JENKINS-50781

Shiro Plugin - Refusing to marshal org.apache.shiro.authc.credential.AllowAllCredentialsMatcher for security reasons


      Description

      Hi team, I have upgraded my Jenkins to version 2.107.2 but am still getting this error when I try to use the Shiro plugin, which I believe refers to JEP-200. Any advice please?

      Caused by: java.lang.UnsupportedOperationException: Refusing to marshal org.apache.shiro.authc.credential.AllowAllCredentialsMatcher for security reasons; see [https://jenkins.io/redirect/class-filter/]
              at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
              at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
              at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
              at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
              at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)


          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Would be nice to have a full stacktrace, but I'd guess it is an issue in the plugin itself, not in Credentials API.

          angel liang Could you please provide pointers to the codebase of the Shiro Plugin? I do not see it in Jenkins org or in https://github.com/apache/shiro

          angelliang angel liang added a comment -

          Hi, please see the attachment [^hudson.zip].

          Thanks a lot.

          oleg_nenashev Oleg Nenashev added a comment - edited

          OK. I'd guess it is your custom plugin then. Maybe you want to open-source it and host it in the Jenkins update center at some point: https://wiki.jenkins.io/display/JENKINS/Hosting+Plugins

          From what I see in the code, you need to...

          1) Make the "private final JndiLdapContextFactory jndiLdapContextFactory" field transient
          2) Move the initialization logic from the class constructor to a private method (e.g. initJndiLdapContextFactory()). The constructor should invoke this method
          3) Add a readResolve() method, which also invokes initJndiLdapContextFactory(). It will help the plugin to reinitialize when the class is loaded from disk by Jenkins

          readResolve() examples: https://wiki.jenkins.io/display/JENKINS/Hint+on+retaining+backward+compatibility

          Hopefully it helps

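          The three-step fix described in the comment above, written out as an added illustration; this is not code from the reporter's plugin (which is not public). The class name, package, field names and the use of hudson.util.Secret for the bind password are assumptions of the example; JndiLdapContextFactory is Shiro's own class.

```java
package example.shiro; // hypothetical package, not the reporter's plugin

import hudson.util.Secret;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Settings object that Jenkins persists to config.xml via XStream.
 * Only plain configuration values are serialized; the Shiro runtime object
 * is rebuilt on demand, so XStream never has to marshal Shiro classes and
 * the JEP-200 class filter is never triggered.
 */
public class ShiroLdapSettings {

    // Persisted state: simple types that the JEP-200 allowlist accepts.
    private final String ldapUrl;
    private final String systemUsername;
    private final Secret systemPassword;   // stored encrypted by Jenkins, never in clear text

    // Step 1: transient, so XStream skips this field entirely.
    // It must not be final, because readResolve() has to reassign it.
    private transient JndiLdapContextFactory jndiLdapContextFactory;

    @DataBoundConstructor
    public ShiroLdapSettings(String ldapUrl, String systemUsername, Secret systemPassword) {
        this.ldapUrl = ldapUrl;
        this.systemUsername = systemUsername;
        this.systemPassword = systemPassword;
        initJndiLdapContextFactory();   // Step 2: constructor delegates to the init method
    }

    // Step 2: all Shiro setup lives here so it can be re-run after deserialization.
    private void initJndiLdapContextFactory() {
        JndiLdapContextFactory factory = new JndiLdapContextFactory();
        factory.setUrl(ldapUrl);
        factory.setSystemUsername(systemUsername);
        factory.setSystemPassword(systemPassword == null ? null : systemPassword.getPlainText());
        this.jndiLdapContextFactory = factory;
    }

    // Step 3: XStream calls readResolve() after loading the object from disk.
    // The transient field is null at that point, so rebuild it here.
    protected Object readResolve() {
        initJndiLdapContextFactory();
        return this;
    }

    public JndiLdapContextFactory getJndiLdapContextFactory() {
        return jndiLdapContextFactory;
    }
}
```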
          angelliang angel liang added a comment -

          It seems Jenkins blacklists this class; any suggestion on how we can move it to the whitelist?

          https://shiro.apache.org/static/1.2.5/apidocs/org/apache/shiro/authc/credential/AllowAllCredentialsMatcher.html


          oleg_nenashev Oleg Nenashev added a comment -

          angel liang see https://jenkins.io/blog/2018/03/15/jep-200-lts/ and https://jenkins.io/blog/2018/01/13/jep-200/#for-plugin-developers. But I would really recommend making the jndiLdapContextFactory field transient as suggested above.

          angelliang angel liang added a comment -

          Thanks a lot, it worked with this workaround, bypassing the classes (like AllowAllCredentialsMatcher). I am doing further testing on my Jenkins, cheers.
          java -Dhudson.remoting.ClassFilter=some.pkg.and.ClassName,some.pkg.and.OtherClassName -jar jenkins.war

          oleg_nenashev Oleg Nenashev added a comment -

          OK, I will close it then. Since the plugin is not open-source, it's totally your decision how to fix the issue.


            People

            Assignee:
            angelliang angel liang
            Reporter:
            angelliang angel liang
            Votes:
            0
            Watchers:
            2