[JENKINS-62774] Whitelist org.acegisecurity.GrantedAuthorityImpl for XML serialization

    • Type: Improvement
    • Resolution: Won't Do
    • Priority: Minor
    • Component: core

      I would like to add org.acegisecurity.GrantedAuthorityImpl to core/src/main/resources/jenkins/security/whitelisted-classes.txt

      Is it a bad idea? If not, I will open the corresponding PR on the GitHub repository.


          Oleg Nenashev added a comment -

          erwyn, could you please explain the use case? For me it looks like a bad idea, but it would be great to know the use case if you want to have a more detailed answer.

          Martin Goyot added a comment - edited

          Hi oleg_nenashev. So maybe it's indeed a bad idea.

          I'm working on an OAuth plugin, and when a user connects we gather the GrantedAuthorities, which are composed of Authenticated and the Groups coming from the OAuth/OIDC server. When I have those details about the user's groups, I add them to the user through a property on the User object, and they then end up serialized by Jenkins, which is what I want so that I can retrieve them afterwards in, for example, `loadUserByUsername`, where I need to rebuild the user. So now, I have 3 things coming to my mind about this:

          1. I add org.acegisecurity.GrantedAuthorityImpl to the whitelist and thus I can serialize it.
          2. But maybe doing so is a bad idea, so I could serialize just the user groups retrieved from the OAuth/OIDC server and proceed to transformation into GrantedAuthorityImpl on demand.
          3. But maybe this is also a bad idea, and then I should re-query the OAuth/OIDC server every time `loadUserByUsername` is hit, the problem being that I (as the current user) am not allowed to query for other users on this server. So maybe I should just not give user groups for users which are not my current user and not fulfill the `getGrantedAuthorities()` contract for those?
          4. Maybe you have another idea?

          Thanks for your help!

          Oleg Nenashev added a comment -

          If you use an external OAuth plugin, caching group memberships on disk is a potential security risk. The cache may become inconsistent with the OAuth server, and it would be your responsibility to somehow manage that. It becomes difficult without permissions to query users indeed...

          My recommendation is option (3) if possible. If it does not work, option (2) with all implied risks.
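Option (2) from the thread, as an added illustration written for this page and not code from the plugin under discussion or from Jenkins core: the UserProperty stores only the group names as plain strings (String and java.util collections are already accepted by Jenkins' XStream whitelist, so nothing new has to be whitelisted) together with the time they were fetched, and GrantedAuthorityImpl objects are rebuilt on demand. The staleness window is the caveat Oleg raises: once the snapshot is older than the chosen limit, the property falls back to the AUTHENTICATED authority only instead of trusting stale group data. The package name, class names and the maxAgeMillis policy are assumptions for the example; the Jenkins and Acegi types used (UserProperty, UserPropertyDescriptor, User.addProperty, SecurityRealm.AUTHENTICATED_AUTHORITY, GrantedAuthorityImpl) are the ones available in Jenkins core at the time of this issue.

```java
package example.oidc; // assumed package name, not the plugin's

import hudson.Extension;
import hudson.model.User;
import hudson.model.UserProperty;
import hudson.model.UserPropertyDescriptor;
import hudson.security.SecurityRealm;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Persists only the group names returned by the OAuth/OIDC server, as strings,
 * so Jenkins can serialize the property without any whitelist change.
 * GrantedAuthority objects are rebuilt on demand from this snapshot.
 */
public class CachedGroupsProperty extends UserProperty {

    // Plain strings: serializable under the existing XStream whitelist.
    private final List<String> groups;
    // When the snapshot was taken, so callers can refuse stale data.
    private final long fetchedAtMillis;

    public CachedGroupsProperty(List<String> groups, long fetchedAtMillis) {
        this.groups = new ArrayList<>(groups);
        this.fetchedAtMillis = fetchedAtMillis;
    }

    public List<String> getGroups() {
        return Collections.unmodifiableList(groups);
    }

    /** True when the snapshot is older than maxAgeMillis (policy value chosen by the caller). */
    public boolean isStale(long nowMillis, long maxAgeMillis) {
        return nowMillis - fetchedAtMillis > maxAgeMillis;
    }

    /**
     * Rebuild authorities from the cached names. A stale cache yields only the
     * AUTHENTICATED authority, never group memberships the server may have revoked.
     */
    public GrantedAuthority[] toAuthorities(long nowMillis, long maxAgeMillis) {
        List<GrantedAuthority> out = new ArrayList<>();
        out.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
        if (!isStale(nowMillis, maxAgeMillis)) {
            for (String group : groups) {
                out.add(new GrantedAuthorityImpl(group));
            }
        }
        return out.toArray(new GrantedAuthority[0]);
    }

    /** Called on login, when the plugin holds the groups from the token or userinfo endpoint. */
    public static void record(User user, List<String> groupsFromServer) throws IOException {
        user.addProperty(new CachedGroupsProperty(groupsFromServer, System.currentTimeMillis()));
    }

    /** Called from loadUserByUsername: returns null when no snapshot exists for the user. */
    public static CachedGroupsProperty lookup(User user) {
        return user.getProperty(CachedGroupsProperty.class);
    }

    @Extension
    public static class DescriptorImpl extends UserPropertyDescriptor {
        @Override
        public UserProperty newInstance(User user) {
            // Not created automatically; only record() on login attaches the property.
            return null;
        }

        @Override
        public String getDisplayName() {
            return "Cached OIDC groups";
        }
    }
}
```

In `loadUserByUsername` the plugin would call `lookup(user)` and, when a property exists, `toAuthorities(System.currentTimeMillis(), maxAgeMillis)`; a missing or stale snapshot yields only AUTHENTICATED, which is the safe failure mode when the server cannot be re-queried for other users.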

          Martin Goyot added a comment -

          Thank you very much for those insights, oleg_nenashev. I'll see with the others how we're going to proceed.

          Thanks, I'm closing this issue.

          Martin Goyot added a comment -

          Question answered by oleg_nenashev.

          This is a bad idea, won't do.

            Assignee: Unassigned
            Reporter: Martin Goyot (erwyn)
            Votes: 0
            Watchers: 2