JENKINS-50334

Reverse Proxy Auth plugin affected by JEP-200

      Description

      I tried to save some changes in the global Jenkins config and got this error with the Reverse Proxy Auth plugin installed. Can you check?

      Stack trace

      java.lang.UnsupportedOperationException: Refusing to marshal org.acegisecurity.GrantedAuthorityImpl for security reasons; see https://jenkins.io/redirect/class-filter/
          at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
          at com.thoughtworks.xstream.converters.collections.ArrayConverter.marshal(ArrayConverter.java:45)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
          at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
          at com.thoughtworks.xstream.converters.collections.MapConverter.marshal(MapConverter.java:79)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm#authContext for class org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
          at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize jenkins.model.Jenkins#securityRealm for class hudson.model.Hudson
          at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
          at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
          at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
          at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
          at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
          at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
          at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
          at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
          at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
          at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
          at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
          at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
          at hudson.XmlFile.write(XmlFile.java:200)
          at jenkins.model.Jenkins.save(Jenkins.java:3168)
          at jenkins.tools.GlobalToolConfiguration.configure(GlobalToolConfiguration.java:92)
          at jenkins.tools.GlobalToolConfiguration.doConfigure(GlobalToolConfiguration.java:79)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
          at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:374)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:514)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:564)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
          at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
          at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            See https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200 . Reverse Proxy Auth plugin has been fixed in 1.6.0, but you are using 1.5 according to the ticket

            chsquare Chris Heisterkamp added a comment -

            I'm seeing this issue when my jenkins/config.xml has the following 

            <securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.6.3">
              <proxyTemplate/>
              <authContext>
                <entry>
                  <string>user123</string>
                  <org.acegisecurity.GrantedAuthority-array>
                    <org.acegisecurity.GrantedAuthorityImpl>
                      <role>authenticated</role>
                    </org.acegisecurity.GrantedAuthorityImpl>
                  </org.acegisecurity.GrantedAuthority-array>
                </entry>
              </authContext>
              <authorityUpdateCache/>
              <inhibitInferRootDN>false</inhibitInferRootDN>
              <userSearchBase></userSearchBase>
              <userSearch>uid={0}</userSearch>
              <updateInterval>15</updateInterval>
              <forwardedUser>X-Forwarded-User</forwardedUser>
              <retrievedUser>user123</retrievedUser>
              <headerGroups>X-Forwarded-Groups</headerGroups>
              <headerGroupsDelimiter>|</headerGroupsDelimiter>
              <disableLdapEmailResolver>false</disableLdapEmailResolver>
              <displayNameLdapAttribute></displayNameLdapAttribute>
              <emailAddressLdapAttribute></emailAddressLdapAttribute>
            </securityRealm>

            I get the error

            May 11, 2018 10:53:56 PM jenkins.security.ClassFilterImpl lambda$isBlacklisted$1
            
            WARNING: org.acegisecurity.GrantedAuthorityImpl in file:/data/.jenkins/war/WEB-INF/lib/acegi-security-1.0.7.jar might be dangerous, so rejecting; see https://jenkins.io/redirect/class-filter/

            On Jenkins 2.107.3 and reverse-plugin-version 1.6.3.

            Is there a different config for <authContext> that needs to be used after JEP-200? 
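
            An added example, not part of the original comment or the plugin's code: a Python check that lists the Java classes XStream has persisted in a Jenkins config.xml and flags the class named in the ClassFilterImpl warning above. The sample XML is constructed from the posted config, and the function names and the REJECTED set are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Class named in the ClassFilterImpl warning quoted in this thread.
REJECTED = {"org.acegisecurity.GrantedAuthorityImpl"}

# Constructed sample, trimmed from the config.xml posted above.
SAMPLE_CONFIG = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm">
    <authContext>
      <entry>
        <string>user123</string>
        <org.acegisecurity.GrantedAuthority-array>
          <org.acegisecurity.GrantedAuthorityImpl>
            <role>authenticated</role>
          </org.acegisecurity.GrantedAuthorityImpl>
        </org.acegisecurity.GrantedAuthority-array>
      </entry>
    </authContext>
    <forwardedUser>X-Forwarded-User</forwardedUser>
  </securityRealm>
</hudson>"""

FQCN = re.compile(r"^[A-Za-z_][\w$]*(\.[A-Za-z_][\w$]*)+$")

def tag_to_class(tag):
    """Map an XStream element name back to a Java class name, or None."""
    name = tag[:-len("-array")] if tag.endswith("-array") else tag
    # XStream writes '$' as '_-' and '_' as '__' in element names.
    name = name.replace("_-", "$").replace("__", "_")
    return name if FQCN.match(name) else None

def persisted_classes(xml_text):
    """Return [(path, class_name)] for each class-typed element or class attribute."""
    found = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for candidate in (tag_to_class(elem.tag), elem.get("class")):
            if candidate:
                found.append((here, candidate))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return found

def rejected_hits(xml_text, rejected=REJECTED):
    """Return only the persisted classes that appear in the rejected set."""
    return [(p, c) for p, c in persisted_classes(xml_text) if c in rejected]
```

            Calling rejected_hits() on the text of a config.xml returns the element path of each persisted instance, which shows which field (here authContext) is holding the rejected type.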

            oleg_nenashev Oleg Nenashev added a comment -

            CC Wadeck Follonier

              People

              Assignee: wfollonier Wadeck Follonier
              Reporter: pi3tr0 Pietro Leone