web dashboard security

Tag: , ccnet-config Author: pengxiaobao Date: 2011-09-04

I am having extreme problems with adding security to the web dashboard. I am trying to set up security for a bunch of web app projects. Everything works with no security enabled.

The security I want is fairly simple: 2 roles, "Releasers" and "Testers". Releasers can do anything; testers can force build the test deployment project and only view the rest of the projects, which all upgrade the live installations. However I just can't get it to work. As a start I think I have just allowed everything for everyone, and I get a few different problems depending on how I set up various things. In all cases the config file validates with the validator util.

Server Config

      <ldapUser name="ccnet" domain="localhost" />
      <passwordUser name="ccnetadmin" password="NotTheRealPW" />
      <rolePermission name="Releasers" defaultRight="Allow">
          <userName name="ccnetadmin"/>
      </rolePermission>
      <rolePermission name="Testers" defaultRight="Allow">
          <userName name="ccnet"/>
      </rolePermission>

Project Security

      <security type="defaultProjectSecurity" defaultRight="Inherit">
          <rolePermission name="Testers" ref="Testers"/>
          <rolePermission name="Releasers" ref="Releasers"/>
      </security>


There are 3 things that are not clear from the documentation.

  • What kind of authentication needs to be set up in IIS.
  • What kind of users do I need to set up in the ccnet.config server security section.
  • In the dashboard config what do I need in the <securityPlugins> section.

I have tried forms and Windows integrated in the web.config and in IIS. With forms it essentially complains that there is no login.aspx, which there isn't, so I suspect that this is correct. With Windows integrated I can access the dashboard. Any projects that have no security element I can see in the list, but any action results in a security exception saying I don't have the ViewProject permission. Any projects that have the security element simply don't show in the list. I get the same behaviour whichever user type I use: simpleUser, passwordUser or ldapUser. I cannot find anywhere that mentions any other value that I can put in the securityPlugins section other than simpleSecurity. Are there any other values, and if so what are they?

I have searched this documentation and I cannot find any answers to any of these questions.


Whoever can suggest a way I can achieve the goal below gets the bounty, even if it is a totally different way than I have described above.

I want a set of users who can view all projects and force build 1 specific project. I want another set of users who can view and force build all projects. I want it to be with one single dashboard, one config file, but with different user accounts.


As the bounty is running out soon I will also give it to anyone that can offer some kind of compelling evidence that the security in does not work, so at least I know not to waste my time on it any longer. Also I have tried to log an issue or post to the forum about this, but they seem to have transitioned to a new system and that doesn't seem to work either: it simply won't let you sign up for a user account. It requires email verification but the email never comes through.

Best Answer

OK, I finally worked it out. Everything was set up perfectly fine. However, what the documentation doesn't mention at all is HOW TO LOG IN. What kind of security do you set up in IIS/web.config? The answer to this is that it is irrelevant, as does not use any of these kinds of security. The documentation mentioned enabling logins by adding a <securityPlugins> section to the dashboard config with a element in it to "enable log in". But it did not mention how to log in. What I have JUST noticed is that if in the web dashboard you select a server from the list then it gives you a log in button. Thing is, I rarely look at the server report; I only have 1 server, so the "farm report" is the same list of projects as the "server report" and it just seemed pointless. But the login button only appears if you are viewing a server report. I feel a bit silly, but a simple "you can't log in from the farm report, you need to select a server report" in the docs would have saved me literally days of frustration. I.e. it has taken me days to find the bloody log in button.


Can you specify more details? I don't know what to put into <securityPlugins>. Documentation for security plugins at returns 404
The details are that I found the login button, everything else I had set up did in fact work OK,

Other Answer1

I'd be curious also and will try to figure this out again, but last time I tried I was also stumped.

My interim workaround was to configure the web.config to define who has access to CC.NET only for GET requests, and who has access altogether (includes POST requests which are necessary for any kickoff actions).

            <authorization>
                <allow verbs="GET" roles="DOMAIN\ccnetreadonly" />
                <allow roles="DOMAIN\ccnetcanperformactions" />
                <deny users="*" />
            </authorization>

Not the best, but it did work...


Thanks, unfortunately it won't work for me. I have a bunch of "live" projects that build and deploy live web applications and a staging project that builds and deploys the staging/testing web app. I want a limited number of users to be able to force build the live projects but all other users can view the live but also force build the staging/test project. As such all users need to be able to post.
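
The rule order that the web.config workaround above relies on, as an added example in Python that is not part of any post on this page: it models ASP.NET URL authorization (the first matching rule decides, and the inherited default `<allow users="*"/>` applies when none matches) over the answer's three rules. The `<authorization>` wrapper, the user names and the helper functions are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# The answer's three rules; the <authorization> wrapper is added here so the
# fragment parses on its own.
RULES_XML = r"""
<authorization>
  <allow verbs="GET" roles="DOMAIN\ccnetreadonly" />
  <allow roles="DOMAIN\ccnetcanperformactions" />
  <deny users="*" />
</authorization>
"""

def _csv(value):
    """Split a comma-separated attribute into a lower-cased set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def load_rules(xml_text):
    """Return the allow/deny rules in document order."""
    return [{"allow": el.tag == "allow", "verbs": _csv(el.get("verbs")),
             "roles": _csv(el.get("roles")), "users": _csv(el.get("users"))}
            for el in ET.fromstring(xml_text)]

def is_authorized(rules, user, roles, verb):
    """First rule that matches decides; user=None models an anonymous request."""
    roles = {r.lower() for r in roles}
    for rule in rules:
        if rule["verbs"] and verb.lower() not in rule["verbs"]:
            continue  # rule is limited to other HTTP verbs
        by_user = ("*" in rule["users"]
                   or (user is None and "?" in rule["users"])
                   or (user is not None and user.lower() in rule["users"]))
        if by_user or rule["roles"] & roles:
            return rule["allow"]
    return True  # nothing matched: the inherited default is <allow users="*"/>

RULES = load_rules(RULES_XML)
READONLY = ["DOMAIN\\ccnetreadonly"]            # constructed test identities
ACTIONS = ["DOMAIN\\ccnetcanperformactions"]

def decisions(rules):
    """(read-only GET, read-only POST, actions POST, anonymous GET)."""
    return (is_authorized(rules, "tester", READONLY, "GET"),
            is_authorized(rules, "tester", READONLY, "POST"),
            is_authorized(rules, "releaser", ACTIONS, "POST"),
            is_authorized(rules, None, [], "GET"))
```

`decisions(RULES)` denies the read-only POST and the anonymous GET, while `decisions(RULES[:-1])` (the same rules without the final `<deny users="*" />`) allows all four requests. The only inputs are identity and HTTP verb, with no project dimension, which is the limitation raised in the reply above.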