Information Security 13 min read

Understanding Session Mechanisms, Session Sharing, and SSO with CAS Implementation

This article explains the challenges of multiple system logins, reviews traditional HTTP session handling, presents session sharing solutions like replication and Redis‑based central storage, and details a CAS‑based single sign‑on implementation with code examples, while also comparing CAS to OAuth2.


The article introduces the problem of multiple systems requiring separate logins and explains why unified authentication (SSO) improves user experience and security.

It first reviews traditional HTTP session mechanisms, how browsers store JSESSIONID in cookies, and the server‑side handling of session IDs.

In a clustered environment the article discusses the difficulty of sharing session data across nodes and presents two common solutions: session replication and centralized session storage, recommending Redis for the latter.

It then describes the challenges of multi‑service login and presents a CAS‑based SSO solution, detailing the ticket flow, ticket‑to‑session conversion, and the interaction between the authentication domain and business services.

Key implementation code is provided: a UserForm Java bean, a Spring MVC login controller, a LoginFilter that validates the session, and an SSOFilter that converts a ticket into a session via Redis.

The UserForm bean (imports added):

```java
import java.io.Serializable;

// Login form bean; Serializable so it can be stored in the session and in Redis.
public class UserForm implements Serializable {
    private static final long serialVersionUID = 1L;
    private String username;
    private String password;
    private String backurl;   // business-service URL to return to after login

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getBackurl() { return backurl; }
    public void setBackurl(String backurl) { this.backurl = backurl; }
}
```

The LoginFilter for session validation in a single application (imports added):

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Every request except the login pages must come with a session holding the user.
public class LoginFilter implements Filter {
    public static final String USER_INFO = "user";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Object userInfo = request.getSession().getAttribute(USER_INFO);
        String requestUrl = request.getServletPath();
        if (!"/toLogin".equals(requestUrl) && !requestUrl.startsWith("/login") && userInfo == null) {
            // Not logged in: forward to the login page
            request.getRequestDispatcher("/toLogin").forward(request, response);
            return;
        }
        filterChain.doFilter(request, servletResponse);
    }

    @Override
    public void destroy() {}
}
```

The SSOFilter for ticket processing via Redis (imports added; the RedisTemplate is typed instead of raw):

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.data.redis.core.RedisTemplate;

// Business-service side of the SSO flow: without a session, look for a ticket issued by
// the authentication domain, swap it for the user stored in Redis, then consume the ticket.
public class SSOFilter implements Filter {
    private final RedisTemplate<String, Object> redisTemplate;
    public static final String USER_INFO = "user";

    public SSOFilter(RedisTemplate<String, Object> redisTemplate) {
        this.redisTemplate = redisTemplate;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Object userInfo = request.getSession().getAttribute(USER_INFO);
        String requestUrl = request.getServletPath();
        if (!"/toLogin".equals(requestUrl) && !requestUrl.startsWith("/login") && userInfo == null) {
            String ticket = request.getParameter("ticket");
            if (ticket != null) {
                userInfo = redisTemplate.opsForValue().get(ticket);
            }
            if (userInfo == null) {
                // No session and no valid ticket: send the user to the authentication domain
                response.sendRedirect("http://127.0.0.1:8080/toLogin?url=" + request.getRequestURL().toString());
                return;
            }
            // Ticket resolved to a user: establish the local session and consume the ticket
            UserForm user = (UserForm) userInfo;
            request.getSession().setAttribute(SSOFilter.USER_INFO, user);
            redisTemplate.delete(ticket);
        }
        filterChain.doFilter(request, servletResponse);
    }

    @Override
    public void destroy() {}
}
```
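To show the whole ticket exchange rather than only the business-service filter, here is an added, self-contained model of the flow (example code, not from the article): the authentication domain issues a random, short-lived ticket into a store, redirects back with it, and the business service redeems it exactly once. The in-memory FakeRedis, the TICKET_TTL_SECONDS value, the ALLOWED_SERVICES allowlist and the user table are assumptions constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL_SECONDS = 30                                          # assumption: short-lived ticket
ALLOWED_SERVICES = {"app1.example.test", "app2.example.test"}    # constructed allowlist of back URLs


class FakeRedis:
    """In-memory stand-in for the central Redis ticket store (constructed for this example)."""
    def __init__(self):
        self._data = {}  # ticket -> (value, expires_at)

    def set_ex(self, key, value, ttl, now=None):
        now = time.time() if now is None else now
        self._data[key] = (value, now + ttl)

    def get_del(self, key, now=None):
        """Fetch and delete in one step so a ticket can be redeemed at most once."""
        now = time.time() if now is None else now
        value, expires_at = self._data.pop(key, (None, 0))
        return value if value is not None and now < expires_at else None


@dataclass
class AuthDomain:
    """The authentication domain: verifies credentials and issues tickets."""
    store: FakeRedis
    users: dict = field(default_factory=lambda: {"alice": "s3cret"})  # constructed user table

    def login(self, username, password, backurl, now=None):
        if self.users.get(username) != password:
            return None
        if urlparse(backurl).hostname not in ALLOWED_SERVICES:   # only redirect to known services
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)                # unguessable one-time ticket
        self.store.set_ex(ticket, {"username": username}, TICKET_TTL_SECONDS, now)
        return backurl + "?" + urlencode({"ticket": ticket})      # the redirect the browser follows


def redeem_ticket(store, redirect_url, now=None):
    """Business-service side (the SSOFilter step): swap the ticket for the user, or None."""
    ticket = parse_qs(urlparse(redirect_url).query).get("ticket", [None])[0]
    if ticket is None:
        return None
    return store.get_del(ticket, now)   # None means: send the user to the login page
```

A replayed or expired ticket returns None, which is the case the filter must treat as "not logged in".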

Finally, the article compares CAS with OAuth2, highlighting that CAS secures client‑side resource access while OAuth2 protects server‑side resources, and invites readers to ask questions.

Tags: Java, Redis, Spring, Authentication, CAS, session management, Single Sign-On

Written by

Architect

Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.
