...
Project Structure
CAS is distributed as a top level "parent" Maven project contains a set of "subprojects" in subdirectories. The POM at the top "parent" level lists the subprojects that are to be compiled.
Every CAS Server requires the cas-server-core subproject which contains about 95% of the CAS code. Yale also uses the cas-server-support-ldap optional subproject to access Active Directory using LDAP protocol to authenticate users and passwords.
Yale includes the cas-server-integration-ehcache project to use Ehcache as the ticket replication mechanism for CAS clustering.
CAS includes the cas-server-support-trusted project, although at any given time it may not be used. "Trusted" means that CAS allows some external agency to authenticate users. If we ever use the ability of the F5 to validate X.509 User Certificates and to turn the validated netid into an extended HTTP Header, then the code in this project will provide the support or at least provide a model for the use of this support.
The only Yale optional subproject that is fully used is cas-server-expired-password-change. This supports the Yale custom mechanism to check if passwords have been changed in the last year and redirect the user to the Netid (Change your Password) application if necessary.
The cas-server-preferences module is a Yale customization that was never used but which poses no particular problem if the user navigates to /cas/preferences he is supposed to be presented with a menu of options to customize CAS behavior on this browser. Selections are saved as a Cookie, which is then available to customize the CAS behavior in all subsequent logins. It could be used to enable CAS options that we don't want to present to a user unless he specifically requested themcontaining subdirectories each of which is a Maven subproject that builds a component (a JAR or WAR file). The order in which the subprojects are processed is determined by the order of <module> statements in the parent. You build first files that other projects use, and later the projects that use them. Generally you build server-core first, then the optional JAR files. You have to create the WAR after you have built all the JAR files that go into it.
The parent project is supposed to provide global dependency management. That is, it should ensure that every project that uses commons.io uses Version 2.4 and that in the end it is Version 2.4 of the JAR file that ends up in the WAR and therefore is used at run time.
Unfortunately, the JASIG parent project also includes some "open source project legal boilerplat" steps that insure that copyleft statements are in order and that all the Gnu and Apache license statements for included libraries are properly disclosed. That is important for JASIG, but Yale does not need it for its internal modifications and releases and we don't have the expertise to conform to build NOTICE and other boilerplate files. We do, however, need the dependency management because we include code that uses commons.io and we also have to compile against Version 2.4 just like everyone else.
So the first step in adapting any new CAS release is to merge the previous Yale top level project POM with the new one from JASIG.
First, you have to remove the reference to a undistributed JASIG parent (that is a parent to your parent) that is referenced only by a URL and stored on a JASIG server. That drags in the legal boilerplate processing.
Then you have to make sure that you update the version numbers at the end to be the new version numbers distributed by JASIG. You should also make sure that any new dependency management entries have been added. If there are changes to the Maven plugin configurations, you have to read the manual and figure out if they are helpful or a problem.
Then you copy over the Yale custom projects (expired-password-change, preferences, CushyTicketRegistry, and the Yale-webapp or "cas-server-war" project). They become additional subdirectories.
Now for the big step. Yale does not want to make changes to JASIG project source, but sometimes there are problems that only show up when you run in JBoss, or bugs in code that supports features that Yale does not need or use, and we may make some custom changes to a JASIG project if it is important.
So the starting point would ideally be that we do not build local custom copies of any JASIG subproject but only build the new Yale custom projects. If that is going to be the case, then you would comment out all the JASIG <module> statements in the parent project (because we would then use vanilla JASIG JAR and template-WAR files from the JASIG repository) and you would add <module> files for each Yale project subdirectory you just copied over.
If you make a single change to any JASIG project, you have to give it a new Yale Version ID to distinguish it from the vanilla artifact, then change the version number of dependencies in other projects.
Note that the vanilla cas-server-webapp project creates a Template WAR file that is then modified by the Yale-webapp project which uses the recommended technique of WAR Overlay process. WAR Overlay can add new files and replace old files in a WAR, but it is not automatically able to change the version number of dependencies.
Therefore, suppose you start with a vanilla cas-server-core for release "3.5.2.1" (and all the JASIG modules are commented out). However, there is a bug and you have to change one line of code. You now have to create a Yale modified artifact with a new release ID. At this point Yale takes advantage of the fact that JASIG starts out at 3.*.* releases, so Yale can number its release 1.*.* without conflict. The corresponding Yale releases to 3.5 are Yale's 1.1, so you uncomment the <module> for server-core in the parent project, and in the server-core POM you change the release from 3.5.2.1 to 1.1.x-SNAPSHOT (whatever the current Yale version is for all the other Yale projects).
Bugfixes typically don't change method signatures, so it probably doesn't matter if a project compiling source to build a JAR uses 3.5.2.1 or 1.1.x-SNAPSHOT during the compile. However, the cas-server-webapp project Version 3.5.2.1 if it is not changed will have included the cas-server-core JAR Version 3.5.2.1 and that JAR will be in the WEB-INF/lib. So either you have to also modify the cas-server-webapp project to be Version 1.1.x-SNAPSHOT and to depend on the 1.1.x-SNAPSHOT Version of server-core, or else you are going to have to make the Yale-webapp WAR Overlay project both delete the 3.5.2.1 server-core JAR file (by adding it to the exclude list in the maven-war-plugin configuration in the POM) and then add the 1.1.x-SNAPSHOT JAR file (by changing the version number in the Dependency list).
Yale developed a package of optional CAS code under the brand name CUSHY. All the CUSHY code is in the cas-server-support-CusyTicketRegistry project, but while the entire project is built, currently CAS at Yale only uses one bean based on one class (CushyClusterConfiguration) and ignores the rest of the code. The CushyClusterConfiguration bean is added to the TicketRegistry XML Spring configuration file to configure Ehcache after discovering the current environment (sandbox, dev, test, prod). Echache needs a configuration file that lists all the other nodes in the cluster. Without this bean, we would need to keep a separate configuration file for each server and the Jenkins install job would have to install the correct file on each machine. Automatically configuring the file based on discovering the hostname of the current machine is much simpler.
...