{"id":13848474,"url":"https://github.com/apereo/java-cas-client","last_synced_at":"2025-05-12T13:14:15.790Z","repository":{"id":2654448,"uuid":"3645037","full_name":"apereo/java-cas-client","owner":"apereo","description":"Apereo Java CAS Client","archived":false,"fork":false,"pushed_at":"2025-05-09T13:14:50.000Z","size":2948,"stargazers_count":933,"open_issues_count":3,"forks_count":600,"subscribers_count":68,"default_branch":"master","last_synced_at":"2025-05-09T14:29:51.986Z","etag":null,"topics":["authentication","cas-client","cas-server","java","servlet-container","sso"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apereo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://www.apereo.org/content/apereo-membership"]}},"created_at":"2012-03-07T02:29:34.000Z","updated_at":"2025-05-09T13:14:53.000Z","dependencies_parsed_at":"2023-07-05T18:31:55.116Z","dependency_job_id":"924a9090-48a3-4539-97db-2068dcf49a35","html_url":"https://github.com/apereo/java-cas-client","commit_stats":{"total_commits":1120,"total_committers":55,"mean_commits":"20.363636363636363","dds":0.7008928571428572,"last_synced_commit":"29a87ee9439fd988604cd028fbcd8011b9054cbd"},"previous_names":["jasig/java-cas-client"],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fjava-cas-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fjava-
cas-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fjava-cas-client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apereo%2Fjava-cas-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apereo","download_url":"https://codeload.github.com/apereo/java-cas-client/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253745196,"owners_count":21957319,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","cas-client","cas-server","java","servlet-container","sso"],"created_at":"2024-08-04T19:00:50.143Z","updated_at":"2025-05-12T13:14:15.737Z","avatar_url":"https://github.com/apereo.png","language":"Java","readme":"# Java Apereo CAS Client [![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.apereo.cas.client/cas-client-core/badge.svg?style=flat)](https://maven-badges.herokuapp.com/maven-central/org.apereocas.client/cas-client)\n\n\u003ca name=\"intro\"\u003e\u003c/a\u003e\n## Intro\nThis is the official home of the Java Apereo CAS client. The client consists of a collection of Servlet filters that are suitable for most Java-based web applications. It also serves as an API platform to interact with the CAS server programmatically to make authentication requests, validate tickets and consume principal attributes.\n\nAll client artifacts are published to Maven central. 
Depending on functionality, applications will need to include one or more of the listed dependencies in their configuration.\n\n\u003ca name=\"build\"\u003e\u003c/a\u003e\n## Build\n\n```bash\ngit clone git@github.com:apereo/java-cas-client.git\ncd java-cas-client\nmvn clean package\n```\n\n\n\u003ca name=\"components\"\u003e\u003c/a\u003e\n## Components\n\n- Core functionality, which includes CAS authentication/validation filters.\n\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n    \u003cartifactId\u003ecas-client-core\u003c/artifactId\u003e\n    \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n- Support for SAML functionality is provided by this dependency:\n\n```xml\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n   \u003cartifactId\u003ecas-client-support-saml\u003c/artifactId\u003e\n   \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n- Distributed proxy ticket caching with Ehcache is provided by this dependency:\n\n```xml\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n   \u003cartifactId\u003ecas-client-support-distributed-ehcache\u003c/artifactId\u003e\n   \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n- Distributed proxy ticket caching with Memcached is provided by this dependency:\n\n```xml\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n   \u003cartifactId\u003ecas-client-support-distributed-memcached\u003c/artifactId\u003e\n   \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n- Spring Boot AutoConfiguration is provided by this dependency:\n\n```xml\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n   
\u003cartifactId\u003ecas-client-support-springboot\u003c/artifactId\u003e\n   \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003ca name=\"configuration\"\u003e\u003c/a\u003e\n## Configuration\n\n### Strategies\nThe client provides multiple strategies for the deployer to provide client settings. The following strategies are supported:\n\n- JNDI (`JNDI`)\n- Properties File (`PROPERTY_FILE`). The configuration is provided via an external properties file. The path may be specified in the web context as such:\n\n```xml\n\u003ccontext-param\u003e\n    \u003cparam-name\u003econfigFileLocation\u003c/param-name\u003e\n    \u003cparam-value\u003e/etc/cas/file.properties\u003c/param-value\u003e\n\u003c/context-param\u003e\n```\nIf no location is specified, by default `/etc/java-cas-client.properties` will be used.\n\n- System Properties (`SYSTEM_PROPERTIES`)\n- Web Context (`WEB_XML`)\n- Default (`DEFAULT`)\n\nTo instruct the client to pick a strategy, the strategy name must be specified in the web application's context:\n\n```xml\n\u003ccontext-param\u003e\n    \u003cparam-name\u003econfigurationStrategy\u003c/param-name\u003e\n    \u003cparam-value\u003eDEFAULT\u003c/param-value\u003e\n\u003c/context-param\u003e\n```\n\nIf no `configurationStrategy` is defined, `DEFAULT` is used, which is a combination of `WEB_XML` and `JNDI`. \n\n\u003ca name=\"client-configuration-using-webxml\"\u003e\u003c/a\u003e\n### Client Configuration Using `web.xml`\n\nThe client can be configured in `web.xml` via a series of `context-param`s and filter `init-param`s. Each filter for the client has a required (and optional) set of properties. 
The filters are designed to look for these properties in the following way:\n\n- Check the filter's local `init-param`s for a parameter matching the required property name.\n- Check the `context-param`s for a parameter matching the required property name.\n- If two properties are found with the same name in the `init-param`s and the `context-param`s, the `init-param` takes precedence. \n\n**Note**: If you're using the `serverName` property, you should note well that the fragment-URI (the stuff after the #) is not sent to the server by all browsers, thus the CAS client can't capture it as part of the URL.\n\nAn example application that is protected by the client is [available here](https://github.com/UniconLabs/cas-sample-java-webapp).\n\n\u003ca name=\"orgapereocasclientauthenticationauthenticationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.authentication.AuthenticationFilter\nThe `AuthenticationFilter` is what detects whether a user needs to be authenticated or not. If a user needs to be authenticated, it will redirect the user to the CAS server.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.authentication.AuthenticationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ecasServerUrlPrefix\u003c/param-name\u003e\n    \u003cparam-value\u003ehttps://battags.ad.ess.rutgers.edu:8443/cas\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eserverName\u003c/param-name\u003e\n    \u003cparam-value\u003ehttp://www.acme-client.com\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                              | Description                        
                                                                                                                                                                                      | Required                                 |\n|---------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|\n| `casServerUrlPrefix`                  | The start of the CAS server URL, i.e. `https://localhost:8443/cas`                                                                                                                                                       | Yes (unless `casServerLoginUrl` is set)  |\n| `casServerLoginUrl`                   | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login`. This overrides `casServerUrlPrefix`, if set.                                                                                  | Yes (unless `casServerUrlPrefix` is set) |\n| `serverName`                          | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes                                      |\n| `service`                             | The service URL to send to the CAS server, i.e. `https://localhost:8443/yourwebapp/index.html`                                                                                                                           | No                                       |\n| `renew`                               | specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting.             
            | No                                       |\n| `gateway `                            | specifies whether `gateway=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all)                                                                                             | No                                       |\n| `artifactParameterName `              | specifies the name of the request parameter on where to find the artifact (i.e. `ticket`).                                                                                                                               | No                                       |\n| `serviceParameterName `               | specifies the name of the request parameter on where to find the service (i.e. `service`)                                                                                                                                | No                                       |\n| `encodeServiceUrl `                   | Whether the client should auto encode the service url. Defaults to `true`                                                                                                                                                | No                                       |\n| `ignorePattern`                       | Defines the url pattern to ignore, when intercepting authentication requests.                                                                                                                                            | No                                       |\n| `ignoreUrlPatternType`                | Defines the type of the pattern specified. Defaults to `REGEX`. Other types are `CONTAINS`, `EXACT`, `FULL_REGEX`. Can also accept a fully-qualified class name that implements `UrlPatternMatcherStrategy`.             
| No                                       |\n| `gatewayStorageClass`                 | The storage class used to record gateway requests                                                                                                                                                                        | No                                       |\n| `authenticationRedirectStrategyClass` | The class name of the component to decide how to handle authn redirects to CAS                                                                                                                                           | No                                       |\n| `method`                              | The method used by the CAS server to send the user back to the application. Defaults to `null`                                                                                                                           | No                                       |\n\n##### Ignore Patterns\n\nThe following types are supported:\n\n| Type         | Description                                                                                                                                                                                                                                                                                                                                                 |\n|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `REGEX`      | Matches the URL the `ignorePattern` using `Matcher#find()`. It matches the next occurrence within the substring that matches the regex.                                                                                      
                                                                                                                               |\n| `CONTAINS`   | Uses the `String#contains()` operation to determine if the url contains the specified pattern. Behavior is case-sensitive.                                                                                                                                                                                                                                  |\n| `EXACT`      | Uses the `String#equals()` operation to determine if the url exactly equals the specified pattern. Behavior is case-sensitive.                                                                                                                                                                                                                              |\n| `FULL_REGEX` | Matches the URL against the `ignorePattern` using `Matcher#matches()`. It matches the expression against the entire string, as it implicitly adds a `^` at the start and a `$` at the end of the pattern, so it will not match a substring or part of the string. `^` and `$` are metacharacters that represent the start and the end of the string, respectively. |\n\n\u003ca name=\"orgapereocasclientauthenticationsaml11authenticationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.authentication.Saml11AuthenticationFilter\nThe SAML 1.1 `AuthenticationFilter` is what detects whether a user needs to be authenticated or not. 
If a user needs to be authenticated, it will redirect the user to the CAS server.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.authentication.Saml11AuthenticationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ecasServerLoginUrl\u003c/param-name\u003e\n    \u003cparam-value\u003ehttps://somewhere.cas.edu:8443/cas/login\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eserverName\u003c/param-name\u003e\n    \u003cparam-value\u003ehttp://www.the-client.com\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                 | Description                                                                                                                                                                                                              | Required                                 |\n|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|\n| `casServerUrlPrefix`     | The start of the CAS server URL, i.e. `https://localhost:8443/cas`                                                                                                                                                       | Yes (unless `casServerLoginUrl` is set)  |\n| `casServerLoginUrl`      | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login`. This overrides `casServerUrlPrefix`, if set.                               
                                                   | Yes (unless `casServerUrlPrefix` is set) |\n| `serverName`             | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes                                      |\n| `service`                | The service URL to send to the CAS server, i.e. `https://localhost:8443/yourwebapp/index.html`                                                                                                                           | No                                       |\n| `renew`                  | specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting.                         | No                                       |\n| `gateway `               | specifies whether `gateway=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all)                                                                                             | No                                       |\n| `artifactParameterName ` | specifies the name of the request parameter on where to find the artifact (i.e. `SAMLart`).                                                                                                                              | No                                       |\n| `serviceParameterName `  | specifies the name of the request parameter on where to find the service (i.e. `TARGET`)                                                                                                                                 | No                                       |\n| `encodeServiceUrl `      | Whether the client should auto encode the service url. 
Defaults to `true`                                                                                                                                                | No                                       |\n| `method`                 | The method used by the CAS server to send the user back to the application. Defaults to `null`                                                                                                                           | No                                       |\n\n\u003ca name=\"rgapereocasclientvalidationcas10ticketvalidationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.validation.Cas10TicketValidationFilter\nValidates tickets using the CAS 1.0 Protocol.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.validation.Cas10TicketValidationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ecasServerUrlPrefix\u003c/param-name\u003e\n    \u003cparam-value\u003ehttps://somewhere.cas.edu:8443/cas\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eserverName\u003c/param-name\u003e\n    \u003cparam-value\u003ehttp://www.the-client.com\u003c/param-value\u003e\n  \u003c/init-param\u003e    \n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                        | Description                                                                                                                                                                                                                                                                                                             | Required 
|\n|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `casServerUrlPrefix `           | The start of the CAS server URL, i.e. `https://localhost:8443/cas`                                                                                                                                                                                                                                                      | Yes      |\n| `serverName`                    | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. `https://localhost:8443` (you must include the protocol, but port is optional if it's a standard port).                                                                                              | Yes      |\n| `renew`                         | Specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting.                                                                                                                        | No       |\n| `redirectAfterValidation `      | Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to `true`.                                                                                                                                                                                               | No       |\n| `useSession `                   | Whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request. Defaults to `true`.             
                                                                                                                                                                 | No       |\n| `exceptionOnValidationFailure ` | Whether to throw an exception or not on ticket validation failure. Defaults to `true`.                                                                                                                                                                                                                                  | No       |\n| `sslConfigFile`                 | A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for `protocol` which defaults to `SSL`, `keyStoreType`, `keyStorePath`, `keyStorePass`, `keyManagerType` which defaults to `SunX509` and `certificatePassword`. | No.      |\n| `encoding`                      | Specifies the encoding charset the client should use                                                                                                                                                                                                                                                                    | No       |\n| `hostnameVerifier`              | Hostname verifier class name, used when making back-channel calls                                                                                                                                                                                                                                                       | No       |\n\n\u003ca name=\"orgapereocasclientvalidationsaml11ticketvalidationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.validation.Saml11TicketValidationFilter\nValidates tickets using the SAML 1.1 protocol.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n  
\u003cfilter-class\u003eorg.apereo.cas.client.validation.Saml11TicketValidationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ecasServerUrlPrefix\u003c/param-name\u003e\n    \u003cparam-value\u003ehttps://battags.ad.ess.rutgers.edu:8443/cas\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eserverName\u003c/param-name\u003e\n    \u003cparam-value\u003ehttp://www.acme-client.com\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                        | Description                                                                                                                                                                                                                                                                                                             | Required |\n|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `casServerUrlPrefix `           | The start of the CAS server URL, i.e. `https://localhost:8443/cas`                                                                                                                                                                                                                                                      | Yes      |\n| `serverName`                    | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. 
`https://localhost:8443` (you must include the protocol, but port is optional if it's a standard port).                                                                                              | Yes      |\n| `renew`                         | Specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting.                                                                                                                        | No       |\n| `redirectAfterValidation `      | Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to `true`.                                                                                                                                                                                               | No       |\n| `useSession `                   | Whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request. Defaults to `true`.                                                                                                                                                                              | No       |\n| `exceptionOnValidationFailure ` | whether to throw an exception or not on ticket validation failure. Defaults to `true`                                                                                                                                                                                                                                   | No       |\n| `tolerance `                    | The tolerance for drifting clocks when validating SAML tickets. Note that 10 seconds should be more than enough for most environments that have NTP time synchronization. 
Defaults to `1000 msec`                                                                                                                       | No       |\n| `sslConfigFile`                 | A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for `protocol` which defaults to `SSL`, `keyStoreType`, `keyStorePath`, `keyStorePass`, `keyManagerType` which defaults to `SunX509` and `certificatePassword`. | No.      |\n| `encoding`                      | Specifies the encoding charset the client should use                                                                                                                                                                                                                                                                    | No       |\n| `hostnameVerifier`              | Hostname verifier class name, used when making back-channel calls                                                                                                                                                                                                                                                       | No       |\n\n\u003ca name=\"orgapereocasclientvalidationcas20proxyreceivingticketvalidationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\nValidates the tickets using the CAS 2.0 protocol. If you provide either the `acceptAnyProxy` or the `allowedProxyChains` parameters, a `Cas20ProxyTicketValidator` will be constructed. Otherwise a general `Cas20ServiceTicketValidator` will be constructed that does not accept proxy tickets. 
\n\n**Note**: If you are using proxy validation, you should place the `filter-mapping` of the validation filter before the authentication filter.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ecasServerUrlPrefix\u003c/param-name\u003e\n    \u003cparam-value\u003ehttps://battags.ad.ess.rutgers.edu:8443/cas\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eserverName\u003c/param-name\u003e\n    \u003cparam-value\u003ehttp://www.acme-client.com\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                           | Description                                                                                                                                                                                                                                                                                                             | Required |\n|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `casServerUrlPrefix `              | The start of the CAS server URL, i.e. 
`https://localhost:8443/cas`                                                                                                                                                                                                                                                      | Yes      |\n| `serverName`                       | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. `https://localhost:8443` (you must include the protocol, but port is optional if it's a standard port).                                                                                              | Yes      |\n| `renew`                            | Specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting.                                                                                                                        | No       |\n| `redirectAfterValidation `         | Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to `true`.                                                                                                                                                                                               | No       |\n| `useSession `                      | Whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request. Defaults to `true`.                                                                                                                                                                              | No       |\n| `exceptionOnValidationFailure `    | Whether to throw an exception or not on ticket validation failure. 
Defaults to `true`                                                                                                                                                                                                                                   | No       |\n| `proxyReceptorUrl `                | The URL to watch for `PGTIOU/PGT` responses from the CAS server. Should be defined from the root of the context. For example, if your application is deployed in `/cas-client-app` and you want the proxy receptor URL to be `/cas-client-app/my/receptor` you need to configure proxyReceptorUrl to be `/my/receptor`. | No       |\n| `acceptAnyProxy `                  | Specifies whether any proxy is OK. Defaults to `false`.                                                                                                                                                                                                                                                                 | No       |\n| `allowedProxyChains `              | Specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs (for exact match) or regular expressions of URLs (starting by the `^` character). Each acceptable proxy chain should appear on its own line.                                                                       | No       |\n| `proxyCallbackUrl`                 | The callback URL to provide the CAS server to accept Proxy Granting Tickets.                                                                                                                                                                                                                                            | No       |\n| `proxyGrantingTicketStorageClass ` | Specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor.                                                                                                                                                  
                                                                      | No       |\n| `sslConfigFile`                    | A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for `protocol` which defaults to `SSL`, `keyStoreType`, `keyStorePath`, `keyStorePass`, `keyManagerType` which defaults to `SunX509` and `certificatePassword`. | No.      |\n| `encoding`                         | Specifies the encoding charset the client should use                                                                                                                                                                                                                                                                    | No       |\n| `secretKey`                        | The secret key used by the `proxyGrantingTicketStorageClass` if it supports encryption.                                                                                                                                                                                                                                 | No       |\n| `cipherAlgorithm`                  | The algorithm used by the `proxyGrantingTicketStorageClass` if it supports encryption. Defaults to `DESede`                                                                                                                                                                                                             | No       |\n| `millisBetweenCleanUps`            | Startup delay for the cleanup task to remove expired tickets from the storage. 
Defaults to `60000 msec`                                                                                                                                                                                                                 | No       |\n| `ticketValidatorClass`             | Ticket validator class to use/create                                                                                                                                                                                                                                                                                    | No       |\n| `hostnameVerifier`                 | Hostname verifier class name, used when making back-channel calls                                                                                                                                                                                                                                                       | No       |\n| `privateKeyPath`                   | The path to a private key to decrypt PGTs directly sent encrypted as an attribute                                                                                                                                                                                                                                       | No       |\n| `privateKeyAlgorithm`              | The algorithm of the private key. Defaults to `RSA`                                                                                                                                                                                                                                                                     | No       |\n\n#### org.apereo.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter\nValidates the tickets using the CAS 3.0 protocol. If you provide either the `acceptAnyProxy` or the `allowedProxyChains` parameters, \na `Cas30ProxyTicketValidator` will be constructed. 
Otherwise a general `Cas30ServiceTicketValidator` will be constructed that does not \naccept proxy tickets. Supports all configurations that are available for `Cas20ProxyReceivingTicketValidationFilter`.\n\n#### org.apereo.cas.client.validation.Cas30JsonProxyReceivingTicketValidationFilter\nIdentical to `Cas30ProxyReceivingTicketValidationFilter`, yet the filter is able to accept validation responses from CAS\nthat are formatted as JSON per guidelines laid out by the CAS protocol. \nSee the [protocol documentation](https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html)\nfor more info.\n\n\u003ca name=\"orgapereocasclientvalidationcasjwtticketvalidationfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.validation.CasJWTTicketValidationFilter\nValidates service tickets that are issued by the CAS server as JWTs.\n  \nSupported JWTs are:\n\n- The JWT must be signed and encrypted, in that order, or...\n- The JWT must be encrypted and signed, in that order, or...\n- The JWT must be encrypted.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.validation.CasJWTTicketValidationFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003esigningKey\u003c/param-name\u003e\n    \u003cparam-value\u003e...\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003eencryptionKey\u003c/param-name\u003e\n    \u003cparam-value\u003e...\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Validation Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property                  | Description                                                                              | Required 
|\n|---------------------------|------------------------------------------------------------------------------------------|----------|\n| `signingKey `             | The signing key. Only `AES` secret keys are supported.                                   | Yes      |\n| `encryptionKey `          | The encryption key. Only `AES` secret keys are supported.                                | Yes      |\n| `expectedIssuer `         | `iss` claim value that is required to match what is in the JWT.                          | Yes      |\n| `expectedAudience `       | `aud` claim value that is required to match what is in the JWT.                          | Yes      |\n| `encryptionKeyAlgorithm ` | Default is `AES`.                                                                        | No       |\n| `requiredClaims `         | Default is `sub,aud,iat,jti,exp,iss`.                                                    | No       |\n| `base64EncryptionKey `    | If encryption key should be base64-decoded first. Default is `true`.                     | No       |\n| `base64SigningKey `       | If signing key should be base64-decoded first. Default is `false`.                       | No       |\n| `maxClockSkew `           | Maximum acceptable clock skew when validating expiration dates. Default is `60` seconds. | No       |\n\n##### Proxy Authentication vs. Distributed Caching\nThe client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. 
In order to do so, \nthe `proxyGrantingTicketStorageClass` parameter needs to be defined for the filter.\n\n###### Ehcache\n\nConfigure the client:\n\n```xml\n\u003cinit-param\u003e\n  \u003cparam-name\u003eproxyGrantingTicketStorageClass\u003c/param-name\u003e\n  \u003cparam-value\u003eorg.apereo.cas.client.EhcacheBackedProxyGrantingTicketStorageImpl\u003c/param-value\u003e\n\u003c/init-param\u003e\n```\nThe setting provides an implementation for proxy storage using EhCache to take advantage of its replication features so that the PGT is successfully replicated and shared among nodes, regardless of which node is selected as the result of the load balancer rerouting. \n\nConfiguration of this parameter is not enough. The EhCache configuration needs to enable the replication mechanism through one of its suggested ways. A sample of that configuration based on RMI replication can be found here. Please note that while the sample is done for a distributed ticket registry implementation, the basic idea and configuration should easily be transferable. \n\nWhen loading from the `web.xml`, the Apereo CAS Client relies on a series of default values, one of which is that the cache must be configured in the default location (i.e. `classpath:ehcache.xml`). 
\n\n```xml\n\u003ccacheManagerPeerProviderFactory class=\"net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory\"\n   properties=\"peerDiscovery=automatic,\n   multicastGroupAddress=230.0.0.1, multicastGroupPort=4446\"/\u003e\n \n\u003ccacheManagerPeerListenerFactory class=\"net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory\"/\u003e\n \n\u003ccache\n   name=\"org.apereo.cas.client.EhcacheBackedProxyGrantingTicketStorageImpl.cache\"\n   maxElementsInMemory=\"100\"\n   eternal=\"false\"\n   timeToIdleSeconds=\"100\"\n   timeToLiveSeconds=\"100\"\n   overflowToDisk=\"false\"\u003e\n   \u003ccacheEventListenerFactory class=\"net.sf.ehcache.distribution.RMICacheReplicatorFactory\"/\u003e\n\u003c/cache\u003e\n```\n\n###### Memcached\n\nA similar implementation based on Memcached is also available.\n\nConfigure the client:\n\n```xml\n\u003cinit-param\u003e\n  \u003cparam-name\u003eproxyGrantingTicketStorageClass\u003c/param-name\u003e\n  \u003cparam-value\u003eorg.apereo.cas.client.proxy.MemcachedBackedProxyGrantingTicketStorageImpl\u003c/param-value\u003e\n\u003c/init-param\u003e\n```\n\nWhen loading from the `web.xml`, the Client relies on a series of default values, one of which is that the list of memcached servers must be defined in `/cas/casclient_memcached_hosts.txt` on the classpath. The file is a simple list of `\u003chostname\u003e:\u003cports\u003e` on separate lines. 
**BE SURE NOT TO HAVE EXTRA LINE BREAKS**.\n\n\u003ca name=\"orgapereocasclientutilhttpservletrequestwrapperfilter\"\u003e\u003c/a\u003e\n#### org.apereo.cas.client.HttpServletRequestWrapperFilter\n\nWraps an `HttpServletRequest` so that the `getRemoteUser` and `getPrincipal` return the CAS related entries.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS HttpServletRequest Wrapper Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.HttpServletRequestWrapperFilter\u003c/filter-class\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n  \u003cfilter-name\u003eCAS HttpServletRequest Wrapper Filter\u003c/filter-name\u003e\n  \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n| Property        | Description                                                   | Required |\n|-----------------|---------------------------------------------------------------|----------|\n| `roleAttribute` | Used to determine the principal role.                         | No       |\n| `ignoreCase`    | Whether role checking should ignore case. Defaults to `false` | No       |\n\n\u003ca name=\"orgapereocasclientutilassertionthreadlocalfilter\"\u003e\u003c/a\u003e\n\n#### org.apereo.cas.client.AssertionThreadLocalFilter\nPlaces the `Assertion` in a `ThreadLocal` for portions of the application that need access to it. 
This is useful when the Web application that this filter \"fronts\" needs to get the Principal name, but it has no access to the `HttpServletRequest`, hence making `getRemoteUser()` call impossible.\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Assertion Thread Local Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.AssertionThreadLocalFilter\u003c/filter-class\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n  \u003cfilter-name\u003eCAS Assertion Thread Local Filter\u003c/filter-name\u003e\n  \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n\u003ca name=\"orgapereocasclientutilerrorredirectfilter\"\u003e\u003c/a\u003e\n\n#### org.apereo.cas.client.ErrorRedirectFilter\nFilter that redirects to the supplied URL based on an exception. Exceptions and the URLs are configured via the filter's init-param names and values.\n\n| Property                   | Description                                                       | Required |\n|----------------------------|-------------------------------------------------------------------|----------|\n| `defaultErrorRedirectPage` | Default url to redirect to, in case no error matches are found.   | Yes      |\n| `java.lang.Exception`      | Fully qualified exception name. 
Its value must be redirection url | No       |\n\n```xml\n\u003cfilter\u003e\n  \u003cfilter-name\u003eCAS Error Redirect Filter\u003c/filter-name\u003e\n  \u003cfilter-class\u003eorg.apereo.cas.client.ErrorRedirectFilter\u003c/filter-class\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003ejava.lang.Exception\u003c/param-name\u003e\n    \u003cparam-value\u003e/error.jsp\u003c/param-value\u003e\n  \u003c/init-param\u003e\n  \u003cinit-param\u003e\n    \u003cparam-name\u003edefaultErrorRedirectPage\u003c/param-name\u003e\n    \u003cparam-value\u003e/defaulterror.jsp\u003c/param-value\u003e\n  \u003c/init-param\u003e\n\u003c/filter\u003e\n\u003cfilter-mapping\u003e\n  \u003cfilter-name\u003eCAS Error Redirect Filter\u003c/filter-name\u003e\n  \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n\n\u003ca name=\"client-configuration-using-spring\"\u003e\u003c/a\u003e\n\n### Client Configuration Using Spring\n\nConfiguration via Spring IoC will depend heavily on `DelegatingFilterProxy` class. 
For each filter that will be configured for CAS via Spring, a corresponding `DelegatingFilterProxy` is needed in the web.xml.\n\nAs the `HttpServletRequestWrapperFilter` and `AssertionThreadLocalFilter` have no configuration options, we recommend you just configure them in the `web.xml`\n\n```xml\n\u003cfilter\u003e\n    \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n    \u003cfilter-class\u003eorg.springframework.web.filter.DelegatingFilterProxy\u003c/filter-class\u003e\n    \u003cinit-param\u003e\n        \u003cparam-name\u003etargetBeanName\u003c/param-name\u003e\n        \u003cparam-value\u003eauthenticationFilter\u003c/param-value\u003e\n    \u003c/init-param\u003e\n  \u003c/filter\u003e\n\u003cfilter-mapping\u003e\n    \u003cfilter-name\u003eCAS Authentication Filter\u003c/filter-name\u003e\n    \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n```\n\n\u003ca name=\"bean-configuration\"\u003e\u003c/a\u003e\n#### Bean Configuration\n\n##### AuthenticationFilter\n```xml\n\u003cbean\n    name=\"authenticationFilter\"\n    class=\"org.apereo.cas.client.authentication.AuthenticationFilter\"\n    p:casServerLoginUrl=\"https://localhost:8443/cas/login\"\n    p:renew=\"false\"\n    p:gateway=\"false\"\n    p:service=\"https://my.local.service.com/cas-client\" /\u003e\n```\n\n##### Cas10TicketValidationFilter\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    class=\"org.apereo.cas.client.validation.Cas10TicketValidationFilter\"\n    p:service=\"https://my.local.service.com/cas-client\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean class=\"org.apereo.cas.client.validation.Cas10TicketValidator\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\n##### Saml11TicketValidationFilter\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    
class=\"org.apereo.cas.client.validation.Saml11TicketValidationFilter\"\n    p:service=\"https://my.local.service.com/cas-client\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean class=\"org.apereo.cas.client.validation.Saml11TicketValidator\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\n##### Cas20ProxyReceivingTicketValidationFilter\nConfiguration to validate tickets:\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    class=\"org.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\"\n    p:service=\"https://my.local.service.com/cas-client\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean class=\"org.apereo.cas.client.validation.Cas20ServiceTicketValidator\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\nConfiguration to accept a Proxy Granting Ticket:\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    class=\"org.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\"\n    p:service=\"https://my.local.service.com/cas-client\"\n    p:proxyReceptorUrl=\"/proxy/receptor\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean\n            class=\"org.apereo.cas.client.validation.Cas20ServiceTicketValidator\"\n            p:proxyCallbackUrl=\"/proxy/receptor\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\nConfiguration to accept any Proxy Ticket (and Proxy Granting Tickets):\n\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    class=\"org.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\"\n    
p:service=\"https://my.local.service.com/cas-client\"\n    p:proxyReceptorUrl=\"/proxy/receptor\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean class=\"org.apereo.cas.client.validation.Cas20ProxyTicketValidator\"\n            p:acceptAnyProxy=\"true\"\n            p:proxyCallbackUrl=\"/proxy/receptor\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\nConfiguration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):\n\n```xml\n\u003cbean\n    name=\"ticketValidationFilter\"\n    class=\"org.apereo.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter\"\n    p:service=\"https://my.local.service.com/cas-client\"\n    p:proxyReceptorUrl=\"/proxy/receptor\"\u003e\n    \u003cproperty name=\"ticketValidator\"\u003e\n        \u003cbean class=\"org.apereo.cas.client.validation.Cas20ProxyTicketValidator\"\n            p:proxyCallbackUrl=\"/proxy/receptor\"\u003e\n            \u003cconstructor-arg index=\"0\" value=\"https://localhost:8443/cas\" /\u003e\n            \u003cproperty name=\"allowedProxyChains\"\u003e\n                \u003clist\u003e\n                    \u003cvalue\u003ehttp://proxy1 http://proxy2\u003c/value\u003e\n                \u003c/list\u003e\n            \u003c/property\u003e\n        \u003c/bean\u003e\n    \u003c/property\u003e\n\u003c/bean\u003e\n```\n\nThe specific filters can be configured in the following ways. 
Please see the JavaDocs included in the distribution for specific required and optional properties:\n\n\u003ca name=\"springboot-autoconfiguration\"\u003e\u003c/a\u003e\n## Spring Boot AutoConfiguration\n\n### Usage \n\n* Define a dependency:\n\n\u003e Maven:\n\n```xml\n\u003cdependency\u003e\n   \u003cgroupId\u003eorg.apereo.cas.client\u003c/groupId\u003e\n   \u003cartifactId\u003ecas-client-support-springboot\u003c/artifactId\u003e\n   \u003cversion\u003e${java.cas.client.version}\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n\u003e Gradle:\n\n```groovy\ndependencies {\n    ...\n    implementation 'org.apereo.cas.client:cas-client-support-springboot:${java.cas.client.version}'\n    ...\n}\n```\n\n* Add the following required properties in Spring Boot's `application.properties` or `application.yml`:\n\n```properties\ncas.server-url-prefix=https://cashost.com/cas\ncas.server-login-url=https://cashost.com/cas/login\ncas.client-host-url=https://casclient.com\n```\n\n* Annotate Spring Boot application (or any @Configuration class) with `@EnableCasClient` annotation\n\n```java\n@SpringBootApplication\n@Controller\n@EnableCasClient\npublic class MyApplication { .. 
}\n```\n\n\u003e For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified\n\n```properties\ncas.validation-type=CAS3\n```\n\n\u003e For CAS2 protocol (authentication and validation filters)\n\n```properties\ncas.validation-type=CAS\n```\n\n\u003e For SAML protocol (authentication and validation filters)\n\n```properties\ncas.validation-type=SAML\n```\n\n### Available optional properties\n\n* `cas.single-logout.enabled`\n* `cas.authentication-url-patterns`\n* `cas.validation-url-patterns`\n* `cas.request-wrapper-url-patterns`\n* `cas.assertion-thread-local-url-patterns`\n* `cas.gateway`\n* `cas.use-session`\n* `cas.attribute-authorities`\n* `cas.redirect-after-validation`\n* `cas.allowed-proxy-chains`\n* `cas.proxy-callback-url`\n* `cas.proxy-receptor-url`\n* `cas.accept-any-proxy`\n* `server.context-parameters.renew`\n\n### Spring Security Integration\n\nAn application that is handling security concerns via Spring Security can take advantage\nof this module to automatically populate the Spring Security authentication context\nwith roles and authorities that are fetched as attributes from the CAS assertion. \n\nTo do so, the attributes names (i.e. 
`membership`) from the CAS assertion that should be translated to Spring Security \nauthorities must be specified in the configuration:\n\n```properties\ncas.attribute-authorities=membership\n```\n\nThe application may then enforce role-based security via:\n\n```java         \n@SpringBootApplication\n@EnableCasClient\npublic class MyConfiguration extends WebSecurityConfigurerAdapter {\n    @Override\n    protected void configure(HttpSecurity http) throws Exception {\n        http.authorizeRequests()\n            .antMatchers(\"/\").permitAll()\n            .antMatchers(\"/protected-endpoint\").hasAuthority(\"ADMIN\")\n            .anyRequest().authenticated();\n    }\n}\n```\n\nThe translation between CAS attributes and Spring Security authorities and/or roles can be customized using \nthe following bean definition:\n\n```java\n@Bean\npublic AuthenticationUserDetailsService\u003cCasAssertionAuthenticationToken\u003e springSecurityCasUserDetailsService() {\n    return null;\n}\n```    \n\n### Advanced configuration\n\nThis module does not expose ALL the CAS client configuration options via standard Spring property sources, but only most commonly used ones.\nIf there is a need however, to set any number of not exposed, 'exotic' properties, you can implement the `CasClientConfigurer`\nclass in your `@EnableCasClient` annotated class and override appropriate configuration method(s) for CAS client filter(s) in question.\nFor example:\n\n```java\n@SpringBootApplication\n@EnableCasClient\nclass CasProtectedApplication implements CasClientConfigurer {    \n    @Override\n    void configureValidationFilter(FilterRegistrationBean validationFilter) {           \n        validationFilter.getInitParameters().put(\"millisBetweenCleanUps\", \"120000\");\n    }        \n    @Override\n    void configureAuthenticationFilter(FilterRegistrationBean authenticationFilter) {\n        authenticationFilter.getInitParameters().put(\"artifactParameterName\", \"casTicket\");\n        
authenticationFilter.getInitParameters().put(\"serviceParameterName\", \"targetService\");\n    }                                \n}\n```\n\n\u003ca name=\"configuring-single-sign-out\"\u003e\u003c/a\u003e\n### Configuring Single Sign Out\nThe Single Sign Out support in CAS consists of configuring one `SingleSignOutFilter` and one `ContextListener`. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described.\n\nThe `SingleSignOutFilter` can affect character encoding. This becomes most obvious when used in conjunction with applications such as Atlassian Confluence. It's recommended you explicitly configure either the [VT Character Encoding Filter](http://code.google.com/p/vt-middleware/wiki/vtservletfilters#CharacterEncodingFilter) or the [Spring Character Encoding Filter](http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/filter/CharacterEncodingFilter.html) with explicit encodings.\n\n#### Configuration\n\n| Property                    | Description                                                                                                                                                                                                                                                                 | Required |\n|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `artifactParameterName`     | The ticket artifact parameter name. 
Defaults to `ticket`                                                                                                                                                                                                                    | No       |\n| `logoutParameterName`       | Defaults to `logoutRequest`                                                                                                                                                                                                                                                 | No       |\n| `relayStateParameterName`   | Defaults to `RelayState`                                                                                                                                                                                                                                                    | No       |\n| `eagerlyCreateSessions`     | Defaults to `true`                                                                                                                                                                                                                                                          | No       |\n| `artifactParameterOverPost` | Defaults to  `false`                                                                                                                                                                                                                                                        | No       |\n| `logoutCallbackPath`        | The path which is expected to receive logout callback requests from the CAS server. This is necessary if your app needs access to the raw input stream when handling form posts. If not configured, the default behavior will check every form post for a logout parameter. 
| No       |\n\n\u003ca name=\"cas-protocol\"\u003e\u003c/a\u003e\n#### CAS Protocol\n\n```xml\n\u003cfilter\u003e\n   \u003cfilter-name\u003eCAS Single Sign Out Filter\u003c/filter-name\u003e\n   \u003cfilter-class\u003eorg.apereo.cas.client.session.SingleSignOutFilter\u003c/filter-class\u003e\n\u003c/filter\u003e\n...\n\u003cfilter-mapping\u003e\n   \u003cfilter-name\u003eCAS Single Sign Out Filter\u003c/filter-name\u003e\n   \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n...\n\u003clistener\u003e\n    \u003clistener-class\u003eorg.apereo.cas.client.session.SingleSignOutHttpSessionListener\u003c/listener-class\u003e\n\u003c/listener\u003e\n```\n\n\u003ca name=\"saml-protocol\"\u003e\u003c/a\u003e\n#### SAML Protocol\n\n```xml\n\u003cfilter\u003e\n   \u003cfilter-name\u003eCAS Single Sign Out Filter\u003c/filter-name\u003e\n   \u003cfilter-class\u003eorg.apereo.cas.client.session.SingleSignOutFilter\u003c/filter-class\u003e\n   \u003cinit-param\u003e\n      \u003cparam-name\u003eartifactParameterName\u003c/param-name\u003e\n      \u003cparam-value\u003eSAMLart\u003c/param-value\u003e\n   \u003c/init-param\u003e\n\u003c/filter\u003e\n...\n\u003cfilter-mapping\u003e\n   \u003cfilter-name\u003eCAS Single Sign Out Filter\u003c/filter-name\u003e\n   \u003curl-pattern\u003e/*\u003c/url-pattern\u003e\n\u003c/filter-mapping\u003e\n...\n\u003clistener\u003e\n    \u003clistener-class\u003eorg.apereo.cas.client.session.SingleSignOutHttpSessionListener\u003c/listener-class\u003e\n\u003c/listener\u003e\n```\n\n\u003ca name=\"recommend-logout-procedure\"\u003e\u003c/a\u003e\n#### Recommended Logout Procedure\nThe client has no code to help you handle logout; it merely places objects in the session. We therefore recommend that you call `session.invalidate()` when you log a user out. However, that's entirely your application's responsibility. 
We recommend that text similar to the following appear when the application's session is ended.\n\n```html\nYou have been logged out of [APPLICATION NAME GOES HERE].\nTo log out of all applications, click here. (provide link to CAS server's logout)\n```\n\n\u003ca name=\"jaas\"\u003e\u003c/a\u003e\n## JAAS\nThe client supports the Java Authentication and Authorization Service (JAAS) framework, which provides authn facilities to CAS-enabled JEE applications.\n\nA general JAAS authentication module, `CasLoginModule`, is available with the specific purpose of providing authentication and authorization services to CAS-enabled JEE applications. The design of the module is simple: given a service URL and a service ticket in a `NameCallback` and `PasswordCallback`, respectively, the module contacts the CAS server and attempts to validate the ticket. In keeping with CAS integration for Java applications, a JEE container-specific servlet filter is needed to protect JEE Web applications. The JAAS support should be extensible to any JEE container.\n\n\u003ca name=\"configure-casloginmodule\"\u003e\u003c/a\u003e\n### Configure CasLoginModule\nIt is expected that for JEE applications both authentication and authorization services will be required for CAS integration. 
The following JAAS module configuration file excerpt demonstrates how to leverage SAML 1.1 attribute release in CAS to provide authorization data in addition to authentication:\n\n```\ncas {\n  jaas.org.apereo.cas.client.CasLoginModule required\n    ticketValidatorClass=\"org.apereo.cas.client.validation.Saml11TicketValidator\"\n    casServerUrlPrefix=\"https://cas.example.com/cas\"\n    tolerance=\"20000\"\n    service=\"https://webapp.example.com/webapp\"\n    defaultRoles=\"admin,operator\"\n    roleAttributeNames=\"memberOf,eduPersonAffiliation\"\n    principalGroupName=\"CallerPrincipal\"\n    roleGroupName=\"Roles\"\n    cacheAssertions=\"true\"\n    cacheTimeout=\"480\";\n}\n```\n\n| Property                | Description                                                                                                                                                                                                                           | Required |\n|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|\n| `ticketValidatorClass`  | Fully-qualified class name of CAS ticket validator class.                                                                                                                                                                             | Yes      |\n| `casServerUrlPrefix`    | URL to root of CAS Web application context.                                                                                                                                                                                           | Yes      |\n| `service`               | CAS service parameter that may be overridden by callback handler. 
**Note**: service must be specified by at least one component such that it is available at service ticket validation time.                                          | No       |\n| `defaultRoles`          | Comma-delimited list of static roles applied to all authenticated principals.                                                                                                                                                         | No       |\n| `roleAttributeNames`    | Comma-delimited list of attribute names that describe role data delivered to CAS in the service-ticket validation response that should be applied to the current authenticated principal.                                             | No       |\n| `principalGroupName`    | The name of a group principal containing the primary principal name of the current JAAS subject. The default value is `CallerPrincipal`.                                                                                              | No       |\n| `roleGroupName`         | The name of a group principal containing all role data. The default value is `Roles`.                                                                                                                                                 | No       |\n| `cacheAssertions`       | Flag to enable assertion caching. This may be required for JAAS providers that attempt to periodically reauthenticate to renew principal. Since CAS tickets are one-time-use, a cached assertion must be provided on reauthentication. | No       |\n| `cacheTimeout`          | Assertion cache timeout in minutes.                                                                                                                                                                                                   | No       |\n| `tolerance`             | The tolerance for drifting clocks when validating SAML tickets.                                                                                                  
                                                                     | No       |\n\n### Programmatic JAAS login using Servlet 3\nThe `jaas.org.apereo.cas.client.Servlet3AuthenticationFilter` servlet filter performs a programmatic JAAS login using the Servlet 3.0 `HttpServletRequest#login()` facility. This component should be compatible with any servlet container that supports the Servlet 3.0/JEE6 specification.\n\nThe filter executes when it receives a CAS ticket and expects the\n`CasLoginModule` JAAS module to perform the CAS ticket validation in order to produce an `AssertionPrincipal` from which the CAS assertion is obtained and inserted into the session to enable SSO.\n\nIf a `service` init-param is specified for this filter, it supersedes\nthe service defined for the `CasLoginModule`.\n","funding_links":["https://www.apereo.org/content/apereo-membership"],"categories":["Java"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapereo%2Fjava-cas-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapereo%2Fjava-cas-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapereo%2Fjava-cas-client/lists"}