
SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

    • Bug
    • Resolution: Fixed
    • Critical
    • pipeline-aws-plugin
    • Jenkins 2.102

      Pipeline: 2.5
      Pipeline: AWS Steps 1.20
      Plain Credentials Plugin 1.4
      Credentials Plugin 2.1.16
      Credentials Binding Plugin 1.14

      Ubuntu 14.04.5 LTS
      OpenJDK 1.8.0_141

      Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

      Cause in my configuration:

      withAWS(credentials:'aws-softwareops') {
          s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'
      }

      Remove this and the build works.

      Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.

      Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.

      This is in the logs:

      Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

      This doesn't work:

      -Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator

      (there is no mention of ClassFilter in the Jenkins log at startup - should there be?)

      This is a blocking issue for me.

      Stack trace:

      java.lang.SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
      	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      	at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1826)
      	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
      	at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:552)
      	at java.util.TreeMap.readObject(TreeMap.java:2449)
      	at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
      	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
      	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
      	at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      	at hudson.remoting.Channel.call(Channel.java:909)
      	at hudson.FilePath.act(FilePath.java:998)
      	at hudson.FilePath.act(FilePath.java:987)
      	at de.taimos.pipeline.aws.S3UploadStep$Execution$1.run(S3UploadStep.java:259)

          [JENKINS-49025] SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          Tom Fanning created issue -
          Tom Fanning made changes -
          Epic Link New: JENKINS-47736 [ 186227 ]
          Tom Fanning made changes -
          Link New: This issue is related to JENKINS-47736 [ JENKINS-47736 ]
          Tom Fanning made changes -
          Link New: This issue relates to JENKINS-47736 [ JENKINS-47736 ]
          Tom Fanning made changes -
          Link Original: This issue is related to JENKINS-47736 [ JENKINS-47736 ]

          Oleg Nenashev added a comment -

          I think that common comparators should be whitelisted on the core's side


          Tom Fanning added a comment -

          Any idea why the workaround doesn't work?

          (-Dhudson.remoting.ClassFilter=...)


          Oleg Nenashev added a comment -

          It happens because EnvVars get serialized over the Remoting channel: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/EnvVars.java

          It happens in RemoteUploader: https://github.com/jenkinsci/pipeline-aws-plugin/blob/de2a2abf961971f6dcaa5354f66dd306250f1331/src/main/java/de/taimos/pipeline/aws/S3UploadStep.java#L288

          The fix should be on the core's side

          Oleg Nenashev added a comment -

          tomfanning Probably you specify the option in the wrong place. It should be "java -D.... -jar jenkins.war"

          Oleg Nenashev made changes -
          Summary Original: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator in s3Upload New: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator in EnvVars
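
The rejection in the stack trace above comes from a class check made in resolveClass while TreeMap.readObject is reading the map's comparator. The following is an added example, not code from Jenkins or the plugin: AllowListStream and its allow-list are hypothetical stand-ins for the class filter, and the map contents are constructed sample data.

```java
import java.io.*;
import java.util.*;

// Added illustration; AllowListStream is a hypothetical stand-in, not Jenkins code.
public class ClassFilterDemo {
    /** ObjectInputStream that rejects any class missing from the allow-list before loading it. */
    static class AllowListStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new SecurityException("Rejected: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    /** Deserializes data under the given allow-list and reports the outcome as text. */
    static String tryRead(byte[] data, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(data), allowed)) {
            return "accepted: " + in.readObject();
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a TreeMap ordered by String.CASE_INSENSITIVE_ORDER,
        // so the serialized form carries the comparator class named in this issue.
        TreeMap<String, String> env = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        env.put("AWS_REGION", "eu-west-1");
        byte[] data = serialize(env);

        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.TreeMap", "java.lang.String"));
        System.out.println(tryRead(data, allowed));   // comparator class is not listed
        allowed.add("java.lang.String$CaseInsensitiveComparator");
        System.out.println(tryRead(data, allowed));   // same bytes, comparator now listed
    }
}
```

The map itself passes the check; only the comparator stored inside it is refused, which is why the failure surfaces under TreeMap.readObject rather than at the top-level object.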

            jglick Jesse Glick
            tomfanning Tom Fanning