ccnet webdashboard authentication forms mode how to set it up so its secure

Question

Hi all,

I am sure I am just doing this wrong but for the life of me I can not get things to play nicely. I am just starting to install and configure CruiseControl.net on a WS2008 X64 VM. The install seemed to go a little funny as it didn't create an IIS site for the dashboard, I ended up just doing that my self and pointing it at:

C:\Program Files (x86)\CruiseControl.NET\webdashboard

(had to add permissions for iis_iusrs for it to deal with config files, not sure how good that actually is).

Anyway, so I can view the web dashboard now and get into the admin section etc. Ultimately I want this site to be accessible online for ease of use by the team so it needs to be locked down and secure. So to that end I put the following sections on the web.config:

<authentication mode="Forms">
        <forms name="appNameAuth" path="/" loginUrl="server/local/SimpleUserLogin.aspx" protection="All" timeout="30">
            <credentials passwordFormat="Clear">
                <user name="jon" password="test" />
                <user name="mike" password="test" />
            </credentials>
        </forms>
    </authentication>

If I put the following section in I can get to the login screen but will always be sent back to it even after I login and can never see any other pages:

    <authorization>         
        <deny users="?" />
    </authorization>

I also have this outside of the system.web section:

<location path="server/local/SimpleUserLogin.aspx">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web>
</location>

My goal is to direct all non logged in users to the login page and no where else, once logged in they can view any page. Am I being a blonker here?

Thanks

Answer 1

Ok, So found out I was going about this all wrong. As I am using 1.5 there is a new feature for security:

http://confluence.public.thoughtworks.org/display/CCNET/Configuring+the+Server

The link above shows all the settings with some example configs. Basically I put the following in the ccnet.config:

<internalSecurity>
 <users>
  <!-- Authenticated users -->
  <passwordUser name="bob" display="Bob (Team Lead)" password="bob1"/>
  <passwordUser name="jane" display="Jane (BA)" password="jane2"/>
  <passwordUser name="john" display="John (QA)" password="john3"/>
  <passwordUser name="joe" display="Joe (QA)" password="joe4"/>
  <!-- Generic role -->
  <simpleUser name="*"/>
</users>
<permissions>
  <!-- Roles -->
  <rolePermission name="Testers" forceBuild="Allow" defaultRight="Deny">
    <users>
      <userName name="john"/>
      <userName name="joe"/>
    </users>
  </rolePermission>
  <rolePermission name="Releasers" forceBuild="Allow" defaultRight="Deny">
    <users>
      <userName name="bob"/>
      <userName name="jane"/>
    </users>
  </rolePermission>
</permissions>

this worked great with a bit of tweeking. Hope it can help someone else.