接著上一個的jira 4.0.1 war 方式的安裝過程，使用mysql，把jira的login加上crowd，為之后增加confluence和svn的sso做準備

第一步先把jira的認證改成使用crowd，接著上次安裝完jira的tomcat，繼續(xù)安裝

1. 準備mysql
　　a)創(chuàng)建一個庫create database crowd character set utf8;
　　b)在my.ini中增加一行
　　[mysqld]
　　transaction-isolation = READ-COMMITTED
2. 準備tomcat
　　a)修改$catalina_home\conf\server.xml，增加useBodyEncodingForURI="true"，如下：
　　<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" useBodyEncodingForURI="true"/>
　　b)下載javamail api，放到$catalina_home\lib目錄下
3. 準備crowd
　　a)下載atlassian-crowd-2.0.3-war.zip，并解壓到$crowd_home
　　b)修改$crowd_home\WEB-INF\classes\crowd-init.properties，增加配置crowd.home=$crowd_home（$crowd_home替換成實際目錄）
　　c)創(chuàng)建crowd.xml，內(nèi)容為<Context path="/crowd" docBase="$crowd_home" reloadable="false"/>（$crowd_home替換成實際目錄），將這個文件放到$catalina_home\conf\Catalina\localhost目錄下
　　d)啟動tomcat，進入crowd，如：http://localhost:8080/crowd
　　e)到applications中add application，類型選jira，name: jira, password: haha, url: http://localhost:8080/jira, ip最好手工填, directories選一個需要的，Allow all users to authenticate我選上了，成功
　　f)import jira users在users里面選import users，import 的時候注意把dbname修改為jiradb就可以了。
4. 準備jira
　　a)修改$jira_home\WEB-INF\classes\crowd.properties，如
　　application.name                        jira
　　application.password                    haha
　　application.login.url                   http://hostname/jira/
　　crowd.server.url                        http://hostname/crowd/services/
　　...
　　其它的不需要修改
　　b)修改$jira_home\WEB-INF\classes\osuser.xml，內(nèi)容如下：

<!-- This is where JIRA's credentials checking can be configured.  For instance, see
http://www.atlassian.com/software/jira/docs/latest/ldap.html -->
<opensymphony-user>

    <authenticator class="com.opensymphony.user.authenticator.SmartAuthenticator" />

<!-- CROWD:START
    You will need to uncomment the Crowd providers below to enable Crowd integration
    and comment out the default providers that are located further down in this file.
-->
    <provider class="com.atlassian.crowd.integration.osuser.CrowdCredentialsProvider"/>
    <provider class="com.atlassian.crowd.integration.osuser.CrowdAccessProvider"/>
    <provider class="com.atlassian.crowd.integration.osuser.DelegatingProfileProvider">
        <property name="provider-1">com.atlassian.crowd.integration.osuser.CrowdProfileProvider</property>
        <property name="provider-2">com.atlassian.jira.user.ExternalEntityJiraProfileProvider</property>
        <property name="provider-2-exclusive-access">true</property>
    </provider>
<!-- CROWD:END -->

<!-- CROWD:START  - The providers below here will need to be commented out for Crowd integration -->
<!--
    <provider class="com.atlassian.core.ofbiz.osuser.CoreOFBizCredentialsProvider">
        <property name="exclusive-access">true</property>
    </provider>

    <provider class="com.atlassian.jira.user.osuser.JiraOFBizProfileProvider">
        <property name="exclusive-access">true</property>
    </provider>

    <provider class="com.atlassian.jira.user.osuser.JiraOFBizAccessProvider">
        <property name="exclusive-access">true</property>
    </provider>
-->
<!-- CROWD:END -->

</opensymphony-user>

　　c)修改$jira_home\WEB-INF\classes\seraph-config.xml，內(nèi)容如下：

<security-config>
    <parameters>
        <init-param>
            <!--
              The login URL to redirect to when the user tries to access a protected resource (rather than clicking on
              an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
                - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
                - else the context path will be prepended to this URL

                If '${originalurl}' is present in the URL, it will be replaced with the URL that the user requested.
                This gives SSO login pages the chance to redirect to the original page
            -->
            <param-name>login.url</param-name>
            <param-value>/login.jsp?os_destination=${originalurl}</param-value>
            <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
        </init-param>
        <init-param>
            <!--
              the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
              trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
                - same properties as login.url above
            -->
            <param-name>link.login.url</param-name>
            <param-value>/login.jsp?os_destination=${originalurl}</param-value>
            <!--<param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>-->
            <!--<param-value>http://sso.mycompany.com/login?redirectTo=${originalurl}</param-value>-->
        </init-param>
        <init-param>
            <!-- URL for logging out.
                 - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
                 - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
                 -->
            <param-name>logout.url</param-name>
            <param-value>/secure/Logout!default.jspa</param-value>
            <!--<param-value>http://sso.mycompany.com/logout</param-value>-->
        </init-param>
        <!-- The key that the original URL is stored with in the session -->
        <init-param>
            <param-name>original.url.key</param-name>
            <param-value>os_security_originalurl</param-value>
        </init-param>
        <init-param>
            <param-name>login.cookie.key</param-name>
            <param-value>seraph.os.cookie</param-value>
        </init-param>
        <!-- This property controls how your cookie is encrypted.  If you truly want to secure your cookies, you need
            to change this to a secure password -->
        <init-param>
            <param-name>cookie.encoding</param-name>
            <param-value>jiracookie</param-value>
        </init-param>
        <!-- This property sets the default cookie timeout in seconds.  It is currently set to 1 year -->
        <init-param>
            <param-name>autologin.cookie.age</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <!-- Basic Authentication can be enabled by passing the authentication type as a configurable url parameter.
        With this example, you will need to pass http://mycompany.com/anypage?os_authType=basic in the url to enable Basic Authentication -->
        <init-param>
            <param-name>authentication.type</param-name>
            <param-value>os_authType</param-value>
        </init-param>
        <!--  If this parameter is set to true, the cookie will never be set secure.  This is useful if you're logging
              into JIRA via https, but want to browse JIRA over http.  This flag will ensure that the remember me option
              works correctly.
        <init-param>
            <param-name>insecure.cookie</param-name>
            <param-value>true</param-value>
        </init-param> -->
    </parameters>

    <rolemapper class="com.atlassian.jira.security.JiraRoleMapper"/>

    <!-- CROWD:START - If enabling Crowd SSO integration uncomment the following JIRAAuthenticator and comment out the DefaultAuthenticator below -->
    <authenticator class="com.atlassian.crowd.integration.seraph.JIRAAuthenticator"/>
    <!-- CROWD:END -->

    <!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration -->
    <!--
    <authenticator class="com.atlassian.jira.security.login.JiraOsUserAuthenticator"/>
    -->
    <!-- CROWD:END -->

    <!-- NB: the URL to redirect to is now specified by login.url above -->
    <services>
        <service class="com.atlassian.seraph.service.PathService">
            <init-param>
                <param-name>config.file</param-name>
                <param-value>/seraph-paths.xml</param-value>
            </init-param>
        </service>

        <service class="com.atlassian.seraph.service.WebworkService">
            <init-param>
                <param-name>action.extension</param-name>
                <param-value>jspa</param-value>
            </init-param>
        </service>
    </services>

    <interceptors>
        <interceptor class="com.atlassian.jira.portal.PortalPageInterceptor"/>
        <interceptor class="com.atlassian.jira.user.preferences.UserPreferencesResetInterceptor"/>
    </interceptors>
</security-config>

　　d)重啟tomcat

一切搞定，可以使用crowd的用戶登錄jira了，而且只要在一邊登錄，兩邊就都登錄了。

另外把遇到的問題寫一下
1. 在crowd中import jira users的時候，將connection url改正確了之后，就是把dbname改成jiradb，依然無法連接，后來發(fā)現(xiàn)是crowd沒有mysql jdbc驅(qū)動，停掉crowd，將mysql jdbc驅(qū)動放到crowd WEB-INF\lib目錄，重試就可以了。
2. 所有的都配置好了之后，到j(luò)ira里面仍然無法登錄，通過查看crowd log，發(fā)現(xiàn)有這句話[crowd.service.soap.SOAPService] Client host is invalid: 10.40.155.43 / 10.40.155.43，明白了，因為在crowd里面add application的時候，使用的是自動得到IP，得到的是127.0.0.1。解決這個問題的辦法就是在IP里面，把這個10.40.155.43也加上，就可以了。