I won't go over the general principles of CAS, since there is plenty about them online, but the specific interaction process is not clearly described there, hence this article. If there are errors, please point them out.
Logon process
When a user accesses a client web app of a CAS service for the first time (access URL: http://192.168.1.90:8081/web1), the CAS AuthenticationFilter deployed in the client web app intercepts the request, generates the service parameter, and redirects the browser to the login page of the CAS server. The URL is:
https://cas:8443/cas/login?service=http%3A%2F%2F192.168.1.90%3A8081%2Fweb1%2F&logoutUrl=http%3A%2F%2F192.168.1.90%3A8081%2FWEB1%2FLOGOUT%2F
This URL carries two addresses. One is the address to jump to after login completes. The other is the logout URL of the service the user is currently accessing; it is saved on the CAS server and used when the user logs out.
After successful authentication, the CAS server generates an authentication cookie, writes it to the browser, and caches the cookie on the server.
The CAS server also generates a ticket based on the service parameter; the ticket is saved on the server and appended to the URL.
The request is then redirected back to the client web app with the URL http://192.168.1.90:8081/web1/?ticket=ST-5-Sx6eyvj7cPPCfn0pMZuMwnbMvxpCBcNAIi6-20.
When the client's AuthenticationFilter sees the ticket parameter, it lets the request through to be processed by the TicketValidationFilter behind it.
The TicketValidationFilter uses the HttpClient tool to call the /serviceValidate interface of the CAS server, passing the ticket and the service. The interface verifies the validity of the ticket, and if the TicketValidationFilter gets a success message, it writes the user information to the web application's session.
At this point the SSO session is established. From then on, when the user accesses this web app in the same browser, the AuthenticationFilter reads the user information from the session and does not go to CAS for authentication.
If the same browser accesses another web application, that application's AuthenticationFilter cannot find the user information in its session and redirects to the CAS login interface. CAS then reads the cookie from the browser, so it does not require the user to log in on the login page; instead it generates a ticket based on the service parameter and goes through the ticket validation interaction with that web application.
Log out process
When the CAS server receives a logout request, it checks the user's TGC cookie, clears the corresponding session, and finds the URLs of all application servers that logged in through this TGC's SSO session. It then submits a callback request to each of these logout URLs, and every callback request includes a logoutRequest parameter.
Every application server that receives the request (that is, every CAS client) parses this parameter, gets the session ID, looks up the session by this ID and deletes it. This implements single logout: the user cannot continue operating on that application and has to log in again.
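The client side of the two exchanges described above (the /serviceValidate reply during login and the logoutRequest callback during logout), as an added example that is not code from the CAS client itself. The class name `CasClientSessions`, the user `alice` and the XML messages are constructed for illustration; the sketch assumes the callback's SessionIndex element carries the service ticket issued at login, which the client maps to its local session ID.

```python
import secrets
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

CAS_NS = "{http://www.yale.edu/tp/cas}"
SAMLP_NS = "{urn:oasis:names:tc:SAML:2.0:protocol}"

class CasClientSessions:
    """Hypothetical in-memory session store for one CAS client web app."""

    def __init__(self):
        self.sessions = {}           # local session id -> user name
        self.ticket_to_session = {}  # service ticket -> local session id

    def on_validate_response(self, ticket, xml_text):
        """Handle the /serviceValidate reply; return a session id or None."""
        root = ET.fromstring(xml_text)
        user = root.find(f"{CAS_NS}authenticationSuccess/{CAS_NS}user")
        if user is None or not (user.text or "").strip():
            return None  # authenticationFailure or malformed reply: no session
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user.text.strip()
        self.ticket_to_session[ticket] = sid  # remembered for single logout
        return sid

    def on_logout_request(self, xml_text):
        """Handle the logoutRequest callback; True if a session was removed."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return False
        index = root.find(f"{SAMLP_NS}SessionIndex")
        if root.tag != f"{SAMLP_NS}LogoutRequest" or index is None:
            return False
        sid = self.ticket_to_session.pop((index.text or "").strip(), None)
        return self.sessions.pop(sid, None) is not None

# Constructed sample messages (not captured traffic).
TICKET = "ST-5-Sx6eyvj7cPPCfn0pMZuMwnbMvxpCBcNAIi6-20"
VALIDATE_OK = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationSuccess><cas:user>alice</cas:user>'
               '</cas:authenticationSuccess></cas:serviceResponse>')
VALIDATE_FAIL = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                 '<cas:authenticationFailure code="INVALID_TICKET">not recognized'
                 '</cas:authenticationFailure></cas:serviceResponse>')
LOGOUT = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'ID="LR-1" Version="2.0"><samlp:SessionIndex>' + TICKET +
          '</samlp:SessionIndex></samlp:LogoutRequest>')
```

Because the logout callback arrives as an ordinary HTTP request, the handler removes a session only when the SessionIndex matches a ticket this client actually validated, and a replayed or unknown logoutRequest is a no-op.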
Note: The above content was compiled from material found online. If it infringes on your rights, please contact me.
CAS SSO Single Sign-on logon process and logout process principle explanation