-
Bug
-
Resolution: Fixed
-
Critical
-
Jenkins 2.102
Pipeline: 2.5
Pipeline: AWS Steps 1.20
Plain Credentials Plugin 1.4
Credentials Plugin 2.1.16
Credentials Binding Plugin 1.14
Ubuntu 14.04.5 LTS
OpenJDK 1.8.0_141
Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
Cause in my configuration:
withAWS(credentials:'aws-softwareops') {
s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'
}
Remove this and the build works.
Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.
Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.
This is in the logs:
Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/
This doesn't work:
-Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator
(there is no mention of ClassFilter in the Jenkins log at startup - should there be?)
This is a blocking issue for me.
Stack trace:
java.lang.SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator at hudson.remoting.ClassFilter.check(ClassFilter.java:75) at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129) at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1826) at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245) at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:552) at java.util.TreeMap.readObject(TreeMap.java:2449) at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245) at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169) at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027) at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422) at hudson.remoting.UserRequest.deserialize(UserRequest.java:277) at hudson.remoting.UserResponse.retrieve(UserRequest.java:310) at hudson.remoting.Channel.call(Channel.java:909) at hudson.FilePath.act(FilePath.java:998) at hudson.FilePath.act(FilePath.java:987) at de.taimos.pipeline.aws.S3UploadStep$Execution$1.run(S3UploadStep.java:259)
- is related to
-
JENKINS-49027 Improve diagnostics of rejected objects in Remoting
-
- Resolved
-
- relates to
-
JENKINS-47736
JEP-200: Switch Remoting/XStream blacklist to a whitelist
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- links to
