continuum-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Wendy Smoak <wsm...@gmail.com>
Subject Build agent security
Date Tue, 28 Dec 2010 21:39:19 GMT
This bit of CONTINUUM-2599 caught my eye:

"Current workaround to get Build Agent's installation is by directly
using the Build Agent Web Service."

I was under the impression that while the build agent would accept
XML-RPC requests from anyone, it would only send responses back to the
master defined in its config file. (See CONTINUUM-2044)

Did something change and you are now able to connect directly to the
agent and do things/get information without an authorization check?
(There is no authentication/authorization on the build agent.
(right?))

In addition, a comment on 2044 reminded me that CONTINUUM-2545 added
unsecured webdav access to the working copy.

Any thoughts on whether build agents should be better secured, and if so how?

* http://jira.codehaus.org/browse/CONTINUUM-2599
* http://jira.codehaus.org/browse/CONTINUUM-2044
* http://jira.codehaus.org/browse/CONTINUUM-2545

-- 
Wendy

Mime
View raw message