Central Authentication Service Explained

Central Authentication Service (CAS) is a single sign-on protocol designed to allow untrusted web applications to authenticate users against a trusted central server. It also refers to a server package by the same name that provides the service.

Description

The CAS protocol involves three parties: a client web browser, the application requesting authentication, and the CAS server. When the client visits a protected application, the application automatically redirects it to CAS. CAS validates the client's user ID and password against a secure database, such as Active Directory or another directory service. This is performed through an Authentication Handler. The Credentials and the PrincipalToCredentialResolver can be changed to accept a login credential other than a login name and password (e.g. a valid IP address of the requesting application).

If the user ID and password are valid, CAS redirects the client to the application with a random number called a ticket. The application opens an HTTPS connection directly to CAS, and provides its own service identifier and the ticket. CAS then tells the application the user ID if the ticket is valid for that service identifier.
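The two paragraphs above describe a three-step exchange: redirect to CAS, redirect back with a ticket, and back-channel validation of the ticket against the service identifier. The following is an added example that models that exchange in memory; it is not code from the page or from the CAS project, and the names CasServer, Application, TICKET_TTL and ticket_from_redirect are this example's own. It shows the two checks a validating server must make that the text implies: the ticket is bound to the service it was issued for, and it can be redeemed only once.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TICKET_TTL = 300  # assumed lifetime of a service ticket, in seconds


class CasServer:
    """Issues a ticket after login and validates it once, for one service."""

    def __init__(self, users):
        self.users = users      # constructed user store: {user_id: password}
        self.tickets = {}       # ticket -> (user_id, service, issued_at)

    def login(self, user_id, password, service):
        # Step 1: the browser arrives here after the application redirected it.
        if self.users.get(user_id) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)   # opaque and unguessable
        self.tickets[ticket] = (user_id, service, time.time())
        # Step 2: the redirect URL the browser follows back to the application.
        return service + "?" + urlencode({"ticket": ticket})

    def validate(self, service, ticket, now=None):
        # Step 3: called directly by the application, not by the browser.
        entry = self.tickets.pop(ticket, None)   # pop, not get: single use
        if entry is None:
            return None                          # unknown or already redeemed
        user_id, bound_service, issued_at = entry
        if bound_service != service:
            return None                          # issued for a different app
        if (now if now is not None else time.time()) - issued_at > TICKET_TTL:
            return None                          # expired
        return user_id


class Application:
    """The protected application; knows its own service identifier."""

    def __init__(self, service, cas):
        self.service, self.cas = service, cas

    def handle_callback(self, ticket):
        # The application presents its service identifier plus the ticket.
        return self.cas.validate(self.service, ticket)


def ticket_from_redirect(url):
    """Extract the ticket parameter the browser carries back to the app."""
    return parse_qs(urlparse(url).query)["ticket"][0]
```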

History

CAS was first developed by Shawn Bayern of Yale University Technology and Planning, and it was later maintained by Drew Mazurek. Originally CAS implemented only single sign-on, but it later implemented multitier proxy authentication. Since it is distributed under a BSD-style license, several other CAS distributions have been developed with new features.

In December 2004, CAS became a project of the Java Architectures Special Interest Group (press release).
