  1. GEOS-8255

Adding extra IP's to "Excluded network masks" breaks geoserver (re)start


    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 2.11.2
    • Fix Version/s: 2.11.5, 2.12.3, 2.13-beta
    • Component/s: Security
    • Labels:
    • Environment:

      Ubuntu 16.04; Tomcat 8; Java 8


      Go to the Admin GUI
      Security > Authentication > Excluded network masks (comma separated)
      And fill in one or more extra IP's, i.e. ";"

      This will generate a config.xml similar to this:

      <whitelistedMasks class="java.util.Arrays$ArrayList">
            <a class="string-array">

      Then restart Geoserver/Tomcat, and it will fail to do so:
      Part of the stack trace:

      22 Aug 11:39:41 ERROR [config.util] - Class java.util.Arrays$ArrayList is not whitelisted for XML parsing. 
      This is done to prevent Remote Code Execution attacks, but it might be 
      you need this class to be authorized for GeoServer to actually work
      If you are a user, you can set a variable named GEOSERVER_XSTREAM_WHITELIST
        with a semicolon separated list of fully qualified names, or patterns
        to match several classes.The variable can be set as a system variable,
        an environment variable, or a servlet context variable, just like
        For example, in order to authorize the org.geoserver.Foo class,
        plus any class in the org.geoserver.custom package, one could set
        a system variable: 
      If instead you are a developer, you can call allowTypes/allowTypeHierarchy against
        the XStream used for serialization by rolling a custom
        XStreamPersisterInitializer or customizing your XStreamServiceLoader.
      Aug 22, 2017 11:39:41 AM org.apache.catalina.core.StandardContext startInternal
      SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
      Aug 22, 2017 11:39:41 AM org.apache.catalina.core.StandardContext startInternal
      SEVERE: Context [/geoserver] startup failed due to previous errors
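
A pre-restart check for the failure described above, as an added example that is not part of the original report or of GeoServer's code: it lists every `class` type hint in a config file that an allow-list would reject. The sample XML, the allow-list entries and the glob-style matching are constructed assumptions, not GeoServer's real defaults or pattern syntax.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment in the report; the masks are
# documentation-range placeholders, not values taken from the issue.
SAMPLE_CONFIG = """<config>
  <whitelistedMasks class="java.util.Arrays$ArrayList">
    <a class="string-array">
      <string>192.0.2.0/24</string>
      <string>198.51.100.7</string>
    </a>
  </whitelistedMasks>
</config>"""

# Hypothetical allow-list for illustration only (assumption). The XStream
# alias "string-array" is treated here as a plain name for simplicity.
BASE_ALLOWED = ["java.util.ArrayList", "string-array"]


def parse_allowlist(value):
    """Split a semicolon separated list of names or patterns, dropping blanks."""
    return [item.strip() for item in value.split(";") if item.strip()]


def class_hints(xml_text):
    """Return (element tag, class attribute) for every element with a type hint."""
    root = ET.fromstring(xml_text)
    return [(el.tag, el.attrib["class"]) for el in root.iter() if "class" in el.attrib]


def rejected_hints(xml_text, allowed):
    """List type hints matched by no allow-list entry (glob matching is an assumption)."""
    return [(tag, cls) for tag, cls in class_hints(xml_text)
            if not any(fnmatch.fnmatchcase(cls, pat) for pat in allowed)]


if __name__ == "__main__":
    # Report anything that would be refused at XML parsing time.
    for tag, cls in rejected_hints(SAMPLE_CONFIG, BASE_ALLOWED):
        print(f"<{tag}> uses class {cls!r}, which is not on the allow-list")
```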




            • Assignee:
              bartv bartvliz