CruiseControl.net web dashboard security - cruisecontrol.net

I am have extreme problems with adding security to the web dashboard. I am trying to set up security for a bunch of web app projects. Everything works with no security enabled.
The security i want is fairly simple. 2 roles "Releasers" and "Testers", releasers can do anything, testsers can force build the test deployment project and only view the rest of the projects which all upgrade the live installations. However I just can't get it to work. As a start i think i have just allowed everything for everyone and i get a few differnt problem depending on how i set up various things. In all cases the config file validates with the validator util.
Server Config
<internalSecurity>
<users>
<ldapUser name="ccnet" domain="localhost" />
<passwordUser name="ccnetadmin" password="NotTheRealPW" />
</users>
<permissions>
<rolePermission name="Releasers" defaultRight="Allow">
<users>
<userName name="ccnetadmin"/>
</users>
</rolePermission>
<rolePermission name="Testers" defaultRight="Allow">
<users>
<userName name="ccnet"/>
</users>
</rolePermission>
</permissions>
</internalSecurity>
Project Security
<security type="defaultProjectSecurity" defaultRight="Inherit">
<permissions>
<rolePermission name="Testers" ref="Testers"/>
<rolePermission name="Releasers" ref="Releasers"/>
</permissions>
</security>
Dashboard.config
There are 3 things that are not clear from the documentation.
What kind of authentication needs to be set up in IIS.
What kind of users do i need to set up in the ccnet.config server
security section.
In the dashboard config what do i need in the <securityPlugins> section.
I have tried forms and windows integrated in the web.config and in iis. With forms it essentially complains that there is no login.aspx, which there isn't so i suspect that this is correct. With windows integrated i can access the dashboard. Any projects that have no security element i can see in the list but any action result in a security exception saying i don't have the ViewProject permission. Any projects that have the security element simply don't show in the list. I get the same behaviour whichever user type i use simpleUser, passwordUser or ldapUser. I cannot find anywhere that mentions any other value that i can put in the securityPlugins section other than simpleSecurity, are there any other values and if so what are they.
I have searched this documentation and i cannot find any answers to any of these questions.
EDIT
Whoever can suggest a what i can achieve the below goal gets the bounty, even if it is a totally different way than i have described above.
I want a set of users who can view all CC.net projects and force build 1 specific project. I want another set of users who can view and force build all projects. I want it to be with one single cc.net dashboard, one config file, but with different user accounts.
EDIT 2
As the bounty is running out soon i will also give it so anyone that can offer some kind of compelling evidence that the security in cc.net does not work, so at least i know not to waste my time on it any longer. Also I have tried to log an issue or post to the cc.net forum about this but they seem to have transitioned to a new system and that doesn't work seem to work either, it simply won't let you sign up for a user account, it requires email verification but the email never comes through.

OK I finally worked it out. Everything was set up perfectly fine. However what the documentation doesn't mention at all is HOW TO LOG IN. What kind of security do you setup in iis/web.config. The answer to this is it is irrelevant as cc.net does not use any of these kinds of security. The documentation mentioned enabling log ins by adding a <securityPlugins> section to dashboard config with a element in it to "enable log in". But it did not mention how to log in. What i have JUST noticed is that if in the web dashboard you select a server from the list then it gives you a log in button. Thing is i rarely look at the server report, i only have 1 server so the "farm report" is the same list of projects as the "server report" and it just seemed pointless. But the login button only appears if are viewing a server report. I feel a bit silly but a simple - "you can't log in from the farm report; you need to select a server report to log in" - in the docs would have saved me literally days of frustration. I.E. it has taken me days to find the bloody log in button.

I'd be curious also and will try to figure this out again, but last time I tried I was also stumped.
My interim workaround was to configure the web.config to define who has access to CC.NET only for GET requests, and who has access altogether (includes POST requests which are necessary for any kickoff actions).
<configuration>
<system.web>
<authorization>
<allow verbs="GET" roles="DOMAIN\ccnetreadonly" />
<allow roles="DOMAIN\ccnetcanperformactions" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Not the best, but it did work...

Related

How to disable hybris soft login?

I want to disable hybris in-build soft login functionality.I have restarted the hybris server still able to see the customer as logged customer.
I tried with changging the some tomacat server properties like context.xml
<Manager pathname="" />
Still its not working.
Hybris in-build soft login functionality or remember-me tag functionality can be disabled using two ways, the first that I suggest :
First : Remove the remember-me configuration from spring security file spring-security.xml :
<security:remember-me key="myKey" token-validity-seconds="864000" />
Seconde : Remove the input checkbox from jsp (not recommended)
<input id="j_remember" name="_spring_security_remember_me" type="checkbox">
Hybris Soft login is a feature of spring security.A soft logged in user can browse the application, but pages like account page and checkout pages are secured by hard login. To access these pages, he has to provide password again.
Comment the security:remember-me tag in the spring-security.xml file
<!-- <security:remember-me key="hybrisshopstorefront" services-ref="rememberMeServices"/> -->
Thanks.

'Admin' user getting redirected to $$LoginUserForm

I have a user, Admin Mustermann/magerman, who is defined as an Editor Person in the ACL of my application and who has the role [Admin].
After logging in I can see that that user has the role [Admin].
but whenever I try to access my admin.xsp page, I am getting redirected to the $$LoginUserForm of my database.
The admin.xsp Page is controlled by the following ACL Access:
<xp:this.acl>
<xp:acl>
<xp:this.entries>
<xp:aclEntry
type="DEFAULT"
right="NOACCESS">
</xp:aclEntry>
<xp:aclEntry
type="ROLE"
right="EDITOR"
name="[Admin]"
fullName="Admin">
</xp:aclEntry>
</xp:this.entries>
</xp:acl>
</xp:this.acl>
I've also tried with the following syntax:
<xp:aclEntry
type="ROLE"
right="EDITOR">
<xp:this.name><![CDATA[[Admin]]]></xp:this.name>
<xp:this.fullName><![CDATA[[Admin]]]></xp:this.fullName>
</xp:aclEntry>
but to no avail.
Update:
I'm no longer sure it has something to do with the ACL entries on the XPage itself. Once I removed them, I land to the page but the XPages Debug Toolbar shows that I am now 'Anonymous'.
I should also mention that I'm using two directories for authentication (with directory assistance).
I don't know if this is related, but the XPages Debug Toolbar is sometimes also unresponsive (i.e. I click on the headers but nothing happens).
Is there a way of letting me track the whole authentication procedure that my server is doing? The server log is not very talky.
I wonder why you set ACL options to your XPage at all. I never used it and when I did (when I started with XPages) I always faced problems as those entries disturbed the general ACL settings when they should refine them. Never used them later.
If you want to restrict access to a special page you can workaround it with doing some scripting in the beforePageLoad event. Check roles and access and - if needed - redirect to another page.
Duh.
My 'Internet Website'/ domcfg.nsf setup was not correctly set up.
It's all well explained by John Daalsgard in this question:
Lotus Domino Internet site document.
Ironically, I have commented this as well, so I can't even pretend that I didn't know it.

User from the first website is logged to another website issue

I created two websites in ASP .NET MVC4. Both are having different names.
I registered a new "userA" for the website #1 and signed in.
When I start the website #2 I see that the "userA" is already logged in.
How is it possible?
What do I have to do so website #2 is not going to work like that?
What exactly I have to change to get rid of that? web.config, cookies or what and how?
Thanks!
Try changing the name of the Forms Authentication Ticket, by default it is set to .ASPXAUTH which can cause issues if you're running multiple apps locally. This caught me up a few weeks back.
<forms
name=".myappauth"
loginUrl="~/Account/Login"
protection="All"
timeout="30">
<credentials>...</credentials>
</forms>
MSDN Documentation
http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.85%29.aspx

Groups taking so long.... finally timedout?

I have around 300,000 users in the site collection and around 250 groups in the same site collection. When I am trying to open any group to get users in it. It is taking so long and finally it is showing "Request time out". another than that.... site collection is working fine.
How can open groups normally with out delay?
I would advice to try to increase the default execution timeout in the shared web.config under the \12\TEMPLATE\LAYOUTS
By default, it's 6 minutes (360s), you can try to increase it to 20 minutes
<system.web>
<httpRuntime executionTimeout="1200" />
</system.web>
That will allow more time for the working process to execute its job. It will thus not solve your question "opening without delay" but it will hopefully avoid the dreaded "request has timed out"
I guess a little peak through Reflector might see something dirty in the way the UI is managing / retrieving the group users... A custom, code improved, administration page that will replace the built-in group management might thus be a possible solution.

Why does HttpContext.Current.User.Identity.Name return the wrong username when used in a webpart?

In a Sharepoint web page I am having a problem identifying the logged in user!
The Masterpage contains a normal ootb control that displays the username
<%# Register TagPrefix="wssuc" TagName="Welcome" Src="~/_controltemplates/Welcome.ascx" %>
.....
.....
<wssuc:Welcome id="explitLogout" runat="server" />
This always displayed the correct logged on user.
However if I call
HttpContext.Current.User.Identity.Name
from within a webpart then In 1 or 2 % of cases I will get the incorrect name returned.
This gives me a page that will have the correct username at the top, and the incorrect one in the webpart. Other methods of getting the name in the webpart return the same incorrect name. If the name checker webpart is on the same page multiple times then very rarely the second copy of the webpart will have the correct name or a third incorrect identity!
The identities are stored in Active Directory, and the users authenticate against and ISA server, users are not on the same domain as the SharePoint infrastructure. The sharepoint farm is rather complex with the ISA servers, four web front ends, an apps server and finally a database server.
Has anyone had this happen before? or have any clue as to the direction I should take to investigate the problem!
The servers are running IIS6 on server 2003. Sharepoint is at SP2 but without the latest bunch of patches.
Additional:
Output Cache is enabled. Authenticated Cache Profile is "Intranet"
The settings for that profile are as follows
Title Intranet (Collaboration Site)
Display Name (BLANK)
Display Description Optimized for collaboration sites where authoring, web part cusomization, and minor version are enabled.
Perform ACL Check Yes
Enabled Yes
Duration 180
Check for Changes Yes
Vary by Custom Parameter (BLANK)
Vary by HTTP Header Browser
Vary by Query String Parameters (BLANK)
Vary by User Rights Yes
Cacheability ServerAndPrivate
Safe for Authenticated Use Yes
Allow writers to view cached content (BLANK)
SharePoint runs under the application pool account. You need to use
SPContext.Current.Web.CurrentUser.LoginName
to get the current user.
This was a while ago and I am sorry for not reporting back our solution... and now I don't remember clearly what it was! Something to do with Donut Caching that we had misunderstood.
http://blogs.catapultsystems.com/tlingenfelder/archive/2011/03/24/sharepoint-caching-techniques.aspx

Resources