Serialization protection methods


You can control which Java classes are serialized in Bamboo, which is particularly important for communication between agents and servers.

Bamboo allows you to control the classes in two ways: you can whitelist or blacklist them.

You can disable serialization security by setting the bamboo.security.serialization.disable system property.

You can set up the serialization protection methods in Bamboo administration > Security > Security settings.

| Serialization | Description | Options |
|---|---|---|
| XStream | Agent - server messaging | whitelist; blacklist; strict blacklist (default) |
| Bandana | Bamboo custom storage mechanism that can be used by plugins | blacklist; strict blacklist (default) |

Whitelist

The default whitelist bundled with Bamboo can't be modified. Whitelists have three sources:

  • the whitelist provided by Bamboo
  • classes added in the Bamboo home directory
  • classes whitelisted by plugin vendors

A whitelist has higher priority than a blacklist. If a class is blacklisted by Bamboo but is whitelisted anywhere (by a plugin or via the Bamboo home directory settings), the class will still be allowed to be serialized/deserialized, even if the blacklist security setting is in use.

For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.

Blacklist

Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.

Strict blacklist

Strict blacklist restricts more classes and is a more secure approach. However, it can cause problems with some of the plugins.

Last modified on Apr 22, 2016
