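Integrating JIRA with the CAS Single Sign-On System
JIRA is an excellent project management tool that helps with defect management and task tracking, so it needs no further introduction here. JIRA ships with a complete account system of its own, but many companies, ours included, run their own single sign-on system, such as the CAS server we set up ourselves. Connecting JIRA to CAS is therefore the ideal arrangement, and this post describes how to do it.
We deploy JIRA 7.x with docker. In theory the integration described here applies to JIRA 7.x whether it runs in docker or is installed directly on the host.
## Integration steps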
Step 1
Download two JAR files: `cas-client-core-3.3.3.jar` and `cas-client-integration-atlassian-3.5.0-jira7.jar`.
The download location is here.
Step 2
`web.xml`
If JIRA is installed directly on the host (Linux), edit `/opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml` (the default path).
If JIRA runs in docker, first copy `web.xml` out of the container:

```bash
docker cp container_id:/opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml .
```

Prepare the following content:
```xml
<!-- CAS:START - Java Client Filters -->
<filter>
    <filter-name>CasSingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
    <filter-name>CasAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>Include your CAS login here</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>include your JIRA url here</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>Include your CAS address</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>include your JIRA url here</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- CAS:END -->
```

Copy the configuration above into `web.xml` at around line 380, above the line `THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN`.

At around line 640 there is this section:
```xml
<filter-mapping>
    <filter-name>login</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher> <!-- we want security/login to be applied after urlrewrites, for example -->
</filter-mapping>
```

Copy the following configuration in above that section:
```xml
<!-- CAS:START - Java Client Filter Mappings -->
<filter-mapping>
    <filter-name>CasSingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/default.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:END -->
```
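
An added check, not part of the original post: this Python sketch parses a `web.xml` and flags the mistakes Step 2 is most prone to, namely CAS filter mappings that are out of order or below the `login` mapping, and URL parameters still holding placeholder text. The requirement that every URL be `https://` and the sample hostname are assumptions of this example.

```python
import xml.etree.ElementTree as ET

CAS_ORDER = ["CasSingleSignOutFilter", "CasAuthenticationFilter", "CasValidationFilter"]
URL_PARAMS = {"casServerLoginUrl", "casServerUrlPrefix", "serverName"}

def _children(el, name):
    # web.xml usually declares a default namespace, so compare local names only
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def _text(el, name):
    found = _children(el, name)
    return (found[0].text or "").strip() if found else ""

def check_web_xml(xml_text):
    """Return a list of problems found in the CAS part of a JIRA web.xml."""
    root = ET.fromstring(xml_text)
    problems = []
    order = [_text(m, "filter-name") for m in _children(root, "filter-mapping")]
    missing = [n for n in CAS_ORDER if n not in order]
    if missing:
        return ["no filter-mapping for " + ", ".join(missing)]
    positions = [order.index(n) for n in CAS_ORDER]
    if positions != sorted(positions):
        problems.append("CAS filter-mappings are not in the order given in Step 2")
    if "login" in order and max(positions) > order.index("login"):
        problems.append("CAS filter-mappings must sit above the 'login' mapping")
    for flt in _children(root, "filter"):
        if _text(flt, "filter-name") not in CAS_ORDER:
            continue
        for param in _children(flt, "init-param"):
            name, value = _text(param, "param-name"), _text(param, "param-value")
            # Added hardening check (assumption): every CAS/JIRA URL is https
            if name in URL_PARAMS and not value.startswith("https://"):
                problems.append(f"{name} is not an https URL: {value!r}")
    return problems

# Constructed sample: one placeholder left in place, CAS mappings below 'login'
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>CasAuthenticationFilter</filter-name>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>Include your CAS login here</param-value></init-param>
    <init-param><param-name>serverName</param-name>
      <param-value>https://jira.example.com</param-value></init-param></filter>
  <filter-mapping><filter-name>login</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CasSingleSignOutFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CasAuthenticationFilter</filter-name><url-pattern>/default.jsp</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CasValidationFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print("\n".join(check_web_xml(SAMPLE)))
```

Run it against the `web.xml` copied out of the container before building the image; an empty result means the CAS section matches the layout described in Step 2.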
Step 3
Modify `seraph-config.xml`. The procedure is the same as for `web.xml`, except that the path is `/opt/atlassian/jira/atlassian-jira/WEB-INF/classes/`.

Modify this section:
```xml
<init-param>
    <!--
      The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
      an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
      - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
      - else the context path will be prepended to this URL

      If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
      This gives SSO login pages the chance to redirect to the original page
    -->
    <param-name>login.url</param-name>
    <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
    <param-value>add your CAS login URL here</param-value>
</init-param>
<init-param>
    <!--
      the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
      trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
      - same properties as login.url above
    -->
    <param-name>link.login.url</param-name>
    <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
    <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
    <param-value>add your CAS login URL here</param-value>
</init-param>
<init-param>
    <!--
      URL for logging out.
      - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
      - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
    -->
    <param-name>logout.url</param-name>
    <!--<param-value>/secure/Logout!default.jspa</param-value>-->
    <param-value>add your CAS LOGOUT URL here</param-value>
</init-param>
```

At around line 95, comment out the `SSOSeraphAuthenticator` and `JIRASeraphAuthenticator` sections.

Use the following in place of `JIRASeraphAuthenticator`:
```xml
<authenticator class="org.jasig.cas.client.integration.atlassian.Jira7CasAuthenticator">
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>include your cas server here</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>include your JIRA server URL</param-value>
    </init-param>
</authenticator>
```
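Step 4
Copy the prepared JAR files and configuration files into the corresponding JIRA directories.
For a host installation, simply copy them into place.
We install with docker, so we modify the Dockerfile instead: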
```dockerfile
COPY crack/cas-client-core-3.3.3.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/
COPY crack/cas-client-integration-atlassian-3.5.0-jira7.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/
COPY crack/web.xml /opt/atlassian/jira/atlassian-jira/WEB-INF/
COPY crack/seraph-config.xml /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/
```
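
Finally, restart JIRA so that it loads the new JAR files and configuration files. The JIRA and CAS integration is then complete, and you should be able to log in to JIRA with CAS accounts.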