Home | content | q4-2012-cooperative-support-cas-update

Q4 2012 Cooperative Support for CAS Update

A quick post to publicly share the slides for today's Cooperative Support for CAS Update briefing.

Now a slidecast!. The above slide deck is now a "slidecast" in that it has audio associated with it. You can even skip ahead and the audio is mostly synced with the slides.

Rather than enjoying the above slidecast in its small form here on www.unicon.net, I encourage you to go view it in its native SlideShare.net environment, where it's bigger and more lovely.

A PDF of the slideware is attached to this blog post and the audio MP3 is available here.


The blog post narrative version of this briefing follows.

Welcome to this briefing

For this first time this December, Unicon evolved what had been a support-subscriber-only periodic “summit” into a public-invited “briefing” with observations about CAS as I see it, an update on progress and intentions in the development piece of our support program, and heads up about upcoming relevant conferences.

The slides from that briefing are attached to this page and are available via SlideShare as an audio-enhanced slidecast. The standalone mp3 is also available.

Unicon’s strategy around CAS services and support

Unicon’s strategy in providing support and services related to CAS is to participate directly in the CAS project through the lists, issue tracker, wiki, Jasig source control, and other source code shared via GitHub. We develop open source software on behalf of our clients and inform the maintenance development Unicon undertakes through support experiences.

You have to source your support somehow

Whenever you adopt software, open source or otherwise, you source support with it, implicitly or explicitly.

In typical proprietary vended software, support is tied up in licensing the software at all, that is, you source your support from some combination of the vendor (who typically has monopoly over access to the source code and ability to enhance the software) and local staff who interact with that vendor, consume documentation, perform local configuration, etc.

In open source software implementation, you have more degrees of freedom in sourcing support. You can rely on local staff, engage and participate in the community around the software (earning goodwill and “spending” it to get help from other adopters), and you can engage one or more of potentially many vendors of services around the software (with no one vendor enjoying monopoly over access to source code and ability to develop enhancements). In practice you’ll typically do a combination of these.

Unicon seeks to be an attractive option for the “source support services from a vendor” piece of your open source software support sourcing strategy.

One important part of that support that you need to source somehow is maintenance development that keeps software working, current, responding to discovered issues. Unicon participants in the maintenance development of supported free and open source software products on behalf of our support subscribers.

Unicon’s “Cooperative” Support program

What makes Unicon’s support program “Cooperative”?

Our support program is designed to complement and cooperate with direct participation in the community around the supported software.

We provide support directly for open source software as vended publicly by the community. When you rely on Unicon to provide support for your CAS server, you’re using the same CAS software, the same client libraries, that other non-Unicon-customers are using. We don’t sell licenses to proprietary add-ons for CAS not available to other CAS adopters. In this way, we’re “cooperating” with the CAS community in that to the extent that we have a patch to offer or a fix to make or an enhancement to advocate, it’s out there publicly, whether committed to the Jasig CAS repo, or pending in a pull request, or ready to adopt with CAS in cas-addons, depending on where it landed. This also makes you more able to “cooperate” with your fellow CAS adopters, even when they’re not Unicon customers, in that the questions they’re asking on the list are about the same software you have experience operating. You might engage directly on the public lists and answer their questions, and when you do so, you’re answering about the same software everyone else has access to. Likewise, just because you have access to Unicon support doesn’t mean you can’t ask your questions anywhere else you like as well, and when you do ask other CAS adotpers, they can immediately relate.

We produce exclusively open source patches. To the extent that a support issue yields a development task under Cooperative Support, that development task’s deliverable is to the public CAS community. By all means, we also want to help you, the individual support subscriber experiencing the pain that will be addressed with the patch. But we want to help you by helping you implement a patch or code that has been shared publicly and is available to the entire CAS community.

We produce public documentation in response to support experiences. Documentation is a perennial sore point. Maybe we’d make lots of money if we produced a proprietary body of documentation and made it available only to our customers. Too bad. To the extent that we have documentation for our support subscribers, that documentation is freely available and public, contributed through the modalities appropriate to the supported product. Into the Jasig wiki. As a blog post. Historically, as a knowledge base article on www.unicon.net, though we’re working to retire that “walled garden” in favor of other modalities.

Unicon’s support program is support, attending to your needs as a support subscriber, but we structure the program in a way that “cooperates” with the larger open source project context and with your other non-Unicon options for sourcing support for your usage of the software.

Thanks to our support subscribers

Our support subscribers make possible the Cooperative Support for CAS program, this quarterly update, and the progress discussed in this update. Thanks!

Highlights and observations

This section is meant to provide some background and context. What new software releases are available and what are their highlights? What events are coming up? What’s afoot in the community around CAS? Here are some observations and highlights answering those questions.

CAS server 3.5.1 released

CAS server 3.5.1 is a patch release in the CAS server 3.5 series.

CAS server 3.5 is the current latest stable CAS server release and is the version Unicon recommends all adopters upgrade to and new adopters implement. CAS 3.5 drew in extension features into the CAS server product itself, including features for reflecting account status in the UI (password expiring, expired; account locked), the ClearPass extension featureset, and the EhCache ticket registry.

CAS server 3.5 also adds features for OpenID and OAuth support.

CAS Server 3.5.1, released October 5th 2012, added numerous improvements including performance, monitoring, internationalization, SAML, and OAuth improvements and addressed an open redirects in logout redirect URL issue.

CAS Server 3.5.1 also enables per-service specification of which user attribute to use as the username in the CAS ticket validation protocol response. This turns out to be convenient for CAS-integrating applications that didn’t need full-fledged user attribute support but do key the user by an identifier different from that used by other applications.

cas-addons 1.0.5 released

Unicon offers free and open source add-ons for the CAS server via the cas-addons GitHub repository. These are licensed compatibly with the CAS server and are intended for adoption with the CAS server. cas-addons trends towards newer, less established, exploratory features that are not yet or may never be included with the CAS server itself.

You make cas-addons code available to your CAS server the same way you make other CAS modules available, by declaring it in your Maven overlay pom.xml file as a dependency.



CAS addons offers additional options for how to represent and store the service registry, i.e. as a JSON text file or in a MondoDB NoSQL database. CAS addons experiments with a new JSON CAS ticket validation response format.

CAS addons also includes a JSON Person Attribute DAO implementation handy for testing CAS server user attribute behaviors without relying on a live LDAP server.

CAS addons is also a place to experiment with new authentication handler implementations such as that to integrate with Stormpath.

cas-addons 1.0 added Spring Security ClearPass support such that applications using Spring Security can obtain the password from a Spring Security API rather than relying upon a ClearPass specific API or coding interaction with the CAS server directly.

cas-addons 1.0 added a per-service redirect switch causing the CAS server to redirect attempts to log into an application to a configured URL. This is intended to be handy for disabling CAS login to an application and sending users to an error landing page while leaving the application itself up for troubleshooting.

cas-addons 1.0 experiments with richer ticket registry APIs driving a JSON report on live end-user single sign on sessions and with richer authentication handler integration for validating passwords stored in a database (adding basic salting support).


The CAS 4 release will add level of assurance capabilities, the attendant protocol evolution to make those capabilities available to CAS-using applications, and the attendant authentication API evolution to support multiple credentials.

Also importantly, the CAS 4 release should catch up documented protocol to CAS server behavior and evident practices.

In short, CAS 4 will be a relatively modest new feature release in 2013.

Jasig + Sakai = Apereo

Jasig (the non-profit context for CAS, uPortal, Bedework, Student Success Plan, etc.) is consolidating with the Sakai Foundation (the non-profit context for Sakai CLE, etc.) The new combined organization is named “Apereo” and will continue to be a wholesome supportive context for CAS server and CAS client library collaboration.

Jasig-Sakai UnConference

The Jasig-Sakai UnConference will be taking place January 14th through 16th in scenic Mesa, Arizona. I hope to see you there for discussion of and collaboration upon all things CAS.

Unicon offering post-un-conference trainings

Unicon is offering a CAS and Shibboleth training and a uPortal Platform Training immediately after the UnConference. Please get in touch to learn more / sign up.

Apereo 2013 Conference

The Apereo 2013 Conference will be June 3rd through June 6th 2013 in scenic San Diego.

Cooperative Development Done this quarter

What is “Cooperative Development”?

“Cooperative Development” is sustaining engineering Unicon undertakes under the auspices of the Cooperative Support program. We apply maintenance development effort making the supported open source software more supportable and valuable to support subscribers. The intent is to find and complete feasible incremental efforts improving the software in the interest of support subscribers, of the CAS community, and of Unicon.

This development is “Cooperative” in the sense that it’s free and open source software publicly available to all CAS adopters and participating in (cooperating with) the process of developing and maintaining the free and open source CAS server and CAS client library products. Unicon’s Cooperative Development efforts is one way to get things done, local staff participating in the open source project is another, and all these ways of getting things done cooperate together to get things done.

Theme: Maintenance of CAS generally

One important effort stream under Cooperative Development is efforts that maintain CAS server generally. For instance, this quarter Misagh upgraded CAS server’s usage of Spring to Spring version 3.1.3.

Dmitriy’s work this quarter on automated tests (Spock tests, other functional tests) supporting CAS maintenance also fit into this theme.

Theme: Maintenance of Unicon-led features: ClearPass

Unicon especially likes to use Cooperative Development efforts to maintain Unicon-led CAS features, since these tend to be features that our clients rely upon that Unicon is especially well positioned within the CAS community to maintain. For instance, Unicon is largely responsible for ClearPass landing in the CAS server product and continues to maintain this feature. This quarter there was some maintenance of Maven dependency declarations around ClearPass.

Now that ClearPass is a feature of the CAS server product itself, it’s time to step through the CAS client libraries and see how ClearPass integrations can be made more convenient. This quarter Misagh tackled adding ClearPass integration to the .NET CAS Client library.

Dmitriy tackled creating a Spring Security extension adding ClearPass support. With this extension,

<sec:authentication-manager alias="casAuthnManager" erase-credentials="false">
  <sec:authentication-provider ref="casAuthnProvider"/>


Java developers using Spring Security can obtain the user’s password through a Spring Security API rather than a ClearPass-specific API (which means the resulting Spring-Security-using Java web application isn’t necessarily bound to CAS ClearPass as the required implementation of where that password is coming from.)

String password = UserDetails.class.cast(SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getPassword();


(See documentation).

Theme: Maintenance of Unicon-led features: LPPE

LPPE (“LDAP Password Policy Extensions”) is another CAS extension that’s been drawn into the CAS server product. Misagh applied a code quality / improvements pass to it this quarter, in part in preparation for further evolution of this feature as it grows to support more than LDAP in the CAS 4 release.

Theme: CAS Skinnability and Message Localization

Unicon does client-specific CAS skinnings/brandings pretty frequently and continues support the CAS server product being more easily skinnable and having a better out of the box responsive design for good quality experiences on mobile devices as well as on the desktop. Previous quarters have worked on this, and this quarter Misagh continued to work on this by making the theme able to specify a theme-specific location of the CAS JavaScript file.

This quarter Misagh also continued to work on CAS features for message localization, making the CAS server build report missing language keys, making the CAS server stop defaulting to the JVM system locale, and making the UI fall back to the English locale when a language key is not found in the otherwise preferred language localization bundle.

Theme: innovating in cas-addons

Besides working on the CAS server product itself, Unicon also innovates in cas-addons building free and open source features available for adoption in CAS and that may influence, are licensed compatibly with, and can be drawn into CAS server.

Service Registry improvements

Improving the CAS service registry features has been a theme for some time, with work going into CAS 3.5 to support regular expression matching of registrations to presenting service identifiers, work on the service management web-based administrative UI, etc. This quarter Dmitriy added the ability to have requests to log into a disabled service redirect to a URL (useful for sending users to a service-down temporary error page) and Misagh added a MongoDB service registry implementation.

API and implementation evolution

cas-addons is also a place to iterate on better AuthenticationHandler implementations. Work this quarter included exploring adding salting to password hash generation in a ShiroHashServicePasswordEncoder for use with e.g. the AuthenticationHandler that compares a presented password against that stored in a database. So far this supports a static salt but a natural further evolution is to support the username as a dynamic salt.

<bean id="passwordEncoder" class="net.unicon.cas.addons.authentication.handler.ShiroHashServicePasswordEncoder" 


This quarter cas-addons also gained an optional richer API for ticket registries and an Active SSO Sessions Report exercising that richer API.

Intentions for Cooperative Development for CAS in Q1 2013

In Cooperative Development for CAS we work to maintain CAS 3.5 (the current stable recommended release), work towards CAS 4 (the next release), maintain the supported client libraries, explore extensions and opportunities for the CAS products, and do all this work in a way that’s responsive to inputs from subscriber experiences. Those inputs are both explicit (emails, explicit requests, a cute issue voting mechanism through the www.unicon.net website, etc.) and implicit (learning from providing support, fixing CAS issues we notice or trip over, and empathizing with our subscribers’ needs and projects).

Maintain CAS 3.5

CAS 3.5 is the current stable release and Unicon intends to continue to be available to fix bugs and improve documentation about this release.

This is the stable conservative maintenance release line at this point. Unicon doesn’t have a lot of exciting intentions to add wild new features here. New features and daring efforts belong in the next CAS release beyond CAS 3.5 (CAS 4).

Work towards CAS 4

This next quarter we also intend to work towards CAS 4, participating in the CAS protocol update efforts, helping to evolve LPPE beyond LDAP, and participating in multi-factor authentication / level-of-assurance support development, leveraging Unicon’s experiences and free and open source code in cas-addons with these issues.

Next steps

Feedback welcome

By all means, please do get in touch.

Feedback is especially welcome from the support subscribers who make this program possible, and beyond hearing your feedback, Unicon would be glad of the opportunity to contextualize any of these improvements and happenings to your specific situation and needs.

The next of these updates

The next of these Cooperative Support for CAS Update briefings will be on March 27th 2013 at 8:30am Pacific == 11:30 am Eastern. Feel free to mark your calendar now; registration information will be available on www.unicon.net as the date approaches.

Documentation On-Demand

Return to the blog listing page