Mastering CAS SSO: Step‑by‑Step Guide to Build Single Sign‑On with Java

This article explains the concepts of Single Sign‑On (SSO) and the Central Authentication Service (CAS), then provides a detailed, code‑rich tutorial for setting up a CAS server, configuring clients, disabling HTTPS for development, and testing the end‑to‑end SSO workflow using Java and Spring.

Top Architect

1. Overview

1.1 What is Single Sign-On (SSO)?

Single Sign-On (SSO) allows a user to log in once and access multiple trusted applications without re‑authenticating.

1.2 What is CAS?

CAS (Central Authentication Service) is an open‑source solution that originated at Yale and provides a reliable SSO method. It consists of a server and a client and is easy to integrate into enterprise applications.

Official site: https://www.apereo.org/projects/cas

CAS features include:

Open‑source enterprise‑grade SSO solution

CAS Server can be deployed independently for web applications

CAS Client supports many platforms such as Java, .Net, PHP, Ruby, etc.

With CAS, the system architecture evolves as shown below:

The architecture consists of two parts: CAS Server and CAS Client.

CAS Server handles user authentication and must be deployed separately.

CAS Client processes protected resource requests, redirecting unauthenticated users to the CAS Server.

Next, we will build CAS step by step to achieve SSO.

1.3 Development environment requirements

JDK 1.8+, Maven 3.6, IntelliJ IDEA, Tomcat 9.0+, Windows 10.

2. CAS Server setup

2.1 Download CAS server package

Version 5.3

Download overlay from: https://github.com/apereo/cas-overlay-template/tree/5.3

Compressed package: cas-overlay-template-5.3.zip

After extraction, build with:

build.cmd package

Locate the generated WAR file in the build directory.

2.2 Deploy and test the server

Place the WAR into Tomcat's webapps directory and start Tomcat.

Access URLs: http://localhost:8080/cas or http://localhost:8080/cas/login

Default credentials are defined in \webapps\cas\WEB-INF\classes\application.properties (username: casuser, password: Mellon).

2.3 CAS Server configuration

2.3.1 Disable HTTPS

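CAS uses HTTPS by default, which requires a certificate. For development you can switch to HTTP by editing the configuration file \cas\WEB-INF\classes\application.properties. Setting cas.tgc.secure=false drops the Secure flag from the ticket‑granting cookie (TGC) so that the browser sends it over plain HTTP, and cas.serviceRegistry.initFromJson=true initializes the service registry from the default JSON service definitions shipped with CAS:

cas.tgc.secure=false
cas.serviceRegistry.initFromJson=true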

Then edit the service definition at \cas\WEB-INF\classes\services\HTTPSandIMAPS-10000001.json so that its serviceId pattern also accepts http URLs:

"serviceId": "^(https|http|imaps)://.*"
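The pattern above matches every http, https and imaps URL, so every application reachable over those schemes is treated as a registered service. The following added example (not code from the original article or from the CAS project) uses java.util.regex to compare it with a pattern scoped to the two clients configured later in this guide. The class name, the scoped pattern and the sample URLs are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: compares the guide's wide-open serviceId pattern with a scoped one.
public class ServiceIdScopeCheck {

    // Pattern from section 2.3.1 of this guide.
    static final String OPEN = "^(https|http|imaps)://.*";
    // Assumption: a pattern limited to the two local clients (ports 9010 and 9011).
    static final String SCOPED = "^http://localhost:(9010|9011)(/.*)?$";

    // Constructed sample service URLs; only the first two are the guide's clients.
    static final List<String> CANDIDATES = Arrays.asList(
            "http://localhost:9010/test1",
            "http://localhost:9011/test2",
            "http://localhost:9012/other",
            "http://localhost:9010.example.test/",
            "https://unregistered.example.test/app");

    // Returns, per candidate URL, whether the serviceId pattern matches it,
    // i.e. whether the URL would be treated as a registered service.
    static Map<String, Boolean> evaluate(String serviceIdRegex, List<String> urls) {
        Pattern pattern = Pattern.compile(serviceIdRegex);
        Map<String, Boolean> verdicts = new LinkedHashMap<>();
        for (String url : urls) {
            verdicts.put(url, pattern.matcher(url).matches());
        }
        return verdicts;
    }

    public static void main(String[] args) {
        Map<String, Boolean> open = evaluate(OPEN, CANDIDATES);
        Map<String, Boolean> scoped = evaluate(SCOPED, CANDIDATES);
        for (String url : CANDIDATES) {
            System.out.printf("%-40s open=%-5s scoped=%s%n", url, open.get(url), scoped.get(url));
        }
        // Count the URLs outside the expected client set that the open pattern accepts.
        long unexpected = CANDIDATES.stream().skip(2).filter(open::get).count();
        System.out.println("Unexpected services matched by the open pattern: " + unexpected);
    }
}
```

Both patterns are anchored, so the verdicts are the same whether the matcher performs a full or a partial match.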

3. CAS Client configuration

Add the following dependency to pom.xml:

<dependency>
    <groupId>net.unicon.cas</groupId>
    <artifactId>cas-client-autoconfig-support</artifactId>
    <version>2.1.0-GA</version>
</dependency>

Client 1 application.yml:

server:
  port: 9010
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9010
  validation-type: cas3

Enable CAS in the main class with @EnableCasClient.

Test controller for client 1:

import io.swagger.annotations.Api;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Api(description = "SSO-CAS test")
public class TestController {
    @GetMapping("/test1")
    public String test1() {
        return "test1....";
    }
}

Client 2 application.yml:

server:
  port: 9011
cas:
  server-url-prefix: http://localhost:8080/cas
  server-login-url: http://localhost:8080/cas/login
  client-host-url: http://localhost:9011
  validation-type: cas3

Enable CAS in the main class with @EnableCasClient.

Test controller for client 2:

import io.swagger.annotations.Api;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Api(description = "SSO-CAS test")
public class TestController {
    @GetMapping("/test2")
    public String test2() {
        return "test2....";
    }
}

Testing steps:

Start the CAS server.

Start client 1 and client 2.

Visit http://localhost:9010/test1. You will be redirected to the CAS login page.

After logging in (e.g., on client 2), accessing http://localhost:9010/test1 again will succeed without re‑login.
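The redirect and the login-free second visit in the test steps rest on the CAS 3.0 protocol selected by validation-type: cas3. As an added example that goes beyond what the article spells out (it is not code from the article or from the CAS client library), this sketch builds the login redirect and the ticket-validation URL for client 1 and parses a validation response with DOCTYPE processing disabled. The class name, the service URL, the ticket and both XML responses are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example: the CAS 3.0 exchange behind the test steps, using client 1's settings.
public class Cas3ExchangeSketch {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";
    static final String SERVER_PREFIX = "http://localhost:8080/cas"; // cas.server-url-prefix
    static final String SERVICE = "http://localhost:9010/test1";     // assumed service URL

    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, StandardCharsets.UTF_8.name());  // JDK 8 compatible
    }
    // Step 1: where the client filter sends a browser that has no local session.
    static String loginRedirect() throws Exception {
        return SERVER_PREFIX + "/login?service=" + enc(SERVICE);
    }
    // Step 2: back-channel request the client makes with the ticket it received.
    static String validationUrl(String ticket) throws Exception {
        return SERVER_PREFIX + "/p3/serviceValidate?service=" + enc(SERVICE) + "&ticket=" + enc(ticket);
    }
    // Step 3: return the user name only for exactly one authenticationSuccess, else null.
    static String parseUser(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so a response cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList ok = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (ok.getLength() != 1) return null;
        NodeList user = ((Element) ok.item(0)).getElementsByTagNameNS(CAS_NS, "user");
        return user.getLength() == 1 ? user.item(0).getTextContent().trim() : null;
    }
    public static void main(String[] args) throws Exception {
        // Constructed ticket and responses, not captured from a running server.
        String open = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>";
        String success = open + "<cas:authenticationSuccess><cas:user>casuser</cas:user>"
                + "</cas:authenticationSuccess></cas:serviceResponse>";
        String failure = open + "<cas:authenticationFailure code='INVALID_TICKET'>"
                + "not recognized</cas:authenticationFailure></cas:serviceResponse>";
        System.out.println(loginRedirect());
        System.out.println(validationUrl("ST-1-constructed-sample"));
        System.out.println("success -> " + parseUser(success));
        System.out.println("failure -> " + parseUser(failure));
    }
}
```

With the HTTP settings from section 2.3.1, both the redirect carrying the service ticket and the validation call travel unencrypted, which is why that configuration is limited to development.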

This completes the SSO test using CAS.
