CAS is a centralised authentication server that makes it very easy to implement single sign-on (SSO) in java application, and is a very good OAuth alternative. For distributed/clustered environments CAS also offers integration with a number of caching technologies in order to support single-logout (SLO). Recently we had an issue on clustered Wildfly J2EE servers where we had to support SLO in our distributed spring-boot based applications. Infinispan is the default distributed caching technology used by Wildfly, and unfortunately we didn’t find any integration support provided by CAS for Infinispan. So I wrote an integration library for CAS & Infinispan, which is available on github under Apache License. This library makes it possible to achieve SLO in distributed J2EE applications on Wildfly.
In order integrate CAS on the client side add the following dependency to the application’s POM file:
<dependency> <groupId>org.kamranzafar.cas.client</groupId> <artifactId>cas-client-support-distributed-infinispan</artifactId> <version>1.1</version> </dependency>
We then lookup the distributed Infinispan cache using JNDI and use it as storage for CAS tickets. Please see my previous post for more information on Infinispan and Spring boot integration.
// Lookup the relevant Cache that will be used to store CAS proxy granting tickets @Bean public Cache defaultCache() throws NamingException { return (Cache) ((DefaultCacheContainer) new JndiTemplate().lookup("java:jboss/infinispan/container/sso")).getCache(); } . . . // Create the bean for InfinispanProxyGrantingTicketStorage @Bean public ProxyGrantingTicketStorage proxyGrantingTicketStorage(){ return new InfinispanProxyGrantingTicketStorage(defaultCache()); } . . . // Setup CasAuthenticationFilter to use Infinispan CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter(); casAuthenticationFilter.setProxyGrantingTicketStorage(proxyGrantingTicketStorage()); . . // Setup Cas20ProxyTicketValidator to use Infinispan Cas20ProxyTicketValidator cas20ProxyTicketValidator = new Cas20ProxyTicketValidator("..."); cas20ProxyTicketValidator.setProxyGrantingTicketStorage(proxyGrantingTicketStorage());
With this CAS will use the distributed Infinispan on Wildfly to cache the authentication tickets. The authentication tickets are deleted on user logout. So now when the user logs out from one of the applications, deployed on Wildfly, he/she will be logged out from all the clustered applications; hence achieving single-logout (SLO).
For more information please see the CAS-Infinispan integration client on Github.