
Confluence development: integrating with an existing single sign-on (SSO) system

2018-04-20 11:43
Confluence is a widely used wiki system. It is commercial software, however, and you have to pay for a license.

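After buying the license, I found that it has its own standalone user login system. With so many systems in the company, isn't logging in to each one separately too much trouble? Right, so integrate it with the company's single sign-on system. I recently had the misfortune of digging myself this hole, and it took real effort to fill it in. Here are my notes.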

1. Preparing the development environment

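Confluence is written in Java and, from what I saw, uses Spring. You know the drill with Java environments, so I won't go over the setup again. The thing to watch is that your development environment matches your production environment.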

2. Setting up your development project

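Confluence supports single sign-on (so does JIRA, which comes from the same company). It uses Seraph, a single sign-on framework that the company open-sourced itself. Documentation: https://docs.atlassian.com/atlassian-seraph/2.6.1-m1/index.html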

So you need to download the Seraph jar: https://maven.atlassian.com/content/repositories/atlassian-public/com/atlassian/seraph/atlassian-seraph/4.0.0/

Then create a new Java project and import both the Seraph jar and the Confluence jars into it.

3. Development

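To implement single sign-on, before Confluence 2.2 you extended Seraph's DefaultAuthenticator class. From 2.2 onward you extend the com.atlassian.confluence.user.ConfluenceAuthenticator class and implement the method

public Principal getUser(HttpServletRequest request, HttpServletResponse response)

In this method you can read a cookie or use a token to verify whether the user is logged in, and then write the result to the session.

If verification fails, return null. If it succeeds, return a

Principal user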


I verify via a token here: once I have obtained the user's email, the user counts as logged in.

Code example:

public Principal getUser(HttpServletRequest request, HttpServletResponse response)
{
    // SSOApi and SSOUserInfo are the author's own SSO client classes (not shown here).
    Principal user = null;

    try
    {
        if (request.getSession() != null && request.getSession().getAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY) != null)
        {
            log.info("Session found; user already logged in");
            user = (Principal) request.getSession().getAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY);
        }
        else
        {
            // Read the SSO token from the "auth" request parameter
            String authToken = request.getParameter("auth");
            // Log only whether a token arrived; the token is a credential and must not be written to the log
            log.info("Got auth token: " + (authToken != null ? "present" : "absent"));

            // Compare string content; != on a String compares references
            if (authToken != null && !authToken.isEmpty())
            {
                SSOUserInfo ssoUser = SSOApi.getUserInfoByToken(authToken);
                if (ssoUser == null) {
                    return null;
                }

                // Look up the Confluence user by the email the SSO system returned
                SearchResult<Principal> userResult = this.getUserAccessor().getUsersByEmail(ssoUser.email);
                if (userResult == null) {
                    return null;
                }
                Pager<Principal> userPager = userResult.pager();
                if (userPager.isEmpty()) {
                    return null;
                }
                List<Principal> userList = userPager.getCurrentPage();
                user = userList.get(0);
                // Log after the user has been resolved, so the message shows the actual user
                log.info("Logged in via SSO, with User " + user);
                request.getSession().setAttribute(ConfluenceAuthenticator.LOGGED_IN_KEY, user);
                request.getSession().setAttribute(ConfluenceAuthenticator.LOGGED_OUT_KEY, null);
            }
            else
            {
                log.info("SSOCookie is null; redirecting");
                // user was not found, or not currently valid
                return null;
            }
        }
    }
    catch (Exception e) // catch class cast exceptions
    {
        log.warn("Exception: " + e, e);
    }
    return user;
}

You can adapt this to your own situation.
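One way to tighten two steps of the method above, as an added example that is not the author's or Atlassian's code: it rejects an email lookup that matches more than one account instead of taking element 0, and it moves the user into a fresh session before the logged-in attribute is written. The class name SsoLoginGuard and its method names are hypothetical; only the JDK and the servlet API are assumed.

```java
import java.security.Principal;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper for a custom Seraph authenticator (illustration only). */
public final class SsoLoginGuard {

    private SsoLoginGuard() {}

    /**
     * Accept an email lookup result only when it identifies exactly one account.
     * Taking element 0 of a multi-match list would log the SSO user in as
     * whichever account the user directory happened to return first.
     */
    public static Principal requireSingleMatch(List<? extends Principal> matches) {
        if (matches == null || matches.size() != 1) {
            return null; // no match or ambiguous match: treat as not authenticated
        }
        return matches.get(0);
    }

    /**
     * Bind the authenticated user to a fresh session. A session id issued before
     * authentication is discarded, so it never becomes a logged-in session.
     * Attributes of the old session are not carried over.
     *
     * @param loggedInKey  attribute holding the user, e.g. ConfluenceAuthenticator.LOGGED_IN_KEY
     * @param loggedOutKey attribute to clear, e.g. ConfluenceAuthenticator.LOGGED_OUT_KEY
     */
    public static HttpSession startAuthenticatedSession(HttpServletRequest request,
                                                        Principal user,
                                                        String loggedInKey,
                                                        String loggedOutKey) {
        if (user == null) {
            throw new IllegalArgumentException("user must not be null");
        }
        HttpSession old = request.getSession(false); // do not create one just to destroy it
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(loggedInKey, user);
        fresh.removeAttribute(loggedOutKey);
        return fresh;
    }
}
```

In getUser, requireSingleMatch would take the place of userList.get(0), and startAuthenticatedSession the place of the two setAttribute calls.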

When development is finished, package the project as a jar.

4. Configuration and debugging

Put the jar in Confluence's WEB-INF/lib directory.

Then configure WEB-INF/seraph-config.xml

<security-config>
<parameters>
<init-param>
<param-name>login.url</param-name>
<!-- Replace with your SSO login URL; ${originalurl} can be used to redirect back here after the callback -->
<param-value>http://youcompany.com/login?calback=${originalurl}</param-value>
</init-param>
<init-param>
<param-name>logout.url</param-name>
<!-- Replace with your SSO logout URL -->
<param-value>http://youcompany.com/logout</param-value>
</init-param>
<init-param>
<param-name>link.login.url</param-name>
<param-value>/login.action</param-value>
</init-param>
<init-param>
<param-name>cookie.encoding</param-name>
<param-value>cNf</param-value>
</init-param>
<init-param>
<param-name>login.cookie.key</param-name>
<param-value>seraph.confluence</param-value>
</init-param>

<!--only basic authentication available-->
<init-param>
<param-name>authentication.type</param-name>
<param-value>os_authType</param-value>
</init-param>

<!-- Invalidate session on login to prevent session fixation attack -->
<init-param>
<param-name>invalidate.session.on.login</param-name>
<param-value>true</param-value>
</init-param>
<!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
Currently it is empty (i.e. all attributes will be copied). -->
<init-param>
<param-name>invalidate.session.exclude.list</param-name>
<param-value></param-value>
</init-param>
</parameters>

<rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
<controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>

<!-- Default Confluence authenticator, which uses the configured user management for authentication. You have just subclassed it, so comment it out. -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/> -->

<!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->

<!-- Your own authenticator class -->
<authenticator class="com.youcompany.SSOAuthenticator"/>

<!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->

<services>
<service class="com.atlassian.seraph.service.PathService">
<init-param>
<param-name>config.file</param-name>
<param-value>seraph-paths.xml</param-value>
</init-param>
</service>
</services>

<elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>

</security-config>

If you need to debug, turn on logging. The logging configuration is in the file:

confluence/WEB-INF/classes/log4j.properties

Enable the following:

###
# Atlassian User
###
log4j.logger.com.atlassian.user=DEBUG
log4j.logger.com.atlassian.confluence.user=DEBUG
log4j.logger.bucket.user=DEBUG
log4j.logger.com.atlassian.seraph=DEBUG
log4j.logger.com.opensymphony.user=DEBUG

Then add a logger entry for your own package name and the logs will appear.

log4j.logger.com.yourcompany=ALL
