- NEW:
* Implemented single-sign-out functionality as specified in CAS 3.3. See
http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out.
* It is now possible to configure Authenticators to return extra attributes
to CAS clients alongside the username. For an example of how to do this see
the included SQL authenticator. Also have a look at:
http://groups.google.com/group/rubycas-server/browse_thread/thread/5eade3793cb590e9
Note that extra attributes of type other than String or Numeric are serialized
into YAML format before being sent along to the client.
* Added an MD5-password version of the SQL authenticator for Drupal and any other
database that stores its passwords in hashed form (thanks malcolmm).
* Added new Google authenticator for authenticating against Google/GMail
accounts.
- CHANGED:
* Service URIs are now automatically normalized. For example, if the service
URI given to the server has a 'ticket' parameter, the ticket will now be
automatically stripped. This is to avert any possible issues raised by
misbehaving CAS clients (the CAS ticket should never be part of the service
URI). Same goes for other CAS-related parameters like 'service', 'renew',
and 'gateway'. Additionally, the trailing '/' and '?' characters are
automatically stripped from URLs, since, for example, "http://google.com/"
is almost certainly equivalent to "http://google.com".
* The expire_sessions config variable is now respected -- ticket granting
ticket cookies are set with an expiry datetime, so that the SSO session
is effectively terminated once the ticket_granting_ticket_expiry period
is reached.
* If present, the HTTP_X_FORWARDED_FOR header is used for recording the
client's address. This is useful when the server is running behind a reverse
proxy, but it should not be considered authoritative since it can be
easily spoofed.
* The 'service' field in the 'casserver_st' table has been changed from
VARCHAR(255) to TEXT in order to accomodate service URIs longer than 255
characters (fixes issue #46).
* The CAS XML responses are no longer whitespace-formatted (i.e. Markaby's
auto-indentation has been turned off). Apparently the whitespace was
causing problems with mod_auth_cas. See:
http://groups.google.com/group/rubycas-server/browse_thread/thread/e482fe09999b73d3
* When used without pre-authentication, the LDAP authenticator now tries to
bind by searching for the given username in the LDAP directory based on the
configured username_attribute. Prior to this change the authenticator
attempted to bind with the LDAP server by assuming that the username credential
matches the user's CN. This is no longer the case.
* CAS responses to invalid requests (for example where required parameters
are missing or incorrect) will now have HTTP status code 422. Internal server
errors (where the server rather than the client is at fault) have error 500.
Previously most responses had error code 200, regardless of their contents.
- FIXED:
* Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
was changed upstream forcing a change to the way we look for ProxyGrantingTickets
to delete on logout).
* When running under Mongrel, the USR2 signal should now restart the server as
expected -- however currently this only works when the server is running
in the foregaround. When daemonized, USR2 will shut down the server without
restarting (see issue #58).
* Fixed activerecord/activesupport gem load problems, hopefully once and for all
(however picnic-0.7.0 is now required).
- Much of the supporting functionality that makes RubyCAS-Server
act as a well-behaved Linux service has been abstracted out
into its own library. This new library is called Picnic and is
now a gem dependency for RubyCAS-Server. You can find out more about
it at http://code.google.com/p/camping-picnic/.
- The logout action will now accept a ‘destination’ parameter in
lieu of
'service'. This means that if a 'destination' parameter is given with
some URL, the logout action will show the login form, allowing the user
to immedietly log back in to the service specified by 'destination'.
- The logout action will now accept a ‘url’ parameter. If given,
the logout
page will show a message indicating that the CAS session has been terminated
and instructing the user to click on a link to follow the given URL. If the
'url' parameter is given, the login form will NOT be shown on the logout
page (see above).
- When an authentication failure occurs (because the user submitted
invalid credentials or the login ticket is missing), the server
now returns a 401 (Unauthorized) response instead of 200.
- An encryption-enabled version of the SQL authenticator is now
available. For more info have a look at:
http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
- Better compatibility with Oracle databases. The database migration
no longer tries to create tables with long names when long
table names are not supported by the underlying database connector
(issue #15).
- The server now automatically removes leading and trailing whitespace from
the username entered by users. Passwords however are left intact, with no
whitespace removed.
- The server can now be configured to automatically downcase the
username entered by users (dowcase_username option). So if a user
enters "JSmith", the system will convert it to "jsmith" if the
downcase_username option is set to true.
- The server can now be made to bind to a specific address. See the
:bind_address option in the config.example.yml file.
- Fixed bug with ActiveRecord 2.0.2 where service tickets were not
being given a type (issue #37).
- Gateway requests should now be handled correctly. When the request to the
login page is made with gateway=true as one of the parameters, the CAS
server will immediately redirect back to the target service along with
a service ticket if an SSO session exists for the user (or without a
service ticket if there is no pre-existing SSO session).
Note that if you are using RubyCAS-Client and want gatewaying, you will
need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
- If gateway=true is specified as part of the logout URI, the server will
log the user out and immediately redirect them back to the specified
service. In other words, you can now do "gatewayed logouts" as well
as logins.
- A login ticket can now be remotely requested from the server by placing
a POST request to '/loginTicket'.
- The login view can now be made to return only the login form. This is
done by adding the 'onlyLoginForm' parameter to the '/login' request.
Optionally, a 'submitToURI' parameter can be supplied to force the login
form to submit to the given URI (otherwise the server will try to figure
out the full URI to its own login controller). This functionality may be
useful when you want to embed the login form in some external page, as
an IFRAME otherwise.
- Custom views can now be used to override the default Markaby templates
by specifying a 'custom_views_file' option in the configuration. See
custom_views.example.rb. [jzylks]
- Table names have been shortened to work with Oracle. A migration has
been added that should do the shortening for you the first time you run
this new RubyCAS-Server version.
- Multiple authenticators can now be specified. During authentication,
credentials are presented to the first authenticator, then the second,
and so on, until the user is validated by any one authenticator or fails
validation for all of them. [jzylks]
- When using webrick, you can now run with SSL disabled by omitting the
ssl_cert and ssl_key parameters.
- Changed incorrect MySQL example database configuration — option
should
be 'host:' not 'server:' (issue #22).
- Fixed glaring security problem with LDAP/AD Authenticator where under some
circumstances blank passwords were accepted as valid.
- Autocomplete has been turned off on the password field for better security.
In the future we may allow autocomplete to be re-enabled using a
configuration setting.
- When the user visits the login page and is already authenticated (i.e. they
have a valid ticket granting cookie), a message is shown at the top
indicating that they are already logged in.
- sqlite3-ruby is no longer required by the gem as a dependency. The user
must now install it manually prior to installing rubycas-server. The
building of sqlite3 native extensions appears to be somewhat flakey
and probably defeats the original purpose of using it (which was
to have a CAS server up and running with no additional DB configuration).
We will use MySQL as the default database adapter instead, since it does
not require additional libraries and many users will have a MySQL server
already available.
- Fixed bug that was causing all proxy-granting tickets to be deleted
whenever
any user logged out. Only the PGTs for the user that is logging out are now
being deleted.
- Trailing slashes in service URLs are now ignored when validating service
and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/"
are now considered to be the same service URL).
- Authenticators now raise AuthenticatorError exceptions when encountering
a problem/error. This makes it easier to send feedback to the user.
However, other exceptions should still be raised when errors ought
not be recoverable (i.e. programming errors).
- Fixed serious vulnerability in LDAP authenticator where under some
cirumstances the user could just enter '*' as their username to match
any username. The LDAP authenticator will now refuse to process logins
with usernames that contain the characters * ( ) \ / and the NULL
character \0.
- Views are no longer xhtml-validated. Markaby‘s auto-validation was
turned
off to allow for use of the autocomplete property on inputs, since this is
the only viable way of turning off password storage in IE and Firefox at
the page level.
- You can now limit the maximum length of a login session by setting the
expire_sessions config setting to true.
- Fixed some minor bugs in the login view.