Securing the CruiseControl JMX interface

by Julian Simpson on August 29, 2008


Jim Huang commented on the CruiseControl series page about an issue on his project:

We integrate our build with automation deployment and test running. The problem we have is how to prevent people from clicking the force build button by mistake. Anyone clicking the button will lead to another QA deployment. There is no access control from cruisecontrol. Do you have any solution for this?

Jim, you didn’t say if you were using the classic reporting application or the new dashboard, and I’m not sure what operating system you’re using. So here’s some vague advice: you can block access to the JMX port. CruiseControl exposes all of its state information and some commands via JMX over a TCP port, so securing that port is one way to stop accidental or deliberate messing with your CI server. On a Linux system you can block access to the port from certain machines using iptables. Your options for Windows vary depending on the version you have.

Just promise me that you’ll be careful, Jim.
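
One way to apply the iptables advice above, as an added example that is not from the original post: a small generator that prints the rules for review instead of running them. Port 8000 and the 192.0.2.x addresses are assumed sample values (use whatever you pass to CruiseControl's -jmxport option), and the CC_JMX chain name and the allowlist approach are this example's own choices.

```shell
#!/bin/sh
# Added example: print iptables commands that restrict a JMX port to an
# allowlist. Nothing is applied; the output is meant to be reviewed first.

# jmx_rules PORT [ADDR[/PREFIX] ...]  -> one iptables command per line
jmx_rules() {
    port=$1
    shift
    # Validate everything before printing, so a bad argument never
    # leaves a half-written rule set on stdout.
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1
    }
    for src in "$@"; do
        # Only IPv4 addresses with an optional /prefix are accepted.
        case $src in
            ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1 ;;
        esac
    done

    chain=CC_JMX    # hypothetical chain name, keeps these rules in one place
    echo "iptables -N $chain"
    # Loopback stays open so a dashboard on the same host still works.
    echo "iptables -A $chain -i lo -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A $chain -s $src -j ACCEPT"
    done
    # Log (rate limited) and drop everyone else; order matters here.
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"cc-jmx-denied: \""
    echo "iptables -A $chain -j DROP"
    # Hook the chain in last, so traffic never hits a half-built chain.
    echo "iptables -I INPUT -p tcp --dport $port -j $chain"
}

# Constructed sample: assumed JMX port 8000, a build admin's workstation
# and the web server that hosts the reporting application.
jmx_rules 8000 192.0.2.10 192.0.2.11
```

Review the printed commands, then pipe them to a root shell. Rules added this way do not survive a reboot unless you save them with your distribution's usual mechanism.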
