Serialization protection methods
You can disable serialization security by setting the bamboo.security.serialization.disable system property.
You can set up the serialization protection methods in Bamboo administration > Security > Security settings.
| Serialization | 説明 | オプション |
|---|---|---|
| XStream | Agent - server messaging |
|
| Bandana | Bamboo custom storage mechanism that can be used by plugins |
|
ホワイトリスト
The default whitelist bundled with Bamboo can't be modified. Whitelists have three sources:
- provided by Bamboo
- classes can be added into Bamboo home directory and
- by plugin vendors
A whitelist has higher priority than a blacklist. If a class is blacklisted by Bamboo, but is whitelisted anywhere (by a plugin or via bamboo home directory settings), then even if we're using the blacklist security setting, the class will still be allowed to be serialized/deserialized.
For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.
Blacklist
Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.
Strict blacklist
Strict blacklist restricts more classes and is a more secure approach. However, it can cause problems with some of the plugins.