This is the address of the original in PDF format, http://www.blogjava.net/Files/joey/opensso.rar ; everyone is welcome to use it for reference, but please note that this document was written in 2006 and was never updated afterwards, so mind the versions.
This is a practical application example of OpenSSO. Because the customer required English, there is only an English version; my English is rather poor, so please bear with me. Actually, if you run into any trouble while using OpenSSO, I think the best place to ask for help is the OpenSSO team's mailing list, which is on the OpenSSO website. They are really enthusiastic: basically every question gets a reply within 24 hours, and the replies come from members of the OpenSSO team. Really great.
If you have any questions about my article, you can also leave me a message. Also, because it was originally in PDF format and was later converted to txt, some parts do not look very nice. Please forgive me.
Implement SSO with AD
Joey
December 26, 2006
Contents
1 Software Environment
2 Create Users in AD
3 Join Linux into Windows 2003 Domain
4 Install JBoss server and JRE 5
5 Fix Windows TCP port
6 Deploy and Config Access Manager
6.1 Deploy Access Manager
6.2 Config Access Manager
7 Install Sun Java System Access Manager Policy Agent
8 Make Application to support SSO
A Config DHCP Server
B Config Domain controller
C Authorize DHCP server
1 Software Environment
Roles                                   Computer name        Platform
Domain Server, DHCP Server, DNS Server  srv-1.contoso.com    Windows 2003 Active Directory
Application server 1                    test-1.contoso.com   Win2K3/XP, JRE 5.0, SJS AM Policy Agent 2.2 for JBoss
Application server 2                    test-2.contoso.com   Win2K3/XP, JRE 5.0, SJS AM Policy Agent 2.2 for JBoss
Access Manager server                   ams.contoso.com      Red Hat Linux, JBoss 4.02 or above
2 Create Users in AD
Create two groups in AD, add one user to each group, and create amadmin as
administrator for AM.
User      Group in AD
admin     users
danie     users
amadmin   Users
3 Join Linux into Windows 2003 Domain (only for Windows 2003 DC, Red Hat Linux)
1. Modify /etc/krb5.conf
Replace 'EXAMPLE.COM' with your domain name, and replace kerberos.example.com
with your AD server name (this section is case-sensitive; just follow this demo).
krb5.conf sample: suppose the domain name is contoso.com, the AD server is
srv-1.contoso.com, and its IP is 10.0.0.2. Keep the other settings in
krb5.conf at their defaults.
    [libdefaults]
    default_realm = CONTOSO.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    [realms]
    CONTOSO.COM = {
        admin_server = srv-1.contoso.com:749
        default_domain = contoso.com
        kdc = 10.0.0.2:88
    }
    [domain_realm]
    .contoso.com = CONTOSO.COM
    contoso.com = CONTOSO.COM
2. Modify /etc/samba/smb.conf. smb.conf sample:
    realm = contoso.com      # add this line yourself
    workgroup = CONTOSO
    security = ADS
3. Get a ticket: run kinit administrator in a shell window (enter the
administrator password when prompted).
sample: kinit administrator@CONTOSO.COM
4. Join the domain: run net ads join in a shell window.
sample: net ads join
5. Restart samba, or simply restart the system.
4 Install JBoss server and JRE 5
Install JBoss server and JRE 5 on test-1.contoso.com, test-2.contoso.com and
ams.contoso.com.
5 Fix Windows TCP port
1. Start Registry Editor.
2. Locate the following subkey in the registry, and then click Parameters:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, click New, and then add the following registry entry:
Value Name: MaxUserPort
Value Type: DWORD
Value data: 65534
Valid Range: 5000-65534 (decimal)
Default: 0x1388 (5000 decimal)
Description: This parameter controls the maximum port number that is
used when a program requests any available user port from the system.
Typically, ephemeral (short-lived) ports are allocated between the values
of 1024 and 5000 inclusive.
4. Quit Registry Editor. [2]
[2] For more information, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271
6 Deploy and Config Access Manager
Do this step on ams.contoso.com.
6.1 Deploy Access Manager
Copy "opensso.war" to (JBossDIR)\server\default\deploy
6.2 Config Access Manager
1. Start JBoss server.
2. In a browser (from any client computer), access the link "http://ams.contoso.com:8080/opensso".
See following picture.
3. In the Configurator page, you can change anything according to your needs. But
in this case I keep all default values and just input a new password in Super
Administrator password; the password is "12345678". And cookie Domain:
".contoso.com". Click the Configure button.
4. If everything is ok, you can see this page after a few seconds. You can
click the link "here" or wait for 5 seconds; it will be automatically redirected
to the "Sun Java System Access Manager" login page. See following picture.
5. And we need to log in to Access Manager. Type "amadmin" for User Name,
and "12345678" for password. (This password is what we input in 6.2.3.)
6. Config AD Authentication. After you finish 6.2.5, use this web link to
access AM: http://ams.contoso.com:8080/opensso.
Set Core Service.
– Click Configuration → Authentication → Service Name: Core
– Select User Profile: Dynamic
– Click "Save", click "Back to Configuration".
Access Control → Realm Name - opensso → Authentication, see pic 3.
Config AD Module Instances
– Click "New" button in "Module Instances".
– Type a name for the new instance, we use "AD" here, and select
"Active Directory" for the type option, click OK. See pic-4.
– Click "AD", which we just created in the last step, and input the following:
Item                                                       Value
Primary Active Directory Server                            srv-1.contoso.com:389 (remove default value)
DN to Start User Search                                    dc=contoso,dc=com (remove default value)
DN for Root User Bind                                      cn=administrator,cn=users,dc=contoso,dc=com (remove default value)
Password for Root User Bind                                (Password of Domain administrator)
Password for Root User Bind (confirm)                      (Password of Domain administrator)
Attribute Used to Retrieve User Profile                    cn
Attributes Used to Search for a User to be Authenticated   cn (remove default value)
Return User DN to Authenticate                             Deselected
– "Save" and click "Back to Authentication".
7. Config Authentication Chaining.
Click "New" button in "Authentication Chaining".
Type a name for the new Authentication Chain; we use "ADChain" here. Click "OK" button.
In the "AD Chain-Properties" page, click "Add" button, and select
"AD" for Instance. See pic-5, click "Save" and "Back to Authentication".
Set Default Authentication Chain
Authentication → General,
– select "ADChain" for "Default Authentication Chain"
– select "ADChain" for "Administrator Authentication Chain"
– click "Save" button, click "Realms" button.
Create Agent
Main Page → Access Control, select OpenSSO → Subjects → Agent → New Agent
ID                   Agent1
Password             (password)
Password (confirm)   (password)
Device status        Active
7 Install Sun Java System Access Manager Policy Agent
1. Create a password file for the following step. Just input the agent password
into this file. sample: d:\deploy\password.txt
2. Unzip Access Manager Policy Agent.
3. Change to the following directory:
PolicyAgent-base/bin
4. Issue the following command, and fill in the values following this table.
agentadmin --install
Item                                                          Value
JBoss Server Config Directory                                 D:\deploy\jboss-4.0.5.GA\server\default\conf
Access Manager Services Host                                  ams.contoso.com
Access Manager Services Port                                  8080
Access Manager Services Protocol                              http
Access Manager Services Deployment URI                        /opensso
Agent Host name                                               test-1.contoso.com
Agent permissions gets added to java permissions policy file  false
Application Server Instance Port number                       8080
Protocol for Application Server instance                      http
Deployment URI for the Agent Application                      /opensso
Encryption Key                                                iF95s8yb4EFZSJQ7qFKybmZdyuXvKofQ
Agent Profile name                                            Agent1
Agent Profile Password file name                              d:\deploy\password.txt
8 Make Application to support SSO
1. Copy amclientsdk.jar to the application lib directory.
2. Add the filter to the application.
In web.xml, add the following code:
    <filter>
        <filter-name>Agent</filter-name>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
3. Get the user name of the user who is logged in.
    import com.iplanet.sso.SSOTokenManager;
    import com.iplanet.sso.SSOToken;
    import com.iplanet.sso.SSOException;
    ......
    // HttpServletRequest request is the current servlet request
    SSOTokenManager manager = SSOTokenManager.getInstance();
    SSOToken token = manager.createSSOToken(request);
    if (manager.isValidToken(token)) {
        // The principal name is the user's DN, e.g. "cn=admin,cn=users,dc=contoso,dc=com"
        String userDN = token.getPrincipal().getName();
        // Take the value of the first RDN ("admin"); this assumes the DN contains a comma
        String userName = userDN.substring(userDN.indexOf("=") + 1, userDN.indexOf(","));
        System.out.println("User DN = " + userDN);
        System.out.println("User Name = " + userName);
    }
    ......
4. Deploy this application.
If this application has been deployed before, you had better undeploy it and
clean the JBoss temp directory.
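The user-name lookup in step 3 splits the DN with indexOf()/substring(), which throws on a DN without a comma and truncates a value that contains an escaped comma. The following is an added example, not code from the original document: it reads the token the same way but parses the first RDN value per RFC 4514 (the package, class and method names are assumptions).

```java
package com.example.sso;

import javax.servlet.http.HttpServletRequest;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/**
 * Added example, not from the original document. The snippet in step 3 takes
 * substring(indexOf("=") + 1, indexOf(",")) of the principal DN, which throws
 * on a DN with no comma and truncates a value containing an escaped comma
 * ("cn=Smith\, John,cn=users,..."). This parses the first RDN value per
 * RFC 4514 instead. Package, class and method names are assumed.
 */
public final class SsoUser {

    /** Returns the user name, or null when the request carries no valid AM session. */
    public static String currentUser(HttpServletRequest request) {
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            SSOToken token = manager.createSSOToken(request);
            if (!manager.isValidToken(token)) {
                return null;  // expired or invalid session: anonymous; the agent filter redirects to AM
            }
            return firstRdnValue(token.getPrincipal().getName());
        } catch (SSOException e) {
            return null;      // no SSO cookie on the request at all
        }
    }

    /** "cn=admin,cn=users,dc=contoso,dc=com" -> "admin"; "cn=Smith\, John,..." -> "Smith, John". */
    static String firstRdnValue(String dn) {
        if (dn == null || dn.indexOf('=') < 0) {
            throw new IllegalArgumentException("not a DN: " + dn);
        }
        StringBuilder value = new StringBuilder();
        for (int i = dn.indexOf('=') + 1; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (c == '\\' && i + 1 < dn.length()) {
                // RFC 4514 escape: "\<char>", or "\<hex><hex>" (decoded as a single ASCII byte here)
                if (i + 2 < dn.length() && isHex(dn.charAt(i + 1)) && isHex(dn.charAt(i + 2))) {
                    value.append((char) Integer.parseInt(dn.substring(i + 1, i + 3), 16));
                    i += 2;
                } else {
                    value.append(dn.charAt(++i));
                }
            } else if (c == ',' || c == '+') {
                break;  // end of the first RDN (',') or of its first attribute in a multi-valued RDN ('+')
            } else {
                value.append(c);
            }
        }
        String result = value.toString().trim();
        if (result.length() == 0) {
            throw new IllegalArgumentException("empty RDN value in DN: " + dn);
        }
        return result;
    }

    private static boolean isHex(char c) {
        return Character.digit(c, 16) >= 0;
    }
}
```

Calling SsoUser.currentUser(request) from a servlet or JSP behind the AmAgentFilter returns "admin" for the DN shown in the table in 6.2 and null when there is no session, so the caller never sees a StringIndexOutOfBoundsException.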
A Config DHCP Server
DHCP server configuration steps; do this on srv-1.contoso.com.
1. In "Manage Your Server" click "Add or remove a role".
2. "Configure Your Server Wizard", click "Next".
3. Select "Custom configuration", click "Next".
4. Select "DHCP server", click "Next".
5. Summary, click "Next".
6. "New Scope Wizard", click "Next".
7. "Scope Name", set Name to "Contoso HQ". Click "Next".
8. "IP Address Range", set "Start IP address" to 10.0.0.10 and "End IP address"
to 10.0.0.254. Click "Next".
9. "Add Exclusions", nothing to do here, just click "Next".
10. "Lease Duration", click "Next".
11. "Configure DHCP Options", click "Next".
12. "Router (Default Gateway)", set IP address 10.0.0.1, click Add, then Next.
13. "Domain Name and DNS servers", set parent domain to "contoso.com";
for IP address, add 10.0.0.2. Click "Next".
14. "WINS servers", just click "Next".
15. "Activate Scope", select "Yes, I want to activate this scope now", click
"Next".
16. Click Finish (twice).
B Config Domain controller
Steps for configuring the Domain controller on server srv-1.contoso.com
1. Run command "DCPROMO".
2. "Welcome to the Active Directory Installation Wizard", click "Next".
3. "Operating System Compatibility", click "Next".
4. "Domain Controller type", select "Domain controller for a new domain",
click "Next".
5. "Create New Domain", select "Domain in a new forest", and click "Next".
6. "Install or Configure DNS", select "No, just install and configure DNS on
this computer", click "Next".
7. "New Domain Name", type "contoso.com", click "Next".
8. "NetBIOS Domain Name", accept "CONTOSO" as Domain NetBIOS
Name. Click "Next".
9. "Database and Log Folders", accept the default values for Database and Log
folder. Click "Next".
10. "Shared System Volume", accept the default for Folder location, click "Next".
11. "Permissions", select "Permissions compatible only with Windows 2000
or Windows Server 2003 operating systems". Click "Next".
12. "Directory Services Restore Mode Administrator Password", type a
password, click "Next".
13. "Summary", click "Next".
14. "Optional Networking Components" (a modal dialog), click "OK".
15. "Local Area Connection Properties" pops up. Select TCP/IP, assign
10.0.0.2 to IP address, press TAB twice, assign 10.0.0.1 to Default
gateway. Assign 127.0.0.1 to Preferred DNS server. Click "OK" and then
click "Close".
16. "Completing the Active Directory Installation Wizard", click "Finish".
17. Click Restart Now.
C Authorize DHCP server
On server srv-1.contoso.com:
Manage Your Server → Manage this DHCP server → right-click "srv-1.contoso.com",
select "Authorize".
http://www.ftponline.com/javapro/2002_05/magazine/columns/weblication/default.aspx
The Jakarta Struts project takes care of some of the details when combining servlets and JavaBeans with JavaServer Pages
by Peter Varhol
May 2002 Issue
The Model-View-Controller (MVC) architecture leverages the strengths of servlets and JavaServer Pages (JSP), while minimizing their weaknesses. In essence, user requests are sent to a controller servlet, which determines the nature of the request and passes it off to the appropriate handler for that request type. Each handler is associated with a particular model, which encapsulates business logic to perform a specific and discrete set of functions. Once the operation is completed, the results are sent back to the controller, which determines the appropriate view and displays it (see my Weblication column "Strut Your Stuff," April 2002).
Struts, a Jakarta project, provides a framework for writing applications using the MVC architecture. Struts uses "ActionMapping," which enables the servlet to turn user requests into application actions. ActionMapping usually specifies a request path, the object type to act upon the request, and other properties as needed.
The Action object used as a part of the ActionMapping is responsible for either handling the request and sending the response back to the appropriate view (normally a Web browser), or passing the request along to the appropriate model.
The bridge between the model and the view is a form bean that can be created by subclassing org.apache.struts.action.ActionForm. The form bean can be used to hold data from the user prior to processing, or from a model prior to display back to the user. Struts includes custom tags that can automatically populate fields from the form bean created.
In practice, here's an outline of how Struts may work. A user enters a request on a JSP page for, say, information on train schedules between two cities. The controller servlet receives the request and determines where in the application it can be processed. The Action object passes the request on to a JavaBean that contains the appropriate schedule-retrieving business logic. That business-logic bean will connect to and query the database, receive the results, and return the results to the Action object. The Action object stores the result in a form bean as a part of the request. Once all of the data needed to fulfill the request has been collected, it's ready to be formatted and displayed. The last step is when the JavaServer Page displays the result to the view in HTML form.
The Controller, Model, and View
The primary component of the controller in Struts is the servlet defined from the class ActionServlet, which is configured by the ActionMappings. The ActionMapping class represents the name and location of the Action object. When a request comes into the controller, it maps the path of the request to the location of the Action, and the request is passed off to that Action. Struts' ActionMapping classes may also contain other information that may be unique to your application, like local variables, environment-specific data, or other URIs.
The activities surrounding the controller are the key to Struts. The Struts controller servlet maps events to classes (an event generally being an HTTP POST, GET, or similar request). ActionServlet is the command part of the MVC design pattern and is the core of the Struts framework. ActionServlet creates and uses Action, an ActionForm, and ActionForward. The struts-config.xml file configures the Action. During the creation of the Web application, you extend Action and ActionForm to solve the problem of how to respond to a user's request. The struts-config.xml file instructs ActionServlet on how to use the extended classes. You can also extend ActionServlet to provide your Struts application with custom features.
This approach has several advantages. First, the entire logical flow of the application is in a hierarchical text file. This makes it easier to view and understand, especially with large applications. Second, the HTML writer doesn't have to search through Java code to understand the flow of the application to make page changes, and the Java developer doesn't have to recompile code when making flow changes.
ActionForm maintains the session state for the Web application. ActionForm is an abstract class that is subclassed for each input form model. It represents a general concept of data that is set or updated by an HTML form. For instance, your application may have a UserActionForm that is set by an HTML Form. The Struts framework will check to see if a UserActionForm exists; if not, it creates an instance of the class. Struts will set the state of the UserActionForm using corresponding fields from the HttpServletRequest. The Struts framework updates the state of the UserActionForm before passing it to the business wrapper UserAction.
The Struts model consists of the state of the system and the actions that can be performed on it. You can use a wide variety of structures to represent the model (other servlets or JSP, for example), but most of the time you'll use JavaBeans. The JavaBean properties—or data drawn from external data sources in the case of Enterprise JavaBeans (EJBs)—represent the state, while the methods represent the actions that can be performed. The actions do not need to be defined by JavaBean methods; in simple cases, the actions can be embedded into the Action object, although this tends to blur the distinction between processing and orchestration.
The view of a Struts MVC application typically is constructed using JSP, which provide for a way of statically formatting pages using HTML or XML, plus a method for dynamically inserting customized content in response to a user request. A key aspect of Struts is its custom tag library, which provides a way to create user interfaces easily using JSP.
The Struts framework includes custom tag libraries, which are used in a variety of ways. Although these libraries aren't required to use the framework, they contain tags that will be useful in many of your applications. Some of the Struts tag libraries included are:
* struts-html tag library. This library can be used for creating dynamic HTML user interfaces and forms.
* struts-bean tag library. This library provides substantial enhancements to the basic capability of bringing JavaBean code into a JSP page, which is provided by the <jsp:useBean> tag.
* struts-logic tag library. This library can manage conditional generation of output text, looping over object collections for repetitive generation of output text, and application flow management.
* struts-template tag library. This library contains tags that are useful in creating dynamic JSP templates for pages that share a common look and feel, or common format.
You use these tag libraries just as you would any such library. Because the library is already written, all you have to do is tell the servlet engine about it. In Tomcat, you use the <taglib> tag in the web.xml file to specify the URI of the tag library, and the location of the tag library descriptor file on the Web server system.
The Small Print
The Jakarta project enables you to download either a binary distribution of Struts, or build it directly from source code. The binary usually works just fine, but if you have an unusual software platform, or want to build it as a learning experience, it's not difficult to do. Whichever you decide, Struts has several software prerequisites:
# Java Development Kit (JDK). You have to download and install a Java 2 JDK implementation for your operating-system platform.
# Servlet container. You also have to download and install a servlet container that is compatible with the Servlet API specification, version 2.2 or later, and the JSP specification, version 1.1 or later. One good choice is to download Apache's Tomcat, which provides the ability to both serve Web pages and run servlets and JSP.
# XML parser. Struts requires the presence of an XML parser that is compatible with the Java API for XML Parsing (JAXP) specification, 1.1 or later.
# Servlet API classes. To compile Struts, or applications that use Struts, you will need a servlet.jar file containing the servlet and JSP API classes. Most servlet containers include this JAR file.
# JDBC 2.0 optional package classes. Struts supports an optional implementation of javax.sql.DataSource, so it requires that the API classes be compiled. You can download these package classes from http://java.sun.com/products/jdbc/download.html.
To use Struts to build an application, you need to follow these steps. First, copy the files lib/commons-*.jar and lib/struts.jar from the Struts distribution into the WEB-INF/lib directory of your application. Then copy the entire tag library descriptor file in lib/struts-*.tld from the Struts distribution into the WEB-INF directory of your Web application.
Once you have the files copied over, you can modify the web.xml file for your Web application to include a <servlet> element to define the controller servlet, and a <servlet-mapping> element to establish which request URIs are mapped to this servlet. If you are doing a standard installation with default directories, you can use the web.xml file from the Struts example application for an example of how to do this. Modify the web.xml file of your Web application to include the appropriate tag library declarations. Once again, you can follow the example of these declarations in the Struts example application.
After finishing the web.xml file, create a file called struts-config.xml in the WEB-INF directory that defines the action mappings and other characteristics of your specific application. Last, at the top of each JSP page that will use the Struts custom tags, add lines declaring the Struts custom tag libraries used on that particular page.
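The train-schedule flow described in "The Controller, Model, and View" and the struts-config.xml step above, written out as an added example (not code from the article or from the Struts project). It assumes the Struts 1.1 API (execute() rather than perform()), and all package, class, path and JSP names are assumptions; the form bean's validate() is where user input is checked before any Action or model bean sees it.

```java
// Added example, not from the article or the Struts project. Struts 1.1 API assumed;
// all names are assumptions. Each class goes in its own source file, as marked.
package com.example.schedule;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.*;

// --- ScheduleForm.java: the form bean carrying user input from the JSP to the Action ---
public class ScheduleForm extends ActionForm {
    private String from, to;
    public String getFrom() { return from; }
    public void setFrom(String v) { from = v; }
    public String getTo() { return to; }
    public void setTo(String v) { to = v; }

    // ActionServlet calls validate() after populating the bean; any error sends the
    // user back to the mapping's "input" page, so the Action only ever sees clean data.
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (!isCity(from)) errors.add("from", new ActionError("error.city.invalid"));
        if (!isCity(to))   errors.add("to",   new ActionError("error.city.invalid"));
        return errors;
    }

    // Allow-list: letters, spaces and hyphens, 2..40 chars; anything else (markup, query text) is rejected.
    static boolean isCity(String s) {
        return s != null && s.matches("[A-Za-z][A-Za-z -]{1,39}");
    }
}

// --- ScheduleService.java: the model bean (constructed data stands in for the database query) ---
public class ScheduleService {
    public List find(String from, String to) {
        List result = new ArrayList();
        if ("Boston".equals(from) && "New York".equals(to)) result.add("08:05 - 11:50");
        return result;
    }
}

// --- ScheduleAction.java: orchestration only; business logic stays in the model bean ---
public class ScheduleAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        ScheduleForm f = (ScheduleForm) form;
        request.setAttribute("schedules", new ScheduleService().find(f.getFrom(), f.getTo()));
        return mapping.findForward("success");  // "success" is resolved in struts-config.xml
    }
}

/* WEB-INF/struts-config.xml: wires the request path to the form bean and the Action.
<struts-config>
  <form-beans>
    <form-bean name="scheduleForm" type="com.example.schedule.ScheduleForm"/>
  </form-beans>
  <action-mappings>
    <action path="/schedule" type="com.example.schedule.ScheduleAction"
            name="scheduleForm" scope="request" validate="true" input="/schedule.jsp">
      <forward name="success" path="/results.jsp"/>
    </action>
  </action-mappings>
</struts-config>
*/
```

With the controller servlet mapped to *.do in web.xml, a POST to /schedule.do populates scheduleForm, runs validate(), and only then reaches ScheduleAction, whose result the results.jsp view renders from the "schedules" request attribute.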
Struts was named for the type of supporting wires and frameworks used in buildings and old airplanes. Its intent is to provide a software framework to help you overcome the time-consuming aspects of applying the MVC design pattern in Web applications. You still have to learn and apply the framework, but it will accomplish some of the heavy lifting. If you want to build scalable applications combining the advantages of both servlets and JSP, Struts can get you a good part of the way there.
About the Author
Peter Varhol is a technical evangelist for Compuware Corporation. You can reach him at Peter.Varhol@compuware.com.