接着上一个的jira 4.0.1 war 方式的安装过程,使用mysql,把jira的login加上crowd,为之后增加confluence和svn的sso做准备
第一步先把jira的认证改成使用crowd,接着上次安装完jira的tomcat,继续安装
1. 准备mysql
a)创建一个库create database crowd character set utf8;
b)在my.ini中增加一行
[mysqld]
transaction-isolation = READ-COMMITTED
2. 准备tomcat
a)修改$catalina_home\conf\server.xml,增加useBodyEncodingForURI="true",如下:
<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" useBodyEncodingForURI="true"/>
b)下载javamail api,放到$catalina_home\lib目录下
3. 准备crowd
a)下载atlassian-crowd-2.0.3-war.zip,并解压到$crowd_home
b)修改$crowd_home\WEB-INF\classes\crowd-init.properties,增加配置crowd.home=$crowd_home($crowd_home替换成实际目录)
c)创建crowd.xml,内容为<Context path="/crowd" docBase="$crowd_home" reloadable="false"/>($crowd_home替换成实际目录),将这个文件放到$catalina_home\conf\Catalina\localhost目录下
d)启动tomcat,进入crowd,如:http://localhost:8080/crowd
e)到applications中add application,类型选jira,name: jira, password: haha, url: http://localhost:8080/jira, ip最好手工填, directories选一个需要的,Allow all users to authenticate我选上了,成功
f)import jira users在users里面选import users,import 的时候注意把dbname修改为jiradb就可以了。
4. 准备jira
a)修改$jira_home\WEB-INF\classes\crowd.properties,如
application.name jira
application.password haha
application.login.url http://hostname/jira/
crowd.server.url http://hostname/crowd/services/
...
其它的不需要修改
b)修改$jira_home\WEB-INF\classes\osuser.xml,内容如下:
http://www.atlassian.com/software/jira/docs/latest/ldap.html -->
< opensymphony-user >
< authenticator class ="com.opensymphony.user.authenticator.SmartAuthenticator" />
<!-- CROWD:START
You will need to uncomment the Crowd providers below to enable Crowd integration
and comment out the default providers that are located further down in this file.
-->
< provider class ="com.atlassian.crowd.integration.osuser.CrowdCredentialsProvider" />
< provider class ="com.atlassian.crowd.integration.osuser.CrowdAccessProvider" />
< provider class ="com.atlassian.crowd.integration.osuser.DelegatingProfileProvider" >
< property name ="provider-1" > com.atlassian.crowd.integration.osuser.CrowdProfileProvider </ property >
< property name ="provider-2" > com.atlassian.jira.user.ExternalEntityJiraProfileProvider </ property >
< property name ="provider-2-exclusive-access" > true </ property >
</ provider >
<!-- CROWD:END -->
<!-- CROWD:START - The providers below here will need to be commented out for Crowd integration -->
<!--
<provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
<property name="exclusive-access">true</property>
</provider>
<provider class="com.atlassian.jira.user.osuser.JiraOFBizProfileProvider">
<property name="exclusive-access">true</property>
</provider>
<provider class="com.atlassian.jira.user.osuser.JiraOFBizAccessProvider">
<property name="exclusive-access">true</property>
</provider>
-->
<!-- CROWD:END -->
</ opensymphony-user >
c)修改$jira_home\WEB-INF\classes\seraph-config.xml,内容如下:
< parameters >
< init-param >
<!--
The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
- if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
- else the context path will be prepended to this URL
If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
This gives SSO login pages the chance to redirect to the original page
-->
< param-name > login.url </ param-name >
< param-value > /login.jsp?os_destination=${originalurl} </ param-value >
<!-- <param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value> -->
</ init-param >
< init-param >
<!--
the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
- same properties as login.url above
-->
< param-name > link.login.url </ param-name >
< param-value > /login.jsp?os_destination=${originalurl} </ param-value >
<!-- <param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value> -->
<!-- <param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value> -->
</ init-param >
< init-param >
<!-- URL for logging out.
- If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
- If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
-->
< param-name > logout.url </ param-name >
< param-value > /secure/Logout!default.jspa </ param-value >
<!-- <param-value>http://sso.mycompany.com/logout</param-value> -->
</ init-param >
<!-- The key that the original URL is stored with in the session -->
< init-param >
< param-name > original.url.key </ param-name >
< param-value > os_security_originalurl </ param-value >
</ init-param >
< init-param >
< param-name > login.cookie.key </ param-name >
< param-value > seraph.os.cookie </ param-value >
</ init-param >
<!-- This property controls how your cookie is encrypted. If you truly want to secure your cookies, you need
to change this to a secure password -->
< init-param >
< param-name > cookie.encoding </ param-name >
< param-value > jiracookie </ param-value >
</ init-param >
<!-- This property sets the default cookie timeout in seconds. It is currently set to 1 year -->
< init-param >
< param-name > autologin.cookie.age </ param-name >
< param-value > 31536000 </ param-value >
</ init-param >
<!-- Basic Authentication can be enabled by passing the authentication type as a configurable url parameter.
With this example, you will need to pass http://mycompany.com/anypage?os_authType=basic in the url to enable Basic Authentication -->
< init-param >
< param-name > authentication.type </ param-name >
< param-value > os_authType </ param-value >
</ init-param >
<!-- If this parameter is set to true, the cookie will never be set secure. This is useful if you're logging
into JIRA via https, but want to browse JIRA over http. This flag will ensure that the remember me option
works correctly.
<init-param>
<param-name>insecure.cookie</param-name>
<param-value>true</param-value>
</init-param> -->
</ parameters >
< rolemapper class ="com.atlassian.jira.security.JiraRoleMapper" />
<!-- CROWD:START - If enabling Crowd SSO integration uncomment the following JIRAAuthenticator and comment out the DefaultAuthenticator below -->
< authenticator class ="com.atlassian.crowd.integration.seraph.JIRAAuthenticator" />
<!-- CROWD:END -->
<!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
<!--
<authenticator class="com.atlassian.jira.security.login.JiraOsUserAuthenticator"/>
-->
<!-- CROWD:END -->
<!-- NB: the URL to redirect to is now specified by login.url above -->
< services >
< service class ="com.atlassian.seraph.service.PathService" >
< init-param >
< param-name > config.file </ param-name >
< param-value > /seraph-paths.xml </ param-value >
</ init-param >
</ service >
< service class ="com.atlassian.seraph.service.WebworkService" >
< init-param >
< param-name > action.extension </ param-name >
< param-value > jspa </ param-value >
</ init-param >
</ service >
</ services >
< interceptors >
< interceptor class ="com.atlassian.jira.portal.PortalPageInterceptor" />
< interceptor class ="com.atlassian.jira.user.preferences.UserPreferencesResetInterceptor" />
</ interceptors >
</ security-config >
d)重启tomcat
一切搞定,可以使用crowd的用户登录jira了,而且只要在一边登录,两边就都登录了。
另外把遇到的问题写一下
1. 在crowd中import jira users的时候,将connection url改正确了之后,就是把dbname改成jiradb,依然无法连接,后来发现是crowd没有mysql jdbc驱动,停掉crowd,将mysql jdbc驱动放到crowd WEB-INF\lib目录,重试就可以了。
2. 所有的都配置好了之后,到jira里面仍然无法登录,通过查看crowd log,发现有这句话[crowd.service.soap.SOAPService] Client host is invalid: 10.40.155.43 / 10.40.155.43,明白了,因为在crowd里面add application的时候,使用的是自动得到IP,得到的是127.0.0.1。解决这个问题的办法就是在IP里面,把这个10.40.155.43也加上,就可以了。