JIRA 整合單點登入系統 CAS

摘要： JIRA 是一個非常優秀的專案管理工具，可以幫助我們缺陷管理和任務追蹤。關於 JIRA 這裡不多做介紹。JIRA 本身有完善的賬號系統，但是因為很多公司包括我們自己有自己的單點登入系統，比如我們自己搭建的 CAS。所以如果能把 JIRA 接入 CAS 才是理想的方案。這裡介紹一下 J...

JIRA 是一個非常優秀的專案管理工具，可以幫助我們缺陷管理和任務追蹤。關於 JIRA 這裡不多做介紹。JIRA 本身有完善的賬號系統，但是因為很多公司包括我們自己有自己的單點登入系統，比如我們自己搭建的 CAS。所以如果能把 JIRA 接入 CAS 才是理想的方案。這裡介紹一下 JIRA 整合 CAS 的方案。

這裡我們是用 docker 部署的 JIRA 7.x, 理論上 JIRA 7.x 不管是 docker 方式還是直接在宿主機上安裝，我們的整合方案都是適用的。

## 整合方案

Step 1

下載兩個 jar 包cas-client-core-3.3.3.jar ,cas-client-integration-atlassian-3.5.0-jira7.jar .

下載地址在這裡

Step 2

• 編寫好如下內容

  <!-- CAS:START - Java Client Filters -->
  
  <filter>
  <filter-name>CasSingleSignOutFilter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value> Include your CAS login here </param-value>
  </init-param>
  <init-param>
  <param-name>serverName</param-name>
  <param-value> include your JIRA url here </param-value>
  </init-param>
  </filter>
  <filter>
  <filter-name>CasValidationFilter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
  <param-name>casServerUrlPrefix</param-name>
  <param-value>Include your CAS address</param-value>
  </init-param>
  <init-param>
  <param-name>serverName</param-name>
  <param-value>include your JIRA url here</param-value>
  </init-param>
  <init-param>
  <param-name>redirectAfterValidation</param-name>
  <param-value>true</param-value>
  </init-param>
  </filter>
  
  <!--- CAS:END -->
  

• 將上面的配置複製進web.xml 大概380行的位置THIS MUST BE THE LAST FILTER IN THE DEFINED CHAIN 的上面

• 在大概 640行的位置

  <filter-mapping>
  <filter-name>login</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher> <!-- we want security/login to be applied after urlrewrites, for example -->
  </filter-mapping>
  

  在這部分的上面複製以下的配置

  <!-- CAS:START - Java Client Filter Mappings -->
   
  <filter-mapping>
  <filter-name>CasSingleSignOutFilter</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
  <filter-name>CasAuthenticationFilter</filter-name>
  <url-pattern>/default.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
  <filter-name>CasValidationFilter</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  
  <!-- CAS:END -->
  

Step 3

修改seraph-config.xml
和web.xml 類似，只是路徑變為/opt/atlassian/jira/atlassian-jira/WEB-INF/classes/

• 修改這部分內容

  <init-param>
  <!--
  The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
  an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
  - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
  - else the context path will be prepended to this URL
   
  If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
  This gives SSO login pages the chance to redirect to the original page
  -->
  <param-name>login.url</param-name>
  <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
  <param-value>add your CAS login URL here</param-value>
  </init-param>
  <init-param>
  <!--
  the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
  trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
  - same properties as login.url above
  -->
  <param-name>link.login.url</param-name>
  <!--<param-value>/login.jsp?os_destination=${originalurl}</param-value>-->
  <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
  <param-value>add your CAS login URL here</param-value>
  </init-param>
  <init-param>
  <!-- URL for logging out.
  - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
  - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
  -->
  <param-name>logout.url</param-name>
  <!--<param-value>/secure/Logout!default.jspa</param-value>-->
  <param-value>add your CAS LOGOUT URL here</param-value>
  </init-param>
  

• 大概 95 行的位置註釋掉SSOSeraphAuthenticator 和JIRASeraphAuthenticator 的部分

• 用下面的部分替代JIRASeraphAuthenticator

  <authenticatorclass="org.jasig.cas.client.integration.atlassian.Jira7CasAuthenticator">
  <init-param>
  <param-name>casServerUrlPrefix</param-name>
  <param-value>include your cas server here</param-value>
  </init-param>
  <init-param>
  <param-name>serverName</param-name>
  <param-value>include your JIRA server URL</param-value>
  </init-param>
  </authenticator>
  

step 4

把準備好的 jar 包和配置檔案複製進 JIRA 響應的目錄

如果是宿主機安裝方式直接複製即可

我們採用 docker 安裝， 所以修改一下 dockerfile

COPY crack/cas-client-core-3.3.3.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/
COPY crack/cas-client-integration-atlassian-3.5.0-jira7.jar /opt/atlassian/jira/atlassian-jira/WEB-INF/lib/
COPY crack/web.xml /opt/atlassian/jira/atlassian-jira/WEB-INF/
COPY crack/seraph-config.xml /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/

至此，我們重啟 JIRA 載入新的 jar 包和配置檔案，JIRA 與 CAS 的整合就完成了，應該就可以用 CAS 的賬號登入 JIRA。