Older CAS RC release notes changelog links broken?

[Baron Fujimoto]

I'm preparing for a CAS upgrade from 7.0.8 to 7.2 and wanted to review the release notes changelogs for anything we needed to be aware of. (I'm not sure why, but it seems like only release candidates really get useful information of this nature.)

Currently it appears that all of the documentation for older (7.1, 7.2) RC changelogs only points to the changelogs for 7.3 RC versions.

E.g. on the Release Notes page for 7.1.0-RC6 <https://github.com/apereo/cas/releases/tag/v7.1.0-RC6>, the linked changelogs for previous RC versions all link to 7.3 changelogs:

• <https://apereo.github.io/cas/development/release_notes/RC1.html>

• <https://apereo.github.io/cas/development/release_notes/RC2.html>

• etc

• Busted portal gun 404 for changelogs that don't yet exist for 7.4 (RC6)

Are the older changelogs still available? I seem to recall seeing potentially important items in there when previously skimming them.

--

Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

[Baron Fujimoto]

This is problematic, because when I build and deploy 7.2.5, I now get the following error logged. 

=====

ERROR [org.springframework.boot.context.properties.migrator.PropertiesMigrationListener] - <
The use of configuration keys that are no longer supported was found in the environment:

Property source 'bootstrapProperties-casCompositePropertySource':
        Key: management.endpoints.enabled-by-default
                Reason: Replacement key 'management.endpoints.access.default' uses an incompatible target type


Please refer to the release notes or reference guide for potential alternatives.
>
ERROR [org.apereo.cas.util.spring.boot.BeanDefinitionStoreFailureAnalyzer] - <Error creating bean due to: Failed to process import candidates for configuration class [org.apereo.cas.web.CasWebApplication]: Error processing condition on org.springframework.boot.actuate.autoconfigure.audit.AuditEventsEndpointAutoConfiguration  caused by MutuallyExclusiveConfigurationPropertiesException: The configuration properties 'management.endpoints.access.default, management.endpoints.enabled-by-default' are mutually exclusive and 'management.endpoints.access.default, management.endpoints.enabled-by-default' have been configured together >
DEBUG [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <Application failed to start due to an exception>
ERROR [org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter] - <

***************************
APPLICATION FAILED TO START
***************************

Description:

Error creating bean due to: Failed to process import candidates for configuration class [org.apereo.cas.web.CasWebApplication]: Error processing condition on org.springframework.boot.actuate.autoconfigure.audit.AuditEventsEndpointAutoConfiguration  caused by MutuallyExclusiveConfigurationPropertiesException: The configuration properties 'management.endpoints.access.default, management.endpoints.enabled-by-default' are mutually exclusive and 'management.endpoints.access.default, management.endpoints.enabled-by-default' have been configured together

Action:

Review the properties available for the configuration. Enable debug logging on org.apereo.cas.util.spring.boot.BeanDefinitionStoreFailureAnalyzer to see exception stack trace
>

=====

I believe these are the sorts of issues typically mentioned in the missing changelogs. I seem to recall there also being something about the use of groovy scripts that I cannot currently find. We incorporate a groovy script in some of our service registrations, so this is also a concern.

[Baron Fujimoto]

FWIW, I was able to get past this error by removing the deprecated property "management.endpoints.enabled-by-default=true". The error message seems to suggest the property "management.endpoints.access.default" as a replacement, but I can't find information about this property in the CAS documentation.

I did find Spring Boot documentation[1] that identifies one possible valid value ("none") for this property, but not any other possible valid values.

For CAS, the default appears to be sort of consistent with "none" since it seems I have to explicitly enable any actuator endpoints if I want to use anything besides just "health" and "info" (e.g. "throttles" and "duoPing").

Furthermore the CAS documentation[2] states, "that by default the only endpoints exposed over the web are info, status, health and configurationMetadata." However, even if the status endpoint is explicitly enabled the same way as for health and info, it still rejects access to status.

cas.properties:

management.endpoints.web.base-path=/actuator
management.endpoints.web.exposure.include=health,info,status,throttles,duoPing
management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.status.enabled=true
management.endpoint.throttles.enabled=true
management.endpoint.duoPing.enabled=true
cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1, [...more IP addrs...]

This results in the following logs that demonstrate the difference between attempted access to "health" and "status" endpoints:

DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing HEAD /actuator/health>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured HEAD /actuator/health>
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /actuator/status>
DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Set SecurityContextHolder to anonymous SecurityContext>
DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - <Saved request https://cas66.pvt.hawaii.edu:8443/cas/actuator/status?continue to session>
DEBUG [org.springframework.security.web.authentication.Http403ForbiddenEntryPoint] - <Pre-authenticated entry point called. Rejecting access>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Securing GET /error>
DEBUG [org.springframework.security.web.FilterChainProxy] - <Secured GET /error>

I seem to recall the status endpoint may have been deprecated at some point, but I can't find confirmation in the CAS documentation. If so, is the current documentation erroneous in stating that it may be exposed? If not, how do you also get status to work?

[1] <https://docs.spring.io/spring-boot/reference/actuator/endpoints.html>

[2] Example from the Endpoint details popup window at <https://apereo.github.io/cas/7.2.x/monitoring/actuators/Actuator-Endpoint-Info.html>

[Ray Bon]

Baron,

There is this release note about the change https://apereo.github.io/cas/7.2.x/release_notes/RC2.html#actuator-endpoints

For a list of values for 'access' see https://apereo.github.io/cas/7.2.x/monitoring/actuators/Actuator-Endpoint-Auditevents.html click on the green book icon beside 'Provides information about ...' then click on the Configuration tab.

There is also 

Management.endpoints.web.exposure.include= [*|comma separated list]

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Baron Fujimoto <ba...@hawaii.edu>
Sent: August 12, 2025 11:37
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Re: Older CAS RC release notes changelog links broken?

 

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL0VE779MvaL2oj0Qfpfo9N3Jg%3DtEXYbiguYipRscTz2eA%40mail.gmail.com.

[Baron Fujimoto]

Thank you! The URL pattern <https://apereo.github.io/cas/7.2.x/release_notes/RC2.html> provides an example of how I can directly access the Release Notes for these versions. However, the documentation for older (7.1, 7.2) links to RC changelogs/release notes still point to the changelogs for 7.3 RC and not the expected older versions.

I'm also still somewhat confused by the documentation and/or logged error(s). I have the following in cas.properties (consistent with the information in the Configuration tab information):

management.endpoints.web.exposure.include=health,info

management.endpoint.health.enabled=true

management.endpoint.info.enabled=true

I also have:

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS

cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1, [...more IP addrs...]

I use "defaults" endpoints there because though this isn't discussed in the CAS documentation AFAICT, I think I found the use of the defaults in the spring documentation somewhere (unfortunately I can't locate it again now).

Although things appear to work, on startup the following error is logged:

ERROR [org.springframework.boot.context.properties.migrator.PropertiesMigrationListener] - <
The use of configuration keys that are no longer supported was found in the environment:

Property source 'bootstrapProperties-casCompositePropertySource':

        Key: management.endpoint.health.enabled
                Reason: Replacement key 'management.endpoint.health.access' uses an incompatible target type
        Key: management.endpoint.info.enabled
                Reason: Replacement key 'management.endpoint.info.access' uses an incompatible target type

Please refer to the release notes or reference guide for potential alternatives.
>

I don't understand the references to the replacement keys, because I don't see these discussed in the CAS docs, nor are they present in my cas.properties. Is this an actual error I should be addressing?

Finally, another aspect of the documentation I found confusing was that  under the Configuration tab, there are gear icon links for each property "How can I configure this property?" that if you click on them does nothing other than clear the popup window and dim the popup parent window with no good/apparent way to cancel/exit that state.

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB0081E136102BABA62F28C6ADCE2AA%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.

[Ray Bon]

Baron,

The release note form of the  property is correct, The one in the docs has not been updated.

This url should bring you to the 7.1 release notes https://apereo.github.io/cas/7.1.x/release_notes/Overview.html 

Depending on which endpoints you want to use, some of them will have to be explicitly added to the properties; defaults only covers a few.

I never tried the gear icon before; it is definitely not working.

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Baron Fujimoto <ba...@hawaii.edu>

Sent: August 19, 2025 19:53
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] Re: Older CAS RC release notes changelog links broken?

 

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1W90SdsTWxM3ivYH%2BBjUi5A1sYj46-30cNwbnB0bbU%2Bg%40mail.gmail.com.

[Baron Fujimoto]

The fact that defaults only covers a few properties is unfortunate, as I think the expectation is that it should cover anything that is not otherwise explicitly overridden. That is after all the generally accepted meaning of a default.

Since the defaults are not discussed in the CAS docs as far as I can tell, does this then suggest that the defaults endpoint should not be used, and rather than 

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.required-ip-addresses=127.0.0.1, [...more IP addrs...]

Should these properties instead explicitly identify specific endpoints even though you would like the same settings applied to each? E.g..:

cas.monitor.endpoints.endpoint.health.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.health.required-ip-addresses=127.0.0.1, [...more IP addrs...]

cas.monitor.endpoints.endpoint.info.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.info.required-ip-addresses=127.0.0.1, [...more IP addrs...]

... etc.

That seems rather reduplicative, and prone to error by typo, omission, or other careless error. :/

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB0081B21BD029A0EAB8BFD039CE33A%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.

[Ray Bon]

I think defaults is defined (maybe by spring) for about a half dozen actuators; but I do not know which.

https://fawnoos.com/blog/ may have some info.

But if you want a lot of actuators, you will have a large config file 🙁

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Baron Fujimoto <ba...@hawaii.edu>

Sent: August 26, 2025 16:22

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3r%3DnAgSoNyHJSV_6ajZyOLYSfSgDCiZdH_RsidyA8PJA%40mail.gmail.com.