This is the official home of the Java Apereo CAS client. The client consists of a collection of Servlet filters that are suitable for most Java-based web applications. It also serves as an API platform to interact with the CAS server programmatically to make authentication requests, validate tickets and consume principal attributes.
All client artifacts are published to Maven central. Depending on functionality, applications will need include one or more of the listed dependencies in their configuration.
git clone git@github.com:apereo/java-cas-client.git
cd java-cas-client
mvn clean package
<dependency>
<groupId>org.apereo.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas.client</groupId>
<artifactId>cas-client-support-saml</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas.client</groupId>
<artifactId>cas-client-support-distributed-ehcache</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas.client</groupId>
<artifactId>cas-client-support-distributed-memcached</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
<dependency>
<groupId>org.apereo.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>${java.cas.client.version}</version>
</dependency>
The client provides multiple strategies for the deployer to provide client settings. The following strategies are supported:
JNDI)PROPERTY_FILE). The configuration is provided via an external properties file. The path may be specified in the web context as such:<context-param>
<param-name>configFileLocation</param-name>
<param-value>/etc/cas/file.properties</param-value>
</context-param>
If no location is specified, by default /etc/java-cas-client.properties will be used.
SYSTEM_PROPERTIES)WEB_XML)DEFAULT)In order to instruct the client to pick a strategy, strategy name must be specified in the web application's context:
<context-param>
<param-name>configurationStrategy</param-name>
<param-value>DEFAULT</param-value>
</context-param>
If no configurationStrategy is defined, DEFAULT is used which is a combination of WEB_XML and JNDI.
web.xmlThe client can be configured in web.xml via a series of context-params and filter init-params. Each filter for the client has a required (and optional) set of properties. The filters are designed to look for these properties in the following way:
init-params for a parameter matching the required property name.context-params for a parameter matching the required property name.init-params and the context-params, the init-param takes precedence. Note: If you're using the serverName property, you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.
An example application that is protected by the client is available here.
The AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.apereo.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://www.acme-client.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
| Property | Description | Required |
|---|---|---|
casServerUrlPrefix |
The start of the CAS server URL, i.e. https://localhost:8443/cas |
Yes (unless casServerLoginUrl is set) |
casServerLoginUrl |
Defines the location of the CAS server login URL, i.e. https://localhost:8443/cas/login. This overrides casServerUrlPrefix, if set. |
Yes (unless casServerUrlPrefix is set) |
serverName |
The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes |
service |
The service URL to send to the CAS server, i.e. https://localhost:8443/yourwebapp/index.html |
No |
renew |
specifies whether renew=true should be sent to the CAS server. Valid values are either true/false (or no value at all). Note that renew cannot be specified as local init-param setting. |
No |
gateway |
specifies whether gateway=true should be sent to the CAS server. Valid values are either true/false (or no value at all) |
No |
artifactParameterName |
specifies the name of the request parameter on where to find the artifact (i.e. ticket). |
No |
serviceParameterName |
specifies the name of the request parameter on where to find the service (i.e. service) |
No |
encodeServiceUrl |
Whether the client should auto encode the service url. Defaults to true |
No |
ignorePattern |
Defines the url pattern to ignore, when intercepting authentication requests. | No |
ignoreUrlPatternType |
Defines the type of the pattern specified. Defaults to REGEX. Other types are CONTAINS, EXACT, FULL_REGEX. Can also accept a fully-qualified class name that implements UrlPatternMatcherStrategy. |
No |
gatewayStorageClass |
The storage class used to record gateway requests | No |
authenticationRedirectStrategyClass |
The class name of the component to decide how to handle authn redirects to CAS | No |
method |
The method used by the CAS server to send the user back to the application. Defaults to null |
No |
The following types are supported:
| Type | Description |
|---|---|
REGEX |
Matches the URL the ignorePattern using Matcher#find(). It matches the next occurrence within the substring that matches the regex. |
CONTAINS |
Uses the String#contains() operation to determine if the url contains the specified pattern. Behavior is case-sensitive. |
EXACT |
Uses the String#equals() operation to determine if the url exactly equals the specified pattern. Behavior is case-sensitive. |
FULL_REGEX |
Matches the URL the ignorePattern using Matcher#matches(). It matches the expression against the entire string as it implicitly add a ^ at the start and $ at the end of the pattern, so it will not match substring or part of the string. ^ and $ are meta characters that represents start of the string and end of the string respectively. |
The SAML 1.1 AuthenticationFilter is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.apereo.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://somewhere.cas.edu:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://www.the-client.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
| Property | Description | Required |
|---|---|---|
casServerUrlPrefix |
The start of the CAS server URL, i.e. https://localhost:8443/cas |
Yes (unless casServerLoginUrl is set) |
casServerLoginUrl |
Defines the location of the CAS server logi |
$ claude mcp add java-cas-client \
-- python -m otcore.mcp_server <graph>