Serialization protection methods in Bamboo
The whitelist is the only recommended option for XStream serialization. The blacklist (the former default) is scheduled for removal and should be considered only as a temporary workaround for problems with the whitelist.
You can disable serialization security completely by setting the bamboo.security.serialization.disable system property. This is not recommended for security reasons.
You can set up the serialization protection methods in Bamboo administration > Security > Security settings.
Serialization | Description | Options |
---|---|---|
XStream | Agent - server messaging | |
Bandana | Bamboo custom storage mechanism that can be used by plugins | |
Overview of options
The recommended option: whitelist
The whitelist has three sources:
- a list bundled with Bamboo (which can't be modified),
- a list of whitelisted classes added to the Bamboo home directory,
- classes that plugin vendors declare as allowed.
The whitelist has higher priority than the blacklist. If a class is blacklisted by Bamboo but whitelisted anywhere (by a plugin or via the Bamboo home directory settings), it can still be serialized and deserialized, even when the blacklist security setting is in use.
For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.
Blacklist (insecure)
Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.
Strict blacklist (insecure)
The strict blacklist restricts somewhat more classes than the blacklist. Nevertheless, it is still considered insecure, and it can cause problems with some plugins.
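An added example (not Bamboo's or XStream's own code) of the two modes described above, using XStream's security API directly: the whitelist starts from "deny everything" and names only the expected types, while the blacklist lets through any class it does not name. The `AgentMessage` class, the XML messages and the denied class are constructed for this demo; Bamboo's own precedence rule (whitelist over blacklist) is Bamboo's logic and is not modelled here.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public final class XStreamAllowlistDemo {
    // Constructed message type standing in for a real agent-server message.
    public static final class AgentMessage {
        String agentId;
        String status;
    }

    // Whitelist mode: start from "nothing is allowed", then name the types we expect.
    static XStream whitelisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything first
        xs.addPermission(NullPermission.NULL);                 // null references are fine
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, AgentMessage.class });
        xs.alias("agentMessage", AgentMessage.class);
        return xs;
    }

    // Blacklist mode: everything is allowed except the classes explicitly denied.
    // Any class the list does not name still deserializes, which is why it is insecure.
    static XStream blacklisted() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.denyTypes(new Class[] { java.util.ArrayList.class });  // constructed deny entry
        return xs;
    }

    // Returns what happened instead of letting the exception escape, so both modes compare.
    static String tryParse(XStream xs, String xml) {
        try {
            return "accepted " + xs.fromXML(xml).getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String expected = "<agentMessage><agentId>agent-1</agentId><status>ok</status></agentMessage>";
        String unlisted = "<java.util.LinkedList><string>x</string></java.util.LinkedList>";
        System.out.println("whitelist, expected type: " + tryParse(whitelisted(), expected));
        System.out.println("whitelist, unlisted type: " + tryParse(whitelisted(), unlisted));
        System.out.println("blacklist, unlisted type: " + tryParse(blacklisted(), unlisted));
    }
}
```

Requires XStream 1.4.7 or later on the classpath, which is where the allowTypes/denyTypes permission API was introduced.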