Jasig CAS - authentication server

    If you are developing web applications, you are probably faced with the task of implementing single sign on. In this short article, I will briefly describe a complete solution from Jasig .

    Short description

    Jasig CAS (Central Authentication Service) is a web application written in java. To start using it, almost nothing needs to be done. You need to download, configure, assemble, deploy. And set up clients (sites on which we do single sign on).

    Scheme of work

    How CAS works can be understood from this diagram:


    Yandex and Google use a similar scheme.

    Consider it in steps:
    • 1. The user opens a web application.
    • 2. The request so far is received not by CAS, but by the application.
    • 3. Our web application understands that the user does not have a session and redirects the user to CAS. For the user, everything is simple - he opened the application and immediately saw the login page.
    • 4. User enters login / password
    • 5. CAS validates them.
    • 6. And generates a random set of characters - "ticket". In the future, he will identify the user.
    • 7. The request is redirected to our web application, the ticket is passed as a parameter.
    • 8. Our web application asks CAS if there is a user with this ticket.
    • 9. If there is, in response, CAS sends the user login and other data (which depends on how you configure).

    How to setup

    Own authorization method

    First, we need to define our logic for checking the username and password. To do this, we need to override the class org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler:

    package mypack;
     * @author http://habrahabr.ru/users/nucleotide/
    public class MyAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
     protected final boolean authenticateUsernamePasswordInternal( // true, если успешная аутенификация
            final UsernamePasswordCredentials credentials)
            throws AuthenticationException {
    return credentials.getUsername().equals(credentials.getPassword());

    After that, you need to change the configuration of the Spring context so that CAS knows that it is necessary to use MyAuthenticationHandler.
    If you know little about Spring, then you can search for it on the hub or read the documentation at www.springsource.org .
    In CAS, the main Spring configuration that we may need is in the deployerConfigContext.xml file. Add our class:

    . . . . .
    . . . . .

    Everything that we may need for a login (for example, dataSource) can also be injected in the context of Spring:

    . . . . .
    . . . . .


    To deploy, you will need a server with jvm installed and some kind of DBMS. Even if you do not use the DBMS for authorization, CAS uses it to store its service tables.
    In these tables it stores lists of addresses on which authorization through this server is possible.
    For example, if we need to log in to example.com through our CAS, but it is not in the list, then authorization will be unsuccessful (recall: the address of the site on which the login occurs is passed as a parameter). You do not need to use any lists at all, allowing you to log in with any addresses.

    How to set up a client

    Jasic already has some ready-made libraries for working with CAS (for java, .net and php). In the case of Java, these are ready-made HTTP filters that you just need to configure (how to do this, read here: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1 ) .
    Or create your own, inheriting it from org.jasig.cas.client.util.AbstractCasFilter.

    Everything else is a refinement and customization to your needs. From my own experience I can say that the deployment and refinement of CAS is not a very complicated and long process. You can attach captcha and statistics, of course, design.

    Links: You
    can take it on the download page The
    picture is taken from here:
    Jasig: http://www.jasig.org/cas
    List of portals where CAS is already in use: http://www.jasig.org/cas/deployments
    License: http: / /www.jasig.org/cas/license

    Also popular now: