CONFSERVER-74692: Confluence 7.15 xstream-security module not working in dev mode with compat lib

      Confluence 7.15 sets the `xstream.allowlist.enable` system property to true by default in development mode, which requires plugins to use the xstream-security module.

      When using compat-lib, the xstream-security module does not seem to work even when configured as explained in https://confluence.atlassian.com/doc/xstream-1-4-upgrade-1026045605.html

      Cause
      The security-module registration event registers the security module with the core's and the plugin's XStream instances, but not with compat-lib's XStream reference.
      As a quick fix, the Confluence team will try to make the XStream reference in the XStreamManagerCompat class lazily initialized.

      This results in:
      com.atlassian.confluence.api.service.exceptions.ServiceException: Could not deserialize object as XStream might not be properly initialized

      Workaround
      If Confluence is running through AMPS, set the Confluence JVM system property `xstream.allowlist.enable` to `false` using systemPropertyVariables. See the AMPS documentation for more on setting system properties.


            James Whitehead added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.17.0.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Nam Ho added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.13.5.
            Upgrade now or check out the Release Notes to see what other issues are resolved.


            Ganesh Gautam added a comment - edited

            bbc2e5f3acbb, can you please tell me about #2
            > 2. How is it using XStream?

            and one more:
            have you marked your class in the allowlist and, if yes, can you please share the snippet?

            Mamadou Barry added a comment -

            Hello @Ganesh Gautam,

            I'm working on the Scaffolding plugin.
            We are using it as described in this XStream upgrade guide.
            The previous version of confluence-compat-lib is 1.4.1. Now, we have bumped it to 1.4.2 as recommended.
            I'm running Confluence in dev mode. Everything works fine with prod-mode.

            I hope this helps with the investigation.

            Thanks

            Ganesh Gautam added a comment -

            bbc2e5f3acbb
            I need more info:

            1. Which plugin are you talking about?
            2. How is it using XStream?
            3. Is it using XStreamCompat as per the XStream upgrade guide?
            4. Which version were you using before?
            5. Are you running Confluence in dev mode? If yes, what is the behaviour with prod-mode?

            Thanks,
            Ganesh

            Mamadou Barry added a comment -

            We already have the compat-lib at version 1.4.2:

                    <dependency>
                        <groupId>com.atlassian.confluence.compat</groupId>
                        <artifactId>confluence-compat-lib</artifactId>
                        <version>1.4.2</version>
                    </dependency>

            But it doesn't help. However, the workaround provided in this ticket is working. We don't want to push this to production:

                <systemPropertyVariables>
                    <xstream.allowlist.enable>false</xstream.allowlist.enable>
                </systemPropertyVariables>

            We never had this issue in prior versions of Confluence until we started using Confluence 7.16.2.

            Ganesh Gautam added a comment -

            bbc2e5f3acbb

            Thanks for coming back with the version.

            Can you please confirm which plugin is giving that error? Plugins would need to use the new version of compat-lib to take advantage of the fix.

            Mamadou Barry added a comment -

            Hey @Ganesh Gautam,

            Thanks for your reply. Actually, we are on the latest version of Confluence, 7.16.2. It was a mistake on my end to have put 7.12.0.

            Ganesh Gautam added a comment -

            Hi bbc2e5f3acbb

            Please use a Confluence version with the fix shipped. A third-party plugin recently tested and onboarded their plugin with the new compat-lib and things look okay on the fixed versions. I would recommend either waiting for 7.13.5 LTS or using the latest Confluence version.

            Thanks,
            Ganesh

            Mamadou Barry added a comment -

            Hello guys,

            The issue described here never happened to us in the previous version on our Dev instance. Now, after upgrading to Confluence 7.12.0, we are getting this issue. However, on production, we are not getting this issue.

            This is the error we are getting: "Could not deserialize object as XStream might not be properly initialized"

            Would you please re-open this ticket?

            James Whitehead added a comment -

            A fix for this issue is available in Confluence Server and Data Center 7.16.2.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ganesh Gautam added a comment -

            We have released confluence-compat-lib-1.4.2 along with confluence-7.17.0-m60 (to test), which contains the ConfluenceXStreamInternal class as OSGi-available for compat usage. Plugins can use the xstream-security module in atlassian-plugin.xml to mark the classes needed in the XStream allowlist, as per our previous XStream guide.

            Ganesh Gautam added a comment - edited

            Hi 6a66c94f366a
            The 8.0 prep work has started; soon there will be EAPs for it. Now that we are planning for 8.0, this item will move to the short-term backlog and development in the next few sprints. I will intimate here once we have progressed on this issue.

            Thanks for checking with us.

            Regards,
            Ganesh

            Pablo Gallego _Appfire_ added a comment -

            Hi Ganesh and Sunny,

            We are still waiting for the fix of the compat-lib, not only to be ready for Confluence 8.0 so that we can implement the XStream security modules, but also to allow usage of workarounds like the one mentioned here: https://jira.atlassian.com/browse/CONFSERVER-69322

            Regards,

            Pablo

            Comalatech

            Pablo Gallego _Appfire_ added a comment -

            Hi Sunny,

            We would prefer to wait until the compat-lib gets fixed so that the xstream-security module can work again when using that library.

            Regards,

            Pablo

            Sunny Wu added a comment -

            Hi 6a66c94f366a, can this be closed and updated to Resolved now? 


            Pablo Gallego _Appfire_ added a comment -

            After trying to add the 'xstream.allowlist.enable' property with value 'false' as a Java runtime argument with the --jvmargs parameter (which did not work), Ganesh suggested setting it as a system property variable in the Maven Confluence Plugin in the pom of the app, and that worked:

            <plugin>
                <groupId>com.atlassian.maven.plugins</groupId>
                <artifactId>maven-confluence-plugin</artifactId>
                ...
                <configuration>
                    ...
                    <systemPropertyVariables>
                        <xstream.allowlist.enable>false</xstream.allowlist.enable>
                    </systemPropertyVariables>
                </configuration>
            </plugin>

            Pablo Gallego _Appfire_ added a comment -

            Hi Ganesh,

            We tried using the system property 'xstream.allowlist.enable' with value 'true' in previous Confluence versions and with value 'false' in Confluence 7.15, and it did not have the expected behaviour in any of them.

            We have scheduled a call with you to clarify both the property and the module usage.

            Regards,

            Pablo

            Ganesh Gautam added a comment -

            Hi Pablo,

            Thanks for reaching out. I just confirmed `xstream.allowlist.enable` should be working as per our automated test for this prop. We made the XStream allowlist the default for dev mode to brace plugins for the future upgrade to XStream 1.4.18 next year. Note that this is only for dev mode; prod customers shouldn't be impacted.
            I would be happy to get your security module configured so that your app can work and brace for 1.4.18.

            Thanks,
            Ganesh

            Pablo Gallego _Appfire_ added a comment - edited

            Confluence 7.15-beta2 breaks Apps in dev mode using XStream: XStream might not be properly initialized

            To provide a bit more context about the urgency of this issue:

            New changes introduced in Confluence 7.15 beta ("The XStream allowlist is now enabled by default when Confluence is running in dev mode", to be precise) cause XStream deserialization to fail, which causes our top Confluence App, Comala Document Management, to unavoidably fail in development mode.

            This is a blocker issue for us as we rely on XStream to retrieve data we store using Bandana and Content Properties, and this affects our development process.

            We already know the XStream version was upgraded with Confluence 7.10 to version 1.4. There they also added the XStreamManagerCompat to allow backwards compatibility, and it is the one we are using right now.

            The following "xstream-security" module was specified in XStream 1.4 Upgrade (https://confluence.atlassian.com/doc/xstream-1-4-upgrade-1026045605.html) as a way to avoid the restrictions. We have tried using all the specified options (type, regex, wildcard) and none seemed to work.

            <xstream-security key="xstream-set" name="Some XStream allowlist set">
                <type>com.atlassian.test.ExampleClass</type>
                <type>com.atlassian.test.AnotherExampleClass</type>
                <regex>com.atlassian.example.*</regex>
                <wildcard>com.some.package.**</wildcard>
            </xstream-security>

            Also, the "xstream.allowlist.enable" system property cannot be disabled by setting its value to "false".
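The module quoted in the comment above uses the three matcher kinds the XStream 1.4 Upgrade guide describes: type, regex and wildcard. As an added example (not code from this ticket, from Confluence or from Appfire), the following builds a plain XStream 1.4.x instance with the same allowlist through XStream's public API and shows that a payload naming an unlisted class is rejected with ForbiddenClassException instead of being deserialized. The sample classes, aliases and payloads are constructed for illustration; how Confluence wires the module onto its own XStream instances is not shown on this page and is assumed to differ.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class AllowlistDemo {

    // Constructed sample types standing in for a plugin's persisted classes.
    public static class ExampleClass { String name; int count; }
    public static class Unlisted     { String name; }

    // Allowlist equivalent to the <xstream-security> module quoted above, built
    // with XStream's public API (assumption: not how Confluence wires it).
    static XStream allowlistedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // start from an empty allowlist
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class });          // String-typed fields
        // <type>: exact classes
        xs.allowTypes(new Class[] { ExampleClass.class });
        // <regex>: Java regular expression over the fully qualified class name
        xs.allowTypesByRegExp(new String[] { "com\\.atlassian\\.example\\..*" });
        // <wildcard>: ** also matches across package separators
        xs.allowTypesByWildcard(new String[] { "com.some.package.**" });
        // Aliases only rename elements; the permission check still applies.
        xs.alias("example", ExampleClass.class);
        xs.alias("unlisted", Unlisted.class);
        return xs;
    }

    // Returns the deserialized object, or null when the allowlist rejects the type.
    static Object deserializeOrNull(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = allowlistedXStream();
        // Constructed payloads: the first names a listed type, the second does not.
        String listed   = "<example><name>a</name><count>1</count></example>";
        String unlisted = "<unlisted><name>b</name></unlisted>";

        System.out.println("listed   -> " + deserializeOrNull(xs, listed));
        System.out.println("unlisted -> " + deserializeOrNull(xs, unlisted));
    }
}
```

Setting `xstream.allowlist.enable` to `false`, as in the workaround, removes this check entirely, which is why the thread treats it as a dev-mode stopgap rather than something to ship to production.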

              ggautam Ganesh Gautam
              6a66c94f366a Pablo Gallego _Appfire_
              Affected customers: 19
              Watchers: 16