
The following items are proposed to fit the scope of the CAS 4.1 release. We are just focusing on the big picture here; other, smaller issues may also be candidates depending on the nature of the change.

...

All about draftness!

This is just a draft and may be heavily edited as development moves on. Items that will not fit the release schedule and timeline will be removed from this list. We are just trying to gather and collect proposals for the release.

Open Items

Secure release of client credential, PGT and (optionally) CAS attributes

...

Encrypt or hash the ticket registry as appropriate, so that nobody can steal or tamper with its contents, whether on the wire, in memory or on disk. See Proposals to mitigate security risks under SEC-9.

Proposed by Jérôme LELEU
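
One way to realize this item, as an added illustration that is not CAS code: a registry wrapper that stores each ticket under an HMAC of its id and seals the serialized ticket with AES-GCM, so a copy of the backing store (a memory dump, a disk file, or a packet capture of a replicated cache) yields neither usable ticket ids nor plaintext, and any modification is detected on read. The class, field and key names, and the sample ticket body, are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical sealed registry (illustration only, not a CAS class): entries are stored
 * under an HMAC of the ticket id, and the ticket body is AES-GCM encrypted, so a copy of
 * the backing store yields neither usable ticket ids nor plaintext, and any edit is detected.
 */
public final class SealedTicketRegistry {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;
    private final SecretKeySpec encKey;       // AES key; keep it separate from the MAC key
    private final SecretKeySpec macKey;
    private final SecureRandom random = new SecureRandom();
    // Stands in for whatever the real registry persists to: memory, disk, or a remote cache.
    final Map<String, byte[]> backingStore = new HashMap<>();

    public SealedTicketRegistry(byte[] aesKey, byte[] hmacKey) {
        this.encKey = new SecretKeySpec(aesKey, "AES");
        this.macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }

    /** Storage key: the registry never holds the raw ticket id, so a stolen dump cannot be replayed. */
    private String storageKey(String ticketId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return Base64.getEncoder().encodeToString(mac.doFinal(ticketId.getBytes(StandardCharsets.UTF_8)));
    }

    public void add(String ticketId, byte[] serializedTicket) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        String key = storageKey(ticketId);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(key.getBytes(StandardCharsets.UTF_8)); // binds ciphertext to its slot: entries cannot be swapped
        byte[] ciphertext = cipher.doFinal(serializedTicket);
        byte[] record = new byte[IV_BYTES + ciphertext.length];
        System.arraycopy(iv, 0, record, 0, IV_BYTES);
        System.arraycopy(ciphertext, 0, record, IV_BYTES, ciphertext.length);
        backingStore.put(key, record);
    }

    /** Returns null for an unknown id; throws AEADBadTagException if the stored record was modified. */
    public byte[] get(String ticketId) throws Exception {
        String key = storageKey(ticketId);
        byte[] record = backingStore.get(key);
        if (record == null) {
            return null;
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, encKey,
                new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(record, 0, IV_BYTES)));
        cipher.updateAAD(key.getBytes(StandardCharsets.UTF_8));
        return cipher.doFinal(Arrays.copyOfRange(record, IV_BYTES, record.length));
    }

    public static void main(String[] args) throws Exception {
        byte[] aesKey = new byte[16];
        byte[] hmacKey = new byte[32];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(aesKey);
        rng.nextBytes(hmacKey);
        SealedTicketRegistry registry = new SealedTicketRegistry(aesKey, hmacKey);

        // Constructed sample ticket body; a real registry would serialize the ticket object.
        String ticketId = "ST-1-example";
        registry.add(ticketId, "principal=alice;service=https://app.example.org/".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(registry.get(ticketId), StandardCharsets.UTF_8));

        // Simulate tampering with the persisted record: flip one byte of the ciphertext/tag.
        byte[] record = registry.backingStore.values().iterator().next();
        record[record.length - 1] ^= 0x01;
        try {
            registry.get(ticketId);
        } catch (AEADBadTagException e) {
            System.out.println("tampered record rejected: " + e.getMessage());
        }
    }
}
```

Two caveats a deployment would need to settle outside this snippet: with random 96-bit nonces a single AES key should not be used for more than roughly 2^32 encryptions before it is rotated, and the MAC and AES keys have to be distributed to every node that shares the registry (and protected there), since whoever holds the MAC key can compute storage keys for guessed ticket ids.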

Management App Facelift

The CAS services management webapp is in dire need of attention. Improvements to the UI and the display of fields, as well as support for OAuth services, attribute filters and other service settings and types, would be considered.

By Misagh Moayyed

Done Items

Role-based Access Control and Authorization

Provide a facility to enable role-based access control that would attempt to decide service access rules based on user attributes. By Misagh Moayyed

Deprecation of uber-webapp and jboss-cache modules

...

Neither of the two modules has really received any attention (other than making sure they have no breaking APIs), and we have hardly ever had a question about either on the mailing list. Subsequent CAS versions may choose to drop the modules fully. By Misagh Moayyed

Refactoring of attributes filters, and attributes per service

...

Attribute filters in CAS can be configured per service. We'd like to take that one step further and describe attribute release policies in conjunction with filters, such that a policy determines the set of attributes allowed for a given service, and those attributes can be virtually renamed on release. Proposed by Misagh Moayyed

Proxy config per service should authorize callback urls

...

The proxying feature of a given service in CAS does not currently "authorize" the service, other than ensuring it can be reached via SSL. At the recommendation of the AppSec group, and as well articulated by Jérôme LELEU and David Ohsie, improvements can be made so that the pgtUrl can be controlled and authorized by the CAS config, so that we know who is really allowed to receive the PGT, in addition to knowing who is allowed to proxy at all.
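
The attribute release item above and this proxy item both come down to decisions taken per registered service, so one added example covers both. It is an illustration written for this page, not CAS code: a hypothetical service definition that filters and renames the attributes it releases, and that hands out a PGT only when the service is permitted to proxy and the pgtUrl is an https URL fully matching the configured callback pattern. The class name, the regex-based configuration, and the constructed principal and callback URLs are all assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical per-service definition (illustration only, not a CAS class). It carries an
 * attribute release policy that both filters and renames, and a proxy policy that names the
 * callback URL (pgtUrl) the service is authorized to use.
 */
public final class ServicePolicy {
    private final Pattern serviceId;
    private final Map<String, String> releasedAttributes;  // source attribute -> name the service sees
    private final boolean allowedToProxy;
    private final Pattern authorizedProxyCallback;         // full-match pattern for pgtUrl, null if none

    public ServicePolicy(String serviceIdRegex, Map<String, String> releasedAttributes,
                         boolean allowedToProxy, String proxyCallbackRegex) {
        this.serviceId = Pattern.compile(serviceIdRegex);
        this.releasedAttributes = new LinkedHashMap<>(releasedAttributes);
        this.allowedToProxy = allowedToProxy;
        this.authorizedProxyCallback = proxyCallbackRegex == null ? null : Pattern.compile(proxyCallbackRegex);
    }

    public boolean matches(String serviceUrl) {
        return serviceId.matcher(serviceUrl).matches();
    }

    /** Only attributes named in the policy leave CAS, under the policy's name; missing ones are skipped. */
    public Map<String, Object> releaseAttributes(Map<String, Object> principalAttributes) {
        Map<String, Object> released = new LinkedHashMap<>();
        for (Map.Entry<String, String> rule : releasedAttributes.entrySet()) {
            Object value = principalAttributes.get(rule.getKey());
            if (value != null) {
                released.put(rule.getValue(), value);
            }
        }
        return released;
    }

    /**
     * A PGT is handed out only if the service may proxy at all AND the callback is an https URL
     * that fully matches the configured pattern. Being reachable over SSL alone is not authorization.
     */
    public boolean authorizesProxyCallback(String pgtUrl) {
        if (!allowedToProxy || authorizedProxyCallback == null || pgtUrl == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(pgtUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        // Reject plaintext, host-less and user@host forms before the pattern is even consulted.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null || uri.getUserInfo() != null) {
            return false;
        }
        return authorizedProxyCallback.matcher(pgtUrl).matches();
    }

    public static void main(String[] args) {
        Map<String, String> mapping = new LinkedHashMap<>();
        mapping.put("mail", "email");
        mapping.put("eduPersonAffiliation", "affiliation");
        ServicePolicy app = new ServicePolicy("^https://app\\.example\\.org/.*", mapping,
                true, "^https://app\\.example\\.org/proxyCallback$");

        // Constructed principal: uid is resolved but not in the policy, so it is never released.
        Map<String, Object> principal = new LinkedHashMap<>();
        principal.put("uid", "alice");
        principal.put("mail", "alice@example.org");
        principal.put("eduPersonAffiliation", Arrays.asList("staff", "member"));
        System.out.println("released: " + app.releaseAttributes(principal));

        String[] callbacks = {
            "https://app.example.org/proxyCallback",                     // the configured callback
            "https://attacker.example.net/proxyCallback",                // another host, also reachable over SSL
            "http://app.example.org/proxyCallback",                      // right host, plaintext
            "https://app.example.org@attacker.example.net/proxyCallback" // userinfo trick
        };
        for (String pgtUrl : callbacks) {
            System.out.println(pgtUrl + " -> " + app.authorizesProxyCallback(pgtUrl));
        }
    }
}
```

The four callback URLs in main exercise the cases the item is about: the configured callback, a different host that happens to serve a valid certificate, the right host over plain http, and a URL whose userinfo part impersonates the allowed host. Only the first should be granted a PGT; the explicit scheme, host and userinfo checks stay in place even though the full-match regex would catch most of these, because a looser pattern in someone's configuration should not silently widen what counts as authorized.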

CAS-specific truststore for proxycalls and handling SSL certs

...

CAS currently uses the JDK's default truststore to establish SSL handshakes, especially for proxy calls. This can be improved by providing a CAS-specific truststore that would be empty by default; certificates of proxies that are not otherwise trusted can be imported into this particular store. Separating the store from Java's default also helps with platform upgrades, which may otherwise overwrite previous changes to the default store.

...

Note that the CAS-specific store would be used in addition to the certificates already available in Java's default store. We simply want to avoid polluting the default, and allow adopters to carry over their own store regardless of JDK version.
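
As an added illustration of the behaviour described here (written for this page, not taken from CAS): a composite trust manager that consults a CAS-specific truststore first and falls back to the JDK's default store, so a proxy certificate imported into the CAS store is trusted without touching cacerts, and publicly trusted proxies keep working. The class name, the file path and the password handling are assumptions; it also copes with the "empty by default" case, since the JDK's PKIX trust manager will not initialise from a store with no trust anchors.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical composite trust manager (illustration only, not a CAS class): a certificate chain is
 * accepted if the CAS-specific truststore trusts it or, failing that, if the JDK's default store does.
 * The CAS store may be empty (the proposed default), in which case only the JDK store is consulted.
 */
public final class CasProxyTrustManager implements X509TrustManager {
    private final X509TrustManager casStore;    // null when the CAS store holds no certificates
    private final X509TrustManager jdkDefault;

    public CasProxyTrustManager(String casTrustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS or PKCS12 depending on the JDK
        try (InputStream in = new FileInputStream(casTrustStorePath)) {
            ks.load(in, password);
        }
        // PKIX trust managers refuse to initialise from a store with no trust anchors, so skip an empty one.
        this.casStore = ks.size() == 0 ? null : trustManagerFor(ks);
        this.jdkDefault = trustManagerFor(null); // null -> javax.net.ssl.trustStore or the JDK's cacerts
    }

    private static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (casStore != null) {
            try {
                casStore.checkServerTrusted(chain, authType);
                return;
            } catch (CertificateException notInCasStore) {
                // fall through to the JDK store
            }
        }
        jdkDefault.checkServerTrusted(chain, authType); // throws if neither store trusts the chain
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (casStore != null) {
            try {
                casStore.checkClientTrusted(chain, authType);
                return;
            } catch (CertificateException notInCasStore) {
                // fall through to the JDK store
            }
        }
        jdkDefault.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] cas = casStore == null ? new X509Certificate[0] : casStore.getAcceptedIssuers();
        X509Certificate[] jdk = jdkDefault.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[cas.length + jdk.length];
        System.arraycopy(cas, 0, all, 0, cas.length);
        System.arraycopy(jdk, 0, all, cas.length, jdk.length);
        return all;
    }

    /** SSLContext for the HTTP client that performs the proxy callback to pgtUrl. */
    public static SSLContext sslContextFor(String casTrustStorePath, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new CasProxyTrustManager(casTrustStorePath, password) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // usage: java CasProxyTrustManager /etc/cas/cas-truststore.jks changeit   (path and password are assumptions)
        CasProxyTrustManager tm = new CasProxyTrustManager(args[0], args[1].toCharArray());
        System.out.println(tm.getAcceptedIssuers().length + " trusted issuers (CAS store plus JDK default)");
    }
}
```

A proxy's certificate is added to the CAS-specific store with the JDK's own tool, for instance `keytool -importcert -alias proxy-app -file proxy-app.pem -keystore /etc/cas/cas-truststore.jks` (alias, file and path are placeholders), and the store survives a JDK upgrade because it lives outside the JDK's cacerts. Two things this trust manager does not do: it performs no hostname verification (the HTTP client making the callback still has to check that the certificate matches the pgtUrl host), and it does not replace the per-service authorization of the pgtUrl itself; trusting a certificate only says the callback endpoint is who it claims to be, not that it may receive a PGT.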

Client-side Spring Webflow session management

...

The Spring Webflow conversation state is managed by the server, which causes issues due to web session timeouts. Let's move the management of this state over to the browser. Marvin Addison has developed a perfectly suitable solution. By Misagh Moayyed

Retiring JIRA and using Github Issues for task tracking

...

JIRA seems too heavyweight for what it's now being used for, which is mainly tracking issues and improvements. GitHub Issues provides a more pleasant alternative. We have to do a little bit of work to create appropriate tags that correspond to our existing JIRA issue types, but that's quite simple to do, takes very little time, and the process is in fact quite customizable. Every issue can be assigned to a milestone and may be tagged with many of the other decorations that JIRA provides. Issues can be assigned to developers, can have "Affects Version" and "Fixed in Version" and many other tags that we feel may be more relevant. By Misagh Moayyed

GitHub CAS Downloads

...

Rather than providing binary downloadable artifacts per release on the Jasig website, it seems that the release engineer for a given CAS release has all the right permissions and tools to take advantage of GitHub's releases feature, where the binary artifact (cas-webapp) as well as the release notes can be hosted and uploaded directly. The Jasig website could then perhaps just include a link to the latest release, or to the download area. Proposed by Misagh Moayyed

CAS Protocol on Docs Site

...

Moving the CAS protocol off the Jasig website and onto the GH Pages docs site: I had a lot of trouble keeping to the syntax of the WYSIWYG editor, which truly was necessary work. So, in the spirit of synchronicity, I'd like to include the protocol doc in the documentation somewhere, so that it stays with the version of the CAS software that is released. Proposed by Misagh Moayyed

JSON Service Registry

...

Persistence of service definitions into a JSON file. Marvin Addison and Unicon both have solutions that could be merged and consolidated into one awesome registry! By Misagh Moayyed and Marvin Addison

...