JOSSO在JBOSS中安装与配置

 

1、JOSSO单点登录网关

1.1进入josso/bin目录，执行josso-gsh命令

1.2 安装JOSSO的核心Gateway,执行命令

gateway install --target <JBOSS_HOME> --jboss-instance default -  platform jb42

此命令实际上执行了如下操作：

1.2.1 Copy <JOSSO_HOME> \dist\gateway\config目录下文件至<JBOSS_HOME>\ server\default\conf目录下

1.2.2 Copy <JOSSO_HOME> \dist\gateway\apps目录下josso-gateway-web-1.8.0.war包至<JBOSS_HOME>\ server\default\deploy目录下，并重命名为josso.war
 

2、参与单点登录的Web

2.1进入josso/bin目录，执行josso-gsh命令

2.2安装JOSSO的agent,执行命令

agent install --target <JBOSS_HOME> --jboss-instance default --platform jb42

此命令实际上执行了如下操作：

2.2.1修改JBOSS JAAS(Java Authentication Authorization Service)验证
注释默认验证：   <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"

修改%JAVA_HOME%\server\default\deploy\jboss-web.deployer目录下的server.xml的JAAS验证，用SSO验证，添加

<Realm className="org.josso.jb42.agent.JBossCatalinaRealm" appName="josso"

userClassNames="org.josso.gateway.identity.service.BaseUserImpl"

roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl" debug="1" />

2.2.2修改%JBOSS_HOME%\server\default\conf目录下的login-config.xml文件

添加Josso的login模型。

<application-policy name = "josso">

<authentication>

<login-module code ="org.josso.jb4.agent.JBossSSOGatewayLoginModule" flag= "required">

<module-option name="debug">true</module-option>

</login-module>

</authentication>

</application-policy>
 

2.2.3修改%JAVA_HOME%\server\default\deploy\jboss-web.deployer目录下的server.xml大约在87行，在下面的代码后面添加SSO代理，在Host节点中添加SSO代理

<Valve className="org.josso.tc55.agent.SSOAgentValve" debug="1"/>

2.2.4在<JBOSS_HOME>\ server\default\conf目录下新建josso-agent-config.xml文件，此文件可在下载的JOSSO包中找到，服务器版本不同，此文件都不同，主要配置修改2个地方

<!-- Gateway LOGIN and LOGOUT URLs -->

<gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>

<gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>

这里是配置josso服务器的login和logout的url

需要加入认证的app

<agent:partner-apps>

<!-- Simple definition of a partner application -->

<agent:partner-app id="MySimplePartnerApp" context="/simple-partnerapp"/>

<agent:partner-app id="MyPartnerApp1" context="/partnerapp" >

</agent:partner-apps>

2.2.5 从<JOSSO_HOME>\lib目录COPY相关jar包到<JBOSS_HOME>\server\default\lib目录

 

 

2.3对Web应用进行改造
2.3.1 修改web.xml 安全策略

修改Web应用的web.xml文件，在其最后添加<security-constraint>、<security- role>等配置，设置相应Web应用中哪些角色对应用哪些资源具有访问权限，即在这里可以根据需要配置不同的角色，对应于不同的资源访问权限。如：
    <security-constraint>
        <!-- Sample Security Constraint -->
        <web-resource-collection>
            <!-- We're going to protect this resource and make it available only to users in "role1". -->
            <web-resource-name>public-resources</web-resource-name>
            <url-pattern>/resources/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <!--
        No roles required, it means that this are public resources !
        Usefull to tell JOSSO that resources matching this security constraint
        should not be subject to SSO protection.
        -->
    </security-constraint>
    <security-constraint>
        <!-- Sample Security Constraint -->
        <web-resource-collection>
            <!-- We're going to protect this resource and make it available only to users in "role1". -->
            <web-resource-name>protected-resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <!-- NOTE: This role names will be retrieved by Josso using the proper identity store. -->
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
                    <!-- We only need tomcat to redirect the user -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <!--
            NOTE: This will redirect the user to the proper login page provided by JOSSO.
            -->
            <form-login-page>/login-redirect.jsp</form-login-page>
            <form-error-page>/login-redirect.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role >
        <description>Role 1</description>
        <role-name>role1</role-name>
    </security-role>
在项目根目录下新增login-redirect.jsp页面，代码如下：

<%@page contentType="text/html; charset=UTF-8" language="java" session="true" %>

<!--

Redirects the user to the proper login page.  Configured as the login url the web.xml for this application.

-->

<%response.sendRedirect(request.getContextPath() + "/josso_login/");%>
2.3.2 修改jboss-web.xml

设置<security-domain>，必须与login-config.xml中的josso login模型名称一致，我这里名称为josso，故配置为java:/jaas/josso，如：
<jboss-web>
    <security-domain>java:/jaas/josso</security-domain>
    <context-root>/</context-root>
</jboss-web>