JOSSO for Tomcat configuration, step by step

Step-by-step configuration for Tomcat 5.0.x


JOSSO (Java Open Single Sign-On) is an open-source, J2EE-based single sign-on (SSO) framework that provides a centralized user authentication mechanism for web applications. For documentation and downloads, see www.josso.org.

This article briefly describes how to configure and use the JOSSO framework in a Tomcat 5.0.x environment.

1. Configuration files

JOSSO's main configuration files are the following:

josso-config.xml
[php]<?xml version="1.0" encoding="ISO-8859-1" ?>
<configuration>
    <hierarchicalXml fileName="josso-agent-config.xml"/>
    <!-- Points to the josso-agent-config.xml file -->
</configuration>[/php]
josso-agent-config.xml
Configures the web applications placed under JOSSO control.
[php]<?xml version="1.0" encoding="ISO-8859-1"?>
<agent>
    <class>org.josso.tc50.agent.CatalinaSSOAgent</class>
    <!--class>org.josso.tc55.agent.CatalinaSSOAgent</class-->
    <!--class>org.josso.jb32.agent.JBossCatalinaSSOAgent</class-->
    <!--class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class-->
    <!-- Login/Logout URLs -->
    <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
    <!--gatewayLoginErrorUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginErrorUrl-->
    <!--
    Useful when working in N-Tier mode behind a reverse proxy or load balancer.
    Here you should place the reverse proxy or load balancer base URL.

    Note : When using this option, the gatewayLoginUrl and gatewayLogoutUrl should also point to this host.

    <singlePointOfAccess>http://reverse-proxy-host:8080</singlePointOfAccess>

    <gatewayLoginUrl>http://reverse-proxy-host:8080/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>http://reverse-proxy-host:8080/josso/signon/logout.do</gatewayLogoutUrl>
    -->
    <!-- Minimum interval between SSO session accesses, in milliseconds -->
    <sessionAccessMinInterval>1000</sessionAccessMinInterval>
    <!-- JOSSO Agent service locator configuration -->
    <service-locator>
        <class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
        <endpoint>localhost:8080</endpoint>
        <!-- Associate an identity to SOAP messages
        <username>wsclient</username>
        <password>wsclientpwd</password>
        -->
        <!-- Enable SSL on the SOAP circuit.
        <transportSecurity>confidential</transportSecurity>
        -->
    </service-locator>
    <!--
    JOSSO Partner application definitions :

    Configure all web applications that should be a JOSSO partner application within this server.
    For each partner application you have to define the proper web-context.
    -->
    <partner-apps>
        <partner-app>
            <context>/partnerapp</context>
            <!-- This is an optional feature :
            You can reference any web resource collection that should not be subject to SSO protection.
            The SSO agent will not provide identity nor demand authentication to requests matching the
            security constraint associated to this web resource collections.
            In order to work, the security constraint must not contain auth-constraints declarations.
            See sample web.xml file from josso partnerapp.
            <security-constraint>
                <ignore-web-resource-collection>public-resources</ignore-web-resource-collection>
            </security-constraint>
            -->
        </partner-app>
        <partner-app>
            <context>/josso_client</context>
        </partner-app>
        <!-- Root context protection
        <partner-app>
            <context>/</context>
        </partner-app>
         -->
    </partner-apps>
</agent>[/php]
The configuration files above must be placed in the CATALINA_HOME/bin directory.

[Note]: CATALINA_HOME is the Tomcat installation directory, e.g. "C:/jakarta-tomcat-5.0.28".
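As an added check, not part of the original article or of JOSSO itself, the Python script below parses a josso-agent-config.xml and flags the settings a deployer should review before moving off localhost: plain-http gateway URLs (credentials and SSO tokens travel over them), the service-locator SOAP channel left without transportSecurity or client credentials, a missing partner-app list or a root context under SSO, and a non-numeric sessionAccessMinInterval. The review criteria are the reviewer's own, not JOSSO requirements; the sample XML is constructed from the article's configuration with the commented-out parts removed.

```python
"""Lint a josso-agent-config.xml for settings worth a second look.

Added example: the checks below are a deployer's review criteria, not
rules enforced by JOSSO. The sample input is constructed to mirror the
article's josso-agent-config.xml so the script runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input, mirroring the article's josso-agent-config.xml
SAMPLE_AGENT_CONFIG = """<agent>
    <class>org.josso.tc50.agent.CatalinaSSOAgent</class>
    <gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
    <gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
    <sessionAccessMinInterval>1000</sessionAccessMinInterval>
    <service-locator>
        <class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
        <endpoint>localhost:8080</endpoint>
    </service-locator>
    <partner-apps>
        <partner-app><context>/partnerapp</context></partner-app>
        <partner-app><context>/josso_client</context></partner-app>
    </partner-apps>
</agent>
"""


def partner_contexts(xml_text: str) -> list:
    """Return the web contexts declared as JOSSO partner applications."""
    root = ET.fromstring(xml_text)
    return [c.text.strip() for c in root.iterfind("partner-apps/partner-app/context") if c.text]


def lint_agent_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means nothing to review."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Gateway URLs: the browser posts credentials and carries the SSO
    #    token through these, so anything other than https is flagged.
    for tag in ("gatewayLoginUrl", "gatewayLogoutUrl"):
        node = root.find(tag)
        value = (node.text or "").strip() if node is not None else ""
        if not value:
            findings.append(f"{tag}: missing")
        elif urlparse(value).scheme != "https":
            findings.append(f"{tag}: not https ({value})")

    # 2. Agent-to-gateway SOAP channel: the sample config leaves both the
    #    transportSecurity setting and the wsclient credentials commented out.
    locator = root.find("service-locator")
    if locator is None:
        findings.append("service-locator: missing")
    else:
        if locator.findtext("transportSecurity", "").strip() != "confidential":
            findings.append("service-locator: transportSecurity is not 'confidential'")
        if not locator.findtext("username", "").strip():
            findings.append("service-locator: no username/password set for the SOAP channel")

    # 3. Partner apps: every protected context must be declared, and a '/'
    #    root context places the whole server under the agent.
    contexts = partner_contexts(xml_text)
    if not contexts:
        findings.append("partner-apps: no partner-app contexts declared")
    if "/" in contexts:
        findings.append("partner-apps: root context '/' is under SSO (intended?)")

    # 4. sessionAccessMinInterval is a millisecond count and must be a
    #    non-negative integer.
    interval = root.findtext("sessionAccessMinInterval", "").strip()
    if not interval.isdigit():
        findings.append(f"sessionAccessMinInterval: not a non-negative integer ({interval!r})")

    return findings


if __name__ == "__main__":
    for finding in lint_agent_config(SAMPLE_AGENT_CONFIG):
        print("REVIEW:", finding)
```

Run against the article's sample configuration the script reports four findings (both gateway URLs on http, no transportSecurity, no SOAP credentials); point it at the real file in CATALINA_HOME/bin to review a deployment.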

2. Tomcat startup script configuration

Add the following lines to catalina.bat
[php]rem Added by JOSSO
set JAVA_OPTS=-Djava.security.auth.login.config=../conf/jaas.conf[/php]
Copy the jaas.conf file into the CATALINA_HOME/conf directory. The contents of jaas.conf are as follows:
[php]josso {
  org.josso.tc50.agent.jaas.SSOGatewayLoginModule required debug=true;
};[/php]
3. Tomcat server.xml

Add the following configuration to CATALINA_HOME/conf/server.xml
[php]<Realm className="org.josso.tc50.agent.jaas.CatalinaJAASRealm"
       appName="josso"
       userClassNames="org.josso.gateway.identity.service.BaseUserImpl"
       roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl"
       debug="1" />[/php]
Add the following at the end of the <Host> element
[php]<Valve className="org.josso.tc50.agent.SSOAgentValve" debug="1"/>[/php]
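The Realm's appName must match the application entry name in jaas.conf (both are "josso" above); if they differ, JAAS finds no LoginModule for the realm and every login fails. As an added example that is not part of the article or of JOSSO, the Python script below parses a server.xml and a jaas.conf and checks that the CatalinaJAASRealm is declared, that its appName resolves to a jaas.conf entry listing SSOGatewayLoginModule, and that every Host carries the SSOAgentValve. The sample server.xml and jaas.conf are constructed from the article's snippets.

```python
"""Cross-check the Tomcat-side JOSSO wiring: server.xml Realm/Valve and jaas.conf.

Added example. The two sample documents are constructed from the article's
snippets; the checks are the reviewer's own consistency rules.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: a minimal server.xml carrying the article's Realm and Valve
SAMPLE_SERVER_XML = """<Server>
  <Service>
    <Engine name="Catalina">
      <Realm className="org.josso.tc50.agent.jaas.CatalinaJAASRealm"
             appName="josso"
             userClassNames="org.josso.gateway.identity.service.BaseUserImpl"
             roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl"
             debug="1" />
      <Host name="localhost">
        <Valve className="org.josso.tc50.agent.SSOAgentValve" debug="1"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed: the article's jaas.conf
SAMPLE_JAAS_CONF = """josso {
  org.josso.tc50.agent.jaas.SSOGatewayLoginModule required debug=true;
};
"""

# JAAS login configuration syntax: `<name> { <module> <flag> [options];... };`
_ENTRY_RE = re.compile(r"^\s*([\w.\-]+)\s*\{(.*?)\};", re.S | re.M)
_MODULE_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b")


def parse_jaas_conf(text: str) -> dict:
    """Map each JAAS application entry name to its list of (module, flag) pairs."""
    return {name: _MODULE_RE.findall(body) for name, body in _ENTRY_RE.findall(text)}


def check_tomcat_wiring(server_xml: str, jaas_conf: str) -> list:
    """Return findings that would stop the JOSSO agent from authenticating users."""
    findings = []
    root = ET.fromstring(server_xml)
    entries = parse_jaas_conf(jaas_conf)

    # The realm hands authentication to JAAS under the name in appName.
    realms = [r for r in root.iter("Realm")
              if r.get("className", "").endswith("CatalinaJAASRealm")]
    if not realms:
        findings.append("server.xml: no CatalinaJAASRealm declared")
    for realm in realms:
        app = realm.get("appName")
        if not app:
            findings.append("Realm: appName attribute missing")
        elif app not in entries:
            findings.append(f"Realm appName {app!r} has no matching entry in jaas.conf")
        elif not any(mod.endswith("SSOGatewayLoginModule") for mod, _ in entries[app]):
            findings.append(f"jaas.conf entry {app!r} does not list SSOGatewayLoginModule")

    # The valve is what intercepts requests to partner apps; each Host needs one.
    hosts = list(root.iter("Host"))
    if not hosts:
        findings.append("server.xml: no Host element found")
    for host in hosts:
        if not any(v.get("className", "").endswith("SSOAgentValve")
                   for v in host.findall("Valve")):
            findings.append(f"Host {host.get('name')!r}: SSOAgentValve not declared")

    return findings


if __name__ == "__main__":
    for finding in check_tomcat_wiring(SAMPLE_SERVER_XML, SAMPLE_JAAS_CONF):
        print("PROBLEM:", finding)
```

With the article's snippets the check returns no findings; renaming either side (for example appName="sso" with the jaas.conf entry still called josso) produces a single finding naming the mismatch.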
4. Runtime libraries

Copy the JOSSO runtime libraries into the CATALINA_HOME/server/lib directory.

The JOSSO runtime libraries can be downloaded from www.josso.org and built with ant build.

5. JOSSO web applications

Copy the JOSSO sample applications into the CATALINA_HOME/webapps directory

josso.war [required]: implements the single sign-on authentication.

partnerapp.war [optional]: sample application.

6. The login form in your web application

Configure the following parameters in the login form of your own web application
[php]<form name="usernamePasswordLoginForm" method="post" action="/josso/signon/usernamePasswordLogin.do">
    <input type="hidden" name="josso_cmd" value="login">
    <input type="hidden" name="josso_back_to" value="">
    <input type="hidden" name="josso_on_error" value="">
    username: <input type="text" name="josso_username">
    password: <input type="password" name="josso_password">
    <input type="submit" value="Login">
</form>[/php]
The parameter names in the form above must not be changed; this form is used for username/password authentication.
[php]<form name="" method="post" action="">
  TODO
</form>[/php]
The form above is used for X509-based authentication.

Source: DIY部落 (http://www.diybl.com/course/1_web/webjs/2007927/74617.html)
