Serialization protection methods

For security/compatibility reasons, you can control the way Java classes are filtered during deserialisation. This is particularly important for agent-server communication.

The filtering can be either whitelist- or blacklist-based.

The whitelist is the only recommended option for XStream serialisation. Blacklist (the former default) is scheduled for removal and should only be considered as a temporary fix in case of problems with the whitelist.


You can disable serialization security completely by setting the system property. This is not recommended for security reasons.

You can set up the serialization protection methods in Bamboo administration > Security > Security settings.

Serialization説明 オプション
XStreamAgent - server messaging
  • whitelist (default)
  • blacklist (insecure) 
  • strict blacklist (insecure) 
BandanaBamboo custom storage mechanism that can be used by plugins
  • blacklist
  • strict blacklist (default)

Overview of options

The recommended option: whitelist

Whitelist has three sources:

  • bundled with Bamboo (can't be modified),
  • a list of whitelisted classes can be added into Bamboo home directory,
  • plugin vendors can define certain classes as allowed.

A whitelist has higher priority than a blacklist. If a class is blacklisted by Bamboo, but is whitelisted anywhere (by a plugin or via bamboo home directory settings), then even if we're using the blacklist security setting, the class will still be allowed to be serialized/deserialized.

For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.

Blacklist (insecure)

Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.

Strict blacklist (insecure)

Strict blacklist restricts a bit more classes then the blacklist. Nevertheless, it's still considered insecure and it can cause problems with some of the plugins.

最終更新日: 2021 年 12 月 15 日


Powered by Confluence and Scroll Viewport.