
https://github.com/apereo/java-cas-client/tree/master/cas-client-integration-Atlassian

https://apereo.atlassian.net/wiki/spacedirectory/view.action

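Approach to integrating CAS with JIRA

  • The CAS client works through CAS filters and listeners configured in the client application. They are placed first so they can track the subsystem's sessions and receive commands sent by the CAS server.
  • JIRA has its own login/logout verification mechanism; JIRA login relies mainly on the authenticator com.atlassian.jira.security.login.JiraSeraphAuthenticator.
  • So adding the CAS client dependencies to JIRA's configuration and replacing JIRA's authenticator is enough to integrate CAS. The CAS project already provides the relevant jars and configuration instructions.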

Procedure

JIRA_HOME:

war/jar format: ${install_url}/webapps

Import the required dependency jars:

  1. Download the CAS client jar cas-client-core-xyz.jar and the CAS integration jar for JIRA and Confluence, cas-client-integration-atlassian-xyz.jar.
    This guide uses cas-client-core-3.4.1.jar and cas-client-integration-atlassian-3.4.1.jar.
  2. Place the jars in JIRA_HOME/atlassian-jira/WEB-INF/lib, as shown in the figure below.


Configure web.xml:

Edit web.xml under JIRA_HOME/atlassian-jira/WEB-INF and add the CAS client listener and filters, placing them first.

web.xml
<!-- The single sign-out listener goes first -->
 <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    

<!-- The single sign-out filter, used for single sign-out, goes second -->
     <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>   <!-- casServerUrlPrefix: address of the CAS server -->
            <param-value>https://iquantex.com:8445/cas</param-value>
        </init-param>
    </filter>

   
    <!-- CAS authentication filter: checks whether the user is logged in on the CAS client; if not, redirects to the CAS server login -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--<filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>-->
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name> <!-- casServerLoginUrl: address of the CAS server login page -->
            <param-value>https://iquantex.com:8445/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name> <!-- serverName: address of the CAS client -->
            <param-value>http://localhost:8089</param-value>
        </init-param>
    </filter>

<!-- CAS ticket validation filter: submits the ticket to the CAS server for validation; on success the user information is obtained -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <!--<filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>-->
        <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://iquantex.com:8445/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost:8089</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
     
    </filter>

    <!-- Use request.getUserPrincipal() to obtain the user information -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Configure seraph-config.xml:

Go to JIRA_HOME/atlassian-jira/WEB-INF/classes:

Edit seraph-config.xml

seraph-config.xml
 <init-param>
            <param-name>login.url</param-name>
            <!-- Comment out JIRA's own login URL -->
            <!-- <param-value>/login.jsp?permissionViolation=true&amp;os_destination=${originalurl}&amp;page_caps=${pageCaps}&amp;user_role=${userRole}</param-value> -->
            <!-- Change the default login URL to the CAS server login URL -->
            <param-value>https://iquantex.com:8445/cas/login?service=${originalurl}</param-value> 
            <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
             <!-- Comment out JIRA's own link.login.url -->
            <!-- <param-value>/login.jsp?os_destination=${originalurl}</param-value> -->
            <!-- Change it to the CAS server login URL -->
            <param-value>https://iquantex.com:8445/cas/login?service=${originalurl}</param-value> 
            <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
            <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
        </init-param>
        <init-param>
            <!-- URL for logging out.
                 - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
                 - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
                 -->
            <param-name>logout.url</param-name>
            <!-- Comment out JIRA's own logout URL -->
            <!-- <param-value>/secure/Logout!default.jspa</param-value> -->
            <!-- Change it to the CAS server logout URL -->
            <param-value>https://iquantex.com:8445/cas/logout</param-value>
            <!--<param-value>http://sso.mycompany.com/logout</param-value>-->
        </init-param>


Replace the authenticator:

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/> -->
    <!-- Comment out JIRA's own authenticator and replace it with the one provided by CAS -->
    <authenticator class="org.jasig.cas.client.integration.atlassian.Jira44CasAuthenticator"/>










1 Comment

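  1. There is a problem here: this does implement CAS single sign-on, but it affects the integration between JIRA and Confluence.

    One needs to understand that after a single CAS authentication, no further authentication against CAS takes place.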