This document is an evolution of Drew Mazurek's Using CAS With Java HTML / Word document. It provides information about the Java Filter, JSP Tag, and core Java objects provided in the Java CAS Client.
The CAS filter is the simplest way of CAS-protecting your Java Servlets application.
Just a few lines of XML need to be added to your web application's deployment descriptor (web.xml):
In this case, any URL beneath /webapp/cas-protected would require a CAS login. If you want to protect your entire web application, you can simply put /* for the URL pattern:
The serverName initialization parameter does not require a port number if you are using the standard HTTP port (80).
You can specify other initialization parameters to configure the behavior of the filter:
Required CASFilter init-params
Optional CASFilter init-params
Consuming the results of CASFilter
Once the user has logged into your application through the filter, the application may access the user's name through the session attribute, edu.yale.its.tp.cas.client.filter.user, or if you import edu.yale.its.tp.cas.client.filter.CASFilter in your JSP or servlet, simply CASFilter.CAS_FILTER_USER.
Additionally, the client application may access a CASReceipt JavaBean-style object which exposes the username as well as additional information about the successful authentication, in the session attribute edu.yale.its.tp.cas.client.filter.receipt .
Session attributes set by CASFilter
Read more about CAS Filter behavior.
CAS Tag Library
The CAS Tag Library is a another way to authenticate users' access to JSP pages. JSP Tags cannot be used in servlets, so if you need CAS protection within a servlet environment, you can use either the CAS Filter or the CAS Java objects (see below); the former is recommended.
To use the tag library, once casclient.jar is installed in your web application's /WEB-INF/lib directory, you need to add the following to the top of a JSP page you wish to protect:
The user will not see any part of the page past the <cas:auth /> tags until he/she has logged in. If the user hasn't logged in yet, a redirect to the CAS login page will be performed.
Also provided with the CAS Tag Library is a logout tag:
CAS Java Objects
You may also authenticate users "manually" using the CAS Java objects. In this case, you would instantiate a new ServiceTicketValidator or ProxyTicketValidator. Notice that in the example below, the page already expects to receive a ticket parameter (this is the servlet that CAS returned to after the user logged in). If this servlet was accessed directly by a user, it would need to check that the request parameter, ticket, was not null. If it was null, the servlet would need to redirect to the CAS login page manually.
The proxy ticket validator is almost identical, except it allows you to validate service tickets or proxy tickets. This class contains one additional method, getProxyList(), which accesses the list of URLs through which the authentication was proxied.
In order to obtain proxy tickets, the proxy callback listener must be set up as a servlet in the application's web.xml: