...
Later a channel wants access to a backend protected by CAS. The channel makes a call to a method in the CAS security provider which returns a proxy ticket. It then attaches that to the connection to the back end. To validate the ticket, the back end calls CAS proxy authentication service and gets back: y/n for success or failure netid in case of success AND the ssl url of intervening proxies (the url in our case of the CAS proxy ticket acceptor servlet). The application decides whether the url of the proxy is acceptable and if so responds with the requested data. The servlet filter provided in the CAS client package contains code to support the proxy authentication so you can use that or use it as an example.
Originally answered by: ~susan.bramhall@yale.edu Unlicensed user on the CAS mailing list.