The Central Authentication Service (CAS) is a single-sign-on/single-sign-off protocol for the web. It permits a user to access multiple applications while providing their credentials (such as userid and password) only once to a central CAS Server application.
– CAS Protocol Specification
CAS is an open source, platform-independent, central single sign-on (SSO) service that supports a variety of well-known protocols. Spring Security has first-class support for CAS, and integrating with it is straightforward for an enterprise that already runs a central CAS server. CAS itself is built on Spring Framework, and its architecture is simple, as shown in the following diagram:
The CAS server is a Java servlet-based application built on Spring Framework (Spring MVC and Spring Web Flow). It authenticates users and grants them access to CAS-enabled services.
Upon successful login, the server creates an SSO session and issues a ticket-granting ticket (TGT); subsequent calls from the client are validated against the back end using this token.
The CAS client is a CAS-enabled application that communicates with the CAS server using one of the supported protocols (CAS, SAML, OAuth, and so on). Client libraries are already available for a number of languages, and many applications have adopted this approach; well-known examples include Atlassian products (JIRA and Confluence) and Drupal.
The following diagram shows the authentication flow (sequence diagram) involving a CAS server and client:
Let's see a working hands-on example now. We will create a CAS server and then a client that connects to that server to authenticate its users.
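Before building the real server and client, it helps to see the ticket flow from the diagrams above as a runnable model. The following Python script is an added example, not code from the book, Spring Security or Apereo CAS: it simulates a CAS server and two CAS-enabled applications, with constructed user accounts, constructed service URLs (`app-a.example.test`, `app-b.example.test`, `cas.example.test`) and a constructed service-ticket lifetime. It walks through the first login at one application, the cookie-based SSO to a second application (TGT reused, no password prompt), and then three validations the server must refuse: a replayed service ticket, a ticket minted for a different service, and an expired ticket.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class ServiceTicket:
    value: str
    service: str      # the service URL this ST was issued for
    tgt: str          # the TGT (SSO session) it was minted from
    issued_at: float
    used: bool = False


class CasServer:
    """Toy CAS server (not the Apereo CAS code). A successful login creates an SSO
    session, represented by a TGT that the browser keeps in a cookie scoped to the
    CAS server. Each service visit yields a short-lived, single-use service ticket
    (ST) bound to that service's URL."""

    ST_TTL_SECONDS = 10.0  # constructed value for the demo

    def __init__(self, users, clock=time.time):
        self.users = users      # username -> password, constructed for the demo
        self.tgts = {}          # TGT value -> username
        self.sts = {}           # ST value -> ServiceTicket
        self.clock = clock      # injectable so expiry can be exercised offline

    def login(self, username, password, service):
        """Model of the /login form post: verify credentials, mint a TGT and the first ST."""
        if self.users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return tgt, self.issue_service_ticket(tgt, service)

    def issue_service_ticket(self, tgt, service):
        """Model of /login?service=... arriving with a valid TGT cookie: no password
        prompt, just a fresh ST for that service."""
        if tgt not in self.tgts:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = ServiceTicket(st, service, tgt, self.clock())
        return st

    def service_validate(self, service, ticket):
        """Model of /serviceValidate?service=...&ticket=...
        Returns (True, username) or (False, CAS-style error code)."""
        st = self.sts.get(ticket)
        if st is None or st.used:
            return False, "INVALID_TICKET"       # unknown or replayed ticket
        st.used = True                           # consumed on first validation attempt
        if st.service != service:
            return False, "INVALID_SERVICE"      # ST minted for a different service
        if self.clock() - st.issued_at > self.ST_TTL_SECONDS:
            return False, "INVALID_TICKET"       # expired
        return True, self.tgts[st.tgt]


class CasClient:
    """Toy CAS-enabled application. It never sees the TGT; it only receives an ST on
    its callback URL and validates it over a back channel to the CAS server."""

    def __init__(self, server, service_url, cas_base="https://cas.example.test/cas"):
        self.server = server
        self.service_url = service_url
        self.cas_base = cas_base

    def login_redirect(self):
        """Where an unauthenticated browser is sent."""
        return f"{self.cas_base}/login?{urlencode({'service': self.service_url})}"

    def handle_callback(self, request_url):
        """Browser returns with ?ticket=ST-...; validate it using the client's own
        configured service URL, never a value taken from the request."""
        ticket = parse_qs(urlparse(request_url).query).get("ticket", [None])[0]
        if ticket is None:
            return False, "NO_TICKET"
        return self.server.service_validate(self.service_url, ticket)


def run_flow():
    """Run the sequence: login at app A, SSO to app B, then three rejected validations."""
    now = [1000.0]
    server = CasServer({"alice": "s3cret"}, clock=lambda: now[0])
    app_a = CasClient(server, "https://app-a.example.test/secured")
    app_b = CasClient(server, "https://app-b.example.test/secured")
    result = {"login_redirect": app_a.login_redirect()}

    result["bad_password"] = server.login("alice", "wrong", app_a.service_url)
    tgt, st_a = server.login("alice", "s3cret", app_a.service_url)
    callback_a = f"{app_a.service_url}?ticket={st_a}"
    result["app_a"] = app_a.handle_callback(callback_a)
    result["replay"] = app_a.handle_callback(callback_a)        # same ST presented twice

    st_b = server.issue_service_ticket(tgt, app_b.service_url)  # TGT cookie, no re-login
    result["app_b"] = app_b.handle_callback(f"{app_b.service_url}?ticket={st_b}")

    st_b2 = server.issue_service_ticket(tgt, app_b.service_url)  # app B's ST shown to app A
    result["cross_service"] = app_a.handle_callback(f"{app_a.service_url}?ticket={st_b2}")

    st_old = server.issue_service_ticket(tgt, app_a.service_url)
    now[0] += 60                                                # past the ST lifetime
    result["expired"] = app_a.handle_callback(f"{app_a.service_url}?ticket={st_old}")
    return result


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step:15} {outcome}")
```

The three refusals in `service_validate` are the properties a real CAS deployment relies on: a service ticket is consumed on its first validation attempt, it is only accepted for the service URL it was minted for (which is why the client validates with its own configured URL rather than anything from the incoming request), and it lives only long enough for the browser round trip. The TGT never leaves the CAS server's cookie scope, so a client application cannot obtain tickets for other services on the user's behalf.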