The whitelist is the only recommended option for XStream serialisation. Blacklist (the former default) is scheduled for removal and should only be considered as a temporary fix in case of problems with the whitelist.
You can disable serialization security completely by setting the bamboo.security.serialization.disable system property. This is not recommended for security reasons.
You can set up the serialization protection methods in Bamboo administration > Security > Security settings.
| Serialization | Description | Options |
|---|---|---|
| XStream | Agent - server messaging | |
| Bandana | Bamboo custom storage mechanism that can be used by plugins | |
Whitelist has three sources:
A whitelist has higher priority than a blacklist. If a class is blacklisted by Bamboo, but is whitelisted anywhere (by a plugin or via bamboo home directory settings), then even if we're using the blacklist security setting, the class will still be allowed to be serialized/deserialized.
For more information about how to add classes to the whitelist or implement a plugin module, see Bamboo developer documentation.
Blacklists are provided by Bamboo and can't be modified by plugin vendors or administrators.
Strict blacklist restricts a few more classes than the blacklist. Nevertheless, it is still considered insecure and it can cause problems with some of the plugins.
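The difference between the whitelist and blacklist modes described above comes down to what happens to a class that nobody listed. The following is an added example, not code from Bamboo or from the XStream project, that configures two plain XStream instances with XStream's own security API: one in allowlist (whitelist) mode and one in denylist (blacklist) mode. The `AgentStatus` message type, the `com.example.internal.**` deny pattern and the XML payloads are constructed for the example and do not correspond to anything in Bamboo.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not Bamboo or XStream project code): allowlist versus denylist
 * behaviour of an XStream instance when it meets a type that nobody listed.
 */
public class XStreamListModesDemo {

    /** Hypothetical agent-to-server message type, constructed for this example. */
    public static class AgentStatus {
        public String agentName;
        public int runningBuilds;
    }

    /** Allowlist mode: deny every type first, then let only the expected types back in. */
    public static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny all types ...
        xstream.addPermission(NullPermission.NULL);                // ... except null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // ... and primitives/wrappers
        xstream.allowTypes(new Class[] { String.class, AgentStatus.class });
        xstream.alias("agentStatus", AgentStatus.class);
        return xstream;
    }

    /** Denylist mode: accept every type, then forbid a few named patterns (hypothetical). */
    public static XStream denylistedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(AnyTypePermission.ANY);              // accept all types ...
        xstream.denyTypesByWildcard(new String[] { "com.example.internal.**" }); // ... but these
        xstream.alias("agentStatus", AgentStatus.class);
        return xstream;
    }

    /** Returns the deserialized object, or null when the payload names a forbidden type. */
    public static Object parse(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // The only safe reaction to an unlisted type is to drop the payload and log it.
            System.err.println("rejected payload: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream allow = allowlistedXStream();
        XStream deny = denylistedXStream();

        AgentStatus status = new AgentStatus();
        status.agentName = "agent-01";
        status.runningBuilds = 2;
        String expected = allow.toXML(status); // <agentStatus>...</agentStatus>

        // Constructed payload naming a type that neither list mentions (java.util.Date,
        // whose default XStream alias is "date"). Content is irrelevant: the type check
        // runs on the element name before any value is parsed.
        String unlisted = "<date>2024-01-01 00:00:00.0 UTC</date>";

        Object a1 = parse(allow, expected);
        Object a2 = parse(allow, unlisted);
        System.out.println("allowlist: expected type -> " + (a1 != null ? a1.getClass().getSimpleName() : "rejected"));
        System.out.println("allowlist: unlisted type -> " + (a2 != null ? a2.getClass().getSimpleName() : "rejected"));

        Object d1 = parse(deny, expected);
        Object d2 = parse(deny, unlisted);
        System.out.println("denylist:  expected type -> " + (d1 != null ? d1.getClass().getSimpleName() : "rejected"));
        System.out.println("denylist:  unlisted type -> " + (d2 != null ? d2.getClass().getSimpleName() : "rejected"));
    }
}
```

The allowlisted instance accepts `AgentStatus` and rejects the `date` payload with a `ForbiddenClassException`; the denylisted instance accepts both, because a class that appears on no list is allowed in denylist mode. That is exactly why a blacklist can only ever catch types someone already thought of, and why the page treats it as a temporary measure rather than a security boundary.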