Developer Spot - Web Development Tutorials
Build and Implement A Single Sign-On Solution

By Chris Dunne
2004-01-28
A brief overview of CAS

Note that in the CAS protocol, your application never sees the user's password. The CAS server performs the authentication and only it sees the user's password. This increases overall security since the username and password are not passed across the network to other applications.

The following figure demonstrates the authentication flow path of a system that has a CAS server integrated.

Figure 1. How the CAS protocol performs authentication


The following are the main steps in the authentication protocol.

1. The user attempts to access an application using its URL. The user is redirected to the CAS login URL over an HTTPS connection, passing the name of the requested service as a parameter. The user is presented with a username/password dialog box.

2. The user enters ID and password details and CAS attempts to authenticate the user. If authentication fails, the target application never hears about it -- the user remains at the CAS server.

3. If authentication succeeds, CAS redirects the user back to the target application, appending a parameter called ticket to the URL. CAS also attempts to set an in-memory (browser session) cookie called a ticket-granting cookie. This allows automatic re-authentication later -- if the cookie is present, it indicates that the user has already logged in successfully, so the user avoids having to re-enter a username and password.

4. The application then validates that the ticket is genuine and represents a valid user by opening an HTTPS connection to the CAS serviceValidate URL and passing the ticket and service name as parameters. CAS checks that the supplied ticket is valid and is associated with the requested service. If validation succeeds, CAS returns the username to the application.

If you are programming to the Servlet 2.3 specification, you don't have to implement any of these steps yourself. A servlet filter handles the entire protocol; all you have to do is configure the filter parameters in the web.xml file. That's the approach I will take -- it means fewer changes to the application code in the portal.

An in-depth discussion of CAS is not within the scope of this article, so I encourage you to look in Resources for the articles from Yale University to determine if this is an authentication scheme that might suit your own purposes.


First published by IBM developerWorks