CHANGELOG.md

Change Log

All notable changes to this project will be documented in this file.

1.1.0 - 06 jul 2022

• Apply pom code convention (https://maven.apache.org/developers/conventions/code.html#pom-code-convention)
• Use java 11
• Use spring-boot 2.6.9

1.0.6 - 26 nov 2020

• Add support for CAS client >= 3.6 (#147)

1.0.5 - 04 sept 2020

• Fix java 11 build error due to incompatibility between lombok and javadoc (#146)

1.0.4 - 04 sept 2020

• Replace @PostConstruct to avoid mess with JDK8 / JDK11 (#145)

1.0.3 - 30 jul 2020

• Add new interface ProxyCallbackUrlAwareTicketValidator if you'd like to create your own TicketValidator but do not want to extend Cas20ServiceTicketValidator (or others) because they added final everywhere and so is impossible to extends...

1.0.2 - 12 mar 2020

• Update dependencies for security fixes

1.0.1 - 31 jan 2020

• Happy new year 🎉
• Move some method to become public in order to facilate customization (https://github.com/kakawait/cas-security-spring-boot-starter/pull/135/commits/02e1e805998f92216753cc87c6f3e99d6f6ff17e)

1.0.0 - 5 sept 2019

• First release that supporting Spring boot 2 (#32)
• Remove deprecated module cas-security-dynamic-service-resolver (#35)
• Open some api to facilitate extensibility (#122, #109)

Breaking changes

• Related to #35 Remove cas-security-dynamic-service-resolver module, you must use spring-security-cas-extension instead.
• Related to #33 Rename package com.kakawait.spring.boot.security.cas to com.kakawait.spring.boot.security.cas.autoconfigure, you must rewrite your import statements to append .autoconfigure..
• Property security.cas.authorize-mode has been renamed security.cas.authorization.mode
• CasHttpSecurityConfigurer.cas().configure(http) will no secure paths, only configure CAS authentication
• Autoconfiguration java class package was moved from com.kakawait.spring.boot.security.cas to com.kakawait.spring.boot.security.cas.autoconfigure

Spring boot 2 support breaking changes

By supporting Spring Boot 2, you should understand that some security features has been removed on Spring Boot 2 regarding Spring Boot 1 (see official documentations Spring boot 2 migration guide - security and Spring boot 2 security migration).

No more basic auth by default on Spring boot 2

Some behaviors will not be able on Spring Boot 2 for example excepting getting Basic Auth support in addition to Cas Auth if you put security.basic.enabled=true (which is default). You must re-add Basic Auth by yourself like on cas-security-spring-boot-sample.

No more default ROLE_USER and ROLE based authentication by default

In addition, no more default role ROLE_USER will be added to any authenticated user.

Thus default security.cas.authorization.mode (formerly security.cas.authorization.mode) value is now authenticated instead of role.

However if you want to re-add default ROLE_ on every authenticated user you could use:

security:
  cas:
    user:
      default-roles: USER

Where security.cas.user.default-roles accepts list of roles.

And if you comes back to ROLE based authentication instead of just authenticated, you should:

security:
  cas:
    user:
      default-roles: USER
    authorization:
      mode: role
      roles: USER

Where security.cas.authorization.roles (which only useful when using security.cas.authorization.mode=ROLE) is list of roles that use must have to be accepted.