JForum与JOSSO集成单点登录

转载：http://www.jeedao.net/posts/list/0/44.page

　　本文以JForum v2.1.7和JOSSO v1.5为例说明，JForum论坛单点登录的集成。
　　JForum在设计之初就考虑了与其它系统进行SSO单点登录集成的接口，你需要做的是：

编写一个对接口net.jforum.sso.SSO.java的实现类。
修改配置文件“SystemGlobals.properties”，更改JForum的认证模式。
对JOSSO和jforum的相关配置文件进行设置。
　　要与JOSSO集成，当然是先到http://www.josso.org/去下载一个JOSSO啦，呵呵。我下载的是“apache-tomcat-5.5.20_josso-1.5.zip”，这个包已经把大部分的配置设置好了，你不需要进行太多的设置工作。
　　 下面我们来看看整个配置过程吧：
　　解开“apache-tomcat-5.5.20_josso-1.5.zip”得到目录“apache-tomcat-5.5.20_josso-1.5”，我们把jforum论坛拷贝到“\apache-tomcat-5.5.20_josso-1.5\webapps”目录下。
　　出于实验目的我们需要先在jforum论坛中注册一个用户“user1”，所以我们先启动tomcat，注册一个用户名为“user1”的论坛用户。
　　打开“\apache-tomcat-5.5.20_josso-1.5\bin”目录下的“josso-agent-config.xml”配置文件，参照原来的配置增加以下配置描述：
Code:

<partner-app>
   <context>/jforum</context>
 </partner-app>

为JForum论坛编写单点登录实现类，代码如下：
Code:

package net.jforum.sso;
 
 import net.jforum.context.RequestContext;
 import net.jforum.JForumExecutionContext;
 import net.jforum.entities.UserSession;
 import net.jforum.util.preferences.ConfigKeys;
 import net.jforum.util.preferences.SystemGlobals;
 import org.apache.log4j.Logger;
 
 public class Josso implements SSO {
 
         static final Logger logger = Logger.getLogger(Josso.class.getName());
 
         public String authenticateUser(RequestContext request) {        
                 String remoteUser = null;
                 
                 remoteUser = request.getRemoteUser();
                 logger.info("remoteUser:" + remoteUser);
                 
                 if(remoteUser == null) {
                         JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT));
                         return null;
                 }
                 
                 if (remoteUser == null || remoteUser.trim().equals("")) {
                         JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT));
                         return null; // no user found
                 } 
 
                 return remoteUser; // jforum username
         }
 
         public boolean isSessionValid(UserSession userSession, RequestContext request) {
 
                 String remoteUser = null;
                 
                 remoteUser = request.getRemoteUser(); //  jforum username
                 logger.info("remoteUser:" + remoteUser);
 
         // user has since logged out
         if(remoteUser == null && 
                 userSession.getUserId() != SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) {
                         return false;
         // user has since logged in
         } else if(remoteUser != null && 
                 userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) {
             return false;
         // user has changed user
         } else if(remoteUser != null && !remoteUser.equals(userSession.getUsername())) {
             return false;
         }
         return true; // myapp user and forum user the same
         }
 }

　　更改JForum的配置文件“SystemGlobals.properties”：

authentication.type = sso
sso.implementation = net.jforum.sso.Josso 

　　更改JForum论坛的web.xml文件，在web.xml文件增加以下配置：
Code:

<security-constraint>
         <!-- Sample Security Constraint -->
         <web-resource-collection>
 
             <!-- We're going to protect this resource and make it available only to users in "role1". -->
             <web-resource-name>public-resources</web-resource-name>
 
             <url-pattern>/resources/*</url-pattern>
 
             <http-method>HEAD</http-method>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
             <http-method>PUT</http-method>
             <http-method>DELETE</http-method>
 
         </web-resource-collection>
 
         <!--
         No roles required, it means that this are public resources !
         Usefull to tell JOSSO that resources matching this security constraint
         should not be subject to SSO protection.
         -->
 
     </security-constraint>
 
     <security-constraint>
         <!-- Sample Security Constraint -->
         <web-resource-collection>
 
             <!-- We're going to protect this resource and make it available only to users in "role1". -->
             <web-resource-name>protected-resources</web-resource-name>
 
             <url-pattern>/josso/*</url-pattern>
             <url-pattern>/protected/*</url-pattern>
             <url-pattern>/forums/*</url-pattern>
 
             <http-method>HEAD</http-method>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
             <http-method>PUT</http-method>
             <http-method>DELETE</http-method>
 
         </web-resource-collection>
 
         <!-- NOTE: This role names will be retrieved by Josso using the propper identity store. -->
         <auth-constraint>
             <role-name>role1</role-name>
         </auth-constraint>
 
         <user-data-constraint>
             <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
 
     </security-constraint>
 
     <!-- We only need tomcat to redirect the user -->
     <login-config>
 
         <auth-method>FORM</auth-method>
 
         <form-login-config>
             <!--
             NOTE: This will redirect the user to the propper login page provided by JOSSO.
             -->
             <form-login-page>/login-redirect.jsp</form-login-page>
             <form-error-page>/login-redirect.jsp</form-error-page>
 
         </form-login-config>
 
     </login-config>
 
     <security-role >
         <description>Role 1</description>
         <role-name>role1</role-name>
     </security-role>

　　好了，现在你重新启动tomcat，并访问论坛：http://localhost:8080/jforum/forums/list.page
　　呵呵，页面被重定向到JOSSO的用户登录页面去了。请在登录页面输入用户名：user1，密码：user1pwd，成功登录后页面会自动重定向到http://localhost:8080/jforum/forums/list.page，并且jforum论坛显示用户：user1已经处于在线登录状态了。
　　细心查看JForum论坛的页面你会发现，论坛中的退出按钮已经不见了，这是因为退出功能应该由你的JOSSO来实现的原因。还有就是那个JForum原来的那个登录输入框也没有了。
　　呵呵，别以为你已经完成单点登录的整合了哦，还有很多工作要做呢。例如，用户注册的时候你必须同时把jforum论坛必须的信息也保存到jforum论坛的相关库表中；你需要为论坛安置一个正确的退出按钮连接；你需要美好JOSSO的登录界面等。

　　 trackback: http://www.jeedao.net/posts/list/0/44.page