CI Continuous Integration: Handling User Security in CruiseControl

Source: Internet  Published: iis7 php http503  Editor: 程序博客网  Time: 2024/06/15 05:41

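Recently I have been using the open-source continuous integration framework CruiseControl for continuous integration on a project. Related material can be found on the official website.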


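The key point is that CruiseControl makes the packaged build output available for download but has no user login module, which is a major shortcoming. This can be addressed by decompiling and modifying the code. For example, downloads are handled by the DownloadController class: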

After modification:

package net.sourceforge.cruisecontrol.dashboard.web;

import java.io.File;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.cruisecontrol.dashboard.service.ConfigurationService;
import net.sourceforge.cruisecontrol.dashboard.utils.DashboardUtils;
import net.sourceforge.cruisecontrol.dashboard.web.binder.DownLoadLogBinder;
import net.sourceforge.cruisecontrol.dashboard.web.binder.DownloadArtifactsBinder;
import net.sourceforge.cruisecontrol.dashboard.web.command.DownLoadArtifactsCommand;
import net.sourceforge.cruisecontrol.dashboard.web.command.DownLoadFile;
import net.sourceforge.cruisecontrol.dashboard.web.command.DownloadLogCommand;
import net.sourceforge.cruisecontrol.dashboard.web.validator.DownLoadFileValidator;
import org.springframework.validation.BindingResult;
import org.springframework.validation.ObjectError;
import org.springframework.validation.Validator;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.ModelAndView;

public class DownloadController extends BaseMultiActionController {
    private ConfigurationService configuration;

    public DownloadController(ConfigurationService configuration) {
        this.configuration = configuration;
        setSupportedMethods(new String[] { "GET" });
        setValidators(new Validator[] { new DownLoadFileValidator() });
    }

    protected ServletRequestDataBinder createBinder(HttpServletRequest request, Object command) throws Exception {
        if ((command instanceof DownloadLogCommand)) {
            return new DownLoadLogBinder(command);
        }
        return new DownloadArtifactsBinder(command);
    }

    public ModelAndView artifacts(HttpServletRequest request, HttpServletResponse response) throws Exception {
        return download(request, new DownLoadArtifactsCommand(this.configuration));
    }

    public ModelAndView log(HttpServletRequest request, HttpServletResponse response) throws Exception {
        return download(request, new DownloadLogCommand(this.configuration));
    }

    private ModelAndView download(HttpServletRequest request, DownLoadFile command) throws Exception {
        // Added check: read the credentials that ok.jsp stored in the session.
        String userName = (String) request.getSession().getAttribute("icell-username");
        String password = (String) request.getSession().getAttribute("icell-password");
        // The expected user name and password are hardcoded here.
        if ("userName".equals(userName) && "passWord".equals(password)) {
            BindingResult bindingResult = bindObject(request, command);
            if (bindingResult.hasErrors()) {
                ModelAndView mov = new ModelAndView("page_error");
                mov.getModel().put("errorMessage", bindingResult.getGlobalError().getDefaultMessage());
                return mov;
            }
            File downLoadFile = command.getDownLoadFile();
            ModelAndView mov = new ModelAndView(DashboardUtils.getFileType(downLoadFile) + "View");
            mov.getModel().put("targetFile", downLoadFile);
            return mov;
        } else {
            // Not logged in: show the error page instead of serving the file.
            //BindingResult bindingResult = bindObject(request, command);
            ModelAndView mov = new ModelAndView("page_error");
            mov.getModel().put("errorMessage", "no permission now,please login at (http://xxxx/dashboard/login.jsp)");
            return mov;
        }
    }
}

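Here the user name and password are hardcoded directly in the program. Of course, you could also write a configuration file, then read it and compare against its values. On the front end, login is handled by defining a login.jsp page, such as the following simple page: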

<%@ page contentType="text/html;charset=UTF-8" language="java" pageEncoding="utf-8"%>
<html>
<head>
<%-- Title text: "Authentication" --%>
<title>身份验证</title>
<script type="text/javascript">
  // Submit the form only when both fields are filled in.
  function submit() {
    var username = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;
    if (username == "" || pwd == "") {
      // "Username or password is empty!"
      alert("用户名或者密码为空!");
    } else {
      document.getElementById("ds-form").submit();
    }
  }
</script>
</head>
<body>
<div style="text-align: center">
  <form action="ok.jsp" method="post" id="ds-form">
    <table>
      <tr>
        <%-- Caption text: "Login page" --%>
        <td colspan="2">登录界面</td>
      </tr>
      <tr>
        <td>user:</td>
        <td><input type="text" name="user" id="user" size="16"></td>
      </tr>
      <tr>
        <td>pwd:</td>
        <td><input type="password" name="pwd" id="pwd" size="16"></td>
      </tr>
      <tr>
        <td colspan="2"></td>
      </tr>
    </table>
  </form>
  <input type="button" value="submit" onclick="submit();">
</div>
</body>
</html>

ok.jsp is an intermediate page:

<%@ page contentType="text/html;charset=UTF-8" language="java" pageEncoding="utf-8"%>
<%
    // Copy the submitted credentials into the session; DownloadController reads them later.
    String username = request.getParameter("user");
    String password = request.getParameter("pwd");
    session.setAttribute("icell-username", username);
    session.setAttribute("icell-password", password);
%>
<html>
<head>
<%-- Title text: "Authentication" --%>
<title>身份验证</title>
</head>
<body>
go go
<script type="text/javascript">
  // Redirect to the dashboard once the session attributes are set.
  window.location.href = "tab/dashboard";
</script>
</body>
</html>

With this in place, the packaged build data can be downloaded using the configured user name and password.
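
The configuration-file alternative mentioned above, as an added example that is not code from the original post or from CruiseControl: the credentials come from a properties source holding a salted PBKDF2 hash instead of a plaintext password compiled into the class. The class name `DownloadCredentials`, the property keys and the sample values are assumptions, and Java 8 or later is assumed for `Base64` and `PBKDF2WithHmacSHA256`.

```java
import java.io.StringReader;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (hypothetical class, not CruiseControl code; assumes Java 8+).
public class DownloadCredentials {
    private final String user;
    private final byte[] salt, hash;
    private final int iterations;
    // Hypothetical property keys: user, salt (Base64), hash (Base64), iterations.
    public DownloadCredentials(Properties p) {
        user = p.getProperty("user");
        salt = Base64.getDecoder().decode(p.getProperty("salt"));
        hash = Base64.getDecoder().decode(p.getProperty("hash"));
        iterations = Integer.parseInt(p.getProperty("iterations"));
    }

    static byte[] pbkdf2(String password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Rejects missing input, derives the candidate hash, and compares it in constant time.
    public boolean verify(String candidateUser, String candidatePassword) throws Exception {
        if (candidateUser == null || candidatePassword == null || candidatePassword.isEmpty()) {
            return false;
        }
        byte[] candidate = pbkdf2(candidatePassword, salt, iterations);
        return MessageDigest.isEqual(hash, candidate) & user.equals(candidateUser);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration; a deployment generates salt and hash once and stores them in a file.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        Properties p = new Properties();
        p.load(new StringReader("user=builder\niterations=100000\nsalt=" + b64.encodeToString(salt)
                + "\nhash=" + b64.encodeToString(pbkdf2("constructed-sample-pw", salt, 100000)) + "\n"));
        DownloadCredentials creds = new DownloadCredentials(p);
        System.out.println("correct password: " + creds.verify("builder", "constructed-sample-pw"));
        System.out.println("wrong password:   " + creds.verify("builder", "wrong"));
        System.out.println("no credentials:   " + creds.verify(null, null));
    }
}
```

With a check like this, ok.jsp could call `verify` once and store only a boolean flag in the session, so the password itself never has to be kept there.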

