• Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Minor Minor
    • artifactory-plugin
    • Jenkins Artifactory Plugin version: 2.14.0
      Suse Enterprise Linux 12
      Jenkins 2.102 (Windows Master - Linux Slave)

      Pipeline build is failing after deploying artifact to Artifactory.

      I have added JVM arg to both slave and master 
      -Dhudson.remoting.ClassFilter=org.jfrog.build.client.DeployDetails
      Error from log:

      java.lang.SecurityException: Rejected: org.jfrog.build.client.DeployDetails
      	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      	at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      	at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
      	at java.io.ObjectInputStream.readClassDesc(Unknown Source)
      	at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
      	at java.io.ObjectInputStream.readObject0(Unknown Source)
      	at java.io.ObjectInputStream.readObject(Unknown Source)
      	at java.util.ArrayList.readObject(Unknown Source)
      	at sun.reflect.GeneratedMethodAccessor123.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      	at java.lang.reflect.Method.invoke(Unknown Source)
      	at java.io.ObjectStreamClass.invokeReadObject(Unknown Source)
      	at java.io.ObjectInputStream.readSerialData(Unknown Source)
      	at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
      	at java.io.ObjectInputStream.readObject0(Unknown Source)
      	at java.io.ObjectInputStream.readObject(Unknown Source)
      	at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      	at hudson.remoting.Channel.call(Channel.java:909)
      	at hudson.FilePath.act(FilePath.java:998)
      	at hudson.FilePath.act(FilePath.java:987)
      	at org.jfrog.hudson.pipeline.types.buildInfo.BuildInfo.appendDeployableArtifacts(BuildInfo.java:159)
      	at org.jfrog.hudson.pipeline.steps.ArtifactoryMavenBuild$Execution.run(ArtifactoryMavenBuild.java:112)
      	at org.jfrog.hudson.pipeline.steps.ArtifactoryMavenBuild$Execution.run(ArtifactoryMavenBuild.java:61)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:274)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      	at java.util.concurrent.FutureTask.run(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      	at java.lang.Thread.run(Unknown Source)
      

          [JENKINS-48991] Artifactory plugin affected by JEP in 2.102

          Oleg Nenashev added a comment -

          BTW I have updated the PR. The current version works for me in some cases, but it's definitely not enough to cover all usage paths in the plugin

          Oleg Nenashev added a comment - BTW I have updated the PR. The current version works for me in some cases, but it's definitely not enough to cover all usage paths in the plugin

          Oleg Nenashev added a comment -

          AbstractListMultimap is abstract for sure: http://grepcode.com/file/repo1.maven.org/maven2/com.google.guava/guava/11.0.1/com/google/common/collect/AbstractListMultimap.java?av=f
          jglick IIUC it may happen only if we have custom messaging for anonymous classes which loses some info, WDYT?

          Oleg Nenashev added a comment - AbstractListMultimap is abstract for sure: http://grepcode.com/file/repo1.maven.org/maven2/com.google.guava/guava/11.0.1/com/google/common/collect/AbstractListMultimap.java?av=f jglick IIUC it may happen only if we have custom messaging for anonymous classes which loses some info, WDYT?

          Jesse Glick added a comment -

          AbstractSetMultimap was already whitelisted; this could be too. Serialization will pay attention to abstract supertypes when they are Serializable IIRC.

          Jesse Glick added a comment - AbstractSetMultimap was already whitelisted; this could be too. Serialization will pay attention to abstract supertypes when they are Serializable IIRC.

          Oleg Nenashev added a comment -

          Ack, will whitelist them

          Oleg Nenashev added a comment - Ack, will whitelist them

          Ajit Surana added a comment -

          Is this resolved? I'm facing the following error -

          ERROR: Rejected: org.jfrog.build.api.Artifact
          java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
          	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)

          We have a master slave Jenkins system. I tried to add the -Dhudson.remoting.ClassFilter.DEFAULTS_OVERRIDE_LOCATION= parameter with appropriate file during slave start up to safeguard the org.jfrog.build.api.Artifact class but it does not work.

          The file content is as follows (Please note: I know it may stop other plugins to work but my focus was to make org.jfrog.build.api.Artifact working first).

          ^org[.]jfrog[.]build[.]api[.].*
          ^org[.]jfrog[.]build[.]api[.].Artifact
          

          I can see if I give some wrong content to the file, an exception is being thrown during start up so I'm sure that this file is loaded during slave startup. But still unsure by this mechanism does not work.

          One more point: I'm only trying these options with slave node and master is untouched. Can this issue resolved by changing the master node similarly? Any help would be appreciated.

          Ajit Surana added a comment - Is this resolved? I'm facing the following error - ERROR: Rejected: org.jfrog.build.api.Artifact java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact at hudson.remoting.ClassFilter.check(ClassFilter.java:75) We have a master slave Jenkins system. I tried to add the -Dhudson.remoting.ClassFilter.DEFAULTS_OVERRIDE_LOCATION= parameter with appropriate file during slave start up to safeguard the org.jfrog.build.api.Artifact class but it does not work. The file content is as follows (Please note: I know it may stop other plugins to work but my focus was to make org.jfrog.build.api.Artifact working first). ^org[.]jfrog[.]build[.]api[.].* ^org[.]jfrog[.]build[.]api[.].Artifact I can see if I give some wrong content to the file, an exception is being thrown during start up so I'm sure that this file is loaded during slave startup. But still unsure by this mechanism does not work. One more point: I'm only trying these options with slave node and master is untouched. Can this issue resolved by changing the master node similarly? Any help would be appreciated.

          kgiloo added a comment -

          for me, the options below do the workaround

          (as suggested in https://github.com/jenkinsci/artifactory-plugin/pull/30)

          JENKINS_JAVA_OPTIONS="-Dhudson.remoting.ClassFilter=org.jfrog.build.api.Artifact,org.jfrog.build.api.BaseBuildFileBean,org.jfrog.build.api.BaseBuildBean"

          kgiloo added a comment - for me, the options below do the workaround (as suggested in https://github.com/jenkinsci/artifactory-plugin/pull/30 ) JENKINS_JAVA_OPTIONS="-Dhudson.remoting.ClassFilter=org.jfrog.build.api.Artifact,org.jfrog.build.api.BaseBuildFileBean,org.jfrog.build.api.BaseBuildBean"

          Ajit Surana added a comment - - edited

          I ran the following command to start the slave node as I've only access to slave node (a Windows node):

          C:\Users\jenkins\Desktop\Artifactory>java -Dhudson.remoting.ClassFilter=org.jfrog.build.api.Artifact -jar agent.jar -jnlpUrl https://localjenkins.com/sds/computer/jenkinsw104/slave-agent.jnlp -secret f9404edf68730facd646cb20b86a310db4296a89b4a8b62ff74e0d3ea5a4ef0b
          

          It still gives the error:

          ERROR: Rejected: org.jfrog.build.api.Artifact
          java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
          	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
          

          Did you add the JENKINS_JAVA_OPTIONS in /etc/sysconfig/jenkins in the Master node? Or in the slave node if having Jenkins master-slave configuration?

          Ajit Surana added a comment - - edited I ran the following command to start the slave node as I've only access to slave node (a Windows node): C:\Users\jenkins\Desktop\Artifactory>java -Dhudson.remoting.ClassFilter=org.jfrog.build.api.Artifact -jar agent.jar -jnlpUrl https://localjenkins.com/sds/computer/jenkinsw104/slave-agent.jnlp -secret f9404edf68730facd646cb20b86a310db4296a89b4a8b62ff74e0d3ea5a4ef0b It still gives the error: ERROR: Rejected: org.jfrog.build.api.Artifact java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact at hudson.remoting.ClassFilter.check(ClassFilter.java:75) Did you add the JENKINS_JAVA_OPTIONS in /etc/sysconfig/jenkins in the Master node? Or in the slave node if having Jenkins master-slave configuration?

          kgiloo added a comment -

          ajitsurana startup on master

          kgiloo added a comment - ajitsurana startup on master

          Oleg Nenashev added a comment -

          Yes, options need to be added to the master-side only. Agents still use a blacklist instead of whitelist, no plans to change it soon.

          Oleg Nenashev added a comment - Yes, options need to be added to the master-side only. Agents still use a blacklist instead of whitelist, no plans to change it soon.

          Ajit Surana added a comment -

          kgiloo, oleg_nenashev: Thanks for your prompt response. I will modify the master as per the suggestion.

          Ajit Surana added a comment - kgiloo , oleg_nenashev : Thanks for your prompt response. I will modify the master as per the suggestion.

            oleg_nenashev Oleg Nenashev
            ntones Nicholas Tones
            Votes:
            3 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: