Single Sign-On in CAS Server with java spring security

Single sign on

Central Authentication System is a Single-Sign-On Service. Let’s take a scenario of having different applications which requires users authentication. The most straightforward way is to create a security mechanism for each application. But it is better to implement a mechanism to perform authentication for all applications in single place.(i.e Single-Sign-On).

To understand how the CAS works and its protocol specification please refer this link.

SSO structure

There are two components involved in CAS. They are

  1. Setting the CAS server.
  2. Setting the CAS clients (i.e one or more applications) which connects with CAS server for authentication.

In this blog, we are going to check out how to build the CAS Server using spring boot.

The quickest way to implement and deploy the CAS server is by Maven-Overlay method.Here we look at the quick start template which can be cloned and used as a CAS server. Now we can modify the cas server according to our needs in our local system.

Here I am going to use jdbc for database authentication. Add the following dependencies in pom.xml.

<dependency><groupId>org.apereo.cas</groupId><artifactId>cas-server-support-jdbc</artifactId><version>${cas.version}</version></dependency><dependency><groupId>org.apereo.cas</groupId><artifactId>cas-server-support-jdbc-drivers</artifactId><version>${cas.version}</version></dependency>

Note: The CAS will automatically extract the latest version. So it is not necessary to specify the version.

Next create the src/main/resources folder and copy the contents of cas-server/etc in to it.

In Order to establish the https connection. we have to generate the local SSL keystore. You can generate the keystore by following the instructions using the given link.

Then the generated keystore has to be imported to the java cacerts keystore. It can be done using those terminal commands,

keytool -import -alias thekeystore -storepass changeit -file thekeystore.crt-keystore C:\ProgramFiles\Java\jdk1.8.0_152\jre\lib\security\cacerts”keytool -import -alias thekeystore -storepass changeit -file thekeystore.crt-keystore “C:\Program Files\Java\jre1.8.0_152\lib\security\cacerts”

In src/main/resources/application.properties add the following lines to configure the SSL keystore.

server.port=6443cas.standalone.config=classpath:/etc/cas/config

After successfully adding the keystore, we need to restart the system and eventually kill the running JVM.

Then generate the war file using command Maven → install and deploy it. Starting the server may take it some time when it is ready then it will print ready in the console. Now you can see the default login screen by visiting https://localhost:6443/cas.

The default username is casuser and password is Mellon.

Since we have connected the CAS with the static credentials, however in real time applications we need to connect the CAS server to the Database. We will show you how to connect CAS to the MSSQL Server.

Add the following data to the src/main/resources/application.properties file.

#cas.authn.accept.users=casuser::Melloncas.authn.accept.users=cas.authn.accept.name=#CAS Database Authentication Propertycas.authn.jdbc.query[0].sql=SELECT * FROM USER WHERE USERNAME= ?cas.authn.jdbc.query[0].url=jdbc:sqlserver://127.0.0.1:1433;databaseName=TESTcas.authn.jdbc.query[0].dialect=org.hibernate.dialect.SQLServer2012Dialectcas.authn.jdbc.query[0].user=rootcas.authn.jdbc.query[0].password=rootcas.authn.jdbc.query[0].ddlAuto=none#cas.authn.jdbc.query[0].driverClass=com.mysql.jdbc.Drivercas.authn.jdbc.query[0].driverClass=com.microsoft.sqlserver.jdbc.SQLServerDrivercas.authn.jdbc.query[0].fieldPassword=PASSWORDcas.authn.jdbc.query[0].passwordEncoder.type=DEFAULTcas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=NONEcas.authn.jdbc.query[0].passwordEncoder.characterEncoding=NONE

Leaving the field cas.authn.accept.users and cas.authn.accept.name as blank it will deactivate the static user repositories by the server.

According to the above SQL we have the database called TEST and it is having the table USER in which all user details are stored. The principal for the server is USERNAME. Also we have declared the password field as cas.authn.jdbc.query[0].fieldPassword=PASSWORD.

Apart from these, CAS server also supports encryption and character encoding. It can support many encryption mechanism such as BCRYPT. In this case it is set to NONE. Running the server now(Build) will enable the authentication of the users which are present in configured database.

That’s it. We had build the CAS server and it is ready to work. There are many other aspects from the CAS server and they can be configured by following the document using this link.

CAS login page

In next blog, will write about CAS client with spring security configuration.

If you enjoyed this article, feel free to hit that clap button 👏 to help others find it.

I have a passion for understanding technology at a fundamental level and Sharing ideas and code. * Aspire to Inspire before I expire* https://balavenkatesh.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store