• Bug
    • Resolution: Fixed
    • Low
    • None
    • 7.18.0
    • Server - Platform
    • None

      Issue Summary

      This is reproducible on Data Center: yes

      Use the new module like this:

      <xstream-security key = "xstream-set" name="Some XStream allowlist set">
          <wildcard>**</wildcard>
      </xstream-security> 

      does not work.

      Steps to Reproduce

      1. Create an app that uses <xstream-security/>
      2. Use atlas-debug to start Confluence

      Expected Results

      The app runs without error

      Actual Results

      The below exception is thrown in the atlassian-confluence.log file:

      2022-08-22 09:01:36,891 ERROR [ThreadPoolAsyncTaskExecutor::Thread 31] [plugin.osgi.factory.OsgiPlugin] onPluginContainerFailed Unable to start the plugin container for plugin 'com.company.myplugin'
       -- url: /confluence/rest/plugins/1.0/ | traceId: 401ca2d490aee6a6 | userName: admin
      org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sampleComponent': Invocation of init method failed; nested exception is com.atlassian.confluence.api.service.exceptions.ServiceException: Could not deserialize object as XStream might not be properly initialized

      Workaround

      When using atlas-debug add

      <configuration>
          <systemPropertyVariables>
              <xstream.allowlist.enable>false</xstream.allowlist.enable>
          </systemPropertyVariables>
      </configuration>

            [CONFSERVER-81014] xstream-security module not working in atlas-debug mode

            Ajay Sharma (Inactive) made changes -
            QA Demo Status Original: Not Done [ 14330 ] New: Not Needed [ 14332 ]
            QA Kickoff Status Original: Not Done [ 14234 ] New: Not Needed [ 14236 ]
            Resolution New: Fixed [ 1 ]
            Status Original: Ready for Development [ 10049 ] New: Closed [ 6 ]

            It is happening in the attached sample plugin because of incorrect initialisation of XStream. Here XStream is being used just at the time of bean initialisation, and XStream cannot be used in afterPropertiesSet.

            In order to fix/avoid this issue:
            It is recommended to lazily initialise the XStream instance, and use it in a flow that triggers after the SAL LifecycleAware.onStart is called.

            If a plugin wants to use it in afterPropertiesSet, it needs delayed calls, as XStream won’t be ready until the plugin starts.

            This is because, as per the plugin’s workflow, all the modules will be enabled after the beans/objects get initialised.

             

            Plugins2 add-ons

            Ajay Sharma (Inactive) added a comment
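Added example, not part of the original issue or the attached sample plugin: one way to follow the advice in the comment above, recording work in afterPropertiesSet and building the XStream-backed deserializer only after LifecycleAware.onStart, so the allowlist can stay enabled. The class name reuses the bean name from the log; the deserializerFactory parameter, the getLoaded accessor and the sample XML are assumptions, and the bean is assumed to be exported as a LifecycleAware service.

```java
import com.atlassian.sal.api.lifecycle.LifecycleAware;
import org.springframework.beans.factory.InitializingBean;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;
import java.util.function.Supplier;

// Added illustration, not the plugin attached to this issue. Assumes the bean is
// exported as a LifecycleAware service so that SAL calls onStart() after plugin start.
public class SampleComponent implements InitializingBean, LifecycleAware {
    // Hypothetical factory for the XStream-backed "XML in, object out" call.
    private final Supplier<Function<String, Object>> deserializerFactory;
    private final List<String> pendingXml = new ArrayList<>();
    private final List<Object> loaded = new ArrayList<>();
    private Function<String, Object> deserializer; // built lazily, never at bean init
    private boolean started;

    public SampleComponent(Supplier<Function<String, Object>> deserializerFactory) {
        this.deserializerFactory = deserializerFactory;
    }

    @Override
    public synchronized void afterPropertiesSet() {
        // Plugin modules are not enabled yet, so only record what has to be loaded.
        pendingXml.add("<string>constructed sample</string>"); // constructed input
    }

    @Override
    public synchronized void onStart() {
        started = true;
        for (String xml : pendingXml) {
            loaded.add(deserialize(xml)); // delayed call, made once the plugin has started
        }
        pendingXml.clear();
    }

    @Override
    public synchronized void onStop() { started = false; deserializer = null; }

    public synchronized Object deserialize(String xml) {
        if (!started) {
            throw new IllegalStateException("XStream used before LifecycleAware.onStart()");
        }
        if (deserializer == null) {
            deserializer = deserializerFactory.get(); // first use after start
        }
        return deserializer.apply(xml);
    }
    public synchronized List<Object> getLoaded() { return new ArrayList<>(loaded); }
}
```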
            Ajay Sharma (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 711553 ]
            Ajay Sharma (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Confluence)" [ 709779 ]
            Ajay Sharma (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 709779 ]
            Ganesh Gautam made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 706252 ]
            Ajay Sharma (Inactive) made changes -
            Assignee New: Ajay Sharma [ 19cb521e4007 ]
            James Ponting made changes -
            Status Original: Needs Triage [ 10030 ] New: Ready for Development [ 10049 ]
            James Richards made changes -
            Link New: This issue is a regression of CONFSERVER-74692 [ CONFSERVER-74692 ]

              19cb521e4007 Ajay Sharma (Inactive)
              jrichards@atlassian.com James Richards