Dev - Nexus Repo / NEXUS-31695

Saving PGP configuration fails due to com.thoughtworks.xstream.security.ForbiddenClassException: com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO

    Details

    • Notability: 4

      Description

      This issue does not affect Nexus Repository 3.

      In Nexus 2, go to Administration -> Server. Click Save.

      Notice the following WARN in the nexus.log:

      2022-03-31 10:12:13,689-0300 WARN  [qtp366934289-34] admin org.sonatype.nexus.rest.NexusRestletResource - Invalid XML, unable to parse using XStream class com.sonatype.nexus.pgp.api.PGPConfigurationPlexusResource
      com.thoughtworks.xstream.security.ForbiddenClassException: com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO
        at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
        at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
        at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
        at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
        at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:135)
        at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1421)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1399)
        at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1337)
        at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1326)
        at org.sonatype.plexus.rest.representation.XStreamRepresentation.getPayload(XStreamRepresentation.java:62)
        at org.sonatype.plexus.rest.resource.RestletResource.deserialize(RestletResource.java:174)
        at org.sonatype.plexus.rest.resource.RestletResource.storeRepresentation(RestletResource.java:295)
        at org.sonatype.nexus.rest.NexusRestletResource.storeRepresentation(NexusRestletResource.java:91)
        at org.restlet.resource.Resource.put(Resource.java:706)
        at org.restlet.resource.Resource.handlePut(Resource.java:603)
        at org.restlet.Finder.handle(Finder.java:359)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Router.handle(Router.java:504)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.sonatype.plexus.rest.RetargetableRestlet.doHandle(RetargetableRestlet.java:36)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at com.noelios.restlet.StatusFilter.doHandle(StatusFilter.java:130)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124)
        at com.noelios.restlet.application.ApplicationHelper.handle(ApplicationHelper.java:112)
        at org.restlet.Application.handle(Application.java:341)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Router.handle(Router.java:504)
        at org.restlet.Filter.doHandle(Filter.java:150)
        at org.restlet.Filter.handle(Filter.java:195)
        at org.restlet.Router.handle(Router.java:504)
        at com.noelios.restlet.ChainHelper.handle(ChainHelper.java:124)
        at org.restlet.Component.handle(Component.java:676)
        at org.restlet.Server.handle(Server.java:331)
        at com.noelios.restlet.ServerHelper.handle(ServerHelper.java:68)
        at com.noelios.restlet.http.HttpServerHelper.handle(HttpServerHelper.java:147)
        at com.noelios.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:881)
        at org.sonatype.nexus.restlet1x.internal.RestletServlet.service(RestletServlet.java:93)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:297)
        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:281)
        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:186)
        at com.google.inject.servlet.AbstractServletPipeline.service(AbstractServletPipeline.java:65)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:112)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
        at com.sonatype.nexus.analytics.internal.RestRequestCollector.doFilter(RestRequestCollector.java:81)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450)
        at org.sonatype.nexus.web.internal.SecurityFilter.executeChain(SecurityFilter.java:90)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
        at com.sonatype.nexus.licensing.internal.LicensingRedirectFilter.doFilter(LicensingRedirectFilter.java:135)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
        at com.codahale.metrics.servlet.AbstractInstrumentedFilter.doFilter(AbstractInstrumentedFilter.java:97)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.sonatype.nexus.web.internal.CommonHeadersFilter.doFilter(CommonHeadersFilter.java:69)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.sonatype.nexus.web.internal.ErrorPageFilter.doFilter(ErrorPageFilter.java:71)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.sonatype.nexus.web.internal.BaseUrlHolderFilter.doFilter(BaseUrlHolderFilter.java:66)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at org.sonatype.nexus.web.internal.HeaderPatternFilter.doFilter(HeaderPatternFilter.java:96)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.AbstractFilterPipeline.dispatch(AbstractFilterPipeline.java:100)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:82)
        at org.sonatype.nexus.web.internal.NexusGuiceFilter$MultiFilterPipeline.dispatch(NexusGuiceFilter.java:56)
      

      The following endpoint fails with a 400 status code:

      PUT /nexus/service/local/pgp/configuration
      

      The on-disk configuration at sonatype-work/nexus/conf/pgp.xml is not updated.

      Workaround

      Edit the on-disk sonatype-work/nexus/conf/pgp.xml manually if any changes to the PGP configuration are actually needed, then restart the repo.

      OR

      Add this line to <APP-DIR>/conf/nexus.properties and restart the repo for the change to take effect.

      com.thoughtworks.xstream.whitelist.TypeWhitelist.allowedTypes=com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO
      

      Expected

      Should be able to save PGP configuration without issue.
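A log triage sketch for the WARN shown above, added here as an example and not part of the original issue or of Nexus: it pairs each `ForbiddenClassException` in nexus.log with the request context on the preceding WARN line and separates types an operator has already reviewed from any other denied type, which should be investigated before being added to the allowed types. The reviewed set, the function names and the second sample event are assumptions made for illustration.

```python
import re
from collections import Counter

# Types an operator has reviewed; this one is the DTO named in the issue's workaround.
REVIEWED_TYPES = {"com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO"}

WARN_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) WARN\s+\[[^\]]+\] "
    r"(?P<user>\S+) \S+ - Invalid XML, unable to parse using XStream class (?P<resource>\S+)$")
DENIED_RE = re.compile(
    r"com\.thoughtworks\.xstream\.security\.ForbiddenClassException: (?P<denied>[\w.$]+)")

# Constructed sample: the first event is copied from the issue, the second is invented
# (hypothetical user, resource and class names) to show an unreviewed type.
SAMPLE_LOG = """\
2022-03-31 10:12:13,689-0300 WARN  [qtp366934289-34] admin org.sonatype.nexus.rest.NexusRestletResource - Invalid XML, unable to parse using XStream class com.sonatype.nexus.pgp.api.PGPConfigurationPlexusResource
com.thoughtworks.xstream.security.ForbiddenClassException: com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO
\tat com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
2022-03-31 10:15:02,101-0300 WARN  [qtp366934289-40] someuser org.sonatype.nexus.rest.NexusRestletResource - Invalid XML, unable to parse using XStream class org.example.HypotheticalResource
com.thoughtworks.xstream.security.ForbiddenClassException: org.example.UnexpectedType
"""

def parse_denials(log_text):
    """Pair each ForbiddenClassException with the WARN line that precedes it."""
    events, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        warn, denied = WARN_RE.match(line), DENIED_RE.match(line)
        if warn:
            pending = warn.groupdict()
        elif denied:
            ctx = pending or {"ts": None, "user": None, "resource": None}
            events.append({**ctx, "denied": denied.group("denied")})
            pending = None
        elif not line.startswith("at "):
            pending = None  # unrelated log line: drop stale request context
    return events

def triage(events, reviewed=REVIEWED_TYPES):
    """Split denials into reviewed types (counted) and ones needing investigation."""
    known = Counter(e["denied"] for e in events if e["denied"] in reviewed)
    unknown = [e for e in events if e["denied"] not in reviewed]
    return known, unknown

if __name__ == "__main__":
    known, unknown = triage(parse_denials(SAMPLE_LOG))
    for name, n in known.items():
        print(f"reviewed type denied {n}x: {name}")
    for e in unknown:
        print(f"INVESTIGATE {e['ts']} user={e['user']} resource={e['resource']} denied={e['denied']}")
```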

              People

              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Rich Seddon