Jenkins / JENKINS-52848

Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: core
    • Environment:
      Java HotSpot(TM) 64-Bit Server VM 1.8.0_131
      Jenkins 2.130
      Linux (amd64)
      wildfly



      Description

      When saving on the configuration page for a user (http://cool.jenkins.url/user/user.name/configure) I get the following stack trace:

      java.lang.UnsupportedOperationException: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons; see https://jenkins.io/redirect/class-filter/
      	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
      	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
      	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
      	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
      Caused: java.lang.RuntimeException: Failed to serialize hudson.model.User#properties for class hudson.model.User
      	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
      	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
      	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
      	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
      	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
      	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
      	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
      	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
      	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
      	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
      	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
      	at hudson.XmlFile.write(XmlFile.java:193)
      Caused: java.io.IOException
      	at hudson.XmlFile.write(XmlFile.java:200)
      	at hudson.model.User.save(User.java:841)
      	at hudson.model.User.doConfigSubmit(User.java:915)
      	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
      	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
      	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
      	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
      	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
      	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
      	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
      	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
      	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
      	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
      	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
      	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
      	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
      	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      

      Plugins

      ace-editor	1.1	 
      analysis-core	1.95	 
      ant	1.8	 
      antisamy-markup-formatter	1.5	 
      apache-httpcomponents-client-4-api	4.5.5-3.0	 
      authentication-tokens	1.3	 
      bouncycastle-api	2.16.3	 
      branch-api	2.0.20	 
      build-monitor-plugin	1.12+build.201805070054	 
      build-timeout	1.19	 
      buildtriggerbadge	2.9	 
      categorized-view	1.10	 
      checkstyle	3.50	 
      cloudbees-folder	6.5.1	 
      cobertura	1.13-SNAPSHOT (private-741319c3)	 
      command-launcher	1.2	 
      credentials	2.1.17	 
      credentials-binding	1.16	 
      dashboard-view	2.9.11	 
      description-setter	1.10	 
      disk-usage	0.28	 
      display-url-api	2.2.0	 
      docker-commons	1.13	 
      docker-workflow	1.17	 
      doclinks	0.6.1	 
      dry	2.50	 
      durable-task	1.22	 
      email-ext	2.62	 
      envinject	2.1.5	 
      envinject-api	1.5	 
      extended-choice-parameter	0.76	 
      extensible-choice-parameter	1.6.0	 
      external-monitor-job	1.7	 
      favorite	2.3.2	 
      findbugs	4.72	 
      git	3.9.1	 
      git-client	2.7.2	 
      git-parameter	0.9.3	 
      git-server	1.7	 
      gradle	1.29	 
      groovy	2.0	 
      handlebars	1.1.1	 
      handy-uri-templates-2-api	2.1.6-1.0	 
      htmlpublisher	1.16	 
      icon-shim	2.0.3	 
      jackson2-api	2.8.11.3	 
      jacoco	2.3-SNAPSHOT (private-54c46538-r.baradari)	 
      javadoc	1.4	 
      jdk-tool	1.1	 
      jenkins-design-language	1.6.2	 
      jira	3.0.0	 
      jobConfigHistory	2.18	 
      jquery	1.12.4-0	 
      jquery-detached	1.2.1	 
      jsch	0.1.54.2	 
      junit	1.24	 
      ldap	1.20	 
      mailer	1.21	 
      mapdb-api	1.0.9.0	 
      matrix-auth	2.2	 
      matrix-project	1.13	 
      maven-plugin	3.1.2	 
      metrics	4.0.2.2	 
      momentjs	1.1.1	 
      nodenamecolumn	1.2	 
      pam-auth	1.3	 
      permissive-script-security	0.3	 
      pipeline-build-step	2.7	 
      pipeline-graph-analysis	1.7	 
      pipeline-input-step	2.8	 
      pipeline-milestone-step	1.3.1	 
      pipeline-model-api	1.3.1	 
      pipeline-model-declarative-agent	1.1.1	 
      pipeline-model-definition	1.3.1	 
      pipeline-model-extensions	1.3.1	 
      pipeline-rest-api	2.10	 
      pipeline-stage-step	2.3	 
      pipeline-stage-tags-metadata	1.3.1	 
      pipeline-stage-view	2.10	 
      pipeline-utility-steps	2.1.0	 
      plain-credentials	1.4	 
      pmd	3.50	 
      port-allocator	2.0-SNAPSHOT (private-08/04/2011 14:09-r.baradari)	 
      publish-over	0.22	 
      publish-over-cifs	0.10	 
      pubsub-light	1.12	 
      release	2.11-SNAPSHOT (private-03a6704a-r.baradari)	 
      scm-api	2.2.7	 
      script-security	1.44	 
      scriptler	2.9	 
      simple-theme-plugin	0.4	 
      sse-gateway	1.15	 
      ssh-credentials	1.14	 
      ssh-slaves	1.26	 
      structs	1.14	 
      subversion	2.11.0	 
      tasks	4.52	 
      token-macro	2.5	 
      translation	1.16	false
      variant	1.1	 
      violations	0.7.11	 
      warnings	4.68	 
      windows-slaves	1.3.1	 
      workflow-aggregator	2.5	 
      workflow-api	2.28	 
      workflow-basic-steps	2.9	 
      workflow-cps	2.54	 
      workflow-cps-global-lib	2.9	 
      workflow-durable-task-step	2.19	 
      workflow-job	2.22	 
      workflow-multibranch	2.19	 
      workflow-scm-step	2.6	 
      workflow-step-api	2.16	 
      workflow-support	2.19	 
      xvnc	1.24	 
      


          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          If a Module class is being rejected, something is going wrong with module discovery. The class should be whitelisted.

          Would it be possible to get the System log for the startup? Also, do you use any web containers?

           

          peter_vagedes Peter Vagedes added a comment -

          Thank you for your support. I attached the start sequence from the server log.
          As to the web container: We are running Jenkins in wildfly-10.0.0. Is this answering your question?

          oleg_nenashev Oleg Nenashev added a comment -

          Yes, likely the JAR path format is different in this wildfly version.

          Jesse Glick has already applied fixes for a few web containers, so maybe he could quickly diagnose the issue.


            People

            • Assignee:
              Unassigned
              Reporter:
              peter_vagedes Peter Vagedes