【IT168 技术文章】
近日自己搭建了一个RQM(Rational Quality Manager)server, 有一些使用心得分享出来。RQM是一个基于Jazz 协作平台的应用,而Jazz Team Server 是一个基于 Java 的 Web 应用程序,伴随 Rational Team Concert 1.0(简称 RTC1.0)一同发布。用户通过将 Jazz Team Server 部署在应用服务器(例如,IBM WehSphere Application Server;Apache Tomcat)上来为RQM提供底层 Web 服务平台。
基于 Jazz Team Server 的 RQM在运行过程中,用户的认证管理与权限管理分别作为两个独立的部分进行管理。Jazz Team Server 将用户认证工作剥离出去,交给 Jazz Team Server 运行所在的应用服务器(Application Server)实现。本文将以Apache Tomcat为例详细讲述如何实现应用服务器与企业常用的轻量级目录访问管理协议 LDAP 的集成来进行用户认证管理。
本文将分四个部分来讲述LDAP的配置:配置Tomcat, 配置Jazz Team Server, 导入用户和用户授权,将用户加入Quality Manager项目区域。
1. 配置Tomcat
在配置Tomcat之前,需要停止RQM服务器。然后修改两个XML文件。
server.xml [root]\jazz\server\tomcat\conf\server.xml
web.xml [root]\jazz\server\tomcat\webapps\jazz\WEB-INF\web.xml
1.1 修改server.xml
替换如下部分:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
为:
<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="9"
connectionURL="ldap://<ldap.server>:389"
userBase="ou=test,o=test"
userSearch="(preferredIdentity={0})"
userSubtree="true"
roleBase="ou=memberlist,ou=test,o= test"
roleSubtree="false"
roleSearch="(uniquemember={0})"
roleName="cn"
/>
其中,红色斜体内容可替换成实际环境中的配置。
1.2 修改web.xml
增加如下四个部分 (红色斜体标记的为添加的部分):
1. 首先映射LDAP组和安全角色.
这里用户可以定义一个 LDAP组,然后赋予四种安全角色:JazzAdmins, JazzDWAadmins, JazzGuests, JazzUsers.也可以为四种安全角色定义不同的LDAP组。
<web-app id="WebApp">
<servlet id="bridge">
<servlet-name>equinoxbridgeservlet</servlet-name>
<display-name>Equinox Bridge Servlet</display-name>
<description>Equinox Bridge Servlet</description>
<servlet-class>org.eclipse.equinox.servletbridge.BridgeServlet</servlet-class>
<init-param><!-- ... --></init-param>
<!-- ... -->
<load-on-startup>1</load-on-startup>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<security-role-ref>
<role-name>JazzAdmins</role-name>
<role-link>[LDAP Group for Jazz admins]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzDWAdmins</role-name>
<role-link>[LDAP Group for Jazz Data Warehouse Admin]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzGuests</role-name>
<role-link>[LDAP Group for Jazz guest]</role-link>
</security-role-ref>
<security-role-ref>
<role-name>JazzUsers</role-name>
<role-link>[LDAP Group for Jazz users]</role-link>
</security-role-ref>
<!-- End Addendum -->
</servlet>
<!-- ... -->
</web-app>
2. 声明LDAP组为安全角色.
<web-app id="WebApp">
<servlet id="bridge">
<!-- ... -->
</servlet>
<!-- ... -->
<security-role>
<role-name>JazzAdmins</role-name>
<role-name>JazzDWAdmins</role-name>
<role-name>JazzUsers</role-name>
<role-name>JazzGuests</role-name>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<role-name>[LDAP Group for Jazz admins]</role-name>
<role-name>[LDAP Group for Jazz users]</role-name>
<role-name>[LDAP Group for Jazz Data Warehouse Admin]</role-name>
<role-name>[LDAP Group for Jazz guest]</role-name>
<!-- End Addendum -->
</security-role>
<!-- ... -->
</web-app>
3. 添加组名称到一套安全角色,使得该组的用户被授予获得相匹配的网络资源。
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzUsers</role-name>
<role-name>JazzAdmins</role-name>
<role-name>JazzGuests</role-name>
<role-name>JazzDWAdmins</role-name>
<!-- Addendum
If the names of your LDAP Groups are the same as the default Jazz roles
you don't need to add the following tags
-->
<role-name>[LDAP Group for Jazz admins]</role-name>
<role-name>[LDAP Group for Jazz users]</role-name>
<role-name>[LDAP Group for Jazz Data Warehouse Admin]</role-name>
<role-name>[LDAP Group for Jazz guest]</role-name>
<!-- End Addendum -->
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
4. 映射LDAP-JazzAdmins组和安全限制.
<web-app id="WebApp">
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>adminsecure</web-resource-name>
<url-pattern>/admin/cmd/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JazzAdmins</role-name>
<!-- Addendum -->
<role-name>[LDAP Group for Jazz admins]</role-name>
<!-- End Addendum -->
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
完成修改server.xml和web.xml后,在Tomcat端的配置就完成了。