Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-49025

SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • pipeline-aws-plugin
    • Jenkins 2.102

      Pipeline: 2.5
      Pipeline: AWS Steps 1.20
      Plain Credentials Plugin 1.4
      Credentials Plugin 2.1.16
      Credentials Binding Plugin 1.14

      Ubuntu 14.04.5 LTS
      OpenJDK 1.8.0_141

      Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

      Cause in my configuration:

      withAWS(credentials:'aws-softwareops') {
          s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'
      }

      Remove this and the build works.

      Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.

      Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.

      This is in the logs:

      Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
      WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

      This doesn't work:

      -Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator

      (there is no mention of ClassFilter in the Jenkins log at startup - should there be?)

      This is a blocking issue for me.

      Stack trace:

      java.lang.SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
      	at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      	at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1826)
      	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
      	at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:552)
      	at java.util.TreeMap.readObject(TreeMap.java:2449)
      	at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
      	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
      	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169)
      	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
      	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
      	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
      	at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      	at hudson.remoting.Channel.call(Channel.java:909)
      	at hudson.FilePath.act(FilePath.java:998)
      	at hudson.FilePath.act(FilePath.java:987)
      	at de.taimos.pipeline.aws.S3UploadStep$Execution$1.run(S3UploadStep.java:259)

          [JENKINS-49025] SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          Tom Fanning created issue -
          Tom Fanning made changes -
          Epic Link New: JENKINS-47736 [ 186227 ]
          Tom Fanning made changes -
          Link New: This issue is related to JENKINS-47736 [ JENKINS-47736 ]
          Tom Fanning made changes -
          Link New: This issue relates to JENKINS-47736 [ JENKINS-47736 ]
          Tom Fanning made changes -
          Link Original: This issue is related to JENKINS-47736 [ JENKINS-47736 ]
          Oleg Nenashev made changes -
          Summary Original: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator in s3Upload New: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator in EnvVars
          Oleg Nenashev made changes -
          Component/s New: core [ 15593 ]
          Oleg Nenashev made changes -
          Priority Original: Major [ 3 ] New: Critical [ 2 ]
          Jesse Glick made changes -
          Summary Original: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator in EnvVars New: SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
          Tom Fanning made changes -
          Description Original: Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          Cause in my configuration:

          {{withAWS(credentials:'aws-softwareops') \{}}
          {{    s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'}}
          {{}}}

          Remove this and the build works.

          Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.

          Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.

          This is in the logs:

          Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
          WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see [https://jenkins.io/redirect/class-filter/]

          This doesn't work:

          -Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator

          (there is no mention of ClassFilter in the Jenkins log at startup - should there be?)

          This is a blocking issue for me.
          New: Creating my first pipeline build, trying to upload output to S3. Getting a SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator

          Cause in my configuration:

          {{withAWS(credentials:'aws-softwareops') \{}}
           {{    s3Upload acl: 'Private', bucket: 'my-bucket', file: 'my-file.zip', path: 'master'}}
           {{}}}

          Remove this and the build works.

          Comment out s3Upload and the build works - proving the cause is definitely s3Upload, not withAWS.

          Change the credentials key ("aws-softwareops" above) to something different, and the build fails again, proving the credentials are being picked up from Jenkins correctly.

          This is in the logs:

          Jan 18, 2018 3:06:58 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
           WARNING: java.lang.String$CaseInsensitiveComparator in JRE might be dangerous, so rejecting; see [https://jenkins.io/redirect/class-filter/]

          This doesn't work:

          -Dhudson.remoting.ClassFilter=java.lang.String$CaseInsensitiveComparator

          (there is no mention of ClassFilter in the Jenkins log at startup - should there be?)

          This is a blocking issue for me.

          Stack trace:
          {noformat}
          java.lang.SecurityException: Rejected: java.lang.String$CaseInsensitiveComparator
          at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
          at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
          at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1826)
          at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
          at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2000)
          at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
          at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
          at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:552)
          at java.util.TreeMap.readObject(TreeMap.java:2449)
          at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1058)
          at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2136)
          at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
          at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
          at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2245)
          at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2169)
          at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2027)
          at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
          at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
          at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
          at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
          at hudson.remoting.Channel.call(Channel.java:909)
          at hudson.FilePath.act(FilePath.java:998)
          at hudson.FilePath.act(FilePath.java:987)
          at de.taimos.pipeline.aws.S3UploadStep$Execution$1.run(S3UploadStep.java:259){noformat}
          Jesse Glick made changes -
          Assignee Original: Thorsten Hoeger [ hoegertn ] New: Jesse Glick [ jglick ]

            jglick Jesse Glick
            tomfanning Tom Fanning
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: