1.7.0

• Upgrade to Spring Security 6.x and Jakarta EE 9 (thanks to @basil).
• Compatibility with Jenkins 2.476 and higher (requires Java 17).
• Incompatibility with Jenkins 2.475 and lower, please make sure to upgrade CAS plugin and Jenkins together.

1.6.3

• Fixed session fixation vulnerability (SECURITY-3000, see 2023-05-16 security advisory).

1.6.2

• Added explicit dependency on JAXB plugin (JENKINS-68455).

1.6.1

• Fixed open redirect vulnerability (SECURITY-2387, see 2021-06-30 security advisory).

1.6.0

• Added option to customize validation URL parameters in advanced protocol configuration.
• Allow using {{attribute}} placeholders in Full Name and Email Attribute configuration (e.g. {{firstName}} {{lastName}} or {{uid}}@example.com).
• Fixed handling of empty attributes.

1.5.0

• Compatibility with Jenkins 2.266 and higher (replacement of Acegi Security with Spring Security, see JEP-227).
• Incompatibility with Jenkins 2.265 and lower (for the reason above), please make sure to upgrade CAS plugin and Jenkins together.
• Added support for CAS 3.0 JSON protocol format.
• Added option to control redirection to CAS after logging out of Jenkins.

1.4.3

• Fixed login redirect loop caused by changes in Jenkins 2.160 and 2.150.2 LTS (SECURITY-901, see 2019-01-16 security advisory).

1.4.2

• Fixed security issue (SECURITY-809, see 2018-06-04 security advisory)

1.4.1

• Fixed NullPointerException in SessionUrlAuthenticationSuccessHandler, that could occur when coming back from CAS on some servlet containers (JENKINS-46993).
• Fixed NullPointerException in Cas10Protocol, when using an empty Groovy role parsing script (JENKINS-45441).

1.4.0

• Fixed security issues related to Groovy script execution in CAS Protocol 1.0 configuration (SECURITY-488, see 2017-04-10 security advisory).