
Analysis of CAS single sign-on principle

CAS is an open source single sign-on project initiated by Yale University and is also the most widely used open source project of its kind. It is a very good reference for learning SSO.

Single Sign On is referred to as SSO. It is mostly used in environments where multiple systems coexist: after users log in in one place, they do not need to log in again in the other systems. The simplest single sign-on implementation can be based entirely on cookies, by writing a token with login information to the browser to achieve multi-point login. Those who are interested can implement one themselves.

First, a borrowed picture:

From a structural point of view, it is divided into three parts: CAS Client, CAS Server, and the browser.

The CAS Client is deployed together with the protected client application. It protects the Web application's protected resources as a Filter and filters every Web request from the client.

Below I will divide it into two parts (the user's first login verification and subsequent login verification) to analyze the login principle in detail.

The above is the basic process for the first verification.

The key to crossing domains lies in the browser-side cookie: the TGC. Because this cookie is set on the SSO Server side, the unified ticket has nothing to do with the Client-side domain name.

The core of CAS single sign-on is a single cookie and N sessions.

In this protocol, all interactions with the CAS Server use the SSL protocol to ensure the security of the ST and the TGC.
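The "single cookie, N sessions" flow described above, as an added example that is not part of the original article or of the CAS code base: a toy in-memory model in which one TGC held by the CAS server lets two applications each create their own session. All class, function and URL names are hypothetical, the user data is constructed, and HTTP redirects and the SSL transport are left out.

```python
import secrets

class CasServer:
    """Toy in-memory CAS server (hypothetical names, not CAS's own code)."""
    def __init__(self, users):
        self.users = users   # username -> password (constructed sample data)
        self.tgts = {}       # TGC cookie value -> username, one per browser login
        self.sts = {}        # unused ST -> (service, username)

    def login(self, service, tgc=None, username=None, password=None):
        """Browser hits the login page; returns (tgc, st) or (None, None)."""
        if tgc not in self.tgts:  # no valid TGC: credentials are required
            if username not in self.users or not secrets.compare_digest(
                    self.users[username], password or ""):
                return None, None
            tgc = "TGC-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = username
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (service, self.tgts[tgc])
        return tgc, st

    def validate(self, service, st):
        """Client-to-server check: an ST is single-use and bound to one service."""
        issued_service, user = self.sts.pop(st, (None, None))
        return user if issued_service == service else None

class CasClientApp:
    """Protected application; handle() plays the role of the CAS Client filter."""
    def __init__(self, service, cas):
        self.service, self.cas, self.sessions = service, cas, {}

    def handle(self, session_id=None, st=None):
        """Return (status, session_id) for one incoming request."""
        if session_id in self.sessions:
            return "ok", session_id
        user = self.cas.validate(self.service, st) if st else None
        if user is None:
            return "redirect-to-cas", None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = user
        return "ok", session_id

def demo():
    cas = CasServer({"alice": "s3cret"})
    app1 = CasClientApp("https://app1.example/", cas)
    app2 = CasClientApp("https://app2.example/", cas)
    tgc, st1 = cas.login(app1.service, username="alice", password="s3cret")
    _, st2 = cas.login(app2.service, tgc=tgc)  # later login: TGC only
    return cas, app1, app2, tgc, st1, st2
```

The second application never sees the TGC or the password; it only receives an ST that the CAS server will accept once, and only for that application's own service URL.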