7.3.0-RC2 Release Notes

We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.

Apereo Membership

If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner.

System Requirements

The JDK baseline requirement for this CAS release is and MUST be JDK 21. All compatible distributions such as Amazon Corretto, Zulu, Eclipse Temurin, etc. should work and are implicitly supported.

New & Noteworthy

The following items are new improvements and enhancements presented in this release.

Spring Boot 3.5

The migration of the entire codebase to Spring Boot 3.5 is now complete and CAS is now running on Spring Boot 3.5.x.

OpenRewrite Recipes

CAS continues to produce and publish OpenRewrite recipes that allow the project to upgrade installations in place from one version to the next. See this guide to learn more.

Graal VM Native Images

A CAS server installation and deployment process can be tuned to build and run as a Graal VM native image. We continue to polish native runtime hints. The collection of end-to-end browser tests based on Puppeteer has selectively switched to build and verify Graal VM native images, and we plan to extend the coverage to all such scenarios in the coming releases.

Testing Strategy

The collection of end-to-end browser tests based on Puppeteer continues to grow to cover more use cases and scenarios. At the moment, the total number of jobs stands at approximately 519 distinct scenarios. The overall test coverage of the CAS codebase is approximately 94%. Furthermore, a large number of test categories that group internal unit tests are now configured to run with parallelism enabled.

Java 24

As described, the JDK baseline requirement for this CAS release is and MUST be JDK 21. CAS is now able to build and run using Java 24. Once more, remember that the baseline requirement will remain unchanged and this is just a preparatory step to ensure CAS is ready for the next version of Java.

Multitenancy

Multitenancy support is improved to support attribute resolution for each tenant. Supported modules include:

Furthermore, tenant properties now support CAS configuration security and Spring expression language.

There is dedicated routing support that allows CAS to route requests internally to the appropriate tenant based on the Host HTTP header, in scenarios where CAS is deployed behind a reverse proxy.

Other Stuff

  • A new Heimdall authorization policy for SQL databases.
  • We have laid the groundwork to begin supporting OpenID Connect federations. Support for this topic will gradually mature as federations begin to operate and remain functional.
  • Apache Tomcat’s RewriteValve can be added as an engine valve.
  • A visual representation of the CAS authentication flows, as a state diagram, is now available in the Palantir admin console.
  • CAS is publishing events internally when webflow actions are executed. Such events are recorded into the CAS event repository and are also available in the Palantir admin console.
  • Redis integration tests are upgraded to use the latest Redis 8.0 server.
  • Apache Syncope integration tests are upgraded to use the latest Syncope 4.0 server.
  • Support for ACME Integration is deprecated.
  • GitHub Actions CI workflows check for code spelling mistakes and typos.
  • Redis ticket registry is tuned to apply an LZ4 compression routine to stored documents.
  • The CAS server host name can be accessed via the user interface and is displayed in the footer.
  • The usage criteria of a ticket-granting ticket is updated when OpenID Connect access tokens are exchanged for a user profile.
  • Activation of Remember-Me functionality now explicitly looks for the rememberMe parameter in the request with a truthy value.
  • Puppeteer tests have the ability to verify CAS functionality using an external Apache Tomcat server.
  • The entire CAS configuration catalog is indexed and published online to offer search functionality.
  • The BlackDot IP Intelligence functionality is corrected to create the correct component instance.
  • Webflow transitions for multifactor device registration requests are re-organized to allow for this functionality in the user account profile.
  • User account profile gains the ability to delete registered multifactor authentication devices.
  • CAS endpoints are grouped and tagged for better visibility in the Swagger UI.
  • A large collection of documentation improvements and fixes to remove typos and grammatical errors.
  • Using advanced static analysis tools, a large number of leaking IO streams are closed properly.
  • CAS documentation is built with YJIT enabled, and the build time is cut down by approximately 6 minutes.
  • When processing logout requests for OpenID Connect, the iss claim of the ID token hint is now cross-checked against the idTokenIssuer property of the registered client application.
  • A series of small user interface improvements to assist with accessibility and usability.
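
The issuer cross-check on OpenID Connect logout requests listed above can be pictured with the following added example. It is not CAS code: the RegisteredClient class, the issuer_matches function and the fallback to a server-wide issuer are assumptions made for illustration, the sample tokens are constructed, and signature verification of the ID token hint is assumed to have happened already.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegisteredClient:
    """Hypothetical stand-in for a registered OIDC client application."""
    client_id: str
    id_token_issuer: Optional[str] = None  # mirrors the idTokenIssuer property


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"


def read_claims(id_token_hint: str) -> dict:
    """Decode the payload segment of a compact JWS (signature checked elsewhere)."""
    parts = id_token_hint.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def issuer_matches(id_token_hint: str, client: RegisteredClient,
                   server_issuer: str) -> bool:
    """True only when the hint's iss equals the issuer expected for this client."""
    # Assumption: a client without its own issuer uses the server-wide one.
    expected = client.id_token_issuer or server_issuer
    try:
        iss = read_claims(id_token_hint).get("iss")
    except ValueError:  # malformed base64, JSON or token structure
        return False
    # Exact string comparison; a missing or non-string iss fails the check.
    return isinstance(iss, str) and iss == expected
```

A logout handler would treat a False result as a reason to reject the id_token_hint rather than act on it.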