JENKINS-49147

JEP-200 location-based whitelisting broken in obsolete versions of Tomcat

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Jenkins 2.103 running on Debian 8 with OpenJDK 1.8.0_131 and Tomcat8

      Description

      I followed my normal procedure in updating our Jenkins builder:

      • Update all Jenkins plugins first.
      • Update Jenkins core (using .war file)

      I got the error message about JEP-200 and XStream, so I browsed to the wiki page. It had a note in there about -Dhudson.remoting.ClassFilter=, with a comma-separated list of class names from the log file. I got the list of classes:

      # grep -ri rejecting /var/log/tomcat8/catalina.out | awk -F ' ' '{print $2}' | sort | uniq
      hudson.model.Cause$UserIdCause
      hudson.model.Hudson$CloudList
      hudson.model.MyViewsProperty
      hudson.model.PaneStatusProperties
      hudson.model.Queue$State
      hudson.model.UpdateSite
      hudson.model.View$PropertyList
      hudson.node_monitors.ArchitectureMonitor
      hudson.node_monitors.ClockMonitor
      hudson.node_monitors.DiskSpaceMonitor
      hudson.node_monitors.ResponseTimeMonitor
      hudson.node_monitors.SwapSpaceMonitor
      hudson.node_monitors.TemporarySpaceMonitor
      hudson.remoting.RemoteInvocationHandler$RPCRequest
      hudson.scm.SCMRevisionState$None
      hudson.search.UserSearchProperty
      hudson.slaves.JNLPLauncher
      hudson.slaves.RetentionStrategy$2
      hudson.tasks.LogRotator
      hudson.tasks.Shell$DescriptorImpl
      hudson.triggers.SCMTrigger$BuildAction
      hudson.triggers.SCMTrigger$DescriptorImpl
      hudson.triggers.SCMTrigger$SCMTriggerCause
      hudson.util.CopyOnWriteMap$Hash
      jenkins.model.BuildDiscarderProperty
      jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy
      jenkins.security.ApiTokenProperty
      jenkins.security.LastGrantedAuthoritiesProperty
      jenkins.slaves.RemotingWorkDirSettings
      

      So, I added those as a comma-separated list to -Dhudson.remoting.ClassFilter= and restarted Tomcat. Jenkins came back (authentication worked, but no build information is available, and slaves cannot connect), but I am now seeing a message about "You have data stored in an older format and/or unreadable data.". I am a bit afraid I will lose my build history and other metadata if I click on "Discard Unreadable Data". Is that a "safe" operation for my builds metadata?

      Also, why do I need to add so many exclusions to the hudson.remoting.ClassFilter, some of which seem to be internal to jenkins/hudson? Shouldn't that "just work"? Did I do something wrong in the upgrade?

            Activity

            kmott Kyle Mott added a comment -

            If I trigger the build again, it goes away, so I'm guessing some transient turd left by Tomcat. Thanks again for all of the help Jesse!

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            http://jenkins-ci.org/commit/jenkins/655be64a1753a3077a81fc0c34573bca74dcf5a0
            Log:
            JENKINS-49147 Tolerate unusual CodeSource.location format from old versions of Tomcat.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            http://jenkins-ci.org/commit/jenkins/cd875f0e5aa8191e414a8b9940b02137d8ffb2f4
            Log:
            Merge pull request #3264 from jglick/Tomcat-JENKINS-49147

            JENKINS-49147 Tolerate unusual CodeSource.location format from old versions of Tomcat

            Compare: https://github.com/jenkinsci/jenkins/compare/dbc75125c565...cd875f0e5aa8

            danielbeck Daniel Beck added a comment -

            Resolved towards 2.104.

            danielbeck Daniel Beck added a comment -

            This is in 2.104 so realistic LTS baselines will include this (and we're aiming for 2.107).


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                kmott Kyle Mott