JENKINS-49543

Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl on old Apache Tomcat 8.x versions

      Description

      Workaround: Update to Apache Tomcat 8.0.50 or above

      When saving on the configuration page for a user (http://cool.jenkins.url/user/user.name/configure) I get the following stack trace.

      Adding "-Dhudson.remoting.ClassFilter=org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl" fixes the issue.

      This seems to also be causing issues for workflow-cps-global-lib-plugin's local git repository.

      Stack Trace:

      java.lang.UnsupportedOperationException: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons; see https://jenkins.io/redirect/class-filter/
      	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
      	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.model.User#properties for class hudson.model.User
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
      	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
      	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
      	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
      	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
      	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
      	at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
      	at hudson.XmlFile.write(XmlFile.java:200)
      	at hudson.model.User.save(User.java:827)
      	at hudson.model.User.doConfigSubmit(User.java:901)
      	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
      	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
      	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:214)
      	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:534)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
      	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      

      Plugins

      ace-editor 1.1
      active-directory 2.6
      analysis-core 1.94
      ansicolor 0.5.2
      ant 1.8
      antisamy-markup-formatter 1.5
      apache-httpcomponents-client-4-api 4.5.3-2.1
      artifactory 2.14.0
      authentication-tokens 1.3
      aws-credentials 1.23
      aws-java-sdk 1.11.264
      blueocean 1.4.1
      blueocean-autofavorite 1.2.1
      blueocean-bitbucket-pipeline 1.4.1
      blueocean-commons 1.4.1
      blueocean-config 1.4.1
      blueocean-core-js 1.4.1
      blueocean-dashboard 1.4.1
      blueocean-display-url 2.2.0
      blueocean-events 1.4.1
      blueocean-git-pipeline 1.4.1
      blueocean-github-pipeline 1.4.1
      blueocean-i18n 1.4.1
      blueocean-jira 1.4.1
      blueocean-jwt 1.4.1
      blueocean-personalization 1.4.1
      blueocean-pipeline-api-impl 1.4.1
      blueocean-pipeline-editor 1.4.1
      blueocean-pipeline-scm-api 1.4.1
      blueocean-rest 1.4.1
      blueocean-rest-impl 1.4.1
      blueocean-web 1.4.1
      bouncycastle-api 2.16.2
      branch-api 2.0.18
      build-blocker-plugin 1.7.3
      build-failure-analyzer 1.19.2
      build-history-metrics-plugin 1.2
      build-monitor-plugin 1.12+build.201708172343
      build-token-root 1.4
      build-user-vars-plugin 1.5
      cloud-stats 0.16
      cloudbees-bitbucket-branch-source 2.2.9
      cloudbees-disk-usage-simple 0.9
      cloudbees-folder 6.3
      command-launcher 1.2
      conditional-buildstep 1.3.6
      config-autorefresh-plugin 1.0
      config-file-provider 2.17
      configurationslicing 1.47
      credentials 2.1.16
      credentials-binding 1.15
      custom-tools-plugin 0.5
      cvs 2.13
      display-url-api 2.2.0
      docker-commons 1.11
      docker-slaves 1.0.7
      docker-workflow 1.15
      dropdown-viewstabbar-plugin 1.7
      durable-task 1.17
      dynamicparameter 0.2.0
      email-ext 2.61
      extended-choice-parameter 0.76
      external-monitor-job 1.7
      extra-columns 1.18
      favorite 2.3.1
      flexible-publish 0.15.2
      fortify-on-demand-uploader 3.0.6
      ghprb 1.40.0
      git 3.7.0
      git-client 2.7.1
      git-server 1.7
      github 1.29.0
      github-api 1.90
      github-branch-source 2.3.2
      github-organization-folder 1.6
      google-oauth-plugin 0.5
      gradle 1.28
      greenballs 1.15
      groovy 2.0
      handlebars 1.1.1
      handy-uri-templates-2-api 2.1.6-1.0
      hipchat 2.1.1
      htmlpublisher 1.14
      icon-shim 2.0.3
      ivy 1.28
      jackson2-api 2.8.11.1
      jacoco 2.2.1
      javadoc 1.4
      jenkins-design-language 1.4.1
      jenkins-jira-plugin 3.1.0
      jenkinslint 0.14.0
      jira 2.5
      jira-steps 1.3.1
      jquery 1.12.4-0
      jquery-detached 1.2.1
      jquery-ui 1.0.2
      jsch 0.1.54.1
      junit 1.24
      kpp-management-plugin 1.0.0
      kubernetes 1.2
      kubernetes-credentials 0.3.0
      kubernetes-pipeline-aggregator 1.5
      kubernetes-pipeline-arquillian-steps 1.5
      kubernetes-pipeline-devops-steps 1.5
      kubernetes-pipeline-steps 1.5
      last-changes 2.6
      ldap 1.19
      ldapemail 0.8 false
      lockable-resources 2.1
      logstash 1.4.0
      mailer 1.20
      mapdb-api 1.0.9.0
      matrix-auth 2.2
      matrix-project 1.12
      maven-plugin 3.1
      mercurial 2.2
      metrics 3.1.2.10
      momentjs 1.1.1
      monitoring 1.71.0
      multiple-scms 0.6
      newrelic-deployment-notifier 1.3
      next-build-number 1.5
      nodejs 1.2.4
      oauth-credentials 0.3
      pam-auth 1.3
      parameter-pool 1.0.3
      parameter-separator 1.0
      parameterized-trigger 2.35.2
      persistent-parameter 1.1
      pipeline-build-step 2.7
      pipeline-github-lib 1.0
      pipeline-graph-analysis 1.6
      pipeline-input-step 2.8
      pipeline-maven 3.3.0
      pipeline-milestone-step 1.3.1
      pipeline-model-api 1.2.7
      pipeline-model-declarative-agent 1.1.1
      pipeline-model-definition 1.2.7
      pipeline-model-extensions 1.2.7
      pipeline-rest-api 2.9
      pipeline-stage-step 2.3
      pipeline-stage-tags-metadata 1.2.7
      pipeline-stage-view 2.9
      pipeline-utility-steps 1.5.1
      plain-credentials 1.4
      play-autotest-plugin 1.0.2
      port-allocator 1.8
      publish-over 0.21
      publish-over-ssh 1.18
      pubsub-light 1.12
      quality-gates 2.5
      resource-disposer 0.8
      restification 1.1.1
      ruby 1.2
      ruby-runtime 0.13
      run-condition 1.0
      rvm 0.6
      saferestart 0.3
      sauce-ondemand 1.171
      scm-api 2.2.6
      script-security 1.41
      scriptler 2.9
      sidebar-link 1.9.1
      sonar 2.6.1
      sse-gateway 1.15
      ssh-agent 1.15
      ssh-credentials 1.13
      ssh-slaves 1.25.1
      structs 1.13
      subversion 2.10.2
      test-stability 2.3
      thinBackup 1.9
      timestamper 1.8.9
      token-macro 2.3
      variant 1.1
      versioncolumn 2.0
      warnings 4.65
      windows-slaves 1.3.1
      workflow-aggregator 2.5
      workflow-api 2.25
      workflow-basic-steps 2.6
      workflow-cps 2.44
      workflow-cps-global-lib 2.9
      workflow-durable-task-step 2.18
      workflow-job 2.17
      workflow-multibranch 2.17
      workflow-scm-step 2.6
      workflow-step-api 2.14
      workflow-support 2.18
      ws-cleanup 0.34
      yet-another-docker-plugin 0.1.0-rc47
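A log-triage helper, added here and not part of the issue or of Jenkins itself: it scans Jenkins log lines for the class-filter rejection shown in the stack trace, pairs each refused class with the `Class#field` whose save failed, checks a Tomcat version against the 8.0.50 threshold named in the workaround, and builds the stopgap `-Dhudson.remoting.ClassFilter=` value from the description. The log excerpt is constructed from the stack trace above; joining several classes with commas in the property is an assumption (the page shows only one class).

```python
"""Triage Jenkins class-filter rejections from a log excerpt (added example)."""
import re

# Message emitted by hudson.util.XStream2$BlacklistedTypesConverter (as in the trace above).
REFUSE_RE = re.compile(r"Refusing to marshal (?P<cls>[\w.$]+) for security reasons")
# "Caused:" line from RobustReflectionConverter naming the owner field being saved.
FIELD_RE = re.compile(r"Failed to serialize (?P<owner>[\w.$]+)#(?P<field>\w+) for class")

# Constructed log excerpt, trimmed from the stack trace in the issue description.
SAMPLE_LOG = """\
java.lang.UnsupportedOperationException: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons; see https://jenkins.io/redirect/class-filter/
\tat hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
\tat hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
Caused: java.lang.RuntimeException: Failed to serialize hudson.model.User#properties for class hudson.model.User
\tat hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
Caused: java.io.IOException
\tat hudson.XmlFile.write(XmlFile.java:200)
\tat hudson.model.User.save(User.java:827)
""".splitlines()


def triage(lines):
    """Map each refused class to the sorted list of owner#field saves it broke."""
    found = {}
    pending = None  # refused class still waiting for its "Failed to serialize" line
    for line in lines:
        m = REFUSE_RE.search(line)
        if m:
            pending = m.group("cls")
            found.setdefault(pending, set())
            continue
        m = FIELD_RE.search(line)
        if m and pending is not None:
            found[pending].add(f"{m.group('owner')}#{m.group('field')}")
            pending = None
    return {cls: sorted(fields) for cls, fields in found.items()}


def whitelist_property(classes):
    """Build the stopgap JVM flag quoted in the description.
    ASSUMPTION: several classes are joined with commas; the page shows only one."""
    return "-Dhudson.remoting.ClassFilter=" + ",".join(sorted(classes))


def tomcat_below_fix(version, fixed=(8, 0, 50)):
    """True when a dotted Tomcat version is older than the 8.0.50 the workaround names."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < fixed


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for cls, fields in findings.items():
        print(f"{cls} refused while saving {', '.join(fields)}")
    print(whitelist_property(findings))
    print("Tomcat 8.0.39 below fix:", tomcat_below_fix("8.0.39"))
```

Prefer the Tomcat upgrade from the workaround line: the property only exempts the named classes from the filter, so keep it to classes that ship with Jenkins and drop it once Tomcat is updated.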

            Activity

            jglick Jesse Glick added a comment -

            Though it certainly does not meet the usual “soak period” criteria, I would advocate backporting this to 2.107.1 since the fix seems pretty safe and demonstrably fixes a serious regression (compared to the previous LTS) for users in this environment. But waiting for 2.107.2 is probably acceptable as well if the issue is noted in the upgrade guide—the workaround after all is to just upgrade Tomcat (or stop using it altogether).

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Oleg Nenashev
            Path:
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            test/src/test/java/jenkins/security/ClassFilterImplTest.java
            http://jenkins-ci.org/commit/jenkins/2ce5036cb06a7dab0d4868e9539c8d42e7a5678c
            Log:
            JENKINS-49543 - Add direct unit test for module class whitelisting

            (cherry picked from commit 800668ba4305964afe59d8744fcfc24013ff6ee6)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ClassFilterImpl.java
            http://jenkins-ci.org/commit/jenkins/dd3ddf3ceb6428dc0b3a15148d65e8baece0a42c
            Log:
            JENKINS-49543 Old versions of Tomcat also failed to serialize classes from Jenkins modules.

            (cherry picked from commit 376c6a0add41e0c2049b64edfdd464bb8717ed1b)

            Compare: https://github.com/jenkinsci/jenkins/compare/db0bddeb2cb5...dd3ddf3ceb64

            olivergondza Oliver Gondža added a comment -

Agreed this can be quite severe and the fix seems fairly straightforward. Though as the fix is unreleased for now, it will be reverted during the RC period in case it causes problems. It will be part of the RC I will push tomorrow unless tests suggest otherwise.

            oleg_nenashev Oleg Nenashev added a comment -

            The fix has been integrated towards 2.110


              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                notanother Tim McNally