Merge branch 'release/v7.2.6-1'

Author: dnschwarzer

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v7.2.6-1] - 2025-08-26
+### Changed
+- [#279] Changed Jenkins-Build to be able to start the integration tests more reliably
+- [#281] Upgraded CAS to 7.2.6
+- [#281] Upgraded Sprint Boot to 3.4.4
+
 ## [v7.1.6-6] - 2025-08-14
 ### Fixed
 - [#276] Fix typo in cas configuration

Dockerfile

@@ -39,9 +39,8 @@ RUN apk update && apk add wget && wget -O  "apache-tomcat-${TOMCAT_VERSION}.tar.
 
 # registry.cloudogu.com/official/cas
 FROM registry.cloudogu.com/official/java:21.0.5-1 AS cas
-
 LABEL NAME="official/cas" \
-      VERSION="7.1.6-6" \
+      VERSION="7.2.6-1" \
       maintainer="[email protected]"
 
 ARG TOMCAT_VERSION
@@ -56,7 +55,8 @@ RUN set -o errexit \
   && apk upgrade \
   && apk add --no-cache --update \
     wget \
-    jq
+    jq \
+    curl
 
 # configure environment
 ENV TOMCAT_VERSION=${TOMCAT_VERSION} \

Jenkinsfile

@@ -197,13 +197,29 @@ parallel(
                             timeout(15) {
                                 ecoSystem.waitForDogu("nginx")
                                 ecoSystem.waitForDogu("cas")
+
+                                // The http health check is not yet implemented, so this is the manual workaround.
+                                waitForCondition(20, 10) {
+                                    def status = sh(
+                                        script: """
+                                        wget --spider -S --tries=1 --timeout=10 --no-check-certificate http://${ecoSystem.externalIP}/cas/actuator/health 2>&1 \
+                                        | awk '/^  HTTP/{print \$2}' | tail -1
+                                        """,
+                                        returnStdout: true
+                                    ).trim()
+
+                                    echo "HTTP status: ${status}"
+                                    return status == "200"
+                                }
                             }
                         }
 
                         stage('Integration Tests') {
                             echo "Create custom dogu to access OAuth endpoints for the integration tests"
                             ecoSystem.vagrant.ssh "sudo docker cp /dogu/integrationTests/services/ cas:/etc/cas/services/production/"
                             ecoSystem.vagrant.sshOut "sudo docker exec cas ls /etc/cas/services/production"
+                            // Wait for Service-Watch start delay (see: cas.service-registry.schedule.start-delay)
+                            sleep time: 30, unit: 'SECONDS'
 
                            ecoSystem.runCypressIntegrationTests([
                                     cypressImage     : "cypress/included:13.13.2",
@@ -284,4 +300,18 @@ void gitWithCredentials(String command) {
                 returnStdout: true
         )
     }
-}
+}
+
+def waitForCondition(maxRetries = 10, sleepSeconds = 5, checkClosure) {
+    def retries = 0
+    while (retries < maxRetries) {
+        if (checkClosure()) {
+            echo "Condition met after ${retries} attempt(s)"
+            return true
+        }
+        echo "Condition not met, retrying... (${retries + 1}/${maxRetries})"
+        sleep time: sleepSeconds, unit: 'SECONDS'
+        retries++
+    }
+    error "Condition not met after ${maxRetries} attempts"
+}

app/build.gradle

@@ -32,7 +32,7 @@ buildscript {
 
         classpath "de.undercouch:gradle-download-task:${project.gradleDownloadTaskVersion}"
         classpath "org.apereo.cas:cas-server-core-api-configuration-model:${project.'cas.version'}"
-        classpath "org.apereo.cas:cas-server-core-configuration-metadata-repository:${project.'cas.version'}"
+        classpath "org.apereo.cas:cas-server-support-configuration-metadata-repository:${project.'cas.version'}"
     }
 }
 
@@ -120,7 +120,6 @@ test {
 
 dependencies {
     implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
-    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
 
     // Other CAS dependencies/modules may be listed here...
     implementation "org.apereo.cas:cas-server-core-api-protocol"
@@ -192,26 +191,15 @@ dependencies {
     developmentOnly "org.springframework.boot:spring-boot-devtools:${project.springBootVersion}"
     runtimeOnly("org.springframework.boot:spring-boot-properties-migrator")
 
+    implementation "org.apereo.cas:cas-server-core-scripting:${project.'cas.version'}"
+
     implementation "org.pac4j:pac4j-cas"
     implementation "org.pac4j:pac4j-oidc"
     implementation "org.pac4j:pac4j-config"
-
-    implementation "org.apereo.cas:cas-server-core-scripting:${project.'cas.version'}"
+    implementation "org.apereo.cas:cas-server-core-multitenancy"
 }
 
 configurations.all {
     resolutionStrategy {
-        force 'org.apache.logging.log4j:log4j-core:2.23.1'
-        force 'org.apache.logging.log4j:log4j-api:2.23.1'
-
-        force 'org.springframework.security:spring-security-core:6.3.4'
-        force 'org.springframework.security:spring-security-web:6.3.4'
-        force 'org.springframework.security:spring-security-config:6.3.4'
-        force 'org.springframework.security:spring-security-oauth2-core:6.3.4'
-        force 'org.springframework.security:spring-security-oauth2-client:6.3.4'
-        force 'org.springframework.security:spring-security-oauth2-jose:6.3.4'
-        force 'org.springframework.security:spring-security-oauth2-resource-server:6.3.4'
-        force 'org.springframework.security:spring-security-crypto:6.3.4'
-        force 'org.springframework.security:spring-security-rsa:1.1.1' 
     }
 }

app/gradle.properties

@@ -1,10 +1,10 @@
 # CAS server version
-cas.version=7.1.6
+cas.version=7.2.6
 
 ###############################
 # Spring versions
 ###############################
-springBootVersion=3.3.9
+springBootVersion=3.4.4
 
 ###############################
 # Tomcat versions
@@ -21,7 +21,7 @@ gradleFreeFairPluginVersion=8.6
 gradleDependencyManagementPluginVersion=1.1.5
 
 # The version of this overlay project
-version=7.1.6
+version=7.2.6
 group=org.apereo.cas
 artifactId=cas-overlay
 sourceCompatibility=21

app/gradle/springboot.gradle

@@ -114,31 +114,6 @@ bootWar {
             excludes = [
                     "WEB-INF/lib/servlet-api-6*.jar",
                     "WEB-INF/lib/tomcat-*-10.1.31.jar", // as we use an external tomcat server we can remove the embedded on
-
-
-                    // Exclude outdated security libs if they exist in overlay WAR
-                    "WEB-INF/lib/spring-security-web-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-web-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-core-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-config-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-crypto-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-oauth2-core-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-oauth2-client-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-oauth2-jose-6.2.4.jar",
-                    "WEB-INF/lib/spring-security-oauth2-resource-server-6.2.4.jar",
-
-                    "WEB-INF/lib/spring-security-web-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-core-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-config-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-crypto-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-oauth2-core-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-oauth2-client-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-oauth2-jose-6.3.3.jar",
-                    "WEB-INF/lib/spring-security-oauth2-resource-server-6.3.3.jar",
-
-                    "WEB-INF/lib/spring-web-6.2.3.jar",
-                    "WEB-INF/lib/spring-web-6.2.5.jar",
-                    "WEB-INF/lib/spring-web-6.1.12.jar",
             ]
         }
     }

app/gradle/tasks.gradle

@@ -31,7 +31,7 @@ buildscript {
     }
     dependencies {
         classpath "org.apache.ivy:ivy:${project.ivyVersion}"
-        classpath "org.apereo.cas:cas-server-core-configuration-metadata-repository:${project.'cas.version'}"
+        classpath "org.apereo.cas:cas-server-support-configuration-metadata-repository:${project.'cas.version'}"
     }
 }
 apply plugin: "de.undercouch.download"

app/src/main/java/de/triology/cas/authentication/LegacyDefaultAuthenticationEventExecutionPlan.java

@@ -0,0 +1,92 @@
+package de.triology.cas.authentication;
+
+import org.apereo.cas.authentication.handler.ByCredentialSourceAuthenticationHandlerResolver;
+import org.apereo.cas.authentication.handler.DefaultAuthenticationHandlerResolver;
+import org.apereo.cas.authentication.principal.PrincipalResolver;
+import org.apereo.cas.util.CollectionUtils;
+import org.apereo.cas.util.spring.beans.BeanSupplier;
+import lombok.NonNull;
+import lombok.extern.slf4j.Slf4j;
+import lombok.val;
+import org.apache.commons.lang3.StringUtils;
+import org.jooq.lambda.Unchecked;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+import org.apereo.cas.authentication.AuthenticationHandlerResolver;
+import org.apereo.cas.authentication.DefaultAuthenticationEventExecutionPlan;
+import org.apereo.cas.authentication.AuthenticationHandler;
+import org.apereo.cas.authentication.AuthenticationTransaction;
+import org.apereo.cas.authentication.MultifactorAuthenticationHandler;
+import org.apereo.cas.authentication.AuthenticationException;
+
+import org.apereo.cas.multitenancy.TenantExtractor;
+
+@Slf4j
+public class LegacyDefaultAuthenticationEventExecutionPlan extends DefaultAuthenticationEventExecutionPlan {
+
+    private final Map<AuthenticationHandler, PrincipalResolver> authenticationHandlerPrincipalResolverMap = new LinkedHashMap<>(0);
+
+    public LegacyDefaultAuthenticationEventExecutionPlan(
+            AuthenticationHandlerResolver defaultAuthenticationHandlerResolver, TenantExtractor tenantExtractor) {
+        super(defaultAuthenticationHandlerResolver, tenantExtractor);
+    }
+
+    /**
+     * Only override the handler resolution. Everything else stays as-is.
+     */
+    @Override
+    public @NonNull Set<AuthenticationHandler> resolveAuthenticationHandlers(final AuthenticationTransaction transaction) throws Throwable {
+        // Use the public API of the parent
+        val handlers = super.getAuthenticationHandlers();
+        LOGGER.debug("Candidate/Registered authentication handlers for this transaction [{}] are [{}]", transaction, handlers);
+
+        val handlerResolvers = super.getAuthenticationHandlerResolvers(transaction);
+        LOGGER.debug("Authentication handler resolvers for this transaction are [{}]", handlerResolvers);
+
+        val resolvedHandlers = handlerResolvers.stream()
+            .filter(BeanSupplier::isNotProxy)
+            .filter(Unchecked.predicate(r -> r.supports(handlers, transaction)))
+            .map(Unchecked.function(r -> r.resolve(handlers, transaction)))
+            .flatMap(Set::stream)
+            .collect(Collectors.toCollection(LinkedHashSet::new));
+
+        // Fallback to a fresh DefaultAuthenticationHandlerResolver instance
+        if (resolvedHandlers.isEmpty()) {
+            LOGGER.debug("Resolvers produced no candidates. Using the default resolver fallback...");
+            var fallback = new DefaultAuthenticationHandlerResolver();
+            if (fallback.supports(handlers, transaction)) {
+                resolvedHandlers.addAll(fallback.resolve(handlers, transaction));
+            }
+        }
+
+        // Optional: filter by credential source, but *don’t* assume access to parent internals
+        val byCredential = new ByCredentialSourceAuthenticationHandlerResolver();
+        if (byCredential.supports(resolvedHandlers, transaction)) {
+            val credentialHandlers = byCredential.resolve(resolvedHandlers, transaction);
+            if (!credentialHandlers.isEmpty()) {
+                LOGGER.debug("Handlers resolved by credential source are [{}]", credentialHandlers);
+                resolvedHandlers.removeIf(handler ->
+                    !(handler instanceof MultifactorAuthenticationHandler)
+                    && credentialHandlers.stream().noneMatch(credHandler ->
+                        StringUtils.equalsIgnoreCase(credHandler.getName(), handler.getName())));
+            }
+        }
+
+        if (resolvedHandlers.isEmpty()) {
+            throw new AuthenticationException("No authentication handlers could be resolved to support the authentication transaction");
+        }
+        LOGGER.debug("Resolved and finalized authentication handlers for this transaction are [{}]", resolvedHandlers);
+        return resolvedHandlers;
+    }
+
+    @Override
+    public Set<AuthenticationHandler> getAuthenticationHandlers() {
+        val handlers = authenticationHandlerPrincipalResolverMap.keySet().toArray(AuthenticationHandler[]::new);
+        AnnotationAwareOrderComparator.sortIfNecessary(handlers);
+        return new LinkedHashSet<>(CollectionUtils.wrapList(handlers));
+    }
+}

app/src/main/java/de/triology/cas/oidc/config/CesOidcConfiguration.java

@@ -1,7 +1,10 @@
 package de.triology.cas.oidc.config;
 
+import de.triology.cas.authentication.LegacyDefaultAuthenticationEventExecutionPlan;
+import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
 import de.triology.cas.ldap.LdapOperationFactory;
 import de.triology.cas.ldap.UserManager;
+import de.triology.cas.oidc.beans.CesOAuthProfileRenderer;
 import de.triology.cas.oidc.beans.CesOidcClientRedirectActionBuilder;
 import de.triology.cas.oidc.beans.delegation.AttributeMapping;
 import de.triology.cas.oidc.beans.delegation.CesCustomDelegatedAuthenticationClientLogoutAction;
@@ -14,12 +17,14 @@
 import org.apereo.cas.configuration.CasConfigurationProperties;
 import org.apereo.cas.configuration.model.support.ldap.LdapAuthenticationProperties;
 import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder;
+import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
 import org.apereo.cas.authentication.principal.provision.DelegatedClientUserProfileProvisioner;
 import org.apereo.cas.util.LdapUtils;
 import org.ldaptive.PooledConnectionFactory;
 import org.pac4j.core.client.BaseClient;
 import org.pac4j.core.client.Client;
 import org.pac4j.core.client.Clients;
+import org.pac4j.core.context.WebContext;
 import org.pac4j.core.context.session.SessionStore;
 import org.pac4j.oidc.client.OidcClient;
 import org.pac4j.oidc.config.OidcConfiguration;
@@ -34,6 +39,10 @@
 import org.springframework.context.annotation.Primary;
 import org.springframework.webflow.execution.Action;
 import org.apereo.cas.config.CasOidcAutoConfiguration;
+import org.apereo.cas.authentication.principal.Service;
+import org.apereo.cas.multitenancy.TenantExtractor;
+import org.apereo.cas.authentication.AuthenticationHandlerResolver;
+import org.springframework.beans.factory.annotation.Qualifier;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -93,6 +102,23 @@ public CesDelegatedOidcClientsProperties cesDelegatedOidcClientsProperties() {
         return new CesDelegatedOidcClientsProperties();
     }
 
+    @Bean
+    @RefreshScope
+    public OAuth20UserProfileViewRenderer oauthUserProfileViewRenderer() {
+        return new CesOAuthProfileRenderer();
+    }
+    
+    @Bean
+    @Primary
+    @RefreshScope
+    public AuthenticationEventExecutionPlan authenticationEventExecutionPlan(
+        @Qualifier("defaultAuthenticationHandlerResolver")
+        AuthenticationHandlerResolver authenticationHandlerResolver, 
+        TenantExtractor tenantExtractor) {
+        return new LegacyDefaultAuthenticationEventExecutionPlan(authenticationHandlerResolver, tenantExtractor);
+    }
+
+
     /**
      * Creates OIDC client objects dynamically from the loaded properties.
      *
@@ -187,6 +213,11 @@ public List<Client> findAllClients() {
                 }
                 return new ArrayList<>(baseClients);
             }
+
+            @Override
+            public List<Client> findAllClients(Service service, WebContext context) {
+                return findAllClients();
+            }
 
             @Override
             public Optional<Client> findClient(String name) {

app/src/main/java/de/triology/cas/pm/CesLdapPasswordManagementService.java

@@ -39,8 +39,7 @@ public CesLdapPasswordManagementService(
             final PasswordHistoryService passwordHistoryService,
             final Map<String, ConnectionFactory> connectionFactoryMap) {
         super(cipherExecutor,
-        casProperties.getServer().getPrefix(),
-        casProperties.getAuthn().getPm(),      
+        casProperties,
         passwordHistoryService,
         connectionFactoryMap);