Hi Paul,

With one and a half years of upgrading and maintaining our company CAS, I 
think I will share some of my experience on your questions here:

1. Is CAS flexible enough to extend to cater for future authentication 
requirements?
    - If your requirement is a standard requirement, you can usually see 
that implemented in CAS 5 or above
        - In my case, I have SAML2, CAS and OAuth2 together in both 
mobile and web, and they can all still do SSO, no problem
    - If you have some really custom authentication / authorization 
requirements (like us!), you can always use the custom authentication 
handler to customize your own stuff: 
https://apereo.github.io/2017/02/02/cas51-authn-handlers/
    - I can't say about the future, but I can give you some experience 
about the past:
        - The upgrade from CAS 4 to CAS 5 was very painful because CAS 
changed a lot from 4 to 5; the change from 4 to 5 is much greater than 
the one from 5 to 6.
        - However, after upgrading from 4 to 5, everything is still working 
completely fine (our company started with CAS 3), so the dev team in CAS 
definitely makes sure services are backward compatible

2. For high availability, in my company, the CAS service needs to be 
deployed to 2 or more datacenters
    - Our server is very stable with our own high availability setup; you 
might see some opinions of other people on this thread too: 
https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/david$20high$20availability%7Csort:date/cas-user/tCk7jJz5pnE/7cXWmHd0BgAJ

3. After adoption of CAS, all systems will make use of it / depend on it. I 
am worried about system update/patching as we cannot have a period to 
shut down all CAS instances for upgrade/patching
   - We also cannot have downtime during maintenance, but you (most of the 
time) don't need to shut down all CAS instances for an upgrade.
   - However, users might get logged out after the upgrade if the ticketing 
system (like Hazelcast) has been upgraded

4. Where can I find unknown security issues/vulnerabilities of each CAS 
version? I am just able to find this and the CAS security mailing list.
  - Don't quote me on that, but the security mailing list is also the only 
place I have found CAS vulnerabilities.
  - With CAS using a lot of libraries, it might be very difficult to 
keep track of all the vulnerabilities of all the libraries; in this regard I 
myself would just trust the CAS team and upgrade my server as frequently as 
possible

5. Unlike with a commercial product, we can't request to backport a fix from a 
newer version to an older version, but upgrading CAS seems not easy; how do 
you cater for that? Do you have a good strategy?
  - See this: https://apereo.github.io/cas/developer/Maintenance-Policy.html
  - If you use an old version of CAS (e.g. CAS 4), the dev team usually 
will not fix it
  - And... since CAS is an open source project, if you find some bug that 
needs fixing and is not on the priority list of the CAS dev team, usually 
they would ask you to help do the PR yourself
      - Or, you can just fix your own stuff using this guide here if your 
fix mostly only applies to your project: 
https://apereo.github.io/cas/5.3.x/installation/Configuration-Management-Extensions.html

6. For authorization (like, who can perform what function in which system) 
with OpenID Connect JWT tokens, has anybody tried to put the permissions in 
the scope field and check that for authorization? How do you enforce 
authorization? Does use of OAuth 2.0 UMA make the system more complicated?
  - I have no idea...

By the way, my opinion is going to favour CAS, otherwise I would not 
be here typing this sharing :) So, take this with a grain of salt

Cheers!
- Andy 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9c293c70-6cb6-41c8-ab5c-b743dd9758fb%40apereo.org.