Go to the Admin GUI
Security > Authentication > Excluded network masks (comma separated)
And fill in one or more extra IPs.
This will generate a config.xml similar to this:
...
<whitelistedMasks class="java.util.Arrays$ArrayList">
  <a class="string-array">
    <string>127.0.0.1</string>
    <string>192.168.0.1</string>
  </a>
</whitelistedMasks>
...
Then restart GeoServer/Tomcat, and it will fail to do so:
Part of the stack trace:
22 Aug 11:39:41 ERROR [config.util] - Class java.util.Arrays$ArrayList is not whitelisted for XML parsing.
This is done to prevent Remote Code Execution attacks, but it might be
you need this class to be authorized for GeoServer to actually work
If you are a user, you can set a variable named GEOSERVER_XSTREAM_WHITELIST
with a semicolon separated list of fully qualified names, or patterns
to match several classes.The variable can be set as a system variable,
an environment variable, or a servlet context variable, just like
GEOSERVER_DATA_DIR.
For example, in order to authorize the org.geoserver.Foo class,
plus any class in the org.geoserver.custom package, one could set
a system variable:
-DGEOSERVER_XSTREAM_WHITELIST=org.geoserver.Foo;org.geoserver.custom.**
If instead you are a developer, you can call allowTypes/allowTypeHierarchy against
the XStream used for serialization by rolling a custom
XStreamPersisterInitializer or customizing your XStreamServiceLoader.
Aug 22, 2017 11:39:41 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file
Aug 22, 2017 11:39:41 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/geoserver] startup failed due to previous errors
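
A pre-restart check for the failure above, as an added example that is not part of the original report and not GeoServer code: it lists the fully qualified class= values in a config.xml that a given GEOSERVER_XSTREAM_WHITELIST value would not cover. Assumptions: the patterns follow XStream's wildcard rules (`**` crosses package separators, `*` and `?` do not), GeoServer's built-in allowlist is not modelled, and the function names and sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the config.xml fragment in the report.
SAMPLE_CONFIG = """<config>
  <whitelistedMasks class="java.util.Arrays$ArrayList">
    <a class="string-array">
      <string>127.0.0.1</string>
      <string>192.168.0.1</string>
    </a>
  </whitelistedMasks>
</config>"""


def pattern_to_regex(pattern):
    """Translate one whitelist pattern: '**' crosses packages, '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^.]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^.]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # escapes '.' and the '$' of inner classes
            i += 1
    return re.compile("".join(out))


def uncovered_classes(config_xml, whitelist):
    """Return class= values (fully qualified only) matched by no whitelist entry."""
    regexes = [pattern_to_regex(p.strip()) for p in whitelist.split(";") if p.strip()]
    missing = []
    for element in ET.fromstring(config_xml).iter():
        name = element.get("class")
        # Assumption: values without a dot (e.g. "string-array") are XStream aliases; skipped.
        if not name or "." not in name:
            continue
        if not any(r.fullmatch(name) for r in regexes) and name not in missing:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(uncovered_classes(SAMPLE_CONFIG, "org.geoserver.Foo;org.geoserver.custom.**"))
```

When passing such a value on a shell command line, single-quote it so that `$ArrayList` is not expanded as a shell variable.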