星期二, 三月 20, 2007

JBOSS上部署JOSSO单点登录组件

本文主要阐述在编译,打包和在JBOSS上部署和运行JOSSO单点登陆程序的步骤,认证数据存放Mysql数据库

####################################
建立基础数据库

选择认证信息存放介质,本文考虑用mysql数据库


mysql 连接信息为:
"com.mysql.jdbc.Driver"
"jdbc:mysql://localhost/test"
下载mysql jdbc驱动
把驱动程序放到
$JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/ 目录下 或 josso src lib 目录下

建立数据库,执行下列SQL
-- Roles
CREATE TABLE JOSSO_ROLE (
NAME VARCHAR(16) NOT NULL,
DESCRIPTION VARCHAR(64) NULL
);
ALTER TABLE JOSSO_ROLE
ADD ( PRIMARY KEY (NAME) ) ;
-- Users
CREATE TABLE JOSSO_USER (
LOGIN VARCHAR(16) NOT NULL,
PASSWORD VARCHAR(20) NOT NULL,
NAME VARCHAR(64) NULL,
DESCRIPTION VARCHAR(64) NULL
);
ALTER TABLE JOSSO_USER
ADD ( PRIMARY KEY (LOGIN) ) ;
-- Users Properties
CREATE TABLE JOSSO_USER_PROPERTY (
LOGIN VARCHAR(16) NOT NULL,
NAME VARCHAR(255) NOT NULL,
VALUE VARCHAR(255) NOT NULL
);
ALTER TABLE JOSSO_USER_PROPERTY
ADD ( PRIMARY KEY (LOGIN, NAME) ) ;
ALTER TABLE JOSSO_USER_PROPERTY
ADD ( FOREIGN KEY (LOGIN)
REFERENCES JOSSO_USER ) ;
-- Roles by user
CREATE TABLE JOSSO_USER_ROLE (
LOGIN VARCHAR(16) NOT NULL,
NAME VARCHAR(255) NOT NULL
);
ALTER TABLE JOSSO_USER_ROLE
ADD ( PRIMARY KEY (LOGIN, NAME) ) ;
ALTER TABLE JOSSO_USER_ROLE
ADD ( FOREIGN KEY (NAME)
REFERENCES JOSSO_ROLE ) ;
ALTER TABLE JOSSO_USER_ROLE
ADD ( FOREIGN KEY (LOGIN)
REFERENCES JOSSO_USER ) ;
-- SSO Sessions
CREATE TABLE JOSSO_SESSION
(
SESSION_ID VARCHAR (64) NOT NULL
, USERNAME VARCHAR (128) NOT NULL
, CREATION_TIME INTEGER NOT NULL
, LAST_ACCESS_TIME INTEGER NOT NULL
, ACCESS_COUNT INTEGER NOT NULL
, MAX_INACTIVE_INTERVAL INTEGER NOT NULL
, VALID INTEGER NOT NULL
);
ALTER TABLE JOSSO_SESSION
ADD ( PRIMARY KEY (SESSION_ID) ) ;

INSERT INTO JOSSO_ROLE (NAME,DESCRIPTION) VALUES('role1','The Role1');
INSERT INTO JOSSO_ROLE (NAME,DESCRIPTION) VALUES('role2','The Role2');
INSERT INTO JOSSO_ROLE (NAME,DESCRIPTION) VALUES('role3','The Role3');
INSERT INTO JOSSO_USER (LOGIN,PASSWORD,DESCRIPTION)
VALUES('user1', 'user1pwd', 'The User1');
INSERT INTO JOSSO_USER_ROLE (LOGIN,NAME) VALUES('user1', 'role1');
INSERT INTO JOSSO_USER_ROLE (LOGIN,NAME) VALUES('user1', 'role2');
INSERT INTO JOSSO_USER (LOGIN,PASSWORD,DESCRIPTION)
VALUES('user2', 'user2pwd', 'The User2');
INSERT INTO JOSSO_USER_ROLE (LOGIN,NAME) VALUES('user2', 'role3');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user1', 'user.name', 'User1 Name');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user1', 'user.lastName', 'User1 Last Name');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user1', 'user.registrationDate', 'User1 Registration Date');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user2', 'user.name', 'User2 Name');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user2', 'user.lastName', 'User2 Last Name');
INSERT INTO JOSSO_USER_PROPERTY(LOGIN,NAME,VALUE)
VALUES('user2', 'user.registrationDate', 'User2 Registration Date');


----------------------------------------
设置好环境变量

set JAVA_HOME=c:jdk1.5.0_03
set JBOSS_HOME=c:jboss-4.0.3SP1 类似
----------------------------------------
#####################################
设置JOSSO配置文件信息 %JOSSO_HOME%srcresources
1.设置网关配置文件 【
Gateway Configuration】josso-gateway-config.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<domain>
<name>SampleDomain</name>
<type>web</type>
<authenticator>
<class>org.josso.auth.AuthenticatorImpl</class>
<authentication-schemes>
<!-- Basic Authentication Scheme -->
<authentication-scheme>
<name>basic-authentication</name>
<class>org.josso.auth.scheme.UsernamePasswordAuthScheme</class>
<!--JDBC Credential Store-->
<credential-store>
<class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore </class>
<credentialsQueryString>SELECT login AS username , password AS password FROM josso_user
WHERE login = ?</credentialsQueryString>
<connectionName>cernet</connectionName>
<connectionPassword>password</connectionPassword>
<connectionURL>jdbc:mysql://localhost/cernet</connectionURL>
<driverName>com.mysql.jdbc.Driver</driverName>
</credential-store>
<credential-store-key-adapter>
<class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter </class>
</credential-store-key-adapter>
</authentication-scheme>
</authentication-schemes>
</authenticator>
<sso-identity-manager>
<class>org.josso.gateway.identity.service.SSOIdentityManagerImpl</class>
<!-- JDBC Identity Store -->
<sso-identity-store>
<class>org.josso.gateway.identity.service.store.db.JDBCIdentityStore </class>
<userQueryString>SELECT login FROM josso_user WHERE login = ? </userQueryString>
<rolesQueryString>SELECT josso_role.name FROM josso_role , josso_user_role , josso_user
WHERE josso_user.login = ? AND josso_user.login = josso_user_role.login
AND josso_role.name = josso_user_role.name</rolesQueryString>
<connectionName>cernet</connectionName>
<connectionPassword>password</connectionPassword>
<connectionURL>jdbc:mysql://localhost/cernet</connectionURL>
<driverName>com.mysql.jdbc.Driver</driverName>
</sso-identity-store>
<sso-identity-store-key-adapter>
<class>org.josso.gateway.identity.service.store.SimpleIdentityStoreKeyAdapter</class>
</sso-identity-store-key-adapter>
</sso-identity-manager>
<sso-session-manager>
<class>org.josso.gateway.session.service.SSOSessionManagerImpl</class>
<!--
Set the maximum time interval, in minutes, between client requests
before the SSO Service will invalidate the session. A negative time
indicates that the session should never time out.
-->
<maxInactiveInterval>1</maxInactiveInterval>
<sso-session-store>
<class>
org.josso.gateway.session.service.store.MemorySessionStore
</class>
</sso-session-store>
<sso-session-id-generator>
<class>
org.josso.gateway.session.service.SessionIdGeneratorImpl
</class>
<!--
The message digest algorithm to be used when generating session
identifiers. This must be an algorithm supported by the
java.security.MessageDigest class on your platform.

In J2SE 1.4.2 you can check :
Java Cryptography Architecture API Specification & Reference -
Apendix A : Standard Names
Values are : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512
-->
<algorithm>MD5</algorithm>
</sso-session-id-generator>
</sso-session-manager>
<sso-audit-manager>
<class>org.josso.gateway.audit.service.SSOAuditManagerImpl</class>
<handlers>
<!-- This handler logs all audit trails using Log4J, under the given category -->
<handler>
<class>org.josso.gateway.audit.service.handler.LoggerAuditTrailHandler</class>
<name>LoggerAuditTrailHandler</name>
<category>org.josso.gateway.audit.SSO_AUDIT</category>
</handler>
</handlers>
</sso-audit-manager>
<!-- SSO Event Manager component -->
<sso-event-manager>
<class>org.josso.gateway.event.security.JMXSSOEventManagerImpl</class>
<!--
JMX Name of the EventManager MBean that will send SSO Events as JMX Notifications
The MBean will be registered by the MBeanComponentKeeper.
-->
<oname>josso:type=SSOEventManager</oname>
</sso-event-manager>
</domain>

2.设置智能代理配置文件 【Agent Configuration】josso-agent-config.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<agent>

<!-- JOSSO Agent classes -->
<!--class>org.josso.tc50.agent.CatalinaSSOAgent</class-->
<!--class>org.josso.tc55.agent.CatalinaSSOAgent</class-->
<!--class>org.josso.jb32.agent.JBossCatalinaSSOAgent</class-->
<class>org.josso.jb4.agent.JBossCatalinaSSOAgent</class>

<!-- Login/Logout URLs -->
<gatewayLoginUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginUrl>
<gatewayLogoutUrl>http://localhost:8080/josso/signon/logout.do</gatewayLogoutUrl>
<!--gatewayLoginErrorUrl>http://localhost:8080/josso/signon/login.do</gatewayLoginErrorUrl-->

<!--
Usefull when working in N-Tier modes behind a reverse proxy or load balancer
Here you should place the reverse proxy or load balancer base URL.

Note : When using this options, the gatewayLoginURL and gatewayLogoutURL should also point to this host.

<singlePointOfAccess>http://reverse-proxy-host:8080</singlePointOfAccess>

<gatewayLoginUrl>http://reverse-proxy-host:8080/josso/signon/login.do</gatewayLoginUrl>
<gatewayLogoutUrl>http://reverse-proxy-host:8080/josso/signon/logout.do</gatewayLogoutUrl>
-->

<!-- Mininum interval between sso session access , in milliseconds -->
<sessionAccessMinInterval>1000</sessionAccessMinInterval>

<!-- JOSSO Agent service locator configuration -->
<service-locator>
<class>org.josso.gateway.WebserviceGatewayServiceLocator</class>
<endpoint>localhost:8080</endpoint>

<!-- Associate an identity to SOAP messages
<username>wsclient</username>
<password>wsclientpwd</password>
-->

<!-- Enabled SSL on the SOAP circuit.
<transportSecurity>confidential</transportSecurity>
-->
</service-locator>

<!--
JOSSO Parnter application definicions :

Configure all web applications that should be a josso partner application within this server.
For each partner application you have to define the propper web-context.
-->
<partner-apps>

<partner-app>
<context>/partnerapp</context>
<!-- This is an optional feature :
You can reference any web resource collection that should not be subject to SSO protection.
The SSO agent will not provide identity nor demand authentication to requests matching the
security constraint associated to this web resource collections.
In order to work, the security constraint must not contain auth-constraints declarations.
See sample web.xml file from josso partnerapp.
<security-constraint>
<ignore-web-resource-collection>public-resources</ignore-web-resource-collection>
</security-constraint>
-->
</partner-app>

</partner-apps>

</agent>


3.设置 josso-reverseproxy-config.xml 配置文件

4.设置 josso配置文件 josso-config.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<configuration>
<hierarchicalXml fileName="josso-gateway-config.xml"/>
<hierarchicalXml fileName="josso-agent-config.xml"/>
<hierarchicalXml fileName="josso-reverseproxy-config.xml"/>
</configuration>

#####################################################

配置应用服务器文件

----------------------------------------

编辑server.xml $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml

<Server>
...
<Service>
...
<Engine>
...
<Host name="localhost" ...>
...
<Valve className="org.josso.tc55.agent.SSOAgentValve" debug="1"/>
...
</Host>
</Engine>
</Service>
</Server>


<Server>
...
<Service>
...
<Engine name="Catalina" defaultHost="localhost" debug="0">
...
<Realm className="org.josso.jb4.agent.JBossCatalinaRealm"
appName="josso"
userClassNames="org.josso.gateway.identity.service.BaseUserImpl"
roleClassNames="org.josso.gateway.identity.service.BaseRoleImpl"
debug="1" />
...
</Engine>
</Service>
</Server>

----------------------------------------
编辑 login-config.xml $JBOSS_HOME/server/default/conf

<application-policy name = "josso">
<authentication>
<login-module code = "org.josso.jb4.agent.JBossSSOGatewayLoginModule"
flag = "required">
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>

拷贝文件到$JBOSS_HOME/server/default/conf
josso-config.xml
josso-gateway-config.xml
josso-agent-config.xml
josso-reverseproxy-config.xml

#########################################
执行 Ant Build 任务列表部署和启动JOSSO on JBOSS
----------------------------------------
//编译War包
build.bat war
----------------------------------------
//安装josso到jboss
build.bat install-jboss4

----------------------------------------
//部署 josso应用ear包
build.bat deploy-jboss4
----------------------------------------
//启动 Jboss 进程
cd $JBOSS_HOME/bin
cd %JBOSS_HOME%bin
run.bat
----------------------------------------
访问受保护地址验证SSO
http://localhost:8080/partnerapp/protected
user and password is : user1/user1pwd user2/user2pwd
----------------------------------------


########################################
错误诊断

15:30:15,922 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
错误,一般是因为 login-config.xml 没有设置

没有评论: