https://github.com/apereo/java-cas-client/tree/master/cas-client-integration-Atlassian
https://apereo.atlassian.net/wiki/spacedirectory/view.action
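Approach to integrating CAS with JIRA
- The CAS client works by configuring the CAS filters and listener in the client application, placed ahead of everything else, so that they can track the subsystem's sessions and receive commands sent by the CAS server.
- JIRA has its own mechanism for verifying user login and logout; login relies mainly on the authenticator com.atlassian.jira.security.login.JiraSeraphAuthenticator.
- So adding the CAS client dependencies to JIRA's configuration and replacing JIRA's authenticator is enough to integrate CAS. The CAS project already provides the necessary jars and configuration instructions.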
Procedure
JIRA_HOME:
war/jar format: ${install_url}/webapps
Import the dependency jars:
- Download the CAS client jar cas-client-core-xyz.jar and the CAS integration jar for JIRA and Confluence, cas-client-integration-atlassian-xyz.jar. This walkthrough uses cas-client-core-3.4.1.jar and cas-client-integration-atlassian-3.4.1.jar.
- Place the jars in JIRA_HOME/atlassian-jira/WEB-INF/lib.
Configure web.xml:
Edit web.xml under JIRA_HOME/atlassian-jira/WEB-INF and add the CAS client listener and filters ahead of the existing entries.
web.xml
<!-- The single sign-out listener goes first -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- The single sign-out filter, used for single sign-out, goes second -->
<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <!-- casServerUrlPrefix is the address of the CAS server -->
        <param-value>https://iquantex.com:8445/cas</param-value>
    </init-param>
</filter>

<!-- The CAS authentication filter checks whether the user is logged in to the CAS client; if not, it redirects to the CAS server login -->
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <!--<filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>-->
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <!-- casServerLoginUrl is the address of the CAS server login page -->
        <param-value>https://iquantex.com:8445/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <!-- serverName is the address of the CAS client -->
        <param-value>http://localhost:8089</param-value>
    </init-param>
</filter>

<!-- The CAS ticket validation filter submits the ticket to the CAS server for validation; on success the user information is obtained -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <!--<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>-->
    <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://iquantex.com:8445/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8089</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>useSession</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Lets the application read the user via request.getUserPrincipal() -->
<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Configure seraph-config.xml:
Go to JIRA_HOME/atlassian-jira/WEB-INF/classes and edit seraph-config.xml.
seraph-config.xml
<init-param>
    <param-name>login.url</param-name>
    <!-- Comment out JIRA's own login URL -->
    <!-- <param-value>/login.jsp?permissionViolation=true&os_destination=${originalurl}&page_caps=${pageCaps}&user_role=${userRole}</param-value> -->
    <!-- Change the default login URL to the CAS server login URL -->
    <param-value>https://iquantex.com:8445/cas/login?service=${originalurl}</param-value>
    <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
</init-param>
<init-param>
    <param-name>link.login.url</param-name>
    <!-- Comment out JIRA's own link.login.url -->
    <!-- <param-value>/login.jsp?os_destination=${originalurl}</param-value> -->
    <!-- Change it to the CAS server login URL -->
    <param-value>https://iquantex.com:8445/cas/login?service=${originalurl}</param-value>
    <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
    <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
</init-param>
<init-param>
    <!-- URL for logging out.
         - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
         - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL -->
    <param-name>logout.url</param-name>
    <!-- Comment out JIRA's own logout URL -->
    <!-- <param-value>/secure/Logout!default.jspa</param-value> -->
    <!-- Change it to the CAS server logout URL -->
    <param-value>https://iquantex.com:8445/cas/logout</param-value>
    <!--<param-value>http://sso.mycompany.com/logout</param-value>-->
</init-param>
Change the authenticator:
<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
<!-- Comment out JIRA's own authenticator and replace it with the one provided by CAS -->
<authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/>
1 Comment
红旗公
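The problem here is that this does implement CAS single sign-on, but it affects the integration between JIRA and Confluence.
You need to be aware that after CAS has authenticated once, no further authentication against CAS takes place.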