June 17, 2019

CAS 5.2 SSO and Spring Security

This article provides an example on Apereo CAS web Single Sign-On (SSO) integrated with a single or multiple web applications based on Spring Security. As centralized access control system, CAS is responsible for authenticating users and granting access to the “CASified” protected webapps (also called CAS clients or CAS services).
The client-server communication covered in this post is ticket-based and takes place by using the CAS 3.0 protocol (other authentication protocols supported by the CAS server are SAML, OpenID, OAuth). Let we take a look at the architecture.


  • Apereo CAS 5.2.3
  • Spring Security 5.0.3.RELEASE
  • Spring MVC 5.0.3.RELEASE
  • LDAP Active Directory 2012
  • JDK 1.8.0_112
  • Maven 3.5.0

SOURCE CODE (/giuseu/spring-mvc)

git clone https://gitlab.com/giuseppeurso-eu/spring-mvc

NOTE: Code examples covered in this article, are located under the project mvc-security-cas

CAS Server Setup

The first thing to do is to download the pre-built CAS web application server from the CAS git repository and enable an authentication handler. There are a variety of authentication handlers and schemes supported by CAS. In this example, I enable LDAP support by including the dependency in the pom.xml.

Protected webapps (services) must be registered in the CAS server services registry. The following dependency enables service registration via a JSON configuration.

Two JSON file that contains the definition of the client applications. The convention for the file name must be <serviceName>-<serviceNumericId>.json

I have to configure CAS to connect to the LDAP server for authentication handling. Also make sure CAS runs on HTTPS otherwise the web SSO functionality will not work.

Single Sign On NOT WORKS if you access CAS server over non-secure connection HTTP.
In order to have SSO on work, you must log in over HTTPS.

CAS Client Setup

The code covered in this article uses Spring MVC and Spring Security frameworks for the web application project (CAS client). In order to integrate a webapp with the CAS server, first of all I have to add the dependency for the Spring Security CAS module.

To initialize the web application context, I use the annotation-based approach as opposed to the traditional web.xml-based approach.
I configure the ServletContext with any servlets, filters, listeners, context-params and so on, in the WebappInitializer. This class implements Spring WebApplicationInitializer.

Annotated definition of Spring beans representing CAS authentication service. Goal of CasConfigurer class is to centralize all the configuration properties of the CAS Server.

SecurityConfigurer class which extends Spring WebSecurityConfigurerAdapter. This class initializes Spring Security and allows customization of the web based security.

Finally the controller that handles requests directed to “/sso-login” and root web context “/”


Related posts

Leave a Reply

Your email address will not be published.