Wednesday, March 11, 2015

CAS - Central Authentication Service


This post gives a brief overview of CAS - Central Authentication Service, both as a protocol and as the single-sign-on solution for web services implemented by JASIG - Java in Administration Special Interest Group.

Before you dive in, there are a few terms you need to know:

  • What is multi-sign-on? We have multi-sign-on when there are multiple web applications, each with its own login form. Most probably you need a different username and password for each of them.
  • What is single-sign-on? Being able to log in only once in order to access multiple web applications. From my point of view the most obvious example is Google: you log in once to access all Google services like Gmail, Google Drive, Google+ or Google Analytics.

CAS - the protocol

CAS is a single-sign-on protocol which allows users to access multiple web services by providing their authentication credentials, usually a username and password, only once.

The entities involved in the protocol are the CAS server, the web service registered with CAS and the client web browser. The CAS server runs a CAS application instance. A registered service is a service which becomes accessible to the user after they successfully log in; the user reaches the service through a web browser. The password is only ever entered at the CAS server: a registered service never sees it, it receives a short-lived ticket which it then validates with the CAS server.

One of the best ways to start understanding the CAS protocol is to follow the sequence diagram available on JASIG's website at

CAS - the application

CAS, the application developed by JASIG, is open source software that implements the CAS protocol.

The application consists of a server component written in Java. The CAS developers also used Spring Web Flow and Spring MVC, which in my opinion is a very good thing: it lets other developers improve or customize CAS to their needs more easily, since they only need to understand these commonly used frameworks.

CAS ships with authentication handlers for different back ends, such as authenticating users against LDAP or a database. It is also easy to configure your own authentication handler, for example one that calls an external service.

As the registered services must also implement the CAS protocol, there are client libraries in different programming languages like Java, C#, PHP or Perl.

When is CAS useful and when is it not?

CAS is useful when you want to allow users to access multiple web applications by authenticating only once instead of multiple times. Since every application sees the same identity, you cannot have multiple users with the same username; this means that you want a single place in which usernames and passwords are stored.

One of the most problematic issues I have found in CAS is that it does not allow you to group the registered services which are accessible to a user after authenticating in CAS. For example, if I have four registered services, after a user with a certain role logs in he should be able to access only the first two of the four services, and a second user with other privileges should be able to access only the last two. From the short research I have done there is no support for this. One way to solve this would be to run two CAS instances; another would be to customize CAS to work with something similar to an ACL - Access Control List.
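The following is an added example (my own code, not JASIG's CAS) that simulates the protocol exchange from the "CAS - the protocol" section above, with all three parties in one script: the CAS server's /login and /serviceValidate endpoints, the registered service's ticket validation, and the browser's redirects. It also shows the per-service ACL idea from the paragraph above as a hypothetical add-on: each registered service URL maps to a required role, and the server refuses to issue a ticket when the user lacks it. The service URLs, user records, roles and the 10-second ticket lifetime are all assumptions (10 s is what I believe JASIG's default service-ticket timeout to be); the XML namespace and the INVALID_TICKET / INVALID_SERVICE codes are those of the CAS 2.0 protocol.

```python
"""Simulated CAS 2.0 SSO exchange (added example, not JASIG code; URLs, users, roles invented)."""
import secrets, time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"     # namespace of CAS /serviceValidate responses
ST_LIFETIME = 10                           # seconds; assumed, matches JASIG's default ST timeout
WIKI, HR = "https://wiki.example.edu/", "https://hr.example.edu/"   # constructed service URLs

def failure(code):
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationFailure "
            f"code='{code}'>ticket rejected</cas:authenticationFailure></cas:serviceResponse>")

class CasServer:
    def __init__(self, auth_handler, services, now=time.time):
        self.auth_handler = auth_handler   # pluggable credential check (LDAP, DB, remote API...)
        self.services = services           # registered URL -> required role (None: any user); hypothetical ACL add-on
        self.sessions = {}                 # TGT id (value of the CASTGC cookie) -> (user, roles)
        self.tickets = {}                  # ST id -> (service, user, issued_at); removed on use
        self.now = now

    def login(self, service, username=None, password=None, tgc=None):
        """/login?service=...: authenticate (or reuse the SSO cookie) and issue a service ticket."""
        if service not in self.services:
            raise PermissionError("service not registered")
        if tgc in self.sessions:           # existing SSO session: no password prompt
            user, roles = self.sessions[tgc]
        else:
            result = self.auth_handler(username, password or "")
            if result is None:
                raise PermissionError("authentication failed")
            user, roles = result
            tgc = "TGC-" + secrets.token_urlsafe(32)
            self.sessions[tgc] = (user, roles)
        need = self.services[service]
        if need and need not in roles:
            raise PermissionError(f"{user} may not use {service}")
        st = "ST-" + secrets.token_urlsafe(32)
        self.tickets[st] = (service, user, self.now())
        return tgc, service + ("&" if "?" in service else "?") + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """/serviceValidate?service=...&ticket=...: back-channel check made by the service."""
        st = self.tickets.pop(ticket, None)  # pop: a ticket validates at most once
        if st is None or self.now() - st[2] > ST_LIFETIME:
            return failure("INVALID_TICKET")
        if st[0] != service:                 # ticket presented by a different service
            return failure("INVALID_SERVICE")
        return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationSuccess>"
                f"<cas:user>{escape(st[1])}</cas:user></cas:authenticationSuccess>"
                "</cas:serviceResponse>")

USERS = {"alice": ("s3cret", {"staff", "admin"}), "bob": ("hunter2", {"staff"})}  # constructed

def demo_auth_handler(username, password):
    """Stand-in for an authentication handler: returns (user, roles) or None."""
    rec = USERS.get(username)
    if rec is None or not secrets.compare_digest(rec[0], password):
        return None
    return username, rec[1]

def validate_at_service(server, service, redirect_url):
    """Registered-service side: pull ?ticket= off the redirect and validate it with CAS."""
    ticket = parse_qs(urlsplit(redirect_url).query)["ticket"][0]
    root = ET.fromstring(server.service_validate(service, ticket))
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    if user is not None:
        return "OK", user.text
    return root.find(f"{{{CAS_NS}}}authenticationFailure").get("code"), None

def run_demo():
    clock = [1_700_000_000.0]              # fake clock so ticket expiry is reproducible
    server = CasServer(demo_auth_handler, {WIKI: None, HR: "admin"}, now=lambda: clock[0])
    out = {}
    tgc, redirect = server.login(WIKI, "bob", "hunter2")          # browser posts the login form
    out["first_use"] = validate_at_service(server, WIKI, redirect)
    out["replay"] = validate_at_service(server, WIKI, redirect)   # same ST presented again
    _, redirect = server.login(WIKI, tgc=tgc)                     # SSO: cookie only, no password
    out["wrong_service"] = validate_at_service(server, HR, redirect)
    _, redirect = server.login(WIKI, tgc=tgc)
    clock[0] += ST_LIFETIME + 1
    out["expired"] = validate_at_service(server, WIKI, redirect)
    try:
        server.login(HR, tgc=tgc)                                 # bob has no "admin" role
        out["bob_at_hr"] = "allowed"
    except PermissionError:
        out["bob_at_hr"] = "denied"
    _, redirect = server.login(HR, "alice", "s3cret")
    out["alice_at_hr"] = validate_at_service(server, HR, redirect)
    return out

if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the outcome of each step: the first validation succeeds, the replayed ticket and the expired ticket are rejected with INVALID_TICKET, a ticket issued for the wiki but presented by the HR service is rejected with INVALID_SERVICE, bob is refused a ticket for HR while alice gets one. The three checks in service_validate (single use, short lifetime, binding to the service URL) are what make it safe for the ticket to travel through the browser in a query string; the role check in login is the customization point the paragraph above asks for, and in a real deployment it would sit in the server's service registry rather than in a dictionary.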

Useful resources

Even though I am not an expert in developing applications which implement the CAS protocol or use the CAS application as a single-sign-on solution, I wanted to share what I know, and I hope that this will help other developers get started with CAS. I will also try to write a blog post describing a step-by-step CAS installation and configuration from scratch.

Your feedback and comments are more than welcome!

Good luck!
Robert Rusu