  1. Jenkins
  2. JENKINS-62774

Whitelist org.acegisecurity.GrantedAuthorityImpl for XML serialization

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Do
    • Component/s: core

      Description

      I would like to add org.acegisecurity.GrantedAuthorityImpl to core/src/main/resources/jenkins/security/whitelisted-classes.txt

       

      Is it a bad idea? If not, I will open the corresponding PR on the GitHub repository.

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Martin Goyot could you please explain the use-case? For me it looks like a bad idea, but it would be great to know a use-case if you want to have a more detailed answer

          erwyn Martin Goyot added a comment - - edited

          Hi Oleg Nenashev. So maybe it's indeed a bad idea.

          I'm working on an OAuth plugin, and when a user connects we gather the GrantedAuthorities which are composed of Authenticated and Groups coming from the OAuth/OIDC server. When I have those details about the user's groups, I add them to the user through a property on the User object and they then end up serialized by Jenkins, which is what I want so that I can retrieve them afterwards in like `loadUserByUsername` where I need to rebuild the user. So now, I have 3 things coming to my mind about this:

          1. I add org.acegisecurity.GrantedAuthorityImpl in the whitelist and thus I can serialize it
          2. But maybe doing so is a bad idea, so I could serialize just the user groups retrieved from the OAuth/OIDC server and proceed to transformation as GrantedAuthorityImpl on demand
          3. But maybe this is also a bad idea and then I should re-query the OAuth/OIDC server every time `loadUserByUsername` is hit, the problem being that I (as the current user) am not allowed to query for other users on this server. So maybe I should just not give user groups from users which are not my current user and not fulfill the `getGrantedAuthorities()` contract for those?
          4. Maybe you have another idea?

          Thanks for your help!

          oleg_nenashev Oleg Nenashev added a comment -

          If you use an external OAuth plugin, caching group memberships on the disk is a potential security risk. Cache may become inconsistent with the OAuth server, and it would be your responsibility to somehow manage that. It becomes difficult without permissions to query users indeed...

           

          My recommendation is option (3) if possible. If it does not work, option (2) with all implied risks

           

          erwyn Martin Goyot added a comment -

          Thank you very much for those insights Oleg Nenashev, I'll see with the others how we're going to proceed.

           

          Thanks, I close this issue.

          erwyn Martin Goyot added a comment -

          Question answered by Oleg Nenashev.

           

          This is a bad idea, won't do.

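Option (2) from the thread, as an added example that is not code from Jenkins core or from the plugin being discussed: only the group names and a fetch time are persisted, and `GrantedAuthorityImpl` objects are rebuilt on demand, so the class never reaches XML serialization. The class name `CachedOidcGroups` and the `maxAgeMillis` expiry policy are assumptions, the latter added to bound the cache inconsistency raised in the comments.

```java
import hudson.security.SecurityRealm;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;

/**
 * Hypothetical value object held as a field of the plugin's own UserProperty.
 * Only strings and a timestamp are written to the user's XML; no
 * GrantedAuthorityImpl instance is ever serialized.
 */
public final class CachedOidcGroups {
    private final List<String> groupNames; // names as returned by the OAuth/OIDC server
    private final long fetchedAtMillis;    // time of the login that supplied them

    public CachedOidcGroups(Collection<String> groupNames, long fetchedAtMillis) {
        this.groupNames = new ArrayList<>(groupNames);
        this.fetchedAtMillis = fetchedAtMillis;
    }

    /** True while the cached memberships are no older than maxAgeMillis. */
    public boolean isFresh(long nowMillis, long maxAgeMillis) {
        long age = nowMillis - fetchedAtMillis;
        return age >= 0 && age <= maxAgeMillis; // a future-dated entry is not trusted
    }

    /**
     * Rebuilds authorities on demand, e.g. when loadUserByUsername is hit.
     * Stale entries fail closed: the result carries only the "authenticated"
     * authority until the next login refreshes the group list.
     */
    public GrantedAuthority[] toAuthorities(long nowMillis, long maxAgeMillis) {
        List<GrantedAuthority> result = new ArrayList<>();
        result.add(SecurityRealm.AUTHENTICATED_AUTHORITY);
        // groupNames can be null if the object was read back from incomplete XML
        if (groupNames != null && isFresh(nowMillis, maxAgeMillis)) {
            for (String name : groupNames) {
                if (name != null && !name.trim().isEmpty()) {
                    result.add(new GrantedAuthorityImpl(name));
                }
            }
        }
        return result.toArray(new GrantedAuthority[0]);
    }
}
```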

            People

            • Assignee:
              Unassigned
              Reporter:
              erwyn Martin Goyot