Apache Wicket CAS Client

Basic CAS client developed on Apache Wicket 1.5.2. It only handles authentication (not an authorization strategy). Pages that need CAS authentication just have to extend this class.

 

import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.Session;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.pages.RedirectPage;
import org.apache.wicket.model.IModel;
import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
import org.apache.wicket.request.IRequestParameters;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.util.string.StringValue;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
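/**
 * Basic CAS-authenticated web page for Wicket 1.5.2.
 *
 * <p>Import this class into your project and let every page that must be
 * protected by CAS extend it. The class only performs authentication; it
 * does not implement any authorization strategy.</p>
 *
 * <p>Flow, as implemented in {@link #onBeforeRender()}: if the request
 * carries a {@code ticket} query parameter it is validated against the CAS
 * server; on success the user name is stored in the Wicket session and the
 * page is reloaded without the ticket. If the session is not marked as
 * authenticated, the browser is sent to the CAS login page.</p>
 *
 * <p>NOTE(review): the check runs in {@code onBeforeRender()}, i.e. after the
 * subclass constructor has already executed. Subclasses should not load or
 * expose protected data in their constructors. {@code setResponsePage()} is
 * used for the redirect; confirm that the current page is not rendered to an
 * unauthenticated client before the redirect takes effect.</p>
 *
 * @author Alexandre de Pellegrin - ESSEC Business School
 */
public class CasAuthenticatedWebPage extends WebPage {

    /** Session key which indicates if the user is already authenticated. */
    private static final String SSO_FLAG_AUTHENTICATED = "SSO_FLAG_AUTHENTICATED";

    /** URL parameter used by the CAS server to hand back the service ticket. */
    private static final String SSO_TICKET_URL_PARAM = "ticket";

    /** Session key holding the currently authenticated user name. */
    private static final String SSO_USER_NAME = "SSO_USER_NAME";

    /** Charset used when encoding the service URL into the login redirect. */
    private static final String URL_ENCODING = "UTF-8";

    /**
     * Your CAS server base URL. Don't forget to change it.
     * Example: {@code https://my_cas_server/cas/}.
     *
     * <p>This field is public, static and mutable so that the application can
     * configure it at start-up. Any code in the same class loader can change
     * it, which would redirect ticket validation to another server: set it
     * once during initialisation and always use an {@code https} URL.</p>
     */
    public static String SSO_CAS_BASE_URL = "https://my_cas_server/cas/";

    /**
     * Creates the page without parameters.
     *
     * @deprecated use {@link #CasAuthenticatedWebPage(PageParameters)} instead
     */
    @Deprecated
    public CasAuthenticatedWebPage() {
        super();
        // Intentionally still usable: the service ticket is read from the
        // current request's query parameters, not from the page parameters.
    }

    /**
     * Creates the page with a model.
     *
     * @param model the page model
     * @deprecated use {@link #CasAuthenticatedWebPage(PageParameters)} instead
     */
    @Deprecated
    public CasAuthenticatedWebPage(IModel<?> model) {
        super(model);
        // Intentionally still usable: the service ticket is read from the
        // current request's query parameters, not from the page parameters.
    }

    /**
     * Default constructor.
     *
     * @param parameters the page parameters of the current request
     */
    public CasAuthenticatedWebPage(PageParameters parameters) {
        super(parameters);
    }

    /**
     * Validates an incoming service ticket, if any, and redirects to the CAS
     * login page when the session is not authenticated.
     */
    @Override
    protected void onBeforeRender() {
        super.onBeforeRender();
        if (isTicketToValidate() && validateTicket()) {
            // Drop the one-time ticket from the URL before showing the page.
            reloadPage();
            return;
        }
        if (!isAuthenticated()) {
            redirectToLoginPage();
        }
    }

    /**
     * @return true if the user has already been authenticated on the CAS server
     */
    private boolean isAuthenticated() {
        Serializable flag = getSession().getAttribute(SSO_FLAG_AUTHENTICATED);
        // Fail closed: only the exact value written by validateTicket() counts.
        return Boolean.TRUE.equals(flag);
    }

    /**
     * Redirects to the CAS login page, passing this page's URL as the
     * {@code service} parameter.
     */
    private void redirectToLoginPage() {
        String casBaseUrl = SSO_CAS_BASE_URL;
        // The documented base URL ends with "/"; avoid producing "//login".
        if (casBaseUrl.endsWith("/")) {
            casBaseUrl = casBaseUrl.substring(0, casBaseUrl.length() - 1);
        }
        // The service URL is a query-string value and must be percent-encoded,
        // otherwise characters such as '&', '#' or ';' in it would be
        // interpreted as part of the login URL itself.
        String loginUrl = casBaseUrl + "/login?service=" + encodeQueryValue(getPagePublicURL());
        setResponsePage(new RedirectPage(loginUrl));
    }

    /**
     * Percent-encodes a value for use inside a URL query string.
     *
     * @param value the raw value
     * @return the encoded value
     */
    private static String encodeQueryValue(String value) {
        try {
            return URLEncoder.encode(value, URL_ENCODING);
        } catch (UnsupportedEncodingException e) {
            throw new WicketRuntimeException(URL_ENCODING + " is not supported by this JVM", e);
        }
    }

    /**
     * Reloads the page without the service ticket to avoid multiple submits
     * with the same ticket.
     */
    private void reloadPage() {
        setResponsePage(new RedirectPage(getPagePublicURL()));
    }

    /**
     * Returns the name stored in the session by a successful ticket validation.
     *
     * <p>When no user is stored, the result is the literal string
     * {@code "null"}, not a {@code null} reference; callers must not treat
     * that value as a real user name.</p>
     *
     * @return the authenticated principal name
     */
    public String getUser() {
        Serializable userName = getSession().getAttribute(SSO_USER_NAME);
        return String.valueOf(userName);
    }

    /**
     * @return true if there's a CAS service ticket in the current request
     */
    private boolean isTicketToValidate() {
        return !getTicket().isNull();
    }

    /**
     * @return the current CAS service ticket, read from the query parameters
     */
    private StringValue getTicket() {
        Request request = RequestCycle.get().getRequest();
        IRequestParameters queryParameters = request.getQueryParameters();
        return queryParameters.getParameterValue(SSO_TICKET_URL_PARAM);
    }

    /**
     * Validates the CAS service ticket on the CAS server and, on success,
     * marks the session as authenticated.
     *
     * @return true if the ticket was accepted by the CAS server
     */
    private boolean validateTicket() {
        StringValue ticket = getTicket();
        if (ticket.isNull()) {
            return false;
        }
        String ticketValue = ticket.toString();
        String pageURL = getPagePublicURL();
        try {
            Cas20ServiceTicketValidator ticketValidator =
                    new Cas20ServiceTicketValidator(SSO_CAS_BASE_URL);
            Assertion assertion = ticketValidator.validate(ticketValue, pageURL);
            AttributePrincipal principal = assertion.getPrincipal();
            String user = principal.getName();
            Session session = getSession();
            // Session-fixation defence: issue a fresh session id before the
            // session becomes an authenticated one. This resets the session,
            // so it has to happen before the attributes are written.
            session.replaceSession();
            session.setAttribute(SSO_FLAG_AUTHENTICATED, Boolean.TRUE);
            session.setAttribute(SSO_USER_NAME, user);
            return true;
        } catch (TicketValidationException e) {
            // A rejected ticket discards the whole session, including any
            // previously authenticated state.
            getSession().invalidate();
        }
        return false;
    }

    /**
     * Returns the URL of the current request without its query string.
     *
     * <p>NOTE(review): the value comes from
     * {@code HttpServletRequest.getRequestURL()}, which is built from
     * request data. It is used both as the CAS {@code service} URL and as
     * the redirect target after login, so the CAS server's service registry
     * and the front-end proxy should restrict the accepted host names;
     * confirm for your deployment.</p>
     *
     * @return the url of this page as seen by the browser
     */
    private String getPagePublicURL() {
        ServletWebRequest servletWebRequest = (ServletWebRequest) RequestCycle.get().getRequest();
        HttpServletRequest containerRequest = servletWebRequest.getContainerRequest();
        return containerRequest.getRequestURL().toString();
    }
}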