Block Luntbuild 1.5.1 Anonymous Access
If you are using luntbuild for your continuous integration builds at work, you probably want to remove anonymous user access. In stead of adding that feature to the administrator "Properties" page where I'd expect it, you have to hack the Spring configuration in the webapps directory of luntbuild. Sigh. Here we go:
Open a command prompt and go to the directory where luntbuild is installed. Edit the _/webapps/luntbuild/luntbuild-login.html_ file and remove the following line:<a href="app.do?service=reset/Home&relogin=no">Anonymous</a>
Open the /webapps/luntbuild/WEB-INF/applicationContext.xml file and remove the following 2 Spring Beans:
<bean id="anonymousProcessingFilter"
class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key"><value>anonymous</value></property>
<property name="userAttribute"><value>anonymous,ROLE_ANONYMOUS</value></property>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key"><value>anonymous</value></property>
</bean>
In the same file, searchfor the filterChainProxy bean and remove references to the anonymousProcessingFilter bean, and save the file.
Double check that when you do a cat applicationContext.xml | grep anonymousProcessingFilter, nothing is returned.
Now restart the luntbuild application. Please note that if you were logged in as anonymous before you rebooted the server, your session will still work. This is because you passed the security gates earlier, and Tomcat remembers your session. Press "Forget" and try to login as anonymous. This should no longer work.
I really hope that in luntbuild 2.0, anonymous access is removed or at least configurable from the administation pages, and that the "Forget" and "Logout" links are merged into one, because they seem to do the same thing to the user.