Question

I am setting up my own CAS. An authentication handler was written, and username/password are authenticated against a MySQL db. I also added a signup page and related logic.

Now I would like to let a user automatically log on when he/she has registered as a user. How to achieve this?


Solution 2

Here is my implementation. The idea is borrowed from class org.jasig.cas.web.flow.AuthenticationViaFormAction.

In my web controller handling an unlock request, which often comes from a registration email of a new user:

        // Inside the controller method; userManager, centralAuthenticationService,
        // ticketGrantingTicketCookieGenerator and log are injected fields.
        // createTicketGrantingTicket throws the checked TicketException in CAS 3.x.
        String oneTimeAuthToken = this.userManager.generateOneTimeAuthToken(userEmail);
        UsernamePasswordCredentials credentials = new UsernamePasswordCredentials();
        credentials.setUsername(userEmail);
        credentials.setPassword(oneTimeAuthToken);   // the one-time token stands in for the password
        String tgt = centralAuthenticationService.createTicketGrantingTicket(credentials);
        ticketGrantingTicketCookieGenerator.addCookie(request, response, tgt);  // establishes the SSO session
        log.debug("Current user was unlocked and logged in.");

The fundamental idea behind this is to create a temporary, password-like token to authenticate with. Of course, userManager should clear this token automatically once authentication is successful.

Hope this is clear. Let me know if you observe anything wrong.
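The answer above leaves the token's lifecycle to `userManager`. The class below is an added example (not the poster's code and not part of CAS) of what such a manager can look like so that the "temp password" is actually safe to feed into the password field: the token is 256 bits from `SecureRandom`, only its SHA-256 hash is kept server-side, it expires, it is compared in constant time, and it is consumed atomically on first successful use so a replayed or forwarded registration link cannot log someone in a second time. All names (`OneTimeAuthTokenManager`, `generateOneTimeAuthToken`, `consumeOneTimeAuthToken`, the in-memory `store`) are assumptions; a real deployment would back `store` with the MySQL table the authentication handler already uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/**
 * Hypothetical one-time authentication token store (added example, not CAS code).
 * The handler's authenticate(credentials) would call
 * consumeOneTimeAuthToken(credentials.getUsername(), credentials.getPassword()).
 */
public class OneTimeAuthTokenManager {

    private static final class Entry {
        final byte[] tokenHash;   // SHA-256 of the token; the plaintext is never stored
        final Instant expiresAt;
        Entry(byte[] tokenHash, Instant expiresAt) { this.tokenHash = tokenHash; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> store = new ConcurrentHashMap<>(); // stands in for a DB table
    private final SecureRandom random = new SecureRandom();
    private final Supplier<Instant> clock;  // injectable so expiry can be exercised in a demo
    private final Duration ttl;

    public OneTimeAuthTokenManager(Supplier<Instant> clock, Duration ttl) {
        this.clock = clock;
        this.ttl = ttl;
    }

    /** Issues a fresh token for the user, replacing any outstanding one. */
    public String generateOneTimeAuthToken(String userEmail) {
        byte[] raw = new byte[32];                          // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(userEmail, new Entry(sha256(token), clock.get().plus(ttl)));
        return token;                                       // goes into the email link / credentials
    }

    /** Validates and consumes the token; returns true at most once per issued token. */
    public boolean consumeOneTimeAuthToken(String userEmail, String presented) {
        Entry entry = store.get(userEmail);
        if (entry == null) return false;                    // nothing outstanding for this user
        if (clock.get().isAfter(entry.expiresAt)) {         // stale token: discard and refuse
            store.remove(userEmail, entry);
            return false;
        }
        if (!MessageDigest.isEqual(entry.tokenHash, sha256(presented))) return false; // constant-time
        // Single use: only the caller that actually removes the entry wins, even under concurrency.
        return store.remove(userEmail, entry);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo clock so expiry can be shown without waiting.
        Instant[] now = { Instant.parse("2024-01-01T00:00:00Z") };
        OneTimeAuthTokenManager mgr = new OneTimeAuthTokenManager(() -> now[0], Duration.ofMinutes(15));

        String token = mgr.generateOneTimeAuthToken("alice@example.com"); // constructed address
        System.out.println("first use:   " + mgr.consumeOneTimeAuthToken("alice@example.com", token)); // true
        System.out.println("replay:      " + mgr.consumeOneTimeAuthToken("alice@example.com", token)); // false
        System.out.println("wrong token: " + mgr.consumeOneTimeAuthToken("alice@example.com", "bogus")); // false

        String later = mgr.generateOneTimeAuthToken("alice@example.com");
        now[0] = now[0].plus(Duration.ofMinutes(16));                       // past the TTL
        System.out.println("expired:     " + mgr.consumeOneTimeAuthToken("alice@example.com", later)); // false
    }
}
```

Because the token is only ever accepted through `consumeOneTimeAuthToken`, the regular MySQL username/password handler never sees it as a valid password, and the cookie in the controller snippet is set only after a token that was issued, unexpired and unused has been spent.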

OTHER TIPS

The comment above is incorrect - CAS clients do not have access to the cookie, only the CAS Server does - CAS is not a shared-cookie protocol.

If you only have a single site, you can just create a session on the client, using the standard mechanisms for Java, Ruby, whatever platform you're using.

If you want to create an SSO session for login to multiple applications, basically you need to:

  1. Create an SSO session (via the CAS server)
  2. Redirect to the CAS Server
  3. Have the user redirected back to your application.

To accomplish the first one, you likely will want to modify the CAS LoginFlow to allow you to authenticate the user, either via one-time token or a similar mechanism.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow