JENKINS-49543

Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl on Old Apache TomCat 8.x versions

      Workaround: Update to Apache Tomcat 8.0.50 or above

      When saving on the configuration page for a user (http://cool.jenkins.url/user/user.name/configure) I get the following stack trace.

      Adding "-Dhudson.remoting.ClassFilter=org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl" fixes the issue.

      This seems to also be causing issues for workflow-cps-global-lib-plugin's local git repository.

      Stack Trace:

      java.lang.UnsupportedOperationException: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons; see https://jenkins.io/redirect/class-filter/
      	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
      	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.model.User#properties for class hudson.model.User
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
      	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
      	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
      	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
      	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
      	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
      	at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
      	at hudson.XmlFile.write(XmlFile.java:200)
      	at hudson.model.User.save(User.java:827)
      	at hudson.model.User.doConfigSubmit(User.java:901)
      	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
      	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
      	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:214)
      	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:534)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
      	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      Plugins

      ace-editor 1.1
      active-directory 2.6
      analysis-core 1.94
      ansicolor 0.5.2
      ant 1.8
      antisamy-markup-formatter 1.5
      apache-httpcomponents-client-4-api 4.5.3-2.1
      artifactory 2.14.0
      authentication-tokens 1.3
      aws-credentials 1.23
      aws-java-sdk 1.11.264
      blueocean 1.4.1
      blueocean-autofavorite 1.2.1
      blueocean-bitbucket-pipeline 1.4.1
      blueocean-commons 1.4.1
      blueocean-config 1.4.1
      blueocean-core-js 1.4.1
      blueocean-dashboard 1.4.1
      blueocean-display-url 2.2.0
      blueocean-events 1.4.1
      blueocean-git-pipeline 1.4.1
      blueocean-github-pipeline 1.4.1
      blueocean-i18n 1.4.1
      blueocean-jira 1.4.1
      blueocean-jwt 1.4.1
      blueocean-personalization 1.4.1
      blueocean-pipeline-api-impl 1.4.1
      blueocean-pipeline-editor 1.4.1
      blueocean-pipeline-scm-api 1.4.1
      blueocean-rest 1.4.1
      blueocean-rest-impl 1.4.1
      blueocean-web 1.4.1
      bouncycastle-api 2.16.2
      branch-api 2.0.18
      build-blocker-plugin 1.7.3
      build-failure-analyzer 1.19.2
      build-history-metrics-plugin 1.2
      build-monitor-plugin 1.12+build.201708172343
      build-token-root 1.4
      build-user-vars-plugin 1.5
      cloud-stats 0.16
      cloudbees-bitbucket-branch-source 2.2.9
      cloudbees-disk-usage-simple 0.9
      cloudbees-folder 6.3
      command-launcher 1.2
      conditional-buildstep 1.3.6
      config-autorefresh-plugin 1.0
      config-file-provider 2.17
      configurationslicing 1.47
      credentials 2.1.16
      credentials-binding 1.15
      custom-tools-plugin 0.5
      cvs 2.13
      display-url-api 2.2.0
      docker-commons 1.11
      docker-slaves 1.0.7
      docker-workflow 1.15
      dropdown-viewstabbar-plugin 1.7
      durable-task 1.17
      dynamicparameter 0.2.0
      email-ext 2.61
      extended-choice-parameter 0.76
      external-monitor-job 1.7
      extra-columns 1.18
      favorite 2.3.1
      flexible-publish 0.15.2
      fortify-on-demand-uploader 3.0.6
      ghprb 1.40.0
      git 3.7.0
      git-client 2.7.1
      git-server 1.7
      github 1.29.0
      github-api 1.90
      github-branch-source 2.3.2
      github-organization-folder 1.6
      google-oauth-plugin 0.5
      gradle 1.28
      greenballs 1.15
      groovy 2.0
      handlebars 1.1.1
      handy-uri-templates-2-api 2.1.6-1.0
      hipchat 2.1.1
      htmlpublisher 1.14
      icon-shim 2.0.3
      ivy 1.28
      jackson2-api 2.8.11.1
      jacoco 2.2.1
      javadoc 1.4
      jenkins-design-language 1.4.1
      jenkins-jira-plugin 3.1.0
      jenkinslint 0.14.0
      jira 2.5
      jira-steps 1.3.1
      jquery 1.12.4-0
      jquery-detached 1.2.1
      jquery-ui 1.0.2
      jsch 0.1.54.1
      junit 1.24
      kpp-management-plugin 1.0.0
      kubernetes 1.2
      kubernetes-credentials 0.3.0
      kubernetes-pipeline-aggregator 1.5
      kubernetes-pipeline-arquillian-steps 1.5
      kubernetes-pipeline-devops-steps 1.5
      kubernetes-pipeline-steps 1.5
      last-changes 2.6
      ldap 1.19
      ldapemail 0.8 false
      lockable-resources 2.1
      logstash 1.4.0
      mailer 1.20
      mapdb-api 1.0.9.0
      matrix-auth 2.2
      matrix-project 1.12
      maven-plugin 3.1
      mercurial 2.2
      metrics 3.1.2.10
      momentjs 1.1.1
      monitoring 1.71.0
      multiple-scms 0.6
      newrelic-deployment-notifier 1.3
      next-build-number 1.5
      nodejs 1.2.4
      oauth-credentials 0.3
      pam-auth 1.3
      parameter-pool 1.0.3
      parameter-separator 1.0
      parameterized-trigger 2.35.2
      persistent-parameter 1.1
      pipeline-build-step 2.7
      pipeline-github-lib 1.0
      pipeline-graph-analysis 1.6
      pipeline-input-step 2.8
      pipeline-maven 3.3.0
      pipeline-milestone-step 1.3.1
      pipeline-model-api 1.2.7
      pipeline-model-declarative-agent 1.1.1
      pipeline-model-definition 1.2.7
      pipeline-model-extensions 1.2.7
      pipeline-rest-api 2.9
      pipeline-stage-step 2.3
      pipeline-stage-tags-metadata 1.2.7
      pipeline-stage-view 2.9
      pipeline-utility-steps 1.5.1
      plain-credentials 1.4
      play-autotest-plugin 1.0.2
      port-allocator 1.8
      publish-over 0.21
      publish-over-ssh 1.18
      pubsub-light 1.12
      quality-gates 2.5
      resource-disposer 0.8
      restification 1.1.1
      ruby 1.2
      ruby-runtime 0.13
      run-condition 1.0
      rvm 0.6
      saferestart 0.3
      sauce-ondemand 1.171
      scm-api 2.2.6
      script-security 1.41
      scriptler 2.9
      sidebar-link 1.9.1
      sonar 2.6.1
      sse-gateway 1.15
      ssh-agent 1.15
      ssh-credentials 1.13
      ssh-slaves 1.25.1
      structs 1.13
      subversion 2.10.2
      test-stability 2.3
      thinBackup 1.9
      timestamper 1.8.9
      token-macro 2.3
      variant 1.1
      versioncolumn 2.0
      warnings 4.65
      windows-slaves 1.3.1
      workflow-aggregator 2.5
      workflow-api 2.25
      workflow-basic-steps 2.6
      workflow-cps 2.44
      workflow-cps-global-lib 2.9
      workflow-durable-task-step 2.18
      workflow-job 2.17
      workflow-multibranch 2.17
      workflow-scm-step 2.6
      workflow-step-api 2.14
      workflow-support 2.18
      ws-cleanup 0.34
      yet-another-docker-plugin 0.1.0-rc47

          Jesse Glick added a comment -

          Indeed that URL pattern is not currently recognized; rather than the expected file:/srv/tomcat/tomcat_app/webapps/jenkins/WEB-INF/lib/ssh-cli-auth-1.4.jar Tomcat is producing jar:file:/srv/tomcat/tomcat_app/webapps/jenkins/WEB-INF/lib/ssh-cli-auth-1.4.jar!/. Fix should be trivial but let me see if I can reproduce it.
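
Added example (not Jenkins code and not part of the comment above): the two location forms quoted in that comment, reduced to one canonical form before a trust check. The class name, the `isTrustedLibJar` rule and every sample location other than the two from the comment are assumptions made for illustration.

```java
import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration only; this is not the code in ClassFilterImpl.java.
public class CodeSourceLocation {

    // Location a class was loaded from, or null (e.g. bootstrap classes).
    static String locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? null : cs.getLocation().toString();
    }

    // Reduce the archive form "jar:file:/.../x.jar!/" to "file:/.../x.jar".
    // Any other shape is returned unchanged so the caller can still reject it.
    static String normalize(String location) {
        if (location != null && location.startsWith("jar:file:/") && location.endsWith(".jar!/")) {
            return location.substring("jar:".length(), location.length() - "!/".length());
        }
        return location;
    }

    // Hypothetical trust rule: a JAR sitting directly in the given WEB-INF/lib/ directory.
    static boolean isTrustedLibJar(String location, String webInfLib) {
        String n = normalize(location);
        if (n == null || !n.startsWith(webInfLib) || !n.endsWith(".jar")) {
            return false;
        }
        String name = n.substring(webInfLib.length());
        // No sub-paths, nested archive markers or escapes in the file name.
        return name.indexOf('/') < 0 && name.indexOf('!') < 0 && name.indexOf('%') < 0;
    }

    public static void main(String[] args) {
        // The first two samples are the forms quoted in the comment; the rest are constructed.
        String lib = "file:/srv/tomcat/tomcat_app/webapps/jenkins/WEB-INF/lib/";
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put(lib + "ssh-cli-auth-1.4.jar", true);
        samples.put("jar:" + lib + "ssh-cli-auth-1.4.jar!/", true);
        samples.put("jar:file:/tmp/upload/ssh-cli-auth-1.4.jar!/", false);
        samples.put("jar:" + lib + "a.jar!/nested/b.jar!/", false);
        samples.put("jar:" + lib + "../../other/x.jar!/", false);
        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean got = isTrustedLibJar(e.getKey(), lib);
            if (got != e.getValue()) throw new AssertionError(e.getKey());
            System.out.println((got ? "trusted " : "rejected") + "  " + e.getKey());
        }
        System.out.println("this class: " + locationOf(CodeSourceLocation.class));
        System.out.println("String:     " + locationOf(String.class));
    }
}
```

Normalizing before the comparison keeps the trust decision in one place, so a container that reports the archive form does not need a second, looser matching rule.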

          Jesse Glick added a comment -

          Reproduced using the same setup as in JENKINS-49147 but extended by configuring a security realm, logging in as some user, and attempting to reconfigure that user.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          http://jenkins-ci.org/commit/jenkins/376c6a0add41e0c2049b64edfdd464bb8717ed1b
          Log:
          JENKINS-49543 Old versions of Tomcat also failed to serialize classes from Jenkins modules.

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          http://jenkins-ci.org/commit/jenkins/262a7a1345e6847a7f075eba0bde3a3d31bda6fa
          Log:
          Merge pull request #3313 from jglick/Tomcat-redux-JENKINS-49543

          JENKINS-49543 Old versions of Tomcat also failed to serialize classes from Jenkins modules

          Compare: https://github.com/jenkinsci/jenkins/compare/c33f14620425...262a7a1345e6

          Oleg Nenashev added a comment -

          It has been merged towards 2.110.
          olivergondza We do not know how many users run on the old Tomcat versions. Since the fix is narrow-scoped, would it make sense to add it to 2.107.1-rc? Or should we add it to known issues in the upgrade guide and postpone it till .2?

          Jesse Glick added a comment -

          Though it certainly does not meet the usual “soak period” criteria, I would advocate backporting this to 2.107.1 since the fix seems pretty safe and demonstrably fixes a serious regression (compared to the previous LTS) for users in this environment. But waiting for 2.107.2 is probably acceptable as well if the issue is noted in the upgrade guide—the workaround after all is to just upgrade Tomcat (or stop using it altogether).

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          test/src/test/java/jenkins/security/ClassFilterImplTest.java
          http://jenkins-ci.org/commit/jenkins/2ce5036cb06a7dab0d4868e9539c8d42e7a5678c
          Log:
          JENKINS-49543 - Add direct unit test for module class whitelisting

          (cherry picked from commit 800668ba4305964afe59d8744fcfc24013ff6ee6)

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/ClassFilterImpl.java
          http://jenkins-ci.org/commit/jenkins/dd3ddf3ceb6428dc0b3a15148d65e8baece0a42c
          Log:
          JENKINS-49543 Old versions of Tomcat also failed to serialize classes from Jenkins modules.

          (cherry picked from commit 376c6a0add41e0c2049b64edfdd464bb8717ed1b)

          Compare: https://github.com/jenkinsci/jenkins/compare/db0bddeb2cb5...dd3ddf3ceb64

          Oliver Gondža added a comment -

          Agreed this can be quite severe and the fix seems fairly straightforward. Though as the fix is unreleased for now, it will be reverted during RC period in case it will cause problems. It will be part of the RC I will push tomorrow unless tests suggest otherwise.

          Oleg Nenashev added a comment -

          The fix has been integrated towards 2.110

            jglick Jesse Glick
            notanother Tim McNally