CAS 4.0.1 Release

The CAS development team is pleased to announce the release of 4.0.1. The release includes many bug fixes, improvements and new features.

Sub-task

  • [CAS-1006] - Update CAS theme documentation
  • [CAS-1008] - Update Services Management UI
  • [CAS-1173] - LPPE: Incorrect handling of "password never expires" active directory flag
  • [CAS-1198] - LPPE: pwdReset attribute not preventing login/directing user to change password
  • [CAS-1214] - Disallow falling back to system locale when resolving message bundles

Bug

  • [CAS-890] - Logon with Invalid TGT and no service= goes to Success page
  • [CAS-1096] - NPE in DefaultTicketRegistryCleaner due to Null-Objects in Ticket-Collection
  • [CAS-1168] - After fix in CAS-1065, login form is not shown on error of Spnego
  • [CAS-1175] - Username field currently has attribute "autocomplete=false"
  • [CAS-1192] - Typo in X509CertificateCredentialsToSubjectPrinciplalResolver class name
  • [CAS-1195] - LPPE: account expired is very different from password expired
  • [CAS-1197] - LPPE breaking on (LDAP) domains that don't have a password policy
  • [CAS-1199] - log4j-over-slf4j.jar AND slf4j-log4j12.jar in CAS server webapp
  • [CAS-1213] - Disallow falling back to system locale when resolving message bundles
  • [CAS-1231] - Set content type to plain text for /accessToken in OAuth server mode
  • [CAS-1233] - cas.properties breaks clearpass config
  • [CAS-1234] - language resources in messages_fr.properties are invalid in download link but ok in git
  • [CAS-1241] - Changing Service URL from Ant-style Pattern to Regular Expression does not update db entry to correct discriminator value
  • [CAS-1253] - multiple versions of joda-time when including ldap support
  • [CAS-1259] - HealthCheckMonitor Needs Additional Error Checking
  • [CAS-1261] - Align HTML views with previously existing views.
  • [CAS-1275] - Upgrade to Spring 3.2.2
  • [CAS-1277] - Javascript error
  • [CAS-1278] - fluid reordering javascript throws js exception on add/edit service page
  • [CAS-1279] - 2 copies of jquery are loaded in the services manager
  • [CAS-1280] - Services management webapp doesn't work in French
  • [CAS-1293] - X509 module Unit Tests try to load SimpleTestUsernamePasswordAuthenticationHandler from main classpath
  • [CAS-1303] - Redirection from the password warning page should not consume the service parameter
  • [CAS-1310] - Complex attributes are not properly returned by the OAuth /profile url
  • [CAS-1311] - Add missing headers in protocol HTML specs
  • [CAS-1315] - wrong response content-type for /serviceValidate
  • [CAS-1318] - CAS Login Does not Overwrite expired/invalid Ticket Granting Cookie
  • [CAS-1320] - CAS server webapp fails to instantiate a EAPTTLSAuthenticator for each authentication request
  • [CAS-1333] - always throw FailedLoginException in cas-server-support-ldap
  • [CAS-1339] - Cannot build "CAS ClearPass Extension"
  • [CAS-1344] - restlet depends on org.springframework:spring-asm:jar:3.0.1.RELEASE
  • [CAS-1347] - Missing language keys prevents access; app should not cause a crash
  • [CAS-1348] - Proxy chain missing on proxy validate
  • [CAS-1352] - Username attribute should not be required in the list of allowed attributes
  • [CAS-1371] - top.jsp session=true
  • [CAS-1380] - Module "cas-server-webapp-support" pulls in stale Spring dependencies that crash CAS
  • [CAS-1382] - D&D functionality of mgmt app is broken; Javascript version conflicts
  • [CAS-1383] - multiple versions of libraries in classpath
  • [CAS-1384] - AccountNotFoundException error bubbling up on the login form
  • [CAS-1385] - LPPE fails with lppe.dateAttribute = null
  • [CAS-1386] - Fix IV handling for ClearPass in clustered environments
  • [CAS-1393] - Memcached serialization fails when creating a proxy ticket
  • [CAS-1394] - pgtInit returns null pgtIou due to pgtUrl readTimeout (less than 1% occurrence)
  • [CAS-1396] - Incorrect message when attempting to proxy
  • [CAS-1410] - Failure to create pgtIOU/PGT should not result in successful validation
  • [CAS-1412] - TerminateWebSessionListener terminates web session at end of subflow
  • [CAS-1422] - SAMLUtils Should Restrict Itself to Not Allow External Entities or Inline Doctypes
  • [CAS-1424] - LDAP connection leak
  • [CAS-1447] - The {0} parameter is not properly replaced for the INVALID_PROXY_CALLBACK error message in French
  • [CAS-1448] - Simple attribute value with commas are considered as multi valued attribute

Improvement

  • [CAS-748] - Checkstyle Rules
  • [CAS-974] - Maintain CAS User Manual with Source
  • [CAS-1053] - Upgrade web flow(s) to use Spring EL
  • [CAS-1078] - User attribute mangling
  • [CAS-1114] - slow response to restlet when dns resolver is unavailable
  • [CAS-1121] - LPPE Improvements - Parent JIRA encapsulating sub tasks
  • [CAS-1134] - Increase truncation limit of Service URL in manage.jsp
  • [CAS-1169] - excessive logging when tickets expire
  • [CAS-1181] - LDAP Authentication Failures Produce Excessively Verbose Log Output
  • [CAS-1200] - Allow the English language bundle to be default, if a message key is missing
  • [CAS-1201] - Ehcache-core dependency is missing from the pom
  • [CAS-1202] - Allow the maven build to report back missing language keys from other bundles
  • [CAS-1203] - Allow login error messages to render HTML content
  • [CAS-1204] - Allow the theme to specify the location of the cas.js file
  • [CAS-1207] - Restlet Integration and cglib-all
  • [CAS-1208] - Support state parameter in OAuth server
  • [CAS-1211] - Upgrade surefire plugin version to 2.12.4
  • [CAS-1212] - Update README file
  • [CAS-1219] - Generic login (with no service) causes the webflow to erroneously report successful login even when no server-side TGT is present
  • [CAS-1220] - Set content type to JSON for profile in OAuth server mode
  • [CAS-1222] - Upgrade scribe-up to 1.2.0
  • [CAS-1225] - Thunderbird UI updates
  • [CAS-1235] - Upgrade to scribe-up 1.3.1
  • [CAS-1236] - Allow EhCache Ticket Registry to support bulk retrieval of tickets
  • [CAS-1238] - Refactor Authentication APIs to Support Important Use Cases
  • [CAS-1239] - LdapPasswordPolicyEnforcer Produces Excessively Verbose Log Output When Password is Expired
  • [CAS-1245] - Update dependencies in the pom to the latest versions (where available)
  • [CAS-1247] - Allow the callback endpoint URL the option to specify a socket factory/hostname verifier
  • [CAS-1249] - IP Address Login Interceptors should be able to read IP Address from configured header
  • [CAS-1264] - Move OpenIdProviderController from webapp to OpenID module
  • [CAS-1265] - Improve log messages of CASImpl & ClearPass
  • [CAS-1267] - Remove the need to CAST the returned ticket from ticket registry
  • [CAS-1268] - Validate registered service before delegating TGT and authentication attempts
  • [CAS-1269] - Upgrade to EhCache 2.7
  • [CAS-1273] - Adjust clearPass configuration to encrypt passwords in its cache
  • [CAS-1283] - New p3 endpoints for service and proxy validation: Add attributes to the CAS validate response per update spec
  • [CAS-1302] - Allow the ResourceBundleMessageSource to use UTF-8 encoding explicitly.
  • [CAS-1304] - Allow the psw warning redirect timeout to be configurable and externalized
  • [CAS-1305] - Create cas-server-webapp-support module
  • [CAS-1306] - Don't log the clientSecret in OAuth module; ensure OAuth params are consistent in logs
  • [CAS-1307] - Employ appropriate Spring namespaces in all context files
  • [CAS-1308] - Enable explicit registration of OAuth clients in service registry in OAuth server mode
  • [CAS-1309] - Update Farsi/Arabic translations; add missing keys to the bundles
  • [CAS-1327] - Bump ldaptive to version 1.0.1
  • [CAS-1328] - Allow the login ticket generators to include a suffix
  • [CAS-1329] - Retrieve the host.name property value from the actual node name
  • [CAS-1337] - Fix non-printable character definition
  • [CAS-1346] - Use MemcachedClientIF Instead of MemcachedClient
  • [CAS-1351] - Upgrade ehcache version to 2.7.2
  • [CAS-1354] - Upgrade to the last scribe-up version (1.3.5)
  • [CAS-1365] - Externalize access rules to the management webapp
  • [CAS-1392] - Support standardized Password Policy Control
  • [CAS-1411] - Protocol updates on security strength of validation requests
  • [CAS-1415] - Update jasig parent pom version to v39
  • [CAS-1433] - Account Locking feature
  • [CAS-1453] - Support passing principal information from AuthenticationHandler to PrincipalResolver

New Feature

  • [CAS-598] - Account Management System
  • [CAS-1257] - Allow support for custom attribute filters when validating a service
  • [CAS-1270] - Extend service registry to allow authentication handlers per service
  • [CAS-1284] - Validate and adopt CAS3 protocol rev
  • [CAS-1292] - Front Channel SLO

Security Bug

  • [CAS-1113] - Password visible in plain text of logs
  • [CAS-1209] - Default ClearPass Configuration Allows Circumventing Allowed Proxy Chains
  • [CAS-1298] - cas-server-support-generic contains transitive dependency on commons-httpclient 3.1 which contains known security flaws
  • [CAS-1335] - Disallow and reject empty service registry configurations
  • [CAS-1356] - java.util.Random is used when java.security.SecureRandom should be used

Task

  • [CAS-1106] - Update Logging Statements for slf4j
  • [CAS-1145] - Expose protocol level constants in CAS core
  • [CAS-1183] - Move out the services management webapp
  • [CAS-1188] - Make SAML support as an optional module for CAS server
  • [CAS-1196] - CASImpl:grantServiceTicket() Javadocs are misleading
  • [CAS-1210] - Upgrade the spring dependency to 3.1.3
  • [CAS-1215] - Upgrade AspectJ plugin version to 1.4
  • [CAS-1216] - Remove unused imports
  • [CAS-1217] - Add missing serialVersionUID; Update misformatted Javadocs
  • [CAS-1221] - Remove deprecated JdbcLockingStrategy
  • [CAS-1224] - Remove deprecated JpaDaoSupport from JpaServiceRegDaoImpl
  • [CAS-1229] - Provide support for better site generation of the project
  • [CAS-1250] - Remove uPortal dependency from clearPass module
  • [CAS-1262] - Clean up AbstractTicket: Remove dependency on TicketGrantingTicketImpl
  • [CAS-1263] - Cloning a RegisteredService should not have to require a cast
  • [CAS-1271] - Utilize the maven checkstyle plugin to enforce coding conventions
  • [CAS-1272] - Switch the SimpleTestUserNamePassword handler with a more complicated handler
  • [CAS-1281] - Switch to ldaptive for LDAP integration
  • [CAS-1286] - Extract the OAuth client support in its own module and upgrade to pac4j
  • [CAS-1381] - CAS4 RC2 integration testing with CAS clients
  • [CAS-1390] - Update ldaptive version
  • [CAS-1401] - Getters/Setters don't match for ldapDateConvert of PasswordPolicyConfiguration
  • [CAS-1417] - Complete Github Pages documentation
  • [CAS-1418] - Generalize Password Expiration Support
  • [CAS-1428] - Update language properties for 4.0
  • [CAS-1454] - Little documentation issue to activate remember me