[JIRA] (JENKINS-49543) Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl

timothy.mcnally@build.com (JIRA)

Feb 13, 2018, 4:55:03 PM
to jenkinsc...@googlegroups.com
Tim McNally created an issue
 
Jenkins / Bug JENKINS-49543
Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl
Issue Type: Bug
Assignee: Unassigned
Components: cli, workflow-cps-global-lib-plugin
Created: 2018-02-13 21:54
Environment: Centos 6.7
Oracle JRE 1.8.0_112
Tomcat 8
Jenkins 2.105
Labels: JEP-200
Priority: Minor
Reporter: Tim McNally

When saving on the configuration page for a user I get the following stack trace. Adding "-Dhudson.remoting.ClassFilter=org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl" fixes the issue. This seems to also be causing issues for workflow-cps-global-lib-plugin.

Stack Trace:

java.lang.UnsupportedOperationException: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl for security reasons; see https://jenkins.io/redirect/class-filter/
	at hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:88)
	at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.writeItem(AbstractCollectionConverter.java:64)
	at com.thoughtworks.xstream.converters.collections.CollectionConverter.marshal(CollectionConverter.java:74)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
	at hudson.util.RobustReflectionConverter.marshallField(RobustReflectionConverter.java:265)
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:252)
Caused: java.lang.RuntimeException: Failed to serialize hudson.model.User#properties for class hudson.model.User
	at hudson.util.RobustReflectionConverter$2.writeField(RobustReflectionConverter.java:256)
	at hudson.util.RobustReflectionConverter$2.visit(RobustReflectionConverter.java:224)
	at com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider.visitSerializableFields(PureJavaReflectionProvider.java:138)
	at hudson.util.RobustReflectionConverter.doMarshal(RobustReflectionConverter.java:209)
	at hudson.util.RobustReflectionConverter.marshal(RobustReflectionConverter.java:150)
	at com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
	at com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:43)
	at com.thoughtworks.xstream.core.TreeMarshaller.start(TreeMarshaller.java:82)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.marshal(AbstractTreeMarshallingStrategy.java:37)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1026)
	at com.thoughtworks.xstream.XStream.marshal(XStream.java:1015)
	at com.thoughtworks.xstream.XStream.toXML(XStream.java:988)
	at hudson.XmlFile.write(XmlFile.java:193)
Caused: java.io.IOException
	at hudson.XmlFile.write(XmlFile.java:200)
	at hudson.model.User.save(User.java:827)
	at hudson.model.User.doConfigSubmit(User.java:901)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
	at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77)
	at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at com.smartcodeltd.jenkinsci.plugin.assetbundler.filters.LessCSS.doFilter(LessCSS.java:47)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:237)
	at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:214)
	at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
	at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:114)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:616)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:534)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Plugins

ace-editor 1.1
active-directory 2.6
analysis-core 1.94
ansicolor 0.5.2
ant 1.8
antisamy-markup-formatter 1.5
apache-httpcomponents-client-4-api 4.5.3-2.1
artifactory 2.14.0
authentication-tokens 1.3
aws-credentials 1.23
aws-java-sdk 1.11.264
blueocean 1.4.1
blueocean-autofavorite 1.2.1
blueocean-bitbucket-pipeline 1.4.1
blueocean-commons 1.4.1
blueocean-config 1.4.1
blueocean-core-js 1.4.1
blueocean-dashboard 1.4.1
blueocean-display-url 2.2.0
blueocean-events 1.4.1
blueocean-git-pipeline 1.4.1
blueocean-github-pipeline 1.4.1
blueocean-i18n 1.4.1
blueocean-jira 1.4.1
blueocean-jwt 1.4.1
blueocean-personalization 1.4.1
blueocean-pipeline-api-impl 1.4.1
blueocean-pipeline-editor 1.4.1
blueocean-pipeline-scm-api 1.4.1
blueocean-rest 1.4.1
blueocean-rest-impl 1.4.1
blueocean-web 1.4.1
bouncycastle-api 2.16.2
branch-api 2.0.18
build-blocker-plugin 1.7.3
build-failure-analyzer 1.19.2
build-history-metrics-plugin 1.2
build-monitor-plugin 1.12+build.201708172343
build-token-root 1.4
build-user-vars-plugin 1.5
cloud-stats 0.16
cloudbees-bitbucket-branch-source 2.2.9
cloudbees-disk-usage-simple 0.9
cloudbees-folder 6.3
command-launcher 1.2
conditional-buildstep 1.3.6
config-autorefresh-plugin 1.0
config-file-provider 2.17
configurationslicing 1.47
credentials 2.1.16
credentials-binding 1.15
custom-tools-plugin 0.5
cvs 2.13
display-url-api 2.2.0
docker-commons 1.11
docker-slaves 1.0.7
docker-workflow 1.15
dropdown-viewstabbar-plugin 1.7
durable-task 1.17
dynamicparameter 0.2.0
email-ext 2.61
extended-choice-parameter 0.76
external-monitor-job 1.7
extra-columns 1.18
favorite 2.3.1
flexible-publish 0.15.2
fortify-on-demand-uploader 3.0.6
ghprb 1.40.0
git 3.7.0
git-client 2.7.1
git-server 1.7
github 1.29.0
github-api 1.90
github-branch-source 2.3.2
github-organization-folder 1.6
google-oauth-plugin 0.5
gradle 1.28
greenballs 1.15
groovy 2.0
handlebars 1.1.1
handy-uri-templates-2-api 2.1.6-1.0
hipchat 2.1.1
htmlpublisher 1.14
icon-shim 2.0.3
ivy 1.28
jackson2-api 2.8.11.1
jacoco 2.2.1
javadoc 1.4
jenkins-design-language 1.4.1
jenkins-jira-plugin 3.1.0
jenkinslint 0.14.0
jira 2.5
jira-steps 1.3.1
jquery 1.12.4-0
jquery-detached 1.2.1
jquery-ui 1.0.2
jsch 0.1.54.1
junit 1.24
kpp-management-plugin 1.0.0
kubernetes 1.2
kubernetes-credentials 0.3.0
kubernetes-pipeline-aggregator 1.5
kubernetes-pipeline-arquillian-steps 1.5
kubernetes-pipeline-devops-steps 1.5
kubernetes-pipeline-steps 1.5
last-changes 2.6
ldap 1.19
ldapemail 0.8 false
lockable-resources 2.1
logstash 1.4.0
mailer 1.20
mapdb-api 1.0.9.0
matrix-auth 2.2
matrix-project 1.12
maven-plugin 3.1
mercurial 2.2
metrics 3.1.2.10
momentjs 1.1.1
monitoring 1.71.0
multiple-scms 0.6
newrelic-deployment-notifier 1.3
next-build-number 1.5
nodejs 1.2.4
oauth-credentials 0.3
pam-auth 1.3
parameter-pool 1.0.3
parameter-separator 1.0
parameterized-trigger 2.35.2
persistent-parameter 1.1
pipeline-build-step 2.7
pipeline-github-lib 1.0
pipeline-graph-analysis 1.6
pipeline-input-step 2.8
pipeline-maven 3.3.0
pipeline-milestone-step 1.3.1
pipeline-model-api 1.2.7
pipeline-model-declarative-agent 1.1.1
pipeline-model-definition 1.2.7
pipeline-model-extensions 1.2.7
pipeline-rest-api 2.9
pipeline-stage-step 2.3
pipeline-stage-tags-metadata 1.2.7
pipeline-stage-view 2.9
pipeline-utility-steps 1.5.1
plain-credentials 1.4
play-autotest-plugin 1.0.2
port-allocator 1.8
publish-over 0.21
publish-over-ssh 1.18
pubsub-light 1.12
quality-gates 2.5
resource-disposer 0.8
restification 1.1.1
ruby 1.2
ruby-runtime 0.13
run-condition 1.0
rvm 0.6
saferestart 0.3
sauce-ondemand 1.171
scm-api 2.2.6
script-security 1.41
scriptler 2.9
sidebar-link 1.9.1
sonar 2.6.1
sse-gateway 1.15
ssh-agent 1.15
ssh-credentials 1.13
ssh-slaves 1.25.1
structs 1.13
subversion 2.10.2
test-stability 2.3
thinBackup 1.9
timestamper 1.8.9
token-macro 2.3
variant 1.1
versioncolumn 2.0
warnings 4.65
windows-slaves 1.3.1
workflow-aggregator 2.5
workflow-api 2.25
workflow-basic-steps 2.6
workflow-cps 2.44
workflow-cps-global-lib 2.9
workflow-durable-task-step 2.18
workflow-job 2.17
workflow-multibranch 2.17
workflow-scm-step 2.6
workflow-step-api 2.14
workflow-support 2.18
ws-cleanup 0.34
yet-another-docker-plugin 0.1.0-rc47

timothy.mcnally@build.com (JIRA)

Feb 13, 2018, 4:56:02 PM
to jenkinsc...@googlegroups.com
Tim McNally updated an issue
Change By: Tim McNally
When saving on the configuration page for a user I get the following stack trace. Adding "-Dhudson.remoting.ClassFilter=org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl" fixes the issue. This seems to also be causing issues for workflow-cps-global-lib-plugin's local git repository.

timothy.mcnally@build.com (JIRA)

Feb 13, 2018, 5:25:02 PM
to jenkinsc...@googlegroups.com
Tim McNally updated an issue
When saving on the configuration page for a user (http://cool.jenkins.url/user/user.name/configure) I get the following stack trace.

Adding "-Dhudson.remoting.ClassFilter=org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl" fixes the issue.

timothy.mcnally@build.com (JIRA)

Feb 13, 2018, 7:22:03 PM
to jenkinsc...@googlegroups.com
Tim McNally updated an issue
Change By: Tim McNally
Environment: Centos 6.7 → 6.9
Oracle JRE 1.8.0_112
Tomcat 8
Jenkins 2.105

o.v.nenashev@gmail.com (JIRA)

Feb 14, 2018, 3:29:02 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Bug JENKINS-49543
 
Re: Refusing to marshal org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl

All classes from modules should be serializable, will try to reproduce

o.v.nenashev@gmail.com (JIRA)

Feb 14, 2018, 7:33:02 AM
to jenkinsc...@googlegroups.com

Tim McNally I tried to reproduce it manually and in unit tests, no success so far.

Any chance that your instance defines a custom class filter?

o.v.nenashev@gmail.com (JIRA)

Feb 14, 2018, 7:33:03 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev started work on Bug JENKINS-49543
 
Change By: Oleg Nenashev
Status: Open → In Progress

jglick@cloudbees.com (JIRA)

Feb 14, 2018, 10:30:03 AM
to jenkinsc...@googlegroups.com
Jesse Glick updated an issue
Change By: Jesse Glick
Component/s: core
Component/s: cli
Component/s: workflow-cps-global-lib-plugin

jglick@cloudbees.com (JIRA)

Feb 14, 2018, 10:34:02 AM
to jenkinsc...@googlegroups.com

Most likely the problem lies in ClassFilterImpl.isPluginManifest as called by isLocationWhitelisted. The reporter is running on Tomcat rather than the built-in Winstone like most users, so that is very likely the cause. Now 2.104 fixed JENKINS-49147 but perhaps you are seeing some similar issue caused by another weird Tomcat behavior, perhaps depending on the specific version being run. You can turn on logging on ClassFilterImpl to pinpoint the problem easily.

jglick@cloudbees.com (JIRA)

Feb 14, 2018, 10:36:01 AM
to jenkinsc...@googlegroups.com
Jesse Glick stopped work on Bug JENKINS-49543
 
Change By: Jesse Glick
Status: In Progress → Open

jglick@cloudbees.com (JIRA)

Feb 14, 2018, 10:36:02 AM
to jenkinsc...@googlegroups.com

Changing status to reflect the fact that the filed PR merely confirms that there is nothing broken in Jenkins core under normal conditions; it does not pretend to fix the issue as reported.

timothy.mcnally@build.com (JIRA)

Feb 14, 2018, 9:46:02 PM
to jenkinsc...@googlegroups.com

I did not see anything from turning on logging for ClassFilterImpl and triggering the exception.

After reading through JENKINS-49147 I upgraded our Tomcat server from 8.0.12 to 8.0.50 (latest 8.0), this resolves the issue. I also tried upgrading to 8.5.28 (latest 8.5) and confirmed that also resolves the issue.

Out of curiosity, is running Jenkins in Tomcat a "supported" platform or should I look to moving to the built-in servlet container?

o.v.nenashev@gmail.com (JIRA)

Feb 15, 2018, 5:15:02 AM
to jenkinsc...@googlegroups.com

It is definitely "supported", but AFAIK we test Jenkins only with the embedded Jetty web container. Maybe Raul Arabaolaza and Isa Vilacides know about specific Tomcat tests.

In the case of this ticket I will think how to properly update https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200 to reflect Tomcat compat issues as well.

scm_issue_link@java.net (JIRA)

Feb 15, 2018, 9:09:03 AM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: Oleg Nenashev
Path:
core/src/main/java/jenkins/security/ClassFilterImpl.java
test/src/test/java/jenkins/security/ClassFilterImplTest.java
http://jenkins-ci.org/commit/jenkins/800668ba4305964afe59d8744fcfc24013ff6ee6
Log:
JENKINS-49543 - Add direct unit test for module class whitelisting

o.v.nenashev@gmail.com (JIRA)

Feb 16, 2018, 3:07:05 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev started work on Bug JENKINS-49543
 
Change By: Oleg Nenashev
Status: Open → In Progress

o.v.nenashev@gmail.com (JIRA)

Feb 16, 2018, 3:08:02 AM
to jenkinsc...@googlegroups.com

Tim McNally I have added the documentation to https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+fix+for+JEP-200#PluginsaffectedbyfixforJEP-200-Otheraffectedcomponents/configurations, PTAL

I will check whether it is possible to extend the patch quickly, but maybe we could agree that the update is the feasible mitigation

timothy.mcnally@build.com (JIRA)

Feb 16, 2018, 1:30:03 PM
to jenkinsc...@googlegroups.com

I agree that updating Tomcat is the correct mitigation route. This is reinforced by the fact that Tomcat 8.0.x line is officially entering EOL soon. (announcement)

Thanks for your help in resolving this.

jglick@cloudbees.com (JIRA)

Feb 19, 2018, 11:08:03 AM
to jenkinsc...@googlegroups.com

Obviously updating to the most recent supported version of Tomcat would be a good idea, if you need to run Jenkins on Tomcat at all (most people use the built-in Jetty server), but that does not change the fact that there appears to be a regression in Jenkins core related to certain Tomcat versions and we would like to correct that regression. Once we either know how to reproduce from scratch, or have access to sufficient field diagnostics, the fix is likely simple.

> I did not see anything from turning on logging for ClassFilterImpl and triggering the exception.

Then you did not properly configure logging. There should be a logger for jenkins.security.ClassFilterImpl registering messages at FINE or above. At some point, probably early in startup (most likely long before you try to reconfigure a user and see the error), there should be a message from the isLocationWhitelisted method about ssh-cli-auth-1.4.jar. When Jenkins is operating normally, this should be saying

… seems to be a Jenkins plugin, OK

followed by a message from isBlacklisted saying

… permitting … due to its location in …

In your case, I suspect there is some other message being logged from isLocationWhitelisted, most likely

… is not recognized; rejecting

where the message is showing a URL which is not in the expected format file://some/path/to/ssh-cli-auth-1.4.jar. At least, that was the root cause of JENKINS-49147, so I am guessing this one is similar.

BTW it is advisable to install the support-core plugin as that will ensure that all output from custom loggers is captured to log files on disk and included in a ZIP file you can share (in part or in whole). Jenkins core only saves (by default) the last 256 messages from any given logger, so you might miss the critical messages from ClassFilterImpl in scrollback.
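
A way to check captured ClassFilterImpl output for the three messages described in the comment above, added here as an example (not code from Jenkins or from anyone in this thread). Only the quoted message fragments, the jar name and the class name come from the thread; the log line layout, the paths and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit

JAR = "ssh-cli-auth-1.4.jar"  # jar named in the thread

# Message fragments quoted in the thread; the text around them is an assumed layout.
PATTERNS = [
    ("accepted", re.compile(r"(?P<loc>\S+) seems to be a Jenkins plugin, OK")),
    ("permitted", re.compile(r"permitting \S+ due to its location in (?P<loc>\S+)")),
    ("rejected", re.compile(r"(?P<loc>\S+) is not recognized; rejecting")),
]

# Constructed sample logs: prefixes and paths are made up for illustration.
HEALTHY_LOG = """\
FINE jenkins.security.ClassFilterImpl isLocationWhitelisted: file:/var/lib/jenkins/war/WEB-INF/lib/ssh-cli-auth-1.4.jar seems to be a Jenkins plugin, OK
FINE jenkins.security.ClassFilterImpl isBlacklisted: permitting org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl due to its location in file:/var/lib/jenkins/war/WEB-INF/lib/ssh-cli-auth-1.4.jar
"""
REJECTING_LOG = """\
FINE jenkins.security.ClassFilterImpl isLocationWhitelisted: jar:file:/opt/tomcat/webapps/jenkins/WEB-INF/lib/ssh-cli-auth-1.4.jar!/ is not recognized; rejecting
"""
SILENT_LOG = """\
INFO hudson.WebAppMain: Jenkins is fully up and running
"""


def is_expected_location(loc):
    """True for a plain file: URL ending in .jar, the shape the thread calls expected."""
    parts = urlsplit(loc)
    return parts.scheme == "file" and parts.path.endswith(".jar")


def triage(log_text, jar_name=JAR):
    """Classify what the class filter logged about one jar.

    Returns (status, findings). status is one of:
      "ok"                      - jar location accepted or class permitted
      "rejected-unexpected-url" - rejected, and the URL is not a plain file:...jar
      "rejected"                - rejected although the URL looks as expected
      "no-messages"             - nothing logged about the jar: the logger is not
                                  capturing FINE, or the lines already rolled out
                                  of the in-memory buffer
    """
    findings = {"accepted": [], "permitted": [], "rejected": []}
    for line in log_text.splitlines():
        if jar_name not in line:
            continue
        for verdict, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings[verdict].append(match.group("loc"))
                break
    if findings["rejected"]:
        odd = [loc for loc in findings["rejected"] if not is_expected_location(loc)]
        return ("rejected-unexpected-url" if odd else "rejected"), findings
    if findings["accepted"] or findings["permitted"]:
        return "ok", findings
    return "no-messages", findings


if __name__ == "__main__":
    for name, log in [("healthy", HEALTHY_LOG), ("rejecting", REJECTING_LOG),
                      ("silent", SILENT_LOG)]:
        status, findings = triage(log)
        print(f"{name}: {status} {findings['rejected']}")
```

A "no-messages" result corresponds to the situation reported earlier in the thread, where turning on logging showed nothing; it points at the log capture rather than at the class filter.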
