
The current official version is 3.3.3. You should immediately upgrade to this version for security reasons. Note that as of 3.1.11 the Maven2 info has changed: the groupId is now org.jasig.cas.client.

The JA-SIG CAS Client for Java 3.1 is a reworking of the original Yale CAS Client and the newer JA-SIG CAS Client for Java 3.0. Both were excellent for different reasons: the Yale client had minimal dependencies and could get you up and running quickly while the JA-SIG client offered a more flexible configuration and conformed to more modern "best practices" but came with a large number of dependencies.

The JA-SIG CAS Client for Java 3.1 looks to offer the best of both worlds. In its default configuration mode, it can be configured completely in the web.xml and has only one dependency, Commons Logging, which most applications use anyway. However, if you need the more advanced configuration you can easily configure the CAS client using Spring (and take its jars along with you (wink) ).

Going forward, the JA-SIG CAS Client for Java 3.1 will be included in projects requiring a Java CAS Client, such as Spring Security.


Configuring the CAS Client

Let's take a look at how to configure the JA-SIG CAS Client for Java 3.1:

Order of Required Filters

How to configure the filters is described on the pages above. This section details the order in which the filters should appear:

  1. SingleLogOutFilter (if you're using it)
  2. AuthenticationFilter
  3. TicketValidationFilter (whichever one is chosen)
  4. HttpServletRequestWrapperFilter
  5. AssertionThreadLocalFilter

Please note that the order of the filters is determined by the filter-mapping elements, not by the filter definitions.


Recommended Logout Procedure

The CAS Client for Java has no code to help you handle log out. The client merely places objects in session. Therefore, we recommend you do a session.invalidate() call when you log a user out. However, that's entirely your application's responsibility.

The CAS Client for Java team has recommended guidelines for logout pages for CAS Clients. We recommend that text similar to the following appear when the application's session is ended.

Recommended logout text

You have been logged out of APPLICATION NAME GOES HERE.

To log out of all applications, click here. (provide link to CAS server's logout)


Git source code access

Point your favorite git client at the link below:



  1. [Tue Jun 19 23:17:32 2012] [error] [client] MOD_AUTH_CAS: Error parsing XML content for '30f368ef33f39be7338eed2810bc558e' (Internal error), referer:;jsessionid=CE160556B99DA7DE0F453C38A9FE073A

    Does anybody know about this error?


  2. I'm an experienced programmer but new to CAS. Would it be possible to give a bit more explanation of basic things? For example, it's nice to know that this client is an improvement on two others, but first I'd like to know whether this is the thing I'm looking for, that lets me use an existing CAS server to authenticate users in my application. And is it a standalone library, a server plus a small client library, a separately deployed package, some combination of these, or something else? No explanation, so turn to the code. The download (3.2.1) seems to contain the source (with maven build files) and the built output as well–24 jars, 8 of which start with "cas-client". So, probably a library...but there's Tomcat jars in there, so no guarantees.

    Similarly, configuring the client is no doubt important, but would it be possible to give equal attention to integrating it with an application? Perhaps a section titled "Using the CAS Client"? Maybe the examples will make it clearer, explaining the different choices to be made. I'll be searching through all the links available, but it would be nice for beginners if the path were more clear.

    (edited to reflect website changes)

  3. There are three links that show how to configure it via (a) Spring, (b) web.xml, and (c) JNDI, as well as more links/examples if you expand the left navigation (i.e. for Tomcat container authentication). There's also a reference to the Maven2 GroupId (for use with Maven2, Ivy, Gradle, etc.) and a link to download the zip (or the jars directly from Maven). Further, there's a link to the Github source directly. My Confluence page seems to be missing a CSS style. Are the links not visible to you due to some rendering issue?

    1. I can see the links you mention. It wasn't clear that what I want to do is "configure" this; to me that means "tweak settings" rather than "integrate with application". From the examples, it's becoming clearer that it is, indeed, what I was looking for. However, I'm still trying to figure out stuff that I think ought to have been made explicit. Here's some suggested introductory text that would have saved me several hours of poking around (from a newcomer, it undoubtedly has errors, but it gives the flavor of what I had hoped to find):

      CAS Client is a set of configurable servlet filters or Spring beans that guard access to a web application based on authorization from a CAS Server(link to server doc). The CAS Client intercepts the HTTP request and performs authentication and authorization. If not authenticated or if the user is not authorized for the application, the request is blocked; if permitted, the request is allowed to continue to the web application. For more information, see (link to architecture doc).

      By doing authentication and authorization before the request arrives at the web application, the application can use CAS Client without source code changes or even without recompiling. All that needs to be done to enable CAS authentication is to configure the application server to use the client filters or beans before the application receives the request. For simple applications, no other changes should be needed. For more complex applications that have different levels of service or individual authorization for various operations, there may be some changes needed for the application to bypass existing authentication or for the application to use the CAS authorization information to provide the appropriate level of service.

      Why would I need to be told this? I'm a newcomer, arriving only with a vague idea that CAS is some sort of authentication and authorization system/method/protocol/package that I might want to use with my application. I don't know yet what I've found. I had originally expected to be looking at a library, with a Java API I would call from Java code to get authentication/authorization info ("Java client" has multiple interpretations, and that was what I thought of first). I think the filter architecture is a good one, but it took me a while to realize what I was looking at.

      Also, our project isn't fortunate enough to be using Maven2-compatible dependencies; we're still talking about moving from Ant to Gradle. I haven't yet figured out which jars in the tarball I downloaded are needed and which I can leave out. I'll figure it out eventually, but that's time I will be forced to spend that would be saved by clear explanations.

      1. We're always happy to update documentation to make it more clear (though, note, since you have an account, you can update it).  I just wasn't sure if you weren't seeing the links or if it was something else.  

        Also, even if your project is using Ant, you can use Ivy to download dependencies. You also don't need Maven to download it from the repository. You can browse/search the Maven repository (or click the link) and download the JAR directly. No need to go through TARs unless you want to.

        Finally, just a note that the Java client, like most other security libraries, integrates directly with the Servlet API's security methods, namely Request#getRemoteUser and Request#getUserPrincipal.

        You are also welcome to ask any questions you need to on our user list:

  4. How do I identify a CAS session in normal Java code? I have included the cas-client-core 3.2.1 jar file in my workspace, and I have also included the authentication filter in my web.xml. It is working, but apart from this I want to know how to identify a CAS session, say in a Java servlet, without using the authentication filter. Please help me with this.

  5. I am using the CAS server (3.4.10) in https mode and the development server (CAS client 3.1.0) in http mode.

    I am using these filters on the client side







    but I found

    final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

    is always null,

    so AuthenticationFilter always sends a request to the CAS server to create a new ticket.

    Also, when trying to view the value of

     final Assertion assertion = session != null ? (Assertion) session.getAttribute(AuthenticationFilter.CONST_CAS_ASSERTION) : null;

    in my controller, it will always be null.

    Can you please explain why it is null and how this can be fixed? Thanks in advance.







  6. Is CAS suitable for a Java desktop application?