for tomcat 5.0.x 配置 step by step
josso(Java Open Single Sign-On)是一个开源的基于J2EE的单点登录(SSO - Single Sign-On)架构,他提供了针对web应用的集中用户验证机制。相关文档及下载请访问www.josso.org。
本文简单介绍了在tomcat 5.0.x环境下如何配置及应用josso架构。
1、配置文件
josso的几个主要的配置文件如下:
josso-config.xml
[php]<?xml version="1.0" encoding="ISO-8859-1" ?>
<configuration>
<hierarchicalXml fileName="josso-agent-config.xml"/>
<!-- 指定josso-agent-config.xml文件 -->
</configuration>[/php]
josso-agent-config.xml
配置在josso控制下的web应用。
[php]<?xml version="1.0" encoding="ISO-8859-1"?>
<agent>
<class>org.josso.tc50.agent.CatalinaSSOAgent</class>
<!--class>org.josso.tc55.agent.CatalinaSSOAgent</class-->
<!--class>org.josso.jb32.agent.JBossCatalinaSSOAgent</class-->
<!--class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class-->
<!-- Login/Logout URLs -->
<gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
<gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
<!--gatewayLoginErrorUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginErrorUrl-->
<!--
Usefull when working in N-Tier modes behind a reverse proxy or load balancer
Here you should place the reverse proxy or load balancer base URL.
Note : When using this options, the gatewayLoginURL and gatewayLogoutURL should also point to this host.
<singlePointOfAccess>http://reverse-proxy-host:8080</singlePointOfAccess>
<gatewayLoginUrl>http://reverse-proxy-host:8080/josso/signon/login.do</gatewayLoginUrl>
<gatewayLogoutUrl>http://reverse-proxy-host:8080/josso/signon/logout.do</gatewayLogoutUrl>
-->
<!-- Mininum interval between sso session access , in milliseconds -->
<sessionAccessMinInterval>1000</sessionAccessMinInterval>
<!-- JOSSO Agent service locator configuration -->
<service-locator>
<class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
<endpoint>localhost:8080</endpoint>
<!-- Associate an identity to SOAP messages
<username>wsclient</username>
<password>wsclientpwd</password>
-->
<!-- Enabled SSL on the SOAP circuit.
<transportSecurity>confidential</transportSecurity>
-->
</service-locator>
<!--
JOSSO Parnter application definicions :
Configure all web applications that should be a josso partner application within this server.
For each partner application you have to define the propper web-context.
-->
<partner-apps>
<partner-app>
<context>/partnerapp</context>
<!-- This is an optional feature :
You can reference any web resource collection that should not be subject to SSO protection.
The SSO agent will not provide identity nor demand authentication to requests matching the
security constraint associated to this web resource collections.
In order to work, the security constraint must not contain auth-constraints declarations.
See sample web.xml file from josso partnerapp.
<security-constraint>
<ignore-web-resource-collection>public-resources</ignore-web-resource-collection>
</security-constraint>
-->
</partner-app>
<partner-app>
<context>/josso_client</context>
</partner-app>
<!-- Root context protection
<partner-app>
<context>/</context>
</partner-app>
-->
</partner-apps>
</agent>[/php]
上述配置文件要放到CATALINA_HOME/bin目录下
[注]:CATALINA_HOME即tomcat安装目录,如“C:/jakarta-tomcat-5.0.28”。
2、tomcat启动文件的配置
在 catalina.bat 中增加如下代码
[php]rem Added by JOSSO
set JAVA_OPTS=-Djava.security.auth.login.config=../conf/jaas.conf[/php]
将 jaas.conf 文件拷贝到 CATALINA_HOME/conf 目录下,jaas.conf文件内容如下:
[php]josso {
org.josso.tc50.agent.jaas.SSOGatewayLoginModule required debug=true;
};[/php]
3、tomcat server.xml
在CATALINA_HOME/conf/server.xml中增加如下配置
[php]<Realm className="org.josso.tc50.agent.jaas.CatalinaJAASRealm"
appName="josso"
userClassNames="org.josso.gateway.identity.service.BaseUserImpl"
roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl"
debug="1" />[/php]
在<host>标签内的最后增加如下
[php]<Valve className="org.josso.tc50.agent.SSOAgentValve" debug="1"/>[/php]
4、运行库
将 josso 的运行库拷贝到 CATALINA_HOME/server/lib 目录下。
josso运行库可在www.josso.org下载并通过ant build得到。
5、josso web应用
将 josso 的示例应用拷贝到 CATALINA_HOME/webapps 目录下
josso.war [必须],用来实现单点登录验证。
partnerapp.war [可选],示例应用。
6、web应用中的登录框
在自己的web应用的登录框form中配置如下参数
[php]<form name="usernamePasswordLoginForm" method="post" action="/josso/signon/usernamePasswordLogin.do">
<input type="hidden" name="josso_cmd" value="login">
<input type="hidden" name="josso_back_to" value="">
<input type="hidden" name="josso_on_error" value="">
username: <input type="text" name="josso_username">
password: <input type="password" name="josso_password">
<input type="submit" value="Login" ></td></tr>
</form>[/php]
上面form中的各参数名称不能更改,适用于用“用户名/口令”方式进行的验证。
[php]<form name="" method="post" action="">
TODO
</form>[/php]
上面form适用于X509方式进行的验证。
文章出处:DIY部落(http://www.diybl.com/course/1_web/webjs/2007927/74617.html)