabbit
  • Spring Session
  • Spring Integration
  • Spring Kafka
  • Apache Cassandra
  • CosmosDb
  • InfluxDb
  • Undertow
  • Amazon SDK
  • Ldaptive
  • NodeJS
  • Nimbus JOSE
  • Nimbus OIDC
  • Node.js
  • Jackson
  • Swagger
  • Hibernate
  • ACME
  • Oracle JDBC Driver
  • Google Cloud Monitoring
  • Google Firebase
  • Jakarta Validation