All the files that we’ll be discussing in this section that concern the theme are located in and referenced from:
CAS user interface should properly and comfortably lend itself to all major browser vendors:
- Google Chrome
- Mozilla Firefox
- Apple Safari
- Microsoft Internet Explorer
Note that certain older version of IE, particularly IE 9 and below may impose additional difficulty in getting the right UI configuration in place.
To instruct CAS to render UI in compatibility mode, add the following to relevant UI components:
The default styles are all contained in a single file located in
css/cas.css. This location is set in
WEB-INF/classes/cas-theme-default.properties. If you would like to create your own
css/custom.css file, for example, you will need to update
standard.custom.css.file key in that file.
CSS per Locale
Selecting CSS files per enabled locale would involve changing the
top.jsp file to include the below sample code:
CSS media queries bring responsive design features to CAS which would allow adopter to focus on one theme for all appropriate devices and platforms. These queries are defined in the same
css/cas.css file. Below follows an example:
You can also create your own
custom.js file, for example, and call it from within
WEB-INF/view/jsp/default/ui/includes/bottom.jsp like so:
If you are developing themes per service, each theme also has the ability to specify a custom
cas.js file under the
- JQuery UI
- JQuery Cookie
Asynchronous Script Loading
CAS will attempt load the aforementioned script libraries asynchronously so as to not block the page rendering functionality.
The loading of script files is handled by the
head.js library and is the responsibility of
The only script that is loaded synchronously is the
head.js library itself.
CAS will display a brief warning when the CAPSLOCK key is turned on during the typing of the credential password. This check
is enforced by the
Browser Cookie Support
For CAS to honor a single sign-on session, the browser MUST support and accept cookies. CAS will notify the
user if the browser has turned off its support for cookies. This behavior is controlled via the
Preserving Anchor Fragments
Anchors/fragments may be lost across redirects as the server-side handler of the form post ignores the client-side anchor, unless appended to the form POST url. This is needed if you want a CAS-authenticated application to be able to use anchors/fragments when bookmarking.
Changes to Login Form
The default views are found at
bottom.jsp include files located in the
../includes directory. These serve as the layout template for the other JSP files, which get injected in between during compilation to create a complete HTML page.
The following JSP tag libraries are used by the user interface:
Glossary of Views
||Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is disabled in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is locked in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed when authentication encounters an account that is not allowed authentication within the current time window in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed when authentication encounters an account that is not allowed authentication from the current workstation in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that has expired in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that must change its password in the underlying account store (i.e. LDAP)|
||Specific to Password Policy Enforcement; displayed when the user account is near expiration based on specified configuration (i.e. LDAP)|
||Displayed when the user is warned before being redirected to the service. This allows users to be made aware whenever an application uses CAS to log them in. (If they don’t elect the warning, they may not see any CAS screen when accessing an application that successfully relies upon an existing CAS single sign-on session.) Some CAS adopters remove the ‘warn’ checkbox in the CAS login view and don’t offer this interstitial advisement that single sign-on is happening.|
||Displayed when the user has been logged in without providing a service to be redirected to.|
||Main login form.|
||Main logout view.|
||Used in conjunction with the service registry feature, displayed when the service the user is trying to access is not allowed to use CAS. The default in-memory services registry configuration, in ‘deployerConfigContext.xml’, allows all users to obtain a service ticket to access all services.|
||Displayed when a user would otherwise have experienced non-interactive single sign-on to a service that is, per services registry configuration, disabled from participating in single sign-on. (In the default services registry registrations, all services are permitted to participate in single sign-on, so this view will not be displayed.)|
Glossary of Monitoring Views
The monitoring views are found at
||Displayed when user attempts to view the state of the CAS application runtime and its configuration.|
||Displayed when user wishes to view the Single Sign-on Report.|
||Displayed when user wishes review the CAS server statistics.|
Glossary of System Error Views
The error views are found at
||Displayed when CAS experiences an error it doesn’t know how to handle (an unhandled Exception). For instance, CAS might be unable to access a database backing the services registry. This is the generic CAS error page. It’s important to brand it to provide an acceptable error experience to your users.|
||Displayed when a user successfully authenticates to the services management web-based administrative UI included with CAS, but the user is not authorized to access that application.|
Warning Before Accessing Application
CAS has the ability to warn the user before being redirected to the service. This allows users to be made aware whenever an application uses CAS to log them in. (If they don’t elect the warning, they may not see any CAS screen when accessing an application that successfully relies upon an existing CAS single sign-on session.) Some CAS adopters remove the ‘warn’ checkbox in the CAS login view and don’t offer this interstitial advisement that single sign-on is happening.
“I am at a public workstation” authentication
CAS has the ability to allow the user to opt-out of SSO, by indicating on the login page that the authentication is happening at a public workstation. By electing to do so, CAS will not honor the subsequent SSO session and will not generate the TGC that is designed to do so.
The CAS Web application includes a number of localized message files:
- English (US)
- Netherlands (Nederlands)
- Swedish (Svenskt)
- Italian (Italiano)
- Chinese (Simplified)
- Dutch (Deutsch)
- Portuguese (Brazil)
In order to “invoke” a specific language for the UI, the
/login endpoint may be passed a
locale parameter as such:
Note that not all languages are complete and accurate across CAS server releases as translations are entirely dependent upon community contributions. For an accurate and complete list of localized messages, always refer to the English language bundle.
All message bundles are marked under
messages_xx.properties files at
WEB-INF/classes. The default language bundle is for the
English language and is thus called
messages.properties. If there are any custom messages that need to be presented into views,
they may also be formatted under
Messages are parsed and loaded via the following configuration:
Messages are then read on each JSP view via the following sample configuration:
In the event that the code is not found in the activated resource bundle, the code itself will be used verbatim.
With the introduction of Service Management application, deployers are now able to switch the themes based on different services. For example, you may want to have different login screens (different styles) for staff applications and student applications. Or, you want to show two layouts for day time and night time. This document could help you go through the basic settings to achieve this.
Note that support for themes comes with the following components:
||can be configured to decorate CAS views based on the
||If there is a need to present an entirely new set of views for a given service, such that the structure and layout of the page needs an overhaul with additional icons, images, text, etc then this component
Configuration of service-specific themes is backed by the Spring framework and provided by the following component:
Furthermore, deployers may be able to use the functionality provided by the
ThemeChangeInterceptor of Spring framework to provide theme configuration per each request.
- Add another theme properties file, which must be placed to the root of
/WEB-INF/classesfolder, name it as
theme_name.properties. Contents of this file should match the
- Specify the name of your theme for the service definition under the
RegisteredServiceThemeBasedViewResolver is an alternate Spring View Resolver that utilizes a service’s
associated theme to selectively choose which set of UI views will be used to generate the standard views (
casLoginView.jsp, etc). This is specially useful in cases where the set of pages for a theme that are targeted
for a different type of audience are entirely different structurally that simply
ServiceThemeResolver is not practical to augment the default views. In such cases, new view pages may be required.
internalViewResolver definition with the following:
c:defaultThemeId value if your default theme is in a different directory than
/WEB-INF/view/jsp/default/. Views associated with a particular theme by default are expected to be found at:
- Clone the default set of view pages into a new directory based on the theme id (i.e.
- Specify the name of your theme for the service definition under the