WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
8.0.0-RC4 Release Notes
We strongly recommend that you take advantage of the release candidates as they come out. Waiting for a GA release is only going to set you up for unpleasant surprises. A GA is a tag and nothing more. Note that CAS releases are strictly time-based releases; they are not scheduled or based on specific benchmarks, statistics or completion of features. To gain confidence in a particular release, it is strongly recommended that you start early by experimenting with release candidates and/or follow-up snapshots.
Apereo Membership
If you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. Note that all development activity is performed almost exclusively on a voluntary basis with no expectations, commitments or strings attached. Having the financial means to better sustain engineering activities will allow the developer community to allocate dedicated and committed time for long-term support, maintenance and release planning, especially when it comes to addressing critical and security issues in a timely manner.
Get Involved
- Start your CAS deployment today. Try out features and share feedback.
- Better yet, contribute patches.
- Suggest and apply documentation improvements.
System Requirements
The JDK baseline requirement for this CAS release is and MUST be JDK 25. All compatible distributions such as Amazon Corretto, Zulu, Eclipse Temurin, etc. should work and are implicitly supported.
New & Noteworthy
The following items are new improvements and enhancements presented in this release.
OpenRewrite Recipes
CAS continues to produce and publish OpenRewrite recipes that allow the project to upgrade installations in place from one version to the next. See this guide to learn more.
Graal VM Native Images
A CAS server installation and deployment process can be tuned to build and run as a Graal VM native image. We continue to polish native runtime hints. The collection of end-to-end browser tests based on Puppeteer has selectively switched to building and verifying Graal VM native images, and we plan to extend the coverage to all such scenarios in the coming releases.
Testing Strategy
The collection of end-to-end browser tests based on Puppeteer continues to grow to cover more use cases and scenarios. At the moment, the total number of jobs stands at approximately 545 distinct scenarios. The overall test coverage of the CAS codebase is approximately 94%.
Spring Boot 4.1
CAS is now built with Spring Boot 4.1.x. This is a major platform upgrade that affects almost all aspects of the codebase including many of the third-party core libraries used by CAS as well as some CAS functionality.
Gradle 9.5
CAS is now built with Gradle 9.5.x and the build process has been updated to use the latest Gradle features and capabilities.
Maven Central Publications
Javadoc artifacts packaged as {cas-server-module}-javadoc.jar are no longer published to Maven Central, in order to reduce the final upload size and speed up the process. If you require Javadoc artifacts, you may need to build them locally from the source code. Skipping such artifacts reduces the final upload size by approximately 1.6GB.
This is unlikely to affect you, but if you have a development/deployment environment that builds or relies on Javadoc artifacts or wants to link to them via an external dashboard, you may need to take action to produce Javadocs on your own.
JSpecify & NullAway
The CAS codebase is now annotated with JSpecify annotations to indicate nullness contracts on method parameters, return types and fields. We will gradually extend the coverage of such annotations across the entire codebase in future releases and will integrate the Gradle build tool with tools such as NullAway to prevent nullness contract violations at compile time.
OpenID Connect & Verifiable Credentials
An initial implementation of OpenID Connect Verifiable Credentials (OIDC4VCI) is now available in CAS.
OpenID Connect Federation
The OpenID Federation server support is now in its own dedicated module. Functionality here will eventually be expanded to allow CAS to participate in OpenID Connect federations.
Furthermore, when it comes to OpenID Connect client support and delegation, there are now small improvements in place to the OpenID Federation protocol and its support for authentication delegation for OIDC clients. See this guide for more details.
Account Registration
The account registration flow will automatically establish a single sign-on session once the process is complete. It may also redirect back to the original application if the registration process was initiated from a protected resource.
Delegated Authentication & Impersonation
Delegated authentication flows now support impersonation of the authenticated user, allowing the user to go through the impersonation account selection process after having successfully authenticated with the external identity provider. This behavior, off by default, needs to be enabled in CAS configuration settings.
See this guide for more details.
reCAPTCHA per Application
Previously, reCAPTCHA support was only available at the global level and could only be turned off for specific applications. Starting with this release, reCAPTCHA can also be enabled and configured on a per-application basis without requiring the server to enable the feature globally, allowing for more granular control over when and where reCAPTCHA challenges are presented to users.
Palantir Admin Dashboard
Palantir can now create, edit or delete attribute definitions. Furthermore, there is now limited support for password management operations such as reset requests and password history management, with additional REST-based endpoints to support such operations for the dashboard user interface.
Other Stuff
- Claims assigned to OpenID Connect custom scopes can now be overridden per client application.
- Minor Gradle build improvements to better handle cacheability of build artifacts.
- Internal refactoring of attribute definitions, allowing participating stores to honor attribute definition expiration policies.
- Minor enhancements to FIDO2 WebAuthn support to better parse FIDO metadata when additional fields are present in the metadata response.